Your message dated Thu, 19 Nov 2015 19:57:30 +0000
with message-id <e1zzvkk-0000wq...@franck.debian.org>
and subject line Bug#805113: fixed in libpng 1.2.49-1+deb7u1
has caused the Debian Bug report #805113,
regarding CVE-2015-8126: buffer overflow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
805113: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805113
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libpng12-0
Version: 1.2.50-2+b2
Severity: critical
Tags: security upstream
Quoting https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8126
> Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE
> functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and
> 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote
> attackers to cause a denial of service (application crash) or possibly have
> unspecified other impact via a small bit-depth value in an IHDR (aka image
> header) chunk in a PNG image.
In particular, "1.1.x and 1.2.x before 1.2.54".
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.3.0-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libpng12-0 depends on:
ii libc6 2.19-22
ii multiarch-support 2.19-22
ii zlib1g 1:1.2.8.dfsg-2+b1
libpng12-0 recommends no packages.
libpng12-0 suggests no packages.
-- no debconf information
--- End Message ---
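The bound behind the NVD text above, shown as an added example that is not part of the bug report or of libpng's own code: PNG allows a palette at most 2^bit_depth entries (256 for bit depths of 8 and above), so a PLTE chunk carrying 256 entries in an image whose IHDR declares bit depth 1 breaks the invariant a consumer relies on when it sizes its palette buffer from the bit depth and then copies every PLTE entry. The C below walks the chunk stream, checks the first PLTE against that bound, and exercises the check on constructed 1x1 indexed images. The function names (validate_png_palette, build_png, check_case, max_palette_entries) are this example's own; the constructed images carry zero CRC placeholders and the walker does not verify CRCs, which a real decoder must.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum png_check {
    PNG_OK = 0,
    PNG_BAD_SIGNATURE,
    PNG_TRUNCATED,             /* a chunk length runs past the end of the buffer */
    PNG_BAD_IHDR,              /* IHDR length not 13, or bit depth not in {1,2,4,8,16} */
    PNG_IHDR_MISSING,          /* PLTE before IHDR, or no IHDR at all */
    PNG_PLTE_BAD_LENGTH,       /* PLTE length zero or not a multiple of 3 */
    PNG_PLTE_TOO_MANY_ENTRIES  /* the CVE-2015-8126 condition: entries > 1 << bit_depth */
};

static const uint8_t png_sig[8] = { 0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a };

static uint32_t be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void put32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* PNG's rule: a palette holds at most 2^bit_depth entries, capped at 256. A reader that
 * sizes its palette buffer from the IHDR bit depth and then copies every PLTE entry
 * overflows when a file breaks this rule; this is the bound a validator must enforce. */
unsigned max_palette_entries(unsigned bit_depth) { return bit_depth < 8 ? (1u << bit_depth) : 256u; }

/* Walk the chunk stream and check the first PLTE against the IHDR bit depth.
 * Chunk CRCs are deliberately not verified here (example only); a real decoder must verify them. */
enum png_check validate_png_palette(const uint8_t *buf, size_t len, unsigned *entries_out)
{
    size_t off = 8;
    int have_ihdr = 0;
    unsigned bit_depth = 0;
    if (len < 8 || memcmp(buf, png_sig, 8) != 0) return PNG_BAD_SIGNATURE;
    while (off + 12 <= len) {                       /* length(4) + type(4) + crc(4) */
        uint32_t clen = be32(buf + off);
        const uint8_t *type = buf + off + 4, *data = buf + off + 8;
        if (clen > len - off - 12) return PNG_TRUNCATED;   /* no underflow: off + 12 <= len */
        if (memcmp(type, "IHDR", 4) == 0) {
            if (clen != 13) return PNG_BAD_IHDR;
            bit_depth = data[8];                    /* width(4) height(4) bit depth(1) ... */
            if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 && bit_depth != 8 && bit_depth != 16)
                return PNG_BAD_IHDR;
            have_ihdr = 1;
        } else if (memcmp(type, "PLTE", 4) == 0) {
            if (!have_ihdr) return PNG_IHDR_MISSING;
            if (clen == 0 || clen % 3 != 0) return PNG_PLTE_BAD_LENGTH;
            if (entries_out) *entries_out = clen / 3;
            return clen / 3 > max_palette_entries(bit_depth) ? PNG_PLTE_TOO_MANY_ENTRIES : PNG_OK;
        } else if (memcmp(type, "IEND", 4) == 0) {
            break;
        }
        off += 12 + clen;
    }
    return have_ihdr ? PNG_OK : PNG_IHDR_MISSING;   /* an image with no PLTE is fine */
}

/* Constructed test input (not a real-world sample): a 1x1 indexed-colour PNG with the
 * given bit depth and palette size, CRC fields left as zero placeholders. Returns the
 * number of bytes written, or 0 if cap is too small. */
size_t build_png(uint8_t *out, size_t cap, unsigned bit_depth, unsigned palette_entries)
{
    size_t off, plte_len = 3 * (size_t)palette_entries;
    unsigned i;
    if (palette_entries > 256 || cap < 8 + 25 + 12 + plte_len + 12) return 0;
    memcpy(out, png_sig, 8);
    put32(out + 8, 13); memcpy(out + 12, "IHDR", 4);
    put32(out + 16, 1); put32(out + 20, 1);         /* width, height */
    out[24] = (uint8_t)bit_depth; out[25] = 3;      /* bit depth, colour type 3 (indexed) */
    out[26] = out[27] = out[28] = 0;                /* compression, filter, interlace */
    put32(out + 29, 0);                             /* CRC placeholder */
    off = 33;
    put32(out + off, (uint32_t)plte_len); memcpy(out + off + 4, "PLTE", 4);
    for (i = 0; i < palette_entries; i++) {         /* arbitrary RGB triples */
        out[off + 8 + 3 * i] = (uint8_t)i; out[off + 9 + 3 * i] = 0; out[off + 10 + 3 * i] = (uint8_t)(255 - i);
    }
    put32(out + off + 8 + plte_len, 0);             /* CRC placeholder */
    off += 12 + plte_len;
    put32(out + off, 0); memcpy(out + off + 4, "IEND", 4); put32(out + off + 8, 0);
    return off + 12;
}

/* Build one constructed image and validate it. */
enum png_check check_case(unsigned bit_depth, unsigned palette_entries)
{
    uint8_t buf[1024];
    size_t n = build_png(buf, sizeof buf, bit_depth, palette_entries);
    return n ? validate_png_palette(buf, n, NULL) : PNG_TRUNCATED;
}

int main(void)
{
    static const struct { unsigned depth, entries; } cases[] = { {1, 2}, {1, 256}, {4, 17}, {8, 256} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("bit depth %2u, %3u PLTE entries -> %s\n", cases[i].depth, cases[i].entries,
               check_case(cases[i].depth, cases[i].entries) == PNG_OK ? "accepted" : "rejected");
    return 0;
}
```

Build with `cc -Wall -o plte_check plte_check.c` and run it; the bit depth 1 image with 256 palette entries and the bit depth 4 image with 17 entries are rejected, the other two accepted. The example only shows the input-side invariant; which internal libpng buffers were overrun in the affected versions is not reproduced here.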
--- Begin Message ---
Source: libpng
Source-Version: 1.2.49-1+deb7u1
We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 805...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libpng package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 17 Nov 2015 19:31:24 +0100
Source: libpng
Binary: libpng12-0 libpng12-dev libpng3 libpng12-0-udeb
Architecture: source amd64
Version: 1.2.49-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Anibal Monsalve Salazar <ani...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
libpng12-0 - PNG library - runtime
libpng12-0-udeb - PNG library - minimal runtime library (udeb)
libpng12-dev - PNG library - development
libpng3 - PNG library - runtime
Closes: 803078 805113
Changes:
libpng (1.2.49-1+deb7u1) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add CVE-2015-7981.patch patch.
CVE-2015-7981: Out-of-bounds read in png_convert_to_rfc1123.
(Closes: #803078)
* Add Prevent-writing-over-length-PLTE-chunk-Cosm.patch patch.
CVE-2015-8126: Multiple buffer overflows in the png_set_PLTE and
png_get_PLTE functions. (Closes: #805113)
* Add Fixed-new-bug-with-CRC-error-after-reading-.patch patch.
Fixed new bug with CRC error after reading an over-length palette.
Checksums-Sha1:
2934aa4cc73fe37280f8c5623d13898c6c27ec92 1987 libpng_1.2.49-1+deb7u1.dsc
93cdd7e4fe01b490cf045e3f354ab38f0200c540 669011 libpng_1.2.49.orig.tar.bz2
e9061afc87f2a68ce12eefa61b5ff4cd5a0c4fac 18111 libpng_1.2.49-1+deb7u1.debian.tar.bz2
04c71ca3c81152aa6b434ad94c5ad10d83159a21 190692 libpng12-0_1.2.49-1+deb7u1_amd64.deb
b775b9354a73ed8e8a419b8d7964a3213a75d0d6 267326 libpng12-dev_1.2.49-1+deb7u1_amd64.deb
4db3f15a6f9f71b9fe1d2c7e4d7a61eacf082610 958 libpng3_1.2.49-1+deb7u1_amd64.deb
3d3426bb51b7ff20420e7aefc3c350a15e0fb49d 63896 libpng12-0-udeb_1.2.49-1+deb7u1_amd64.udeb
Checksums-Sha256:
3f39b5b17b75d1a390b05d0c7169560bd15e621a204a8ff0d5814f3dff441288 1987 libpng_1.2.49-1+deb7u1.dsc
fbf8faa70ebca2ed2ee6df6f2249f4722517b581af5b6c3c71bbdaf925d5954e 669011 libpng_1.2.49.orig.tar.bz2
82a191df9f4430cc9dc4372201e2dd16f294031dcc492116e6d4f765279bf0dd 18111 libpng_1.2.49-1+deb7u1.debian.tar.bz2
dd0b8620227148f32903a50b60b78612c99e68a4166ae7f5f149a281566995c5 190692 libpng12-0_1.2.49-1+deb7u1_amd64.deb
3b85742458c119c7c4ba0aeab6b1b9425acf0d5cb3b3732736c99554c9bab2dd 267326 libpng12-dev_1.2.49-1+deb7u1_amd64.deb
84781eaf148632a54c81bc34c00b1946aa2b7acda835018a689e08c9ddeebd5d 958 libpng3_1.2.49-1+deb7u1_amd64.deb
3ebdcc2e886f871dc18f34cdaa5917546ad1fc393e60c33405d5070f5b6bad76 63896 libpng12-0-udeb_1.2.49-1+deb7u1_amd64.udeb
Files:
5fd562ec548a798eb94825a15aee94b8 1987 libs optional libpng_1.2.49-1+deb7u1.dsc
d5106b70b4f8b464a7da66bffe4565fb 669011 libs optional libpng_1.2.49.orig.tar.bz2
a1a69c7a7c312064f60e9c6e7840e755 18111 libs optional libpng_1.2.49-1+deb7u1.debian.tar.bz2
b8cb22e8f7d8dbe4c57630c096e78bd4 190692 libs optional libpng12-0_1.2.49-1+deb7u1_amd64.deb
b67174ad000d1fe9c93d28ed52c4bc4d 267326 libdevel optional libpng12-dev_1.2.49-1+deb7u1_amd64.deb
66b63e967b20aa836632fd9f289fcc66 958 oldlibs optional libpng3_1.2.49-1+deb7u1_amd64.deb
5f36e83d58e6d0084585b95db650fad4 63896 debian-installer extra libpng12-0-udeb_1.2.49-1+deb7u1_amd64.udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=QARm
-----END PGP SIGNATURE-----
--- End Message ---