Bug 683366 (CVE-2018-14048, CVE-2018-14550, CVE-2019-7317)

Summary: <media-libs/libpng-1.6.37: use-after-free vulnerability in png_image_free (CVE-2019-7317)
Product: Gentoo Security
Reporter: Lars Wendler (Polynomial-C) <polynomial-c>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: base-system
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa+ cve]
Package list: media-libs/libpng-1.6.37
Runtime testing required: ---

Description Lars Wendler (Polynomial-C) gentoo-dev 2019-04-15 07:51:30 UTC
From the CHANGES file:

Version 1.6.37 [April 14, 2019]
  Fixed a use-after-free vulnerability (CVE-2019-7317) in png_image_free.
  Fixed a memory leak in the ARM NEON implementation of png_do_expand_palette.
  Fixed a memory leak in pngtest.c.
  Fixed two vulnerabilities (CVE-2018-14048, CVE-2018-14550) in
    contrib/pngminus; refactor.
  Changed the license of contrib/pngminus to MIT; refresh makefile and docs.
    (Contributed by Willem van Schaik)
  Fixed a typo in the libpng license v2.
    (Contributed by Miguel Ojeda)
  Added makefiles for AddressSanitizer-enabled builds.
  Cleaned up various makefiles.


We do not install pngminus so the two other CVEs are not relevant to us.

We're waiting for a new apng patchset to be released before we can do the version bump.
Comment 1 Larry the Git Cow gentoo-dev 2019-04-15 11:46:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=426f4ca3682918ea499ab99b48f9106f71164f1f

commit 426f4ca3682918ea499ab99b48f9106f71164f1f
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-04-15 11:45:05 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-04-15 11:45:54 +0000

    media-libs/libpng: Security bump to version 1.6.37
    
    Bug: https://bugs.gentoo.org/683366
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 media-libs/libpng/Manifest             |  2 ++
 media-libs/libpng/libpng-1.6.37.ebuild | 45 ++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-15 15:00:03 UTC
amd64 stable
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-04-16 02:13:29 UTC
arm64 stable
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-17 11:43:12 UTC
arm stable
Comment 5 Rolf Eike Beer 2019-04-17 20:42:59 UTC
hppa/sparc stable
Comment 6 Thomas Deutschmann gentoo-dev Security 2019-04-18 20:34:39 UTC
x86 stable
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-20 17:51:36 UTC
alpha stable
Comment 8 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-26 20:50:24 UTC
s390 stable
Comment 9 Yury German Gentoo Infrastructure gentoo-dev Security 2019-04-27 06:32:59 UTC
New GLSA Request filed.

Please continue with the stabilization
Comment 10 Sergei Trofimovich gentoo-dev 2019-04-27 16:33:33 UTC
ia64 stable
Comment 11 Sergei Trofimovich gentoo-dev 2019-04-28 07:46:14 UTC
ppc stable
Comment 12 Sergei Trofimovich gentoo-dev 2019-04-28 13:11:12 UTC
ppc64 stable
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-04-30 00:11:09 UTC
@base-system, please drop vulnerable.
Comment 14 Larry the Git Cow gentoo-dev 2019-04-30 07:44:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b31a7ecfeac4e19df2d77cd1b469c1b6bc77938

commit 5b31a7ecfeac4e19df2d77cd1b469c1b6bc77938
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-04-30 07:44:06 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-04-30 07:44:06 +0000

    media-libs/libpng: Security cleanup.
    
    Bug: https://bugs.gentoo.org/683366
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 media-libs/libpng/Manifest                |  4 ---
 media-libs/libpng/libpng-1.6.35-r1.ebuild | 45 -------------------------------
 media-libs/libpng/libpng-1.6.36.ebuild    | 45 -------------------------------
 3 files changed, 94 deletions(-)
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2019-08-03 11:27:25 UTC
This issue was resolved and addressed in
 GLSA 201908-02 at https://security.gentoo.org/glsa/201908-02
by GLSA coordinator Aaron Bauman (b-man).