Bug #1516592 “CVE-2015-8126: Multiple buffer overflows” : Bugs : libpng package : Ubuntu

Seth Arnold (seth-arnold) on 2015-11-16

information type:	Private Security → Public Security
Changed in libpng (Ubuntu):
status:	New → Triaged

Revision history for this message

Andrew Starr-Bochicchio (andrewsomething) wrote on 2015-11-18:

#1

For libpng12, it looks like these are the needed commits:

https://github.com/glennrp/libpng/commit/216dbf7f7eef5d999f2e3ba054407917098e9f85
https://github.com/glennrp/libpng/commit/3939689e7d9d06ee05411210bc8e605adcff294e
https://github.com/glennrp/libpng/commit/475bab6170f651b9863e9fc1b8ffd6cd89a45aa0

Andrew Starr-Bochicchio (andrewsomething) on 2015-11-19

summary:

- Multiple buffer overflows
+ CVE-2015-8126: Multiple buffer overflows

Revision history for this message

Andrew Starr-Bochicchio (andrewsomething) wrote on 2015-11-19:

#2

libpng_1.2.51-0ubuntu4.debdiff Edit (5.4 KiB, text/plain)

Debdiff for xenial incorporating the above upstream commits. Successfully builds in a clean xenial pbuilder.

Revision history for this message

Andrew Starr-Bochicchio (andrewsomething) wrote on 2015-11-19:

#3

libpng_1.2.51-0ubuntu3.15.10.1.debdiff Edit (5.5 KiB, text/plain)

debdiff for 15.10 security update

Revision history for this message

Andrew Starr-Bochicchio (andrewsomething) wrote on 2015-11-19:

#4

libpng_1.2.51-0ubuntu3.15.04.1.debdiff Edit (5.5 KiB, text/plain)

debdiff for 15.04 security update

Revision history for this message

Andrew Starr-Bochicchio (andrewsomething) wrote on 2015-11-19:

#5

libpng_1.2.50-1ubuntu2.14.04.1.debdiff Edit (5.6 KiB, text/plain)

debdiff for 14.04 security update

Revision history for this message

Andrew Starr-Bochicchio (andrewsomething) wrote on 2015-11-19:

#6

All of the above have been test build successfully with pbuilder for their respective releases. There doesn't seem to be any public POC yet...

Mathew Hodson (mhodson) on 2015-11-19

Changed in libpng (Ubuntu):
importance:	Undecided → High
Changed in libpng (Ubuntu Trusty):
importance:	Undecided → High
Changed in libpng (Ubuntu Vivid):
importance:	Undecided → High
Changed in libpng (Ubuntu Wily):
importance:	Undecided → High
tags:	added: patch

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2015-11-19:

#7

Thanks for the debdiffs, building now for a security update!

Revision history for this message

Launchpad Janitor (janitor) wrote on 2015-11-19:

#8

This bug was fixed in the package libpng - 1.2.50-1ubuntu2.14.04.1

---------------
libpng (1.2.50-1ubuntu2.14.04.1) trusty-security; urgency=medium

  [ Andrew Starr-Bochicchio ]
  * SECURITY UPDATE: Multiple buffer overflows in the (1) png_set_PLTE
    and (2) png_get_PLTE (LP: #1516592).
    - debian/patches/CVE-2015-8126.diff: Prevent writing over-length
      PLTE chunk and silently truncate over-length PLTE chunk while reading.
      Backported from upstream patch.
    - CVE-2015-8126

  [ Marc Deslauriers ]
  * SECURITY UPDATE: out of bounds read in png_set_tIME
    - debian/patches/CVE-2015-7981.patch: check bounds in png.c and
      pngset.c.
    - CVE-2015-7981

-- Marc Deslauriers <email address hidden> Thu, 19 Nov 2015 08:02:50 -0500

Changed in libpng (Ubuntu Trusty):
status:	New → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2015-11-19:

