touch-packages team mailing list archive
Message #118478
[Bug 1516651] Re: buffer overflows in libpng (CVE-2015-8126)
*** This bug is a duplicate of bug 1516592 ***
https://bugs.launchpad.net/bugs/1516592
** Information type changed from Private Security to Public Security
** This bug has been marked a duplicate of bug 1516592
Multiple buffer overflows
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libpng in Ubuntu.
https://bugs.launchpad.net/bugs/1516651
Title:
buffer overflows in libpng (CVE-2015-8126)
Status in libpng package in Ubuntu:
New
Bug description:
"Multiple buffer overflows in the (1) png_set_PLTE and (2)
png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before
1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x
before 1.6.19 allow remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via a
small bit-depth value in an IHDR (aka image header) chunk in a PNG
image."
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8126
http://www.openwall.com/lists/oss-security/2015/11/12/2
It seems that the used libpng versions are vulnerable to buffer
overflow (possibly even RCE) and I would recommend patching them.
If I got this wrong I apologize -- Relative Ubuntu newbie here. :)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libpng/+bug/1516651/+subscriptions
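
Added example, not part of the bug report or of libpng: a triage check for the input the CVE description refers to, flagging a PNG whose PLTE chunk has more entries than its IHDR bit depth allows. The limit of 2^bit_depth entries for paletted images comes from the PNG specification, not from this message; `sample_png` and its inputs are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
COLOR_TYPE_PALETTE = 3


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk; CRCs are not verified here."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG stream")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        (length,) = struct.unpack_from(">I", png, pos)
        end = pos + 8 + length
        if end + 4 > len(png):
            raise ValueError("truncated chunk")
        yield png[pos + 4:pos + 8], png[pos + 8:end]
        pos = end + 4


def palette_findings(png: bytes) -> list:
    """Return findings for PLTE chunks that disagree with the IHDR bit depth."""
    findings, bit_depth, color_type = [], None, None
    for ctype, data in iter_chunks(png):
        if ctype == b"IHDR":
            if len(data) != 13:
                raise ValueError("bad IHDR length")
            _w, _h, bit_depth, color_type = struct.unpack_from(">IIBB", data)
        elif ctype == b"PLTE":
            if bit_depth is None:
                findings.append("PLTE before IHDR")
                continue
            entries = len(data) // 3
            # Paletted images: at most 2^bit_depth entries; otherwise 256.
            limit = min(1 << bit_depth, 256) if color_type == COLOR_TYPE_PALETTE else 256
            if len(data) % 3 or entries > limit:
                findings.append(f"PLTE has {entries} entries, limit {limit} at bit depth {bit_depth}")
    return findings


def sample_png(bit_depth: int, entries: int) -> bytes:
    """Constructed header-only sample: 1x1 paletted IHDR, zeroed PLTE, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, bit_depth, COLOR_TYPE_PALETTE, 0, 0, 0)
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"PLTE", bytes(3 * entries)) + chunk(b"IEND", b"")
```

An empty result says only that the palette size is consistent with the header; whether the installed libpng is patched still has to be settled against the fixed versions listed in the bug description.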