Bugzilla – Bug 912076
VUL-0: CVE-2014-9495: libpng16: overflow in png_read_IDAT_data
Last modified: 2016-04-27 20:18:02 UTC
CVE-2014-9495

It was reported [1] that libpng versions 1.6.9-1.6.15 contain a heap overflow vulnerability that, under certain circumstances [2], can allow a controlled write. Other versions of libpng might be vulnerable as well.

This looks like the upstream commit that fixes this:
http://sourceforge.net/p/libpng/code/ci/dc294204b641373bc6eb603075a8b98f51a75dd8/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1179186
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9495
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9495
bugbot adjusting priority
factory has libpng 1.6.16, so fixed. sle12 has libpng 1.6.8, not affected. 13.2 has libpng 1.6.13, affected.
http://sourceforge.net/p/libpng/code/ci/6d8c88177af0bd8732489f11e7c63cf861e30321/ is needed, too.
mr#280300
For openSUSE, see mr#280568.
Created attachment 619112
Used patch.
You have recorded it on the planned update list for sle12, so P4 for me.
libpng12 is not affected, see comment 9.
(In reply to Petr Gajdos from comment #6)
> http://sourceforge.net/p/libpng/code/ci/6d8c88177af0bd8732489f11e7c63cf861e30321/
>
> is needed, too.

Actually, CVE-2014-9495 is assigned only to this commit. See http://www.openwall.com/lists/oss-security/2015/01/10/1 for explanation.
Even 1.6.6 seems to be affected, too. The explanation is here: Index: png.c =================================================================== --- png.c.orig 2013-09-16 17:33:45.000000000 +0200 +++ png.c 2015-01-13 18:38:08.160021035 +0100 @@ -2415,7 +2415,10 @@ - 1 /* filter byte */ - 7*8 /* rounding of width to multiple of 8 pixels */ - 8) /* extra max_pixel_depth pad */ + { png_warning(png_ptr, "Width is too large for libpng to process pixels"); + error = 1; + } /* Check other values */ if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 && Without this patch: even if the check is there, png will not error out and later segfault happens the same way as for e. g. 1.6.13.
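Review bot: In the png.c hunk at -2415, the added braces make the width check set error = 1, but the message is still issued with png_warning and nothing visible in the hunk shows where error is tested, so confirm that the function turns a nonzero error into a png_error after the remaining checks (the context continues into "Check other values"); otherwise the oversized width is still accepted. A one-line comment next to error = 1 saying that the warning alone does not stop processing would record why the braces were added.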
openSUSE: mr#281058 sle12: mr#48203
SUSE-SU-2015:0092-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 912076,912929
CVE References: CVE-2014-9495,CVE-2015-0973
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): libpng16-1.6.8-5.1
SUSE Linux Enterprise Server 12 (src): libpng16-1.6.8-5.1
SUSE Linux Enterprise Desktop 12 (src): libpng16-1.6.8-5.1

Thanks. For the record, the fix was released last night:
libpng16-16-1.6.8-5.1.x86_64.rpm
https://download.suse.com/Download?buildid=GEaYhODKCiY~

openSUSE-SU-2015:0161-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 912076,912929
CVE References: CVE-2014-9495,CVE-2015-0973
Sources used:
openSUSE 13.2 (src): libpng16-1.6.13-2.4.1
openSUSE 13.1 (src): libpng16-1.6.6-16.1

Released. libpng versions older than libpng16 are not affected.