Bug 952051 (CVE-2015-7981) - VUL-1: CVE-2015-7981: libpng,libpng12,libpng15,libpng12-0,libpng16: out-of-bound read
Status: RESOLVED FIXED
Alias: CVE-2015-7981
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Deadline: 2015-11-24
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/158271/
Whiteboard: CVSSv2:SUSE:CVE-2015-7981:4.3:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-26 16:04 UTC by Andreas Stieger
Modified: 2022-02-13 11:07 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2015-10-26 16:04:52 UTC
via oss-sec http://seclists.org/oss-sec/2015/q4/161

> there is a memory read out of bound in libpng 1.2.* and 1.4.*, which
> is used in many operating systems and applications. it may leak
> information in the application.
> 
> this bug has been accepted and fixed in LIBPNG :
> http://sourceforge.net/p/libpng/bugs/241/

From the bug:

> I find an out of bound read bug in libpng 1.2.-1.2.53 and libpng 1.4..
> the details as follows: (in function png_convert_to_rfc1123 in png.c)
> 
> png_charp PNGAPI
> png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime)
> {
>    static PNG_CONST char short_months[12][4] =
>         {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
>          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
> ...
> 
>    png_snprintf6(png_ptr->time_buffer, 29, "%d %s %d %02d:%02d:%02d +0000",
>        ptime->day % 32, short_months[(ptime->month - 1) % 12],
>        ptime->year, ptime->hour % 24, ptime->minute % 60,
>        ptime->second % 61);
> ...

And...
> This bug exists in 1.2. and 1.4. , and is not in 1.6.*

function png_convert_to_rfc1123 in png.c

when ptime->month is 0 (which gains from tIME chunk data), the
short_months[(ptime->month - 1) % 12] will return the memory before
short_months

We'll take care of the bug by using "ptime->month - 1U" to ensure that
the "%" operation returns a value in the range 0..11

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7981
http://seclists.org/oss-sec/2015/q4/161
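
The index arithmetic described in the report, as an added example (not code from libpng or from the reporter): it computes the `short_months` index for a constructed tIME payload with month 0 under the original expression and under the `- 1U` change, without performing the out-of-bounds read. `time_fields`, `parse_time`, `index_before_fix`, `index_after_fix` and `month_name` are hypothetical names, and a 32-bit `unsigned int` is assumed.

```c
#include <stdio.h>

/* Constructed sample: 7-byte tIME payload, year 2015, month 0, day 26, 16:04:52. */
static const unsigned char sample_time[7] = {0x07, 0xDF, 0, 26, 16, 4, 52};

/* Hypothetical stand-in for libpng's png_time; fields are unsigned bytes. */
struct time_fields {
    unsigned short year;
    unsigned char month, day, hour, minute, second;
};

static struct time_fields parse_time(const unsigned char *p)
{
    struct time_fields t = {(unsigned short)((p[0] << 8) | p[1]),
                            p[2], p[3], p[4], p[5], p[6]};
    return t;
}

/* Pre-fix expression: month promotes to int, 0 - 1 is -1, and in C the
 * remainder keeps the dividend's sign, so the index is -1. */
static long index_before_fix(unsigned char month)
{
    return (month - 1) % 12;
}

/* With "month - 1U" the subtraction is unsigned and wraps to UINT_MAX,
 * so the remainder is always 0..11 (3 when unsigned int is 32 bits). */
static long index_after_fix(unsigned char month)
{
    return (long)((month - 1U) % 12);
}

/* Stricter option (an assumption, not the fix quoted above): reject the field. */
static const char *month_name(unsigned char month)
{
    static const char short_months[12][4] = {
        "Jan", "Feb", "Mar", "Apr", "May", "Jun",
        "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
    return (month >= 1 && month <= 12) ? short_months[month - 1] : NULL;
}

int main(void)
{
    struct time_fields t = parse_time(sample_time);
    printf("year=%u month=%u before=%ld after=%ld name=%s\n", t.year, t.month,
           index_before_fix(t.month), index_after_fix(t.month),
           month_name(t.month) ? month_name(t.month) : "(rejected)");
    return 0;
}
```

With the `- 1U` form, month 0 maps to index 3 ("Apr"): the read stays inside the table, but the formatted date is not meaningful for such input.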
Comment 2 Bernhard Wiedemann 2015-11-16 15:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (952051) was mentioned in
https://build.opensuse.org/request/show/344754 13.2 / libpng12
https://build.opensuse.org/request/show/344755 13.1 / libpng12
Comment 5 Swamp Workflow Management 2015-11-17 07:55:44 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-11-24.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62336
Comment 6 Swamp Workflow Management 2015-11-18 13:13:16 UTC
SUSE-SU-2015:2017-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 952051,954980
CVE References: CVE-2015-7981,CVE-2015-8126
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libpng12-0-1.2.31-5.35.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    libpng12-0-1.2.31-5.35.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    libpng12-0-1.2.31-5.35.1
SUSE Linux Enterprise Server 11-SP4 (src):    libpng12-0-1.2.31-5.35.1
SUSE Linux Enterprise Server 11-SP3 (src):    libpng12-0-1.2.31-5.35.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    libpng12-0-1.2.31-5.35.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    libpng12-0-1.2.31-5.35.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libpng12-0-1.2.31-5.35.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    libpng12-0-1.2.31-5.35.1
Comment 7 Swamp Workflow Management 2015-11-18 13:17:22 UTC
SUSE-SU-2015:2024-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 952051,954980
CVE References: CVE-2015-7981,CVE-2015-8126
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    libpng12-1.2.50-10.1
SUSE Linux Enterprise Server 12 (src):    libpng12-1.2.50-10.1
SUSE Linux Enterprise Desktop 12 (src):    libpng12-1.2.50-10.1
Comment 8 Swamp Workflow Management 2015-11-25 20:13:49 UTC
openSUSE-SU-2015:2099-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 952051,954980
CVE References: CVE-2015-7981,CVE-2015-8126
Sources used:
openSUSE 13.2 (src):    libpng12-1.2.51-3.3.1
openSUSE 13.1 (src):    libpng12-1.2.50-6.7.1
Comment 9 Swamp Workflow Management 2015-11-27 16:19:48 UTC
openSUSE-SU-2015:2136-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 952051,954980
CVE References: CVE-2015-7981,CVE-2015-8126
Sources used:
openSUSE Leap 42.1 (src):    libpng12-1.2.50-5.1
Comment 10 Sebastian Krahmer 2015-11-30 14:36:53 UTC
released
Comment 11 Swamp Workflow Management 2016-06-22 12:10:23 UTC
openSUSE-SU-2016:1652-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 952051,954980,984382
CVE References: CVE-2015-7981,CVE-2015-8126,CVE-2016-1514,CVE-2016-1515,CVE-2016-5108
Sources used:
openSUSE Leap 42.1 (src):    vlc-2.2.4-27.1