Bug 1017646 (CVE-2016-10087)

Summary: VUL-1: CVE-2016-10087: libpng,libpng12,libpng12-0,libpng15,libpng16: NULL pointer dereference in png_set_text_2()
Product: [Novell Products] SUSE Security Incidents
Reporter: Mikhail Kasimov <mikhail.kasimov>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: astieger, pgajdos
Version: unspecified
Target Milestone: unspecified
Hardware: Other
OS: Other
Whiteboard: CVSSv2:SUSE:CVE-2016-10087:1.9:(AV:L/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2016-10087:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) maint:released:sle10-sp3:63526 CVSSv3:RedHat:CVE-2016-10087:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Mikhail Kasimov 2016-12-30 18:26:33 UTC
Ref: http://seclists.org/oss-sec/2016/q4/777
============================================
libpng-1.6.27 has been released to fix an old NULL pointer dereference
bug in png_set_text_2() discovered and patched by Patrick Keshishian.

New releases of legacy branches (1.0.67, 1.2.57, 1.4.20, and 1.5.28) have
also been released.  Other versions can be patched by adding a single
line

      info_ptr->max_text = 0;

at the appropriate spot in png.c.

The potential "NULL dereference" bug has existed in libpng
since version 0.71 of June 26, 1995.  To be vulnerable, an application
has to load a text chunk into the png structure, then delete all text, then
add another text chunk to the same png structure, which seems to be
an unlikely sequence, but it has happened.

Applications that I have looked at (firefox, imagemagick, graphicsmagick,
pngcrush) do not appear to be vulnerable.

I reported the bug using CERT's online reporting system several days
ago but have not received any response.

Glenn Randers-Pehrson
libpng custodian
============================================

https://software.opensuse.org/package/libpng16 : 1.6.26 for TW.
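
The sequence described in the advisory above, as an added example (not libpng code and not part of the original report): a simplified C model in which deleting all text frees the array but leaves the capacity counter stale, so the next add skips the allocation. Only `max_text` comes from the page; the struct, the function names, the growth step of 8 and the return codes are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of per-image text bookkeeping; max_text is the field
 * named in the advisory, the other names are hypothetical, not libpng code. */
typedef struct {
    const char **text;        /* array of text entries */
    int num_text, max_text;   /* entries in use / entries allocated */
} info_model;

/* Delete all text; without the fix the capacity counter stays stale. */
static void model_free_all_text(info_model *info, int apply_fix)
{
    free(info->text);
    info->text = NULL;
    info->num_text = 0;
    if (apply_fix) info->max_text = 0;   /* the advisory's single line */
}

/* Add one entry: 0 ok, -1 out of memory, -2 would write through NULL. */
static int model_add_text(info_model *info, const char *entry)
{
    if (info->max_text - info->num_text < 1) {   /* no free slot: grow */
        const char **grown =
            realloc(info->text, (info->num_text + 8) * sizeof *grown);
        if (grown == NULL) return -1;
        info->text = grown;
        info->max_text = info->num_text + 8;
    }
    if (info->text == NULL)
        return -2;            /* stale max_text skipped the allocation */
    info->text[info->num_text++] = entry;
    return 0;
}

/* The advisory's sequence: add a chunk, delete all text, add another. */
static int run_sequence(int apply_fix)
{
    info_model info = { NULL, 0, 0 };
    if (model_add_text(&info, "Title") != 0) return -1;
    model_free_all_text(&info, apply_fix);
    int rc = model_add_text(&info, "Comment");
    free(info.text);
    return rc;
}

int main(void)
{
    printf("unpatched=%d patched=%d\n", run_sequence(0), run_sequence(1));
    return 0;
}
```

The model returns -2 at the point where unpatched code would dereference the NULL array, which is why the outcome is a crash (denial of service) rather than memory corruption.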
Comment 2 Swamp Workflow Management 2016-12-30 23:00:50 UTC
bugbot adjusting priority
Comment 3 Andreas Stieger 2017-01-02 09:59:23 UTC
https://sourceforge.net/p/libpng/code/ci/794a15fad6add4d636369d0b46f603a02995b2e2
https://sourceforge.net/p/libpng/code/ci/812768d7a9c973452222d454634496b25ed415eb
https://sourceforge.net/p/libpng/code/ci/243d4e5f3fe71740d52a53cf3dd77cc83a3430ba

The application would need to perform very specific behavior, and then it's only a DoS. Setting VUL-1 for this fix to be included in a future update.
Comment 4 Petr Gajdos 2017-01-02 11:51:18 UTC
So setting also P4.
Comment 5 Petr Gajdos 2017-03-24 10:39:31 UTC
12/libpng16
12sp1/libpng15
12/libpng12
11/libpng12-0
10sp3/libpng

submitted.
Comment 7 Swamp Workflow Management 2017-03-29 16:13:07 UTC
SUSE-SU-2017:0853-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1017646
CVE References: CVE-2016-10087
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    libpng16-1.6.8-14.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libpng16-1.6.8-14.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    libpng16-1.6.8-14.1
SUSE Linux Enterprise Server 12-SP2 (src):    libpng16-1.6.8-14.1
SUSE Linux Enterprise Server 12-SP1 (src):    libpng16-1.6.8-14.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    libpng16-1.6.8-14.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libpng16-1.6.8-14.1
Comment 8 Swamp Workflow Management 2017-03-29 19:11:36 UTC
SUSE-SU-2017:0860-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017646,958791
CVE References: CVE-2015-8540,CVE-2016-10087
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    libpng12-1.2.50-19.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libpng12-1.2.50-19.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    libpng12-1.2.50-19.1
SUSE Linux Enterprise Server 12-SP2 (src):    libpng12-1.2.50-19.1
SUSE Linux Enterprise Server 12-SP1 (src):    libpng12-1.2.50-19.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    libpng12-1.2.50-19.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libpng12-1.2.50-19.1
Comment 9 Swamp Workflow Management 2017-03-31 16:14:36 UTC
SUSE-SU-2017:0901-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017646,958791
CVE References: CVE-2015-8540,CVE-2016-10087
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    libpng12-0-1.2.31-5.43.1
SUSE Linux Enterprise Server 11-SP4 (src):    libpng12-0-1.2.31-5.43.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    libpng12-0-1.2.31-5.43.1
Comment 10 Swamp Workflow Management 2017-04-05 16:14:03 UTC
openSUSE-SU-2017:0937-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1017646
CVE References: CVE-2016-10087
Sources used:
openSUSE Leap 42.2 (src):    libpng16-1.6.8-9.3.1
openSUSE Leap 42.1 (src):    libpng16-1.6.8-10.1
Comment 11 Swamp Workflow Management 2017-04-05 16:21:49 UTC
openSUSE-SU-2017:0942-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017646,958791
CVE References: CVE-2015-8540,CVE-2016-10087
Sources used:
openSUSE Leap 42.2 (src):    libpng12-1.2.50-10.3.1
openSUSE Leap 42.1 (src):    libpng12-1.2.50-11.1
Comment 12 Swamp Workflow Management 2017-04-06 13:12:04 UTC
SUSE-SU-2017:0950-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017646,958791
CVE References: CVE-2015-8540,CVE-2016-10087
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    libpng15-1.5.22-9.1
SUSE Linux Enterprise Server 12-SP2 (src):    libpng15-1.5.22-9.1
SUSE Linux Enterprise Server 12-SP1 (src):    libpng15-1.5.22-9.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    libpng15-1.5.22-9.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libpng15-1.5.22-9.1
Comment 13 Swamp Workflow Management 2017-04-18 10:15:25 UTC
openSUSE-SU-2017:1037-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017646,958791
CVE References: CVE-2015-8540,CVE-2016-10087
Sources used:
openSUSE Leap 42.2 (src):    libpng15-1.5.22-5.3.1
openSUSE Leap 42.1 (src):    libpng15-1.5.22-7.1
Comment 14 Marcus Meissner 2017-06-15 20:06:47 UTC
released