Bugzilla – Bug 1017646
VUL-1: CVE-2016-10087: libpng,libpng12,libpng12-0,libpng15,libpng16: NULL pointer dereference in png_set_text_2()
Last modified: 2018-10-04 22:49:27 UTC
Ref: http://seclists.org/oss-sec/2016/q4/777

============================================
libpng-1.6.27 has been released to fix an old NULL pointer dereference bug in png_set_text_2() discovered and patched by Patrick Keshishian. New releases of legacy branches (1.0.67, 1.2.57, 1.4.20, and 1.5.28) have also been released. Other versions can be patched by adding a single line

    info_ptr->max_text = 0;

at the appropriate spot in png.c.

The potential "NULL dereference" bug has existed in libpng since version 0.71 of June 26, 1995.

To be vulnerable, an application has to load a text chunk into the png structure, then delete all text, then add another text chunk to the same png structure, which seems to be an unlikely sequence, but it has happened. Applications that I have looked at (firefox, imagemagick, graphicsmagick, pngcrush) do not appear to be vulnerable.

I reported the bug using CERT's online reporting system several days ago but have not received any response.

Glenn Randers-Pehrson
libpng custodian
============================================

https://software.opensuse.org/package/libpng16 : 1.6.26 for TW.
https://sourceforge.net/p/libpng/code/ci/812768d7a9c973452222d454634496b25ed415eb
bugbot adjusting priority
https://sourceforge.net/p/libpng/code/ci/794a15fad6add4d636369d0b46f603a02995b2e2
https://sourceforge.net/p/libpng/code/ci/812768d7a9c973452222d454634496b25ed415eb
https://sourceforge.net/p/libpng/code/ci/243d4e5f3fe71740d52a53cf3dd77cc83a3430ba

The application would need to perform very specific behavior, and then it's only a DoS. Setting VUL-1 for this fix to be included in a future update.
So setting also P4.
12/libpng16 12sp1/libpng15 12/libpng12 11/libpng12-0 10sp3/libpng submitted.
SUSE-SU-2017:0853-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1017646
CVE References: CVE-2016-10087
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): libpng16-1.6.8-14.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): libpng16-1.6.8-14.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): libpng16-1.6.8-14.1
SUSE Linux Enterprise Server 12-SP2 (src): libpng16-1.6.8-14.1
SUSE Linux Enterprise Server 12-SP1 (src): libpng16-1.6.8-14.1
SUSE Linux Enterprise Desktop 12-SP2 (src): libpng16-1.6.8-14.1
SUSE Linux Enterprise Desktop 12-SP1 (src): libpng16-1.6.8-14.1

SUSE-SU-2017:0860-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1017646,958791
CVE References: CVE-2015-8540,CVE-2016-10087
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): libpng12-1.2.50-19.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): libpng12-1.2.50-19.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): libpng12-1.2.50-19.1
SUSE Linux Enterprise Server 12-SP2 (src): libpng12-1.2.50-19.1
SUSE Linux Enterprise Server 12-SP1 (src): libpng12-1.2.50-19.1
SUSE Linux Enterprise Desktop 12-SP2 (src): libpng12-1.2.50-19.1
SUSE Linux Enterprise Desktop 12-SP1 (src): libpng12-1.2.50-19.1

SUSE-SU-2017:0901-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1017646,958791
CVE References: CVE-2015-8540,CVE-2016-10087
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): libpng12-0-1.2.31-5.43.1
SUSE Linux Enterprise Server 11-SP4 (src): libpng12-0-1.2.31-5.43.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): libpng12-0-1.2.31-5.43.1

openSUSE-SU-2017:0937-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1017646
CVE References: CVE-2016-10087
Sources used:
openSUSE Leap 42.2 (src): libpng16-1.6.8-9.3.1
openSUSE Leap 42.1 (src): libpng16-1.6.8-10.1

openSUSE-SU-2017:0942-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1017646,958791
CVE References: CVE-2015-8540,CVE-2016-10087
Sources used:
openSUSE Leap 42.2 (src): libpng12-1.2.50-10.3.1
openSUSE Leap 42.1 (src): libpng12-1.2.50-11.1

SUSE-SU-2017:0950-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1017646,958791
CVE References: CVE-2015-8540,CVE-2016-10087
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): libpng15-1.5.22-9.1
SUSE Linux Enterprise Server 12-SP2 (src): libpng15-1.5.22-9.1
SUSE Linux Enterprise Server 12-SP1 (src): libpng15-1.5.22-9.1
SUSE Linux Enterprise Desktop 12-SP2 (src): libpng15-1.5.22-9.1
SUSE Linux Enterprise Desktop 12-SP1 (src): libpng15-1.5.22-9.1

openSUSE-SU-2017:1037-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1017646,958791
CVE References: CVE-2015-8540,CVE-2016-10087
Sources used:
openSUSE Leap 42.2 (src): libpng15-1.5.22-5.3.1
openSUSE Leap 42.1 (src): libpng15-1.5.22-7.1

released