
Bug 565678 (CVE-2015-8126)

Summary: <media-libs/libpng{1.2.54,1.5.24,1.6.19}: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions (CVE-2015-8126)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: base-system, flo
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://sourceforge.net/p/png-mng/mailman/message/34615043/
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=1281756
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 564244    

Description Agostino Sarubbo gentoo-dev 2015-11-13 13:52:04 UTC
From ${URL} :

Buffer overflow vulnerabilities in functions png_get_PLTE/png_set_PLTE, allowing remote attackers 
to cause DoS to application or have unspecified other impact. These functions failed to check for 
an out-of-range palette when reading or writing PNG files with a bit_depth less than 8. Some 
applications might read the bit depth from the IHDR chunk and allocate memory for a 2^N entry 
palette, while libpng can return a palette with up to 256 entries even when the bit depth is less 
than 8.

Affected versions of libpng are before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x 
before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19.

Upstream patches:

https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766
https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d
https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978
https://github.com/glennrp/libpng/commit/83f4c735c88e7f451541c1528d8043c31ba3b466

CVE assignment:

http://seclists.org/oss-sec/2015/q4/264


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for stabilization or not.
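
The range check the description says was missing, written as an added example that is not libpng's code and not part of the original report: it walks the PNG chunks directly, without libpng, and flags a PLTE chunk holding more entries than the IHDR bit depth allows. The names `plte_out_of_range` and `check_sample` are hypothetical, and the sample files are constructed in memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t be32(const uint8_t *p) {    /* PNG integers are big-endian */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* 1: PLTE has more entries than the IHDR bit depth allows; 0: in range or
 * no PLTE seen; -1: not parseable. Chunk CRCs are not verified. */
int plte_out_of_range(const uint8_t *buf, size_t len) {
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
    int bit_depth = -1, color_type = -1;
    size_t off = 8;
    if (len < 8 || memcmp(buf, sig, 8) != 0) return -1;
    while (len - off >= 12) {                /* length + type + CRC */
        uint32_t clen = be32(buf + off);
        const uint8_t *type = buf + off + 4, *data = buf + off + 8;
        if (clen > len - off - 12) return -1;    /* truncated chunk */
        if (memcmp(type, "IHDR", 4) == 0 && clen == 13) {
            bit_depth = data[8];
            color_type = data[9];
        } else if (memcmp(type, "PLTE", 4) == 0) {
            uint32_t limit = 256;            /* PNG maximum palette size */
            if (bit_depth < 0 || clen % 3 != 0) return -1;
            if (color_type == 3 && bit_depth < 8) limit = 1u << bit_depth;
            return clen / 3 > limit;         /* 3 bytes per RGB entry */
        }
        off += 12 + (size_t)clen;
    }
    return 0;
}

/* Constructed sample: signature, IHDR (1x1, colour type 3), PLTE; CRCs zero. */
int check_sample(uint8_t bit_depth, uint32_t entries) {
    static const uint8_t head[24] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n',
        0, 0, 0, 13, 'I', 'H', 'D', 'R', 0, 0, 0, 1, 0, 0, 0, 1};
    uint8_t png[45 + 768] = {0};
    size_t plen = (size_t)(entries > 256 ? 256 : entries) * 3;
    memcpy(png, head, sizeof head);
    png[24] = bit_depth; png[25] = 3;        /* IHDR bit depth, colour type */
    png[35] = (uint8_t)(plen >> 8); png[36] = (uint8_t)plen;  /* PLTE length */
    memcpy(png + 37, "PLTE", 4);
    return plte_out_of_range(png, 45 + plen);
}

int main(void) {
    printf("1-bit depth, 4 palette entries: %d\n", check_sample(1, 4));
    return 0;
}
```

An application that sizes its own palette buffer from the IHDR bit depth can run a check like this before copying, or size the buffer for 256 entries regardless of bit depth.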
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2015-11-13 14:22:22 UTC
Arches please test and mark stable the following versions:

=media-libs/libpng-1.2.54: 
~alpha amd64 ~arm arm64 ~hppa ~ia64 m68k ~mips ~ppc64 s390 sh ~sparc x86 ~sparc-fbsd ~x86-fbsd ~amd64-linux ~x86-linux

=media-libs/libpng-1.5.24:
~alpha amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt

=media-libs/libpng-1.6.19:
alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt
Comment 2 Agostino Sarubbo gentoo-dev 2015-11-13 14:31:12 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2015-11-13 14:31:38 UTC
x86 stable
Comment 4 Jeroen Roovers gentoo-dev 2015-11-15 06:25:45 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #1)
> Arches please test and mark stable the following versions:
> 
> =media-libs/libpng-1.2.54: 
> ~alpha amd64 ~arm arm64 ~hppa ~ia64 m68k ~mips ~ppc64 s390 sh ~sparc x86
> ~sparc-fbsd ~x86-fbsd ~amd64-linux ~x86-linux

Most of these have no stable keywords on this SLOT.

> =media-libs/libpng-1.5.24:
> ~alpha amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh
> ~sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd
> ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos
> ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris
> ~x86-solaris ~x86-winnt

Most of these have no stable keywords on this SLOT.

> =media-libs/libpng-1.6.19:
> alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86
> ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd
> ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos
> ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris
> ~x86-solaris ~x86-winnt

This is probably the SLOT you want those stable keywords on.
Comment 5 Jeroen Roovers gentoo-dev 2015-11-15 06:27:05 UTC
Stable for PPC64.
Comment 6 Jeroen Roovers gentoo-dev 2015-11-15 07:55:24 UTC
Stable for HPPA.
Comment 7 Matt Turner gentoo-dev 2015-11-15 08:31:33 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-11-18 09:56:51 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-11-19 11:27:39 UTC
ppc stable
Comment 10 Markus Meier gentoo-dev 2015-11-21 14:36:21 UTC
arm stable
Comment 11 Yury German Gentoo Infrastructure gentoo-dev Security 2015-12-23 23:42:33 UTC
Ping on sparc stabilization, only one holding this down.

At the same time filing for glsa so can write it up.
Comment 12 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-12-27 10:49:22 UTC
sparc stable
Comment 13 Yury German Gentoo Infrastructure gentoo-dev Security 2015-12-31 08:00:03 UTC
Arches, Thank you for your work.

Maintainer(s), please drop the vulnerable version(s).
Comment 14 Yury German Gentoo Infrastructure gentoo-dev Security 2016-01-26 02:18:50 UTC
It has been 30 days since last request.
Maintainer(s), please drop the vulnerable version(s).
Comment 15 Yury German Gentoo Infrastructure gentoo-dev Security 2016-02-25 16:28:41 UTC
Please cleanup version: 1.6.18
Comment 16 Doug Goldstein gentoo-dev 2016-02-26 02:27:10 UTC
Thanks for the report. re: http://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d936b8ae0be80754a7474c38768356b2850079e9
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2016-11-15 07:40:48 UTC
This issue was resolved and addressed in GLSA 201611-08 at https://security.gentoo.org/glsa/201611-08 by GLSA coordinator Aaron Bauman (b-man).