libpng1.6: CVE-2018-13785

Debian Bug report logs - #903430

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 9 Jul 2018 20:39:01 UTC

Severity: important

Tags: patch, security, upstream

Found in version libpng1.6/1.6.34-1

Fixed in version libpng1.6/1.6.34-2

Done: Gianfranco Costamagna <locutusofborg@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/libpng/bugs/278/



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#903430; Package src:libpng1.6. (Mon, 09 Jul 2018 20:39:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Anibal Monsalve Salazar <anibal@debian.org>. (Mon, 09 Jul 2018 20:39:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libpng1.6: CVE-2018-13785
Date: Mon, 09 Jul 2018 22:37:29 +0200
Source: libpng1.6
Version: 1.6.34-1
Severity: important
Tags: patch security upstream
Forwarded: https://sourceforge.net/p/libpng/bugs/278/

Hi,

The following vulnerability was published for libpng1.6.

CVE-2018-13785[0]:
| In libpng 1.6.34, a wrong calculation of row_factor in the
| png_check_chunk_length function (pngrutil.c) may trigger an integer
| overflow and resultant divide-by-zero while processing a crafted PNG
| file, leading to a denial of service.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-13785
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13785
[1] https://sourceforge.net/p/libpng/bugs/278/
[2] https://github.com/glennrp/libpng/commit/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
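The CVE text above describes a row_factor that wraps in 32-bit arithmetic and then ends in a divide-by-zero. The following C snippet is an added illustration of that bug class and is not libpng's code nor the referenced commit; the row_factor formula and the MODEL_UINT_32_MAX constant are assumptions chosen to model the pattern, showing the wrapping computation beside a widened, range-checked one.

```c
#include <stdint.h>

/* Added illustration of the CVE-2018-13785 bug class. NOT libpng's code:
 * the row_factor formula and the limit constant below are assumptions used
 * to model the pattern, not values taken from the library or this page. */

#define MODEL_UINT_32_MAX 0xffffffffULL   /* assumed 32-bit ceiling */

/* Vulnerable pattern: every operand is uint32_t, so the product is evaluated
 * in 32 bits and silently wraps; for some widths it wraps to exactly 0. */
uint32_t row_factor_wrapping(uint32_t width, uint32_t channels,
                             uint32_t bit_depth, uint32_t interlaced)
{
    return width * channels * (bit_depth > 8 ? 2u : 1u)
           + 1u + (interlaced ? 6u : 0u);
}

/* Hardened pattern: widen to 64 bits before multiplying so the true value
 * survives and can be range-checked instead of wrapping. */
uint64_t row_factor_wide(uint32_t width, uint32_t channels,
                         uint32_t bit_depth, uint32_t interlaced)
{
    return (uint64_t)width * channels * (bit_depth > 8 ? 2u : 1u)
           + 1u + (interlaced ? 6u : 0u);
}

/* Detection check: 1 when 32-bit evaluation disagrees with the true value. */
int row_factor_wraps(uint32_t width, uint32_t channels,
                     uint32_t bit_depth, uint32_t interlaced)
{
    return row_factor_wrapping(width, channels, bit_depth, interlaced)
           != row_factor_wide(width, channels, bit_depth, interlaced);
}

/* Model of the divide step the CVE says faults: derive an IDAT size limit
 * from height and row_factor. The wide row_factor is never 0 (it carries a
 * +1 term), so the division is safe and oversize images are clamped. */
uint64_t idat_limit_checked(uint32_t width, uint32_t height, uint32_t channels,
                            uint32_t bit_depth, uint32_t interlaced)
{
    uint64_t rf = row_factor_wide(width, channels, bit_depth, interlaced);
    if (height > MODEL_UINT_32_MAX / rf)        /* would exceed 32 bits */
        return MODEL_UINT_32_MAX;               /* clamp instead of wrap */
    return (uint64_t)height * rf;
}
```

A constructed header of width 0x55555555, 3 channels, 8-bit depth and no interlacing makes width*3+1 equal 2^32, which is 0 in the 32-bit version and 4294967296 in the widened one.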



Reply sent to Gianfranco Costamagna <locutusofborg@debian.org>:
You have taken responsibility. (Tue, 10 Jul 2018 11:39:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 10 Jul 2018 11:39:07 GMT)


Message #10 received at 903430-close@bugs.debian.org:

From: Gianfranco Costamagna <locutusofborg@debian.org>
To: 903430-close@bugs.debian.org
Subject: Bug#903430: fixed in libpng1.6 1.6.34-2
Date: Tue, 10 Jul 2018 11:35:15 +0000
Source: libpng1.6
Source-Version: 1.6.34-2

We believe that the bug you reported is fixed in the latest version of
libpng1.6, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 903430@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gianfranco Costamagna <locutusofborg@debian.org> (supplier of updated libpng1.6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 10 Jul 2018 13:17:30 +0200
Source: libpng1.6
Binary: libpng16-16 libpng-dev libpng-tools libpng16-16-udeb
Architecture: source
Version: 1.6.34-2
Distribution: unstable
Urgency: medium
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Gianfranco Costamagna <locutusofborg@debian.org>
Description:
 libpng-dev - PNG library - development (version 1.6)
 libpng-tools - PNG library - tools (version 1.6)
 libpng16-16 - PNG library - runtime (version 1.6)
 libpng16-16-udeb - PNG library - minimal runtime library (version 1.6) (udeb)
Closes: 903430
Changes:
 libpng1.6 (1.6.34-2) unstable; urgency=medium
 .
   [ Salvatore Bonaccorso ]
   * debian/patches/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2.patch:
     Closes: #903430
     CVE-2018-13785
 .
   [ Gianfranco Costamagna ]
   * Upload to unstable
   * Switch VCS fields to salsa.d.o
   * Bump std-version to 4.1.5, no changes required
   * Switch copyright in https mode




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 08 Aug 2018 07:35:39 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:18:09 2019; Machine Name: buxtehude
