libpng-1.2.49-2.AXS4

エラータID: AXSA:2015-917:01

Release date: 
Wednesday, December 9, 2015 - 21:49
Subject: 
libpng-1.2.49-2.AXS4
Affected Channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
Moderate
Description: 

Security issues fixed with this release:

CVE-2015-7981
The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before
1.0.64, 1.2.x before 1.2.54, and 1.4.x before 1.4.17 allows remote
attackers to obtain sensitive process memory information via crafted
tIME chunk data in an image file, which triggers an out-of-bounds
read.
CVE-2015-8126
Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE
functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54,
1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before
1.6.19 allow remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via a
small bit-depth value in an IHDR (aka image header) chunk in a PNG
image.
CVE-2015-8472
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.

Solution: 

Update packages.

CVEs: 
CVE-2015-7981
The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before 1.0.64, 1.2.x before 1.2.54, and 1.4.x before 1.4.17 allows remote attackers to obtain sensitive process memory information via crafted tIME chunk data in an image file, which triggers an out-of-bounds read.
CVE-2015-8126
Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.
CVE-2015-8472
Buffer overflow in the png_set_PLTE function in libpng before 1.0.65, 1.1.x and 1.2.x before 1.2.55, 1.3.x, 1.4.x before 1.4.18, 1.5.x before 1.5.25, and 1.6.x before 1.6.20 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8126.
Additional Info: 

N/A

Download: 

SRPMS
  1. libpng-1.2.49-2.AXS4.src.rpm
    MD5: b112e5311d68f2683ea50a65f7d5ee6b
    SHA-256: 43f46cb3f281cf761a48ed36004ce9968cb5e31fb46137c42b4c873703fef6ab
    Size: 673.92 kB

Asianux Server 4 for x86
  1. libpng-1.2.49-2.AXS4.i686.rpm
    MD5: b553bd9500f3995157228b178a543c75
    SHA-256: 55a2b9d4c759a63718386a00bd0a615ca19364234c2be6e5ac78ba3f9033f672
    Size: 183.48 kB
  2. libpng-devel-1.2.49-2.AXS4.i686.rpm
    MD5: eeb477083807e343f570fe29f4f42408
    SHA-256: 3aeb572a4cc954fceb287b4ba26eed0afff37ed89d56a04e94681ee9d755cd85
    Size: 111.66 kB

Asianux Server 4 for x86_64
  1. libpng-1.2.49-2.AXS4.x86_64.rpm
    MD5: ce4bf0e1c97e8120d502964e9054c4be
    SHA-256: ffda82e2dd1f58541ca8cc5521c0d9645875e3f3e794b790db18083fcbe42433
    Size: 181.15 kB
  2. libpng-devel-1.2.49-2.AXS4.x86_64.rpm
    MD5: be983ec7a16983d21818e032f26ad224
    SHA-256: c29ec696fb38090e46454be24cf7d514931f022bcf97c8f7568ae225b6ac34cc
    Size: 111.22 kB
  3. libpng-1.2.49-2.AXS4.i686.rpm
    MD5: b553bd9500f3995157228b178a543c75
    SHA-256: 55a2b9d4c759a63718386a00bd0a615ca19364234c2be6e5ac78ba3f9033f672
    Size: 183.48 kB
  4. libpng-devel-1.2.49-2.AXS4.i686.rpm
    MD5: eeb477083807e343f570fe29f4f42408
    SHA-256: 3aeb572a4cc954fceb287b4ba26eed0afff37ed89d56a04e94681ee9d755cd85
    Size: 111.66 kB