Bugzilla – Bug 1121624
VUL-1: CVE-2019-6129: libpng,libpng12,libpng15,libpng12-0,libpng16: png_create_info_struct in png.c in libpng has a memory leak
Last modified: 2024-03-07 13:30:02 UTC
png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6129
https://github.com/glennrp/libpng/issues/269
$ pngcp libpng_poc /dev/null
libpng_poc: error(libpng): read: Not a PNG file

=================================================================
==30270==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 360 byte(s) in 1 object(s) allocated from:
    #0 0x7f07e0ecced0 in malloc (/usr/lib64/libasan.so.5+0xebed0)
    #1 0x7f07e1d3c23f in png_malloc_base /usr/src/debug/libpng16-1.6.36-0.x86_64/pngmem.c:95
    #2 0x7f07e1d24d55 in png_create_info_struct /usr/src/debug/libpng16-1.6.36-0.x86_64/png.c:368
    #3 0x55806e30a07b in read_png contrib/tools/pngcp.c:1775
    #4 0x55806e30d0b1 in cp_one_file contrib/tools/pngcp.c:2180
    #5 0x55806e30dba4 in cppng contrib/tools/pngcp.c:2288
    #6 0x55806e30e081 in main contrib/tools/pngcp.c:2351
    #7 0x7f07e0a43fea in __libc_start_main (/lib64/libc.so.6+0x22fea)

SUMMARY: AddressSanitizer: 360 byte(s) leaked in 1 allocation(s).
$

Yes, pngcp does not call png_destroy_info_struct() in the error case. I think this is not a security issue at all.

In any case, we do not ship pngcp at all.
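The triage reasoning in the comment above (the allocation happens inside libpng, but the pointer is leaked by its caller in pngcp) can be read mechanically from the LeakSanitizer trace. The following is an added example, not part of the original report or of libpng; the marker and prefix lists and the function names are assumptions chosen for this trace.

```python
import re

# LeakSanitizer stack copied from the report quoted in this bug.
REPORT = """\
Direct leak of 360 byte(s) in 1 object(s) allocated from:
    #0 0x7f07e0ecced0 in malloc (/usr/lib64/libasan.so.5+0xebed0)
    #1 0x7f07e1d3c23f in png_malloc_base /usr/src/debug/libpng16-1.6.36-0.x86_64/pngmem.c:95
    #2 0x7f07e1d24d55 in png_create_info_struct /usr/src/debug/libpng16-1.6.36-0.x86_64/png.c:368
    #3 0x55806e30a07b in read_png contrib/tools/pngcp.c:1775
    #4 0x55806e30d0b1 in cp_one_file contrib/tools/pngcp.c:2180
    #5 0x55806e30dba4 in cppng contrib/tools/pngcp.c:2288
    #6 0x55806e30e081 in main contrib/tools/pngcp.c:2351
    #7 0x7f07e0a43fea in __libc_start_main (/lib64/libc.so.6+0x22fea)
"""

LEAK_RE = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (.+)$")

# Assumption: substrings that mark the sanitizer runtime and the library's own sources.
LIBRARY_MARKERS = ("libasan.so", "/usr/src/debug/libpng16-")
# Assumption: source prefixes of upstream tools that are not packaged.
UNSHIPPED_PREFIXES = ("contrib/tools/",)

def parse_leaks(report):
    """Return one dict per leak record, each with its (function, location) frames."""
    leaks = []
    for line in report.splitlines():
        m = LEAK_RE.match(line)
        if m:
            leaks.append({"kind": m.group(1), "bytes": int(m.group(2)),
                          "objects": int(m.group(3)), "frames": []})
            continue
        m = FRAME_RE.match(line)
        if m and leaks:
            leaks[-1]["frames"].append((m.group(2), m.group(3)))
    return leaks

def owner_frame(leak):
    """Heuristic: the first frame outside allocator and library is the caller that got the pointer."""
    for func, location in leak["frames"]:
        if not any(marker in location for marker in LIBRARY_MARKERS):
            return func, location
    return None

def triage(leak):
    owner = owner_frame(leak)
    if owner is None:
        return "library-internal"  # no caller frame: the library itself dropped the pointer
    shipped = not owner[1].startswith(UNSHIPPED_PREFIXES)
    return "caller-leak-shipped" if shipped else "caller-leak-unshipped"
```

For the trace in this bug, the owner frame is read_png in contrib/tools/pngcp.c, so the record is classified as a caller leak in an unshipped tool.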
SUSE-SU-2019:1398-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (low)
Bug References: 1100687,1121624,1124211
CVE References: CVE-2018-13785,CVE-2019-7317
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): libpng16-1.6.34-3.9.1
SUSE Linux Enterprise Module for Basesystem 15 (src): libpng16-1.6.34-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1530-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (low)
Bug References: 1100687,1121624,1124211
CVE References: CVE-2018-13785,CVE-2019-7317
Sources used:
openSUSE Leap 15.1 (src): libpng16-1.6.34-lp151.3.3.1
openSUSE Leap 15.0 (src): libpng16-1.6.34-lp150.2.3.1
SUSE-SU-2019:1398-2: An update that solves two vulnerabilities and has one errata is now available.

Category: security (low)
Bug References: 1100687,1121624,1124211
CVE References: CVE-2018-13785,CVE-2019-7317
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): libpng16-1.6.34-3.9.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): libpng16-1.6.34-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration:
This bug (1121624) was mentioned in
https://build.opensuse.org/request/show/1138083 Factory / libpng16