CVE-2019-7317

Published: 2019-02-04 Updated: 2019-08-01
CVSS v2 Base Score: 2.6 | Impact Score: 2.9 | Exploitability Score: 4.9
CVSS v3 Base Score: 5.3 | Impact Score: 3.6 | Exploitability Score: 1.6
VMScore: 231
CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P

Vulnerability Summary

png_image_free in png.c in libpng 1.6.x prior to 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.
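The one-line summary names the cause but not the sequence, so here is a reduced model of it, added to this page and not libpng's own code. The three functions mirror the shape of png.c as I read it in 1.6.36 and 1.6.37 (png_image_free_function copies the control block to a stack local, points image->opaque at that copy, frees the heap original and tears down the png struct; png_safe_execute then restores error_buf through image->opaque after the callback has returned; 1.6.37 avoids the wrapper and calls the free routine directly). Those details, the setjmp/longjmp error handling that is left out, and the global flag the model uses to report the dangling pointer instead of dereferencing it are assumptions as far as this page is concerned. The struct and function names are illustrative, not libpng's API.

```c
/*
 * Added example: a reduced model of the png_image_free / png_safe_execute
 * interaction behind CVE-2019-7317.  Not libpng code.  The sequence below
 * follows my reading of png.c in 1.6.36 and 1.6.37 (assumption); the real
 * setjmp/longjmp error path is omitted.
 */
#include <stddef.h>
#include <stdlib.h>

typedef struct control {
    void *error_buf;   /* libpng: jmp_buf pointer used by png_safe_execute */
    void *png_ptr;     /* libpng: the read/write struct; a dummy heap block here */
} control;

typedef struct image {
    control *opaque;   /* libpng: png_image.opaque */
} image;

/* Set when the free routine redirects image->opaque to its own stack frame,
 * so the model can report the dangling pointer without dereferencing it. */
static int opaque_points_into_dead_frame;

/* Mirrors png_image_free_function: copy the control block to a local, free
 * the heap original, tear down png_ptr, and return with opaque == &c. */
static int image_free_function(void *arg)
{
    image *img = arg;
    control *cp = img->opaque;
    control c;

    if (cp->png_ptr == NULL)
        return 0;

    c = *cp;
    img->opaque = &c;                   /* now points at THIS stack frame */
    free(cp);                           /* heap control block is gone */
    free(c.png_ptr);
    c.png_ptr = NULL;
    opaque_points_into_dead_frame = 1;  /* &c is dead once we return */
    return 1;
}

enum outcome { NO_POST_ACCESS, POST_ACCESS_LIVE, POST_ACCESS_DANGLING };

/* Mirrors png_safe_execute in 1.6.36: after fn() returns it writes
 * image->opaque->error_buf.  When fn was image_free_function, opaque no
 * longer refers to a live object; the model reports that instead of
 * performing the write (in the real code this is the use after free). */
static enum outcome safe_execute_1_6_36(image *img, int (*fn)(void *), void *arg)
{
    void *saved = img->opaque->error_buf;
    int result = fn(arg);
    (void)result;
    if (opaque_points_into_dead_frame)
        return POST_ACCESS_DANGLING;
    img->opaque->error_buf = saved;     /* only safe for other callbacks */
    return POST_ACCESS_LIVE;
}

/* 1.6.36 shape: the free routine runs under the wrapper. */
static enum outcome image_free_1_6_36(image *img)
{
    enum outcome out = NO_POST_ACCESS;
    if (img != NULL && img->opaque != NULL && img->opaque->error_buf == NULL) {
        out = safe_execute_1_6_36(img, image_free_function, img);
        img->opaque = NULL;
    }
    return out;
}

/* 1.6.37 shape: direct call; opaque is overwritten with NULL and never
 * read after the callee's frame is gone. */
static enum outcome image_free_1_6_37(image *img)
{
    if (img != NULL && img->opaque != NULL && img->opaque->error_buf == NULL) {
        image_free_function(img);
        img->opaque = NULL;
    }
    return NO_POST_ACCESS;
}

/* Constructed input: an image whose control block owns a dummy png_ptr. */
static image *make_image(void)
{
    image *img = malloc(sizeof *img);
    control *cp = malloc(sizeof *cp);
    cp->error_buf = NULL;
    cp->png_ptr = malloc(16);
    img->opaque = cp;
    opaque_points_into_dead_frame = 0;
    return img;
}

int main(void)
{
    image *a = make_image();
    enum outcome vulnerable = image_free_1_6_36(a);   /* POST_ACCESS_DANGLING */
    free(a);
    image *b = make_image();
    enum outcome fixed = image_free_1_6_37(b);        /* NO_POST_ACCESS */
    free(b);
    return (vulnerable == POST_ACCESS_DANGLING && fixed == NO_POST_ACCESS) ? 0 : 1;
}
```

The model makes the practical point of the advisory visible: nothing in the crafted file reaches the bug; any caller of the simplified API that frees an image on the 1.6.36 path performs the post-callback access, which is why distributions shipped it as a library update rather than as a parser fix, and why the CVSS vectors above rate it as availability impact only.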

Affected Products

Vendor      Product        Versions
Libpng      Libpng         1.6.36
Canonical   Ubuntu Linux   18.04, 18.10
Debian      Debian Linux   9.0

Vendor Advisories

Debian Bug report logs - #921355 libpng16: CVE-2019-7317: use-after-free in png_image_free in png.c Package: src:libpng16; Maintainer for src:libpng16 is Maintainers of libpng16 packages <libpng16@packages.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Mon, 4 Feb 2019 16:33:02 UTC Seve ...
libpng could be made to crash or run programs if it opened a specially crafted file ...
A use-after-free vulnerability was discovered in the png_image_free() function in the libpng PNG library, which could lead to denial of service or potentially the execution of arbitrary code if a malformed image is processed. For the stable distribution (stretch), this problem has been fixed in version 1.6.28-1+deb9u1. We recommend that you upgrade ...
Synopsis Important: java-1.7.1-ibm security update Type/Severity Security Advisory: Important Topic An update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scori ...
Synopsis Important: java-1.7.1-ibm security update Type/Severity Security Advisory: Important Topic An update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scori ...
png_image_free in png.c in libpng 1.6.36 has a use-after-free because png_image_free_function is called under png_safe_execute ...
Arch Linux Security Advisory ASA-201904-10 ========================================== Severity: Low Date : 2019-04-24 CVE-ID : CVE-2019-7317 Package : libpng Type : denial of service Remote : No Link : security.archlinux.org/AVG-868 Summary ======= The package libpng before version 1.6.36-2 is vulnerable to denial of service ...
Synopsis Important: thunderbird security update Type/Severity Security Advisory: Important Topic An update for thunderbird is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) bas ...
Synopsis Important: thunderbird security update Type/Severity Security Advisory: Important Topic An update for thunderbird is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) bas ...
Synopsis Critical: firefox security update Type/Severity Security Advisory: Critical Topic An update for firefox is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, wh ...
Synopsis Critical: firefox security update Type/Severity Security Advisory: Critical Topic An update for firefox is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, wh ...
Synopsis Important: thunderbird security update Type/Severity Security Advisory: Important Topic An update for thunderbird is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) bas ...
Several security issues were fixed in OpenJDK 11 ...
Synopsis Critical: firefox security update Type/Severity Security Advisory: Critical Topic An update for firefox is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, wh ...
Several security issues were fixed in OpenJDK ...
Several security issues were fixed in Thunderbird ...
USN-3991-2 caused a regression in Firefox ...
Multiple security issues have been found in Thunderbird: Multiple vulnerabilities may lead to the execution of arbitrary code or denial of service. For the stable distribution (stretch), these problems have been fixed in version 1:60.7.0-1~deb9u1. We recommend that you upgrade your thunderbird packages. For the detailed security status of thunderbi ...
Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code. For the stable distribution (stretch), these problems have been fixed in version 60.7.0esr-1~deb9u1. We recommend that you upgrade your firefox-esr packages. For the detailed security status of firefox-esr ...
USN-3991-1 caused a regression in Firefox ...
Firefox could be made to crash or run programs as your login if it opened a malicious website ...
Arch Linux Security Advisory ASA-201905-8 ========================================= Severity: Critical Date : 2019-05-23 CVE-ID : CVE-2019-5798 CVE-2019-7317 CVE-2019-9800 CVE-2019-9816 CVE-2019-9817 CVE-2019-9819 CVE-2019-11691 CVE-2019-11692 CVE-2019-11693 CVE-2019-11698 CVE-2019-18511 Package : thunderbird Type : ...
Security vulnerabilities fixed in Firefox ESR 60.7 Announced May 21, 2019 Impact critical Products Firefox ESR Fixed in Firefox ESR 60.7 ...
There is a security vulnerability in versions of Mozilla Firefox that are shipped with versions 1510 to 15211 of IBM SONAS ...
Arch Linux Security Advisory ASA-201905-9 ========================================= Severity: Critical Date : 2019-05-23 CVE-ID : CVE-2019-7317 CVE-2019-9800 CVE-2019-9814 CVE-2019-9816 CVE-2019-9817 CVE-2019-9819 CVE-2019-9820 CVE-2019-9821 CVE-2019-11691 CVE-2019-11692 CVE-2019-11693 CVE-2019-11695 CVE-201 ...
OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) libpng: png_image_free in png.c in libpng has a use-after-free because png_image_free_function is called under png_safe_execute (CV ...
Java SE issues disclosed in the Oracle July 2019 Critical Patch Update, plus four additional vulnerabilities ...
Security vulnerabilities fixed in Thunderbird 60.7 Announced May 21, 2019 Impact high Products Thunderbird Fixed in Thunderbird 60.7 ...
Security vulnerabilities fixed in Firefox 67 Announced May 21, 2019 Impact critical Products Firefox Fixed in Firefox 67 ...
Mozilla: Buffer overflow in WebGL bufferdata on Linux (CVE-2019-11693) Mozilla: Use-after-free in XMLHttpRequest (CVE-2019-11691) Cross-origin images can be read in violation of the same-origin policy by exporting an image after using createImageBitmap to read the image and then rendering the resulting bitmap image within a canvas element. This v ...
Cosminexus Developer's Kit for Java(TM) and Hitachi Developer's Kit for Java contain the following vulnerabilities: CVE-2019-2745, CVE-2019-2762, CVE-2019-2766, CVE-2019-2769, CVE-2019-2786, CVE-2019-2816, CVE-2019-2842, CVE-2019-7317. Affected products and versions are listed below. Please upgrade your version to the appropriate version. These ...
Multiple vulnerabilities have been found in Hitachi Command Suite and Hitachi Infrastructure Analytics Advisor: CVE-2019-2745, CVE-2019-2762, CVE-2019-2766, CVE-2019-2769, CVE-2019-2786, CVE-2019-2816, CVE-2019-2842, CVE-2019-7317. Affected products and versions are listed below. Please upgrade your version to the appropriate version, or apply t ...

Mailing Lists

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4435-1 security () debian org www.debian.org/security/ Salvatore Bonaccorso April 27, 2019 www.debian.org/security/faq ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] libpng (SSA:2019-107-01) New libpng packages are available for Slackware 14.2 and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/packages/libpng-1.6.37-i586-1_slack14.2.txz: Upgraded. This update ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4451-1 security () debian org www.debian.org/security/ Moritz Muehlenhoff May 24, 2019 www.debian.org/security/faq ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4448-1 security () debian org www.debian.org/security/ Moritz Muehlenhoff May 22, 2019 www.debian.org/security/faq ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] mozilla-firefox (SSA:2019-141-01) New mozilla-firefox packages are available for Slackware 14.2 and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/packages/mozilla-firefox-60.7.0esr-i686-1_slack14.2 ...

References

CWE-416 (Use After Free)

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00029.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00084.html
http://packetstormsecurity.com/files/152561/Slackware-Security-Advisory-libpng-Updates.html
http://www.securityfocus.com/bid/108098
https://access.redhat.com/errata/RHSA-2019:1265
https://access.redhat.com/errata/RHSA-2019:1267
https://access.redhat.com/errata/RHSA-2019:1269
https://access.redhat.com/errata/RHSA-2019:1308
https://access.redhat.com/errata/RHSA-2019:1309
https://access.redhat.com/errata/RHSA-2019:1310
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803
https://github.com/glennrp/libpng/issues/275
https://lists.debian.org/debian-lts-announce/2019/05/msg00032.html
https://lists.debian.org/debian-lts-announce/2019/05/msg00038.html
https://seclists.org/bugtraq/2019/Apr/30
https://seclists.org/bugtraq/2019/Apr/36
https://seclists.org/bugtraq/2019/May/56
https://seclists.org/bugtraq/2019/May/59
https://seclists.org/bugtraq/2019/May/67
https://security.gentoo.org/glsa/201908-02
https://security.netapp.com/advisory/ntap-20190719-0005/
https://usn.ubuntu.com/3962-1/
https://usn.ubuntu.com/3991-1/
https://usn.ubuntu.com/3997-1/
https://usn.ubuntu.com/4080-1/
https://usn.ubuntu.com/4083-1/
https://www.debian.org/security/2019/dsa-4435
https://www.debian.org/security/2019/dsa-4448
https://www.debian.org/security/2019/dsa-4451
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921355
https://tools.cisco.com/security/center/viewAlert.x?alertId=59551
https://nvd.nist.gov