First published: Wed Dec 09 2015
The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files.

It was discovered that the png_get_PLTE() and png_set_PLTE() functions of libpng did not correctly calculate the maximum palette size for bit depths of less than 8: a palette image with bit depth N can address at most 2^N entries, but libpng bounded the palette only by its fixed 256-entry maximum. If an application used these functions with a palette buffer sized correctly for the image's bit depth, libpng could copy more entries into, or read more entries out of, that buffer than it held, leading to a buffer overflow or out-of-bounds reads. An attacker could exploit this to cause a crash or potentially execute arbitrary code by tricking an unsuspecting user into processing a specially crafted PNG image. The exact impact depends on the application using the library. (CVE-2015-8126, CVE-2015-8472; the second identifier covers the incomplete initial upstream fix for the first.)

All libpng users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
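The following is an added example, not libpng's own code or the Red Hat patch. It models the two palette bounds described above (the pre-fix fixed maximum of 256 entries and the corrected bound of 1 << bit_depth for palette images) and walks a constructed PNG byte string whose IHDR declares bit depth 2 but whose PLTE carries 8 entries, so the reader can see which bound accepts it. The chunk walker, the function names and the sample bytes are all assumptions made for the example; CRC fields in the sample are left zero because the walker does not verify them.

```c
/* Added example: models libpng's pre-fix and corrected palette bounds and
 * applies them to a constructed PNG stream. Not libpng code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PNG_MAX_PALETTE_LENGTH 256   /* libpng's fixed palette ceiling */
#define PNG_COLOR_TYPE_PALETTE 3

/* Pre-fix bound: only the fixed maximum is enforced, whatever the bit depth.
 * An application that allocated 1 << bit_depth entries (4 for a 2-bit image)
 * could then have up to 256 entries copied into or read out of that buffer. */
static int palette_ok_prefix(int bit_depth, int color_type, int num_palette)
{
    (void)bit_depth; (void)color_type;
    return num_palette >= 0 && num_palette <= PNG_MAX_PALETTE_LENGTH;
}

/* Corrected bound: a palette image with bit depth < 8 can index at most
 * 1 << bit_depth entries; other colour types keep the fixed maximum. */
static int max_palette_length(int bit_depth, int color_type)
{
    if (color_type == PNG_COLOR_TYPE_PALETTE && bit_depth < 8)
        return 1 << bit_depth;
    return PNG_MAX_PALETTE_LENGTH;
}

static int palette_ok_fixed(int bit_depth, int color_type, int num_palette)
{
    return num_palette >= 0 &&
           num_palette <= max_palette_length(bit_depth, color_type);
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Walks the chunk stream, records IHDR's bit depth and colour type, and
 * evaluates the PLTE entry count with the supplied checker (hypothetical
 * helper). Returns 1 if the palette passes, 0 if rejected, -1 if the stream
 * is malformed (bad signature, truncated chunk, PLTE before IHDR, PLTE
 * length not a multiple of 3, or no PLTE at all). CRCs are not checked. */
static int check_png_palette(const uint8_t *buf, size_t len,
                             int (*ok)(int, int, int))
{
    static const uint8_t sig[8] = {0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a};
    size_t pos = 8;
    int bit_depth = -1, color_type = -1;
    if (len < 8 || memcmp(buf, sig, 8) != 0) return -1;
    while (pos + 12 <= len) {                       /* len + type + crc */
        uint32_t clen = be32(buf + pos);
        const uint8_t *type = buf + pos + 4;
        const uint8_t *data = buf + pos + 8;
        if (clen > len - pos - 12) return -1;       /* truncated chunk */
        if (memcmp(type, "IHDR", 4) == 0) {
            if (clen != 13) return -1;
            bit_depth = data[8];                    /* after width, height */
            color_type = data[9];
        } else if (memcmp(type, "PLTE", 4) == 0) {
            if (bit_depth < 0 || clen % 3 != 0) return -1;
            return ok(bit_depth, color_type, (int)(clen / 3));
        }
        pos += 12 + clen;
    }
    return -1;
}

/* Constructed sample (assumption, not a real file): 1x1 image, bit depth 2,
 * colour type 3, then a PLTE with 8 entries where only 4 are addressable. */
static const uint8_t sample_png[] = {
    0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a,
    0,0,0,13, 'I','H','D','R',
      0,0,0,1, 0,0,0,1, 2, 3, 0, 0, 0,
      0,0,0,0,
    0,0,0,24, 'P','L','T','E',
      0,0,0, 255,255,255, 255,0,0, 0,255,0,
      0,0,255, 255,255,0, 0,255,255, 255,0,255,
      0,0,0,0,
};

int sample_passes_prefix(void)
{ return check_png_palette(sample_png, sizeof sample_png, palette_ok_prefix); }

int sample_passes_fixed(void)
{ return check_png_palette(sample_png, sizeof sample_png, palette_ok_fixed); }

int main(void)
{
    printf("pre-fix bound accepts 8 entries at bit depth 2: %d\n",
           sample_passes_prefix());
    printf("corrected bound accepts them: %d\n", sample_passes_fixed());
    return 0;
}
```

The pre-fix checker accepts the 8-entry palette because 8 is below 256, so an application holding a 4-entry buffer would be overrun; the corrected checker rejects it at the chunk boundary, before any copy happens. Note that rejecting the palette is libpng's job only as far as its own API contract goes: the advisory's point that impact depends on the calling application still stands, since applications that size palette buffers themselves must also respect the 1 << bit_depth limit.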
Affected software (Red Hat Enterprise Linux 7.2) | Affected version | Fixed version |
---|---|---|
redhat/libpng | <1.5.13-7.el7_2 | 1.5.13-7.el7_2 |
redhat/libpng-debuginfo | <1.5.13-7.el7_2 | 1.5.13-7.el7_2 |
redhat/libpng-devel | <1.5.13-7.el7_2 | 1.5.13-7.el7_2 |
redhat/libpng-static | <1.5.13-7.el7_2 | 1.5.13-7.el7_2 |