Debian Bug report logs -
#921355
libpng1.6: CVE-2019-7317: use-after-free in png_image_free in png.c
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#921355; Package src:libpng1.6.
(Mon, 04 Feb 2019 16:33:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Anibal Monsalve Salazar <anibal@debian.org>.
(Mon, 04 Feb 2019 16:33:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: libpng1.6
Version: 1.6.36-3
Severity: grave
Tags: security upstream
Forwarded: https://github.com/glennrp/libpng/issues/275
Control: found -1 1.6.28-1
Control: found -1 1.6.36-2
Hi,
The following vulnerability was published for libpng1.6.
CVE-2019-7317[0]:
| png_image_free in png.c in libpng 1.6.36 has a use-after-free because
| png_image_free_function is called under png_safe_execute.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-7317
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7317
[1] https://github.com/glennrp/libpng/issues/275
Regards,
Salvatore
Marked as found in versions libpng1.6/1.6.28-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Mon, 04 Feb 2019 16:33:05 GMT) (full text, mbox, link).
Marked as found in versions libpng1.6/1.6.36-2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Mon, 04 Feb 2019 16:33:06 GMT) (full text, mbox, link).
Reply sent
to Gianfranco Costamagna <locutusofborg@debian.org>:
You have taken responsibility.
(Tue, 05 Feb 2019 11:09:09 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Tue, 05 Feb 2019 11:09:09 GMT) (full text, mbox, link).
Message #14 received at 921355-close@bugs.debian.org (full text, mbox, reply):
Source: libpng1.6
Source-Version: 1.6.36-4
We believe that the bug you reported is fixed in the latest version of
libpng1.6, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 921355@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gianfranco Costamagna <locutusofborg@debian.org> (supplier of updated libpng1.6 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 05 Feb 2019 11:43:24 +0100
Source: libpng1.6
Binary: libpng16-16 libpng-dev libpng-tools libpng16-16-udeb
Architecture: source
Version: 1.6.36-4
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Gianfranco Costamagna <locutusofborg@debian.org>
Description:
libpng-dev - PNG library - development (version 1.6)
libpng-tools - PNG library - tools (version 1.6)
libpng16-16 - PNG library - runtime (version 1.6)
libpng16-16-udeb - PNG library - minimal runtime library (version 1.6) (udeb)
Closes: 921355
Changes:
libpng1.6 (1.6.36-4) unstable; urgency=high
.
* debian/patches/70d122aac42933ab8a708c538f973c3307853212.patch,
debian/patches/8439534daa1d3a5705ba92e653eda9251246dd61.patch:
- new fixes for arm64 and general test failures (and leaks)
* debian/patches/CVE-2019-7317.patch:
- fix for CVE 2019-7317 (Closes: #921355)
Thanks Salvatore Bonaccorso for your report!
Checksums-Sha1:
f3ebd3ec7b267f2a3b431b24e32df7dfc8449384 2197 libpng1.6_1.6.36-4.dsc
8c73a75f17fd757cbc792b6ca060c0e4f02d82d8 37216 libpng1.6_1.6.36-4.debian.tar.xz
44a559b61f469799a75334ffa69825cb286ff156 6360 libpng1.6_1.6.36-4_source.buildinfo
Checksums-Sha256:
ff9bb26af634d9eb6a158a6b61183b6038d1ef81e03ba567b471902c9f58a2e2 2197 libpng1.6_1.6.36-4.dsc
040a1ba72164d91e7a2e821a4cc2eea7fc16948f4891b02ed6e1ce6e5b6cf96d 37216 libpng1.6_1.6.36-4.debian.tar.xz
bd2c57897358e5f218e02958081c4e8a54c26ca6296f7256661bd06d30c7a15a 6360 libpng1.6_1.6.36-4_source.buildinfo
Files:
21b1c30ef9acea00f1530e632c2e8b43 2197 libs optional libpng1.6_1.6.36-4.dsc
be1aaceffdaee5b62f05d54250541ad7 37216 libs optional libpng1.6_1.6.36-4.debian.tar.xz
3dbe855428e1b86485b2778fa051af34 6360 libs optional libpng1.6_1.6.36-4_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEkpeKbhleSSGCX3/w808JdE6fXdkFAlxZae0ACgkQ808JdE6f
Xdk8qhAAnAUkzNu/fo44ZaAegrCayJpeuYzyJX8lG5HAyio9Ip5wooIDFESyA/em
wbS3fL5+A6FJpHRJe9b4+jOzh7PazEy3Vnt4Ze8Rg5UosEdN030RuTpuYQsy2Koy
irHjXRJ2TyAEamDet/7WZ9ZXNWe3a8L8OH53GWNzCQVZ7c4dKWCl2+eyRt9sdVYc
Q7XcmB5emZYR/AFZTRdyUYjT6D4jAo2hXbEili9m6smaXewTlMyItFbSwsHJKHpD
na3untgFyHgVIycuazWOiQeAYaNt3PDVAF8N3y5yWCjADeeu1C4fKzDuT4Fmi+tN
aOYaTl+InfRa7F7GTUMprPh7CYu2Nfa3dVBM4q/ivK3Sp0Fx5noFkyJlzbXNDo9Z
bcMyA30NJLgjZG45okQIhZC7nGl+2s7nhZq/xCQkxmviI9OQAgJp1wQ7Co2iBVYU
7kscrLzsq32LtZnA3EmEqsRr3QKewfC9yvf9nZS33WOHWehHFfxGa3b8jJU3GHZg
judjG0kox8CuBz2DC6Dg1/NzM7NeDlTdKBow4EeaNFbX2Nl3vLfkM09Nsg0UuOOf
YR5muPYpa3uRvWkiN50EzwwwKaDttegQeOQWWTP/00o8JqtcrHgzAkbWvNjFvhTe
iECQjNRA42ZKr3/jVXgXDrLNZb/Ja40Nz0I6ZKZjoR7M+l0T7rs=
=VxFV
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Sun, 05 May 2019 18:51:06 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sun, 05 May 2019 18:51:07 GMT) (full text, mbox, link).
