[arch-security] [ASA-201512-18] libpng: buffer overflow
Remi Gacogne
rgacogne at archlinux.org
Mon Dec 28 18:44:44 UTC 2015
Arch Linux Security Advisory ASA-201512-18
==========================================
Severity: High
Date : 2015-12-28
CVE-ID : CVE-2015-8472
Package : libpng
Type : buffer overflow
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package libpng before version 1.6.20-1 is vulnerable to a buffer
overflow vulnerability, incompletely fixed in version 1.6.19.
Resolution
==========
Upgrade to 1.6.20-1.
# pacman -Syu "libpng>=1.6.20-1"
The problem has been fixed upstream in version 1.6.20.
Workaround
==========
None.
Description
===========
It was discovered that the png_get_PLTE() and png_set_PLTE() functions
of libpng did not correctly calculate the maximum palette sizes for bit
depths of less than 8. In case an application tried to use these
functions in combination with properly calculated palette sizes, this
could lead to a buffer overflow or out-of-bounds reads. An attacker
could exploit this to cause a crash or potentially execute arbitrary
code by tricking an unsuspecting user into processing a specially
crafted PNG image. However, the exact impact is dependent on the
application using the library.
This issue is the result of an incomplete fix for CVE-2015-8126 in
libpng 1.6.19.
Impact
======
A remote attacker might be able to execute arbitrary code on the
affected by submitting a crafted PNG file to an application calling
directly the png_set_PLTE() with invalid palette sizes.
References
==========
https://access.redhat.com/security/cve/CVE-2015-8472
http://seclists.org/oss-sec/2015/q4/439
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20151228/186b73b1/attachment.asc>
More information about the arch-security
mailing list