#9

This bug was fixed in the package libpng - 1.2.51-0ubuntu3.15.10.1

---------------
libpng (1.2.51-0ubuntu3.15.10.1) wily-security; urgency=medium

  [ Andrew Starr-Bochicchio ]
  * SECURITY UPDATE: Multiple buffer overflows in the (1) png_set_PLTE
    and (2) png_get_PLTE (LP: #1516592).
    - debian/patches/CVE-2015-8126.diff: Prevent writing over-length
      PLTE chunk and silently truncate over-length PLTE chunk while reading.
      Backported from upstream patch.
    - CVE-2015-8126

  [ Marc Deslauriers ]
  * SECURITY UPDATE: out of bounds read in png_set_tIME
    - debian/patches/CVE-2015-7981.patch: check bounds in png.c and
      pngset.c.
    - CVE-2015-7981

-- Marc Deslauriers <email address hidden> Thu, 19 Nov 2015 07:56:29 -0500

Changed in libpng (Ubuntu Wily):
status:	New → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2015-11-19:

#10

This bug was fixed in the package libpng - 1.2.51-0ubuntu3.15.04.1

---------------
libpng (1.2.51-0ubuntu3.15.04.1) vivid-security; urgency=medium

  [ Andrew Starr-Bochicchio ]
  * SECURITY UPDATE: Multiple buffer overflows in the (1) png_set_PLTE
    and (2) png_get_PLTE (LP: #1516592).
    - debian/patches/CVE-2015-8126.diff: Prevent writing over-length
      PLTE chunk and silently truncate over-length PLTE chunk while reading.
      Backported from upstream patch.
    - CVE-2015-8126

  [ Marc Deslauriers ]
  * SECURITY UPDATE: out of bounds read in png_set_tIME
    - debian/patches/CVE-2015-7981.patch: check bounds in png.c and
      pngset.c.
    - CVE-2015-7981

-- Marc Deslauriers <email address hidden> Thu, 19 Nov 2015 07:59:38 -0500

Changed in libpng (Ubuntu Vivid):
status:	New → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2015-11-19:

#11

This bug was fixed in the package libpng - 1.2.46-3ubuntu4.1

---------------
libpng (1.2.46-3ubuntu4.1) precise-security; urgency=medium

  [ Andrew Starr-Bochicchio ]
  * SECURITY UPDATE: Multiple buffer overflows in the (1) png_set_PLTE
    and (2) png_get_PLTE (LP: #1516592).
    - debian/patches/CVE-2015-8126.diff: Prevent writing over-length
      PLTE chunk and silently truncate over-length PLTE chunk while reading.
      Backported from upstream patch.
    - CVE-2015-8126

  [ Marc Deslauriers ]
  * SECURITY UPDATE: out of bounds read in png_set_tIME
    - debian/patches/CVE-2015-7981.patch: check bounds in png.c and
      pngset.c.
    - CVE-2015-7981
  * SECURITY UPDATE: out of bounds read in png_push_read_zTXt
    - debian/patches/CVE-2012-3425.patch: check for truncated chunk in
      pngpread.c.
    - CVE-2012-3425

-- Marc Deslauriers <email address hidden> Thu, 19 Nov 2015 08:05:59 -0500

Changed in libpng (Ubuntu Precise):
status:	New → Fix Released

Marc Deslauriers (mdeslaur) on 2015-11-19

Changed in libpng (Ubuntu):
status:	Triaged → Fix Released

Revision history for this message

Andrew Starr-Bochicchio (andrewsomething) wrote on 2015-11-19:

#12

Thanks Marc!

Mathew Hodson (mhodson) on 2015-11-19

Changed in libpng (Ubuntu Precise):
importance:	Undecided → High

Ubuntu
libpng package

CVE-2015-8126: Multiple buffer overflows

Bug Description

CVE References

Duplicates of this bug

Other bug subscribers

Patches

Remote bug watches

	Status	Importance	Assigned to
libpng (Ubuntu)	Fix Released	High	Unassigned
Precise	Fix Released	High	Unassigned
Trusty	Fix Released	High	Unassigned
Vivid	Fix Released	High	Unassigned
Wily	Fix Released	High	Unassigned

Ubuntulibpng package

CVE-2015-8126: Multiple buffer overflows

Bug Description

CVE References

Duplicates of this bug

Other bug subscribers

Patches

Remote bug watches

Ubuntu
libpng package