RHSA-2015:2596: Moderate: libpng security update

First published: Wed Dec 09 2015(Updated: )

The libpng packages contain a library of functions for creating and<br>manipulating PNG (Portable Network Graphics) image format files.<br>It was discovered that the png_get_PLTE() and png_set_PLTE() functions of<br>libpng did not correctly calculate the maximum palette sizes for bit depths<br>of less than 8. In case an application tried to use these functions in<br>combination with properly calculated palette sizes, this could lead to a<br>buffer overflow or out-of-bounds reads. An attacker could exploit this to<br>cause a crash or potentially execute arbitrary code by tricking an<br>unsuspecting user into processing a specially crafted PNG image. However,<br>the exact impact is dependent on the application using the library.<br>(CVE-2015-8126, CVE-2015-8472)<br>All libpng users are advised to upgrade to these updated packages, which<br>contain a backported patch to correct this issue.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/redhat-errata
• anchor-id/RHSA-2015:2596
• agent/description
• agent/event
• agent/first-publish-date
• agent/last-modified-date
• agent/references
• agent/remedy
• agent/severity
• agent/tags
• agent/title
• agent/type
• agent/weakness
• package-manager/redhat