Bugzilla – Bug 958791
VUL-1: CVE-2015-8540: libpng: read underflow in libpng
Last modified: 2022-02-13 11:07:51 UTC
From: xiaoqixue_1 <xiaoqixue_1@163.com>
Subject: [oss-security] CVE request - read underflow in libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25 (pngwutil.c)
Date: Thu, 10 Dec 2015 22:04:02 +0800 (CST)

There is an underflow read in png_check_keyword in pngwutil.c in libpng-1.2.54, which is found by XiaoQixue and ChenYu. If the data of "key" is only ' ' (0x20), it will read a byte before the buffer in line 1288. It also impacts libpng 1.2.55, 1.0.65, 1.4.18, and 1.5.25. The details are as follows:

https://sourceforge.net/p/libpng/bugs/244/

from mitre

This says the problem was on a "1288 while (kp == ' ')" line but that seems very confusing because that line doesn't appear to be present in libpng-1.2.54 or any other version. As far as we can tell, the unpatched code has

  while (*kp == ' ')

and the patched code has

  while (key_len && *kp == ' ')

See http://sourceforge.net/p/libpng/code/ci/d9006f683c641793252d92254a75ae9b815b42ed/

Use CVE-2015-8540. Any instance of "kp ==" instead of "*kp ==" would have been a different type of problem but we don't think that problem ever occurred.
bugbot adjusting priority
From: Glenn Randers-Pehrson
To: oss-security@lists.openwall.com

> unpatched code has
>
>   while (*kp == ' ')
>
> and the patched code has
>
>   while (key_len && *kp == ' ')
>

That's correct. The bug tracker at SourceForge has an unpleasant effect of removing asterisks, backticks, and whatnot from bug reports, thereby making the reports very confusing.
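The two loop conditions quoted in this thread, side by side, as an added C example that is not part of the bug report or of libpng's source. The names `strip_trailing`, `reads_below` and `GUARD`, the loop body, and the sample keys are assumptions made for illustration; a read below the buffer is counted rather than performed, and the example also covers keys of several spaces, beyond the single-space case reported.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GUARD 1   /* one byte in front of the key so key-1 is a valid pointer */

/* Model of the trailing-space loop. guarded == 0: while (*kp == ' ');
 * guarded != 0: while (key_len && *kp == ' '). The loop body is an
 * assumption, not copied from pngwutil.c. Returns the stripped length;
 * *below counts reads that would land below key[0]. */
static size_t strip_trailing(char *key, size_t key_len, int guarded, int *below)
{
    char *kp = key + key_len - 1;
    *below = 0;
    for (;;) {
        if (guarded && key_len == 0)
            break;                  /* patched: stop before touching *kp */
        if (kp < key) {
            (*below)++;             /* unpatched: *kp would be read here */
            break;
        }
        if (*kp != ' ')
            break;
        *kp-- = '\0';
        key_len--;
    }
    return key_len;
}

/* Copy a constructed key into a guarded arena and run the model on it. */
static int reads_below(const char *src, int guarded, size_t *out_len)
{
    char arena[GUARD + 80] = {0};
    int below;
    size_t n = strlen(src) > 79 ? 79 : strlen(src);
    memcpy(arena + GUARD, src, n);
    *out_len = strip_trailing(arena + GUARD, n, guarded, &below);
    return below;
}

int main(void)
{
    const char *keys[] = { " ", "   ", "Title  ", "Title" };  /* constructed */
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++) {
        size_t lu, lp;
        int u = reads_below(keys[i], 0, &lu), p = reads_below(keys[i], 1, &lp);
        printf("\"%s\": unpatched %d/%zu, patched %d/%zu\n", keys[i], u, lu, p, lp);
    }
    return 0;
}
```

Each output line shows reads-below-buffer and resulting length for the unpatched and patched conditions.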
From: Glenn Randers-Pehrson
To: oss-security@lists.openwall.com

The bug was introduced in libpng-0.90, was fixed in libpng-1.6.0, and will be fixed in libpng-1.0.66, 1.2.56, 1.4.19, and 1.5.26.
This is an autogenerated message for OBS integration: This bug (958791) was mentioned in https://build.opensuse.org/request/show/436518 13.2 / libpng12
Fixed in:
13.2/libpng12
12sp1/libpng15
12/libpng12
11/libpng12-0
10sp3/libpng

libpng16 is not affected.

openSUSE-SU-2016:2672-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 958791
CVE References: CVE-2015-8540
Sources used:
openSUSE 13.2 (src): libpng12-1.2.51-3.9.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2016-11-16. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63170
SUSE-SU-2017:0860-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1017646,958791
CVE References: CVE-2015-8540,CVE-2016-10087
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): libpng12-1.2.50-19.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): libpng12-1.2.50-19.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): libpng12-1.2.50-19.1
SUSE Linux Enterprise Server 12-SP2 (src): libpng12-1.2.50-19.1
SUSE Linux Enterprise Server 12-SP1 (src): libpng12-1.2.50-19.1
SUSE Linux Enterprise Desktop 12-SP2 (src): libpng12-1.2.50-19.1
SUSE Linux Enterprise Desktop 12-SP1 (src): libpng12-1.2.50-19.1

SUSE-SU-2017:0901-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1017646,958791
CVE References: CVE-2015-8540,CVE-2016-10087
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): libpng12-0-1.2.31-5.43.1
SUSE Linux Enterprise Server 11-SP4 (src): libpng12-0-1.2.31-5.43.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): libpng12-0-1.2.31-5.43.1

openSUSE-SU-2017:0942-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1017646,958791
CVE References: CVE-2015-8540,CVE-2016-10087
Sources used:
openSUSE Leap 42.2 (src): libpng12-1.2.50-10.3.1
openSUSE Leap 42.1 (src): libpng12-1.2.50-11.1

SUSE-SU-2017:0950-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1017646,958791
CVE References: CVE-2015-8540,CVE-2016-10087
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): libpng15-1.5.22-9.1
SUSE Linux Enterprise Server 12-SP2 (src): libpng15-1.5.22-9.1
SUSE Linux Enterprise Server 12-SP1 (src): libpng15-1.5.22-9.1
SUSE Linux Enterprise Desktop 12-SP2 (src): libpng15-1.5.22-9.1
SUSE Linux Enterprise Desktop 12-SP1 (src): libpng15-1.5.22-9.1

openSUSE-SU-2017:1037-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1017646,958791
CVE References: CVE-2015-8540,CVE-2016-10087
Sources used:
openSUSE Leap 42.2 (src): libpng15-1.5.22-5.3.1
openSUSE Leap 42.1 (src): libpng15-1.5.22-7.1
released