libpng1.6: CVE-2016-10087: NULL pointer dereference in png_set_text_2()

Debian Bug report logs - #849799

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 31 Dec 2016 07:15:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version libpng1.6/1.6.26-6

Fixed in version libpng1.6/1.6.27-1

Done: Gianfranco Costamagna <locutusofborg@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#849799; Package src:libpng1.6. (Sat, 31 Dec 2016 07:15:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Anibal Monsalve Salazar <anibal@debian.org>. (Sat, 31 Dec 2016 07:15:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libpng1.6: CVE-2016-10087: NULL pointer dereference in png_set_text_2()
Date: Sat, 31 Dec 2016 08:11:25 +0100
Source: libpng1.6
Version: 1.6.26-6
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for libpng1.6.

CVE-2016-10087[0]:
NULL pointer dereference

Upstream commits referenced in security-tracker.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10087
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10087

Regards,
Salvatore



Reply sent to Gianfranco Costamagna <locutusofborg@debian.org>:
You have taken responsibility. (Sat, 31 Dec 2016 09:09:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 31 Dec 2016 09:09:09 GMT)


Message #10 received at 849799-close@bugs.debian.org:

From: Gianfranco Costamagna <locutusofborg@debian.org>
To: 849799-close@bugs.debian.org
Subject: Bug#849799: fixed in libpng1.6 1.6.27-1
Date: Sat, 31 Dec 2016 09:05:30 +0000
Source: libpng1.6
Source-Version: 1.6.27-1

We believe that the bug you reported is fixed in the latest version of
libpng1.6, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 849799@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gianfranco Costamagna <locutusofborg@debian.org> (supplier of updated libpng1.6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 31 Dec 2016 08:51:32 +0100
Source: libpng1.6
Binary: libpng16-16 libpng-dev libpng-tools libpng16-16-udeb
Architecture: source
Version: 1.6.27-1
Distribution: unstable
Urgency: medium
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Gianfranco Costamagna <locutusofborg@debian.org>
Description:
 libpng-dev - PNG library - development (version 1.6)
 libpng-tools - PNG library - tools (version 1.6)
 libpng16-16 - PNG library - runtime (version 1.6)
 libpng16-16-udeb - PNG library - minimal runtime library (version 1.6) (udeb)
Closes: 849799
Changes:
 libpng1.6 (1.6.27-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #849799)
     - Fix for CVE-2016-10087
Checksums-Sha1:
 82fb102d64fb7c10b0d4dfd714835f955c304cae 2206 libpng1.6_1.6.27-1.dsc
 af5d742f5d0a6492133aed7790bb43e8854cca64 984316 libpng1.6_1.6.27.orig.tar.xz
 2b630b5ed551b9d77b0439eed409211a68b6a97f 22580 libpng1.6_1.6.27-1.debian.tar.xz
Checksums-Sha256:
 bd1e5e93d4d3e9d9d1557182090b8fad46f0d2608b7ddd8068aea632e5a82ce4 2206 libpng1.6_1.6.27-1.dsc
 fca2ffd97336356cdab9bfa8936b9d6dfd580a70205e5dfead3ac42cb054b57b 984316 libpng1.6_1.6.27.orig.tar.xz
 17275f59a541ccef912265ef4e8716fe003a8fd73eeecc477ab99ed130a491ec 22580 libpng1.6_1.6.27-1.debian.tar.xz
Files:
 0d388577f2edee20d3197bab895602f4 2206 libs optional libpng1.6_1.6.27-1.dsc
 90099cb7dfb36bf223f4791429d45c6a 984316 libs optional libpng1.6_1.6.27.orig.tar.xz
 437bea63121b043c4bee03d301bba489 22580 libs optional libpng1.6_1.6.27-1.debian.tar.xz

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 07 Feb 2017 07:40:27 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:35:44 2019; Machine Name: buxtehude
