id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
7297,libpng-1.6.20,Fernando de Oliveira,Fernando de Oliveira,"== Security Release ==

[http://sourceforge.net/p/png-mng/mailman/message/34667265/]

'''These are security releases The fix for CVE-8126 was incomplete in the previous versions.'''

[https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8126]

{{{
Vulnerability Summary for CVE-2015-8126
Original release date: 11/12/2015
Last revised: 11/12/2015
Source: US-CERT/NIST

This vulnerability is currently undergoing analysis and not all information is available. Please check back soon to view the completed vulnerability summary.

Overview
Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.20 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.
}}}

There is a '''regression''' in the test suite (see at the end, below).

[http://downloads.sourceforge.net/libpng/libpng-1.6.20.tar.xz]

[http://downloads.sourceforge.net/libpng/libpng-1.6.20.tar.xz.asc]

[http://downloads.sourceforge.net/libpng-apng/libpng-1.6.20-apng.patch.gz]

[http://sourceforge.net/p/png-mng/mailman/message/34667265/]

{{{
[png-mng-implement] libpng-1.6.20, 1.5.25, 1.4.18, 1.2.55, and 1.0.65 are available
From: Glenn Randers-Pehrson - 2015-12-03 14:21:33
Attachments: Message as HTML

libpng-1.6.20, 1.5.25, 1.4.18, 1.2.55, and 1.0.65 are available from
ftp://ftp.simplesystems.org/pub/png/src/ and from http://libpng.sf.net

These are security releases
The fix for CVE-8126 was incomplete in the previous versions.

Glenn Randers-Pehrson
libpng custodian

...

Changes since the last public release (1.6.19):

  • Avoid potential pointer overflow/underflow in png_handle_sPLT() and png_handle_pCAL() (Bug report by John Regehr).
  • Fixed incorrect implementation of png_set_PLTE() that uses png_ptr not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126 vulnerability.
  • Backported tests from libpng-1.7.0beta69.
  • Fixed an error in handling of bad zlib CMINFO field in pngfix, found by American Fuzzy Lop, reported by Brian Carpenter. inflate() doesn't immediately fault a bad CMINFO field; instead a 'too far back' error happens later (at least some times). pngfix failed to limit CMINFO to the allowed values but then assumed that window_bits was in range, triggering an assert. The bug is mostly harmless; the PNG file cannot be fixed.
  • In libpng 1.6 zlib initialization was changed to use the window size in the zlib stream, not a fixed value. This causes some invalid images, where CINFO is too large, to display 'correctly' if the rest of the data is valid. This provides a workaround for zlib versions where the error arises (ones that support the API change to use the window size in the stream).
}}}

[http://downloads.sourceforge.net/libpng/libpng-1.6.20-README.txt]

{{{
Libpng 1.6.20 - December 3, 2015

This is a public release of libpng, intended for use in production codes.

Changes since the last public release (1.6.19):

  • Avoid potential pointer overflow/underflow in png_handle_sPLT() and png_handle_pCAL() (Bug report by John Regehr).
  • Fixed incorrect implementation of png_set_PLTE() that uses png_ptr not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126 vulnerability.
  • Backported tests from libpng-1.7.0beta69.
  • Fixed an error in handling of bad zlib CMINFO field in pngfix, found by American Fuzzy Lop, reported by Brian Carpenter. inflate() doesn't immediately fault a bad CMINFO field; instead a 'too far back' error happens later (at least some times). pngfix failed to limit CMINFO to the allowed values but then assumed that window_bits was in range, triggering an assert. The bug is mostly harmless; the PNG file cannot be fixed.
  • In libpng 1.6 zlib initialization was changed to use the window size in the zlib stream, not a fixed value. This causes some invalid images, where CINFO is too large, to display 'correctly' if the rest of the data is valid. This provides a workaround for zlib versions where the error arises (ones that support the API change to use the window size in the stream).

Glenn R-P
}}}

[http://downloads.sourceforge.net/libpng-apng/libpng-1.6.20-apng.patch.README.txt]

{{{
Updated to libpng-1.6.20 codebase
}}}

[http://sourceforge.net/p/png-mng/mailman/message/34680313/]

{{{
[png-mng-implement] Test regression between 1.6.19 and 1.6.20 on sparc64
From: Antoine Brodin - 2015-12-08 07:26:09

Hi,

We see a regression between version 1.6.19 and version 1.6.20 on FreeBSD/Sparc64 (big endian):
With version 1.6.19 all tests were succeeding.
With version 1.6.20:

============================================================================
Testsuite summary for libpng 1.6.20
============================================================================
# TOTAL: 32
# PASS:  31
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0

FAIL: tests/pngvalid-transform
==============================

pngvalid: read: truecolour with alpha 8 bit: transform: +rgb_to_gray^0.34483[overridden]: rgb_to_gray error 0.166824 exceeds limit 0.165976
pngvalid: 1 errors, 0 warnings
FAIL: pngvalid --strict --transform (floating point arithmetic)
FAIL tests/pngvalid-transform (exit status: 1)

Cheers,

Antoine
}}}",enhancement,closed,high,7.9,BOOK,SVN,normal,fixed,,
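The advisory quoted in the ticket describes the bug as a palette (PLTE) that holds more entries than a small IHDR bit depth can index, and the 1.6.20 changelog says the earlier fix compared against the wrong structure (png_ptr instead of info_ptr). The following is an added, stand-alone C example, not libpng code and not from the ticket: it walks a raw PNG chunk stream, takes the bit depth from IHDR, and rejects any PLTE whose entry count exceeds 1 << bit_depth (for depths below 8) or 256. The exact form of libpng's internal check is assumed, not copied; the sample inputs are constructed here with zeroed CRC fields because the checker deliberately does not verify CRCs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes returned by validate_plte_against_ihdr(). */
enum plte_result {
    PLTE_OK = 0,
    PLTE_ERR_SIGNATURE = -1,        /* not a PNG stream */
    PLTE_ERR_TRUNCATED = -2,        /* chunk data runs past the buffer */
    PLTE_ERR_NO_IHDR = -3,          /* PLTE before IHDR, or no IHDR at all */
    PLTE_ERR_BAD_DEPTH = -4,        /* IHDR bit depth not 1, 2, 4, 8 or 16 */
    PLTE_ERR_BAD_LENGTH = -5,       /* PLTE length zero or not a multiple of 3 */
    PLTE_ERR_TOO_MANY_ENTRIES = -6  /* more entries than the bit depth can index */
};

static const uint8_t png_sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};

static uint32_t get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* One pass over the chunk list: remember the IHDR bit depth, then reject any
 * PLTE with more entries than a sample of that depth can index (1 << depth for
 * depths below 8, 256 otherwise). CRCs are not checked: the point is the
 * palette bound, not stream integrity. Assumed to mirror libpng's bound. */
int validate_plte_against_ihdr(const uint8_t *buf, size_t len)
{
    size_t off = 8;
    int have_ihdr = 0;
    unsigned bit_depth = 0;

    if (len < 8 || memcmp(buf, png_sig, 8) != 0)
        return PLTE_ERR_SIGNATURE;

    while (off + 12 <= len) {                 /* length(4) + type(4) + crc(4) */
        uint32_t clen = get32(buf + off);
        const uint8_t *type = buf + off + 4;
        const uint8_t *data = buf + off + 8;

        if (clen > len - off - 12)            /* no underflow: off + 12 <= len */
            return PLTE_ERR_TRUNCATED;

        if (memcmp(type, "IHDR", 4) == 0) {
            if (clen != 13)
                return PLTE_ERR_TRUNCATED;
            bit_depth = data[8];              /* width(4) height(4) depth(1) ... */
            if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
                bit_depth != 8 && bit_depth != 16)
                return PLTE_ERR_BAD_DEPTH;
            have_ihdr = 1;
        } else if (memcmp(type, "PLTE", 4) == 0) {
            uint32_t entries;
            if (!have_ihdr)
                return PLTE_ERR_NO_IHDR;
            if (clen == 0 || clen % 3 != 0)
                return PLTE_ERR_BAD_LENGTH;
            entries = clen / 3;
            if (entries > 256 || (bit_depth < 8 && entries > (1u << bit_depth)))
                return PLTE_ERR_TOO_MANY_ENTRIES;
        } else if (memcmp(type, "IEND", 4) == 0) {
            break;
        }
        off += 12 + clen;
    }
    return have_ihdr ? PLTE_OK : PLTE_ERR_NO_IHDR;
}

/* Constructed input: signature + IHDR (1x1, colour type 3, given depth) + PLTE
 * with the given entry count. CRC fields are left zero because the checker
 * ignores them; a real encoder must fill them in. Returns bytes written. */
size_t build_sample(uint8_t *out, uint8_t bit_depth, uint32_t entries)
{
    uint8_t ihdr[13] = {0, 0, 0, 1, 0, 0, 0, 1, bit_depth, 3, 0, 0, 0};
    uint32_t plen = entries * 3, i;
    size_t off = 0;

    memcpy(out, png_sig, 8);          off += 8;
    put32(out + off, 13);             off += 4;
    memcpy(out + off, "IHDR", 4);     off += 4;
    memcpy(out + off, ihdr, 13);      off += 13;
    memset(out + off, 0, 4);          off += 4;      /* CRC placeholder */
    put32(out + off, plen);           off += 4;
    memcpy(out + off, "PLTE", 4);     off += 4;
    for (i = 0; i < plen; i++)
        out[off + i] = (uint8_t)i;
    off += plen;
    memset(out + off, 0, 4);          off += 4;      /* CRC placeholder */
    return off;
}

/* Build one constructed sample and run the check on it. */
int check_sample(uint8_t bit_depth, uint32_t entries)
{
    uint8_t buf[1024];                /* 8 + 25 + 12 + 3*257 fits comfortably */
    size_t n = build_sample(buf, bit_depth, entries);
    return validate_plte_against_ihdr(buf, n);
}

int main(void)
{
    printf("1-bit depth, 2 entries:   %d\n", check_sample(1, 2));
    printf("1-bit depth, 4 entries:   %d\n", check_sample(1, 4));
    printf("8-bit depth, 256 entries: %d\n", check_sample(8, 256));
    return 0;
}
```

The 1-bit/4-entry case is the shape the advisory describes: a legal-looking PLTE that a 1-bit sample can never address. Note that the check keys off the IHDR actually present in the stream, which is the reader-side analogue of the changelog's point that the writer-side png_set_PLTE() must compare against the bit depth stored in info_ptr rather than whatever png_ptr happens to hold.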