Message #19 received at 921355-close@bugs.debian.org (full text, mbox, reply):
Source: libpng1.6
Source-Version: 1.6.28-1+deb9u1
We believe that the bug you reported is fixed in the latest version of
libpng1.6, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 921355@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated libpng1.6 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 18 Apr 2019 22:12:35 +0200
Source: libpng1.6
Architecture: source
Version: 1.6.28-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 921355
Changes:
libpng1.6 (1.6.28-1+deb9u1) stretch-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Call png_image_free_function without guarding it with png_safe_execute
(CVE-2019-7317) (Closes: #921355)
Checksums-Sha1:
8d4f4d28d498bb28a015abc2efc4faa6093d3457 2403 libpng1.6_1.6.28-1+deb9u1.dsc
ff4dceadb15e2c929ad26283118d56f66f4a6cff 984536 libpng1.6_1.6.28.orig.tar.xz
e7a0aa21b188e30c3bf9718cac54b511774e66bd 22844 libpng1.6_1.6.28-1+deb9u1.debian.tar.xz
Checksums-Sha256:
e33f21a69c0406eaee4ca7157c7234c3a078bab83f57c399cd2ddc8d7c868ddf 2403 libpng1.6_1.6.28-1+deb9u1.dsc
d8d3ec9de6b5db740fefac702c37ffcf96ae46cb17c18c1544635a3852f78f7a 984536 libpng1.6_1.6.28.orig.tar.xz
c082fb471028f37bfb9510057f7d4854e1200b5115d2c308da9c2837375585e9 22844 libpng1.6_1.6.28-1+deb9u1.debian.tar.xz
Files:
eeba1b6579f93b8aa41a3327609253e3 2403 libs optional libpng1.6_1.6.28-1+deb9u1.dsc
425354f86c392318d31aedca71019372 984536 libs optional libpng1.6_1.6.28.orig.tar.xz
eca3b8effc6335ba72e35efe23194692 22844 libs optional libpng1.6_1.6.28-1+deb9u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAly42whfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EH04QAJhyUtrcml2BCE+7I5vfrxCzbnqqpKti
/MvLQO5pVvQvaOrMshT0sAIAHYNTfc3wtOYsyqm/4ETZQe6YthY7HJMFVuMY0oaT
clfTAygq3X/P8vHQO5ZCj1Vmcnr3mpgXhpVwpuzlIuhLHbDLINk+DMV2VvvHOsEb
Xg4v1+n8bz1fAqv2tBGIhTubD8MjgxmMnMUnRkZegjHKjWBPxfSr+B4QgQ81+LWJ
2rMeunI9BislV4dJYRkQ6eECBShNou8D17v8L1EZ/wc0Hbx1pN9jXIpa0/CeEbHo
RZXel0qkb3rLXQtSGxC05yr8x52+Fv9hgcvm0NeNlmdKB78QxFVWlwZau+qg2Mk4
qn4dwlae95M/hVXgXzQkbR7tJR8auZIEDtPkdYIvO8K8YDx/sXYU4ZSP2BWL/B0l
9cdxs1XMW8rsnR0j27/xcZx+bukY1N5U8g+/26VlKQCQag6Mr86JIz90nb+fOEqj
L1wuA4hKOJtA2NXP8HM3r5iKNq4g2oJ8ScOPVhHc14orgZuDY3YhT/mRsMdyEPlC
vcLZlj/Fr8OL4ZXn0i5xLrRDRDwKvfLAqabdA5tpZ3HjNCnYJpno1Hbl8JxDLEm8
ggZ/f6w9IJ+m8UO7mZgxoSx4xwJQi+DykeQtPoDSdcEyxl0EGi+En+ZAetJQ0yEH
iThv0C0MIcm2
=Ce9j
-----END PGP SIGNATURE-----
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:13:59 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon