Security update for libpng12 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:0942-1 Final 1 1 2017-04-05T13:09:10Z current 2017-04-05T13:09:10Z 2017-04-05T13:09:10Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libpng12 This update for libpng12 fixes the following issues: Security issues fixed: - CVE-2015-8540: read underflow in libpng (bsc#958791) - CVE-2016-10087: NULL pointer dereference in png_set_text_2() (bsc#1017646) This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-04/msg00026.html E-Mail link for openSUSE-SU-2017:0942-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 openSUSE Leap 42.2 libpng12-1.2.50-10.3.1 libpng12-0-1.2.50-10.3.1 libpng12-0-32bit-1.2.50-10.3.1 libpng12-compat-devel-1.2.50-10.3.1 libpng12-compat-devel-32bit-1.2.50-10.3.1 libpng12-devel-1.2.50-10.3.1 libpng12-devel-32bit-1.2.50-10.3.1 libpng12-1.2.50-10.3.1 as a component of openSUSE Leap 42.1 libpng12-0-1.2.50-10.3.1 as a component of openSUSE Leap 42.1 libpng12-0-32bit-1.2.50-10.3.1 as a component of openSUSE Leap 42.1 libpng12-compat-devel-1.2.50-10.3.1 as a component of openSUSE Leap 42.1 libpng12-compat-devel-32bit-1.2.50-10.3.1 as a component of openSUSE Leap 42.1 libpng12-devel-1.2.50-10.3.1 as a component of openSUSE Leap 42.1 libpng12-devel-32bit-1.2.50-10.3.1 as a component of openSUSE Leap 42.1 libpng12-1.2.50-10.3.1 as a component of openSUSE Leap 42.2 libpng12-0-1.2.50-10.3.1 as a component of openSUSE Leap 42.2 libpng12-0-32bit-1.2.50-10.3.1 as a component of openSUSE Leap 42.2 libpng12-compat-devel-1.2.50-10.3.1 as a component of openSUSE Leap 42.2 libpng12-compat-devel-32bit-1.2.50-10.3.1 as a component of openSUSE Leap 42.2 libpng12-devel-1.2.50-10.3.1 as a component of openSUSE Leap 42.2 libpng12-devel-32bit-1.2.50-10.3.1 as a component of openSUSE Leap 42.2 Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image, which triggers an out-of-bounds read. CVE-2015-8540 openSUSE Leap 42.1:libpng12-0-1.2.50-10.3.1 openSUSE Leap 42.1:libpng12-0-32bit-1.2.50-10.3.1 openSUSE Leap 42.1:libpng12-1.2.50-10.3.1 openSUSE Leap 42.1:libpng12-compat-devel-1.2.50-10.3.1 openSUSE Leap 42.1:libpng12-compat-devel-32bit-1.2.50-10.3.1 openSUSE Leap 42.1:libpng12-devel-1.2.50-10.3.1 openSUSE Leap 42.1:libpng12-devel-32bit-1.2.50-10.3.1 openSUSE Leap 42.2:libpng12-0-1.2.50-10.3.1 openSUSE Leap 42.2:libpng12-0-32bit-1.2.50-10.3.1 openSUSE Leap 42.2:libpng12-1.2.50-10.3.1 openSUSE Leap 42.2:libpng12-compat-devel-1.2.50-10.3.1 openSUSE Leap 42.2:libpng12-compat-devel-32bit-1.2.50-10.3.1 openSUSE Leap 42.2:libpng12-devel-1.2.50-10.3.1 openSUSE Leap 42.2:libpng12-devel-32bit-1.2.50-10.3.1 moderate 4 AV:N/AC:H/Au:N/C:N/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-04/msg00026.html https://www.suse.com/security/cve/CVE-2015-8540.html CVE-2015-8540 https://bugzilla.suse.com/1149680 SUSE Bug 1149680 https://bugzilla.suse.com/958791 SUSE Bug 958791 https://bugzilla.suse.com/963937 SUSE Bug 963937 The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure. CVE-2016-10087 openSUSE Leap 42.1:libpng12-0-1.2.50-10.3.1 openSUSE Leap 42.1:libpng12-0-32bit-1.2.50-10.3.1 openSUSE Leap 42.1:libpng12-1.2.50-10.3.1 openSUSE Leap 42.1:libpng12-compat-devel-1.2.50-10.3.1 openSUSE Leap 42.1:libpng12-compat-devel-32bit-1.2.50-10.3.1 openSUSE Leap 42.1:libpng12-devel-1.2.50-10.3.1 openSUSE Leap 42.1:libpng12-devel-32bit-1.2.50-10.3.1 openSUSE Leap 42.2:libpng12-0-1.2.50-10.3.1 openSUSE Leap 42.2:libpng12-0-32bit-1.2.50-10.3.1 openSUSE Leap 42.2:libpng12-1.2.50-10.3.1 openSUSE Leap 42.2:libpng12-compat-devel-1.2.50-10.3.1 openSUSE Leap 42.2:libpng12-compat-devel-32bit-1.2.50-10.3.1 openSUSE Leap 42.2:libpng12-devel-1.2.50-10.3.1 openSUSE Leap 42.2:libpng12-devel-32bit-1.2.50-10.3.1 low 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-04/msg00026.html https://www.suse.com/security/cve/CVE-2016-10087.html CVE-2016-10087 https://bugzilla.suse.com/1017646 SUSE Bug 1017646 https://bugzilla.suse.com/1149680 SUSE Bug 1149680