libpng12-1.2.50-7.el7

エラータID: AXSA:2015-919:01

Release date: 
Wednesday, December 9, 2015 - 22:51
Subject: 
libpng12-1.2.50-7.el7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

The libpng12 package provides libpng 1.2, an older version of the libpng
library for manipulating PNG (Portable Network Graphics) image format files.
This version should be used only if you are unable to use the current
version of libpng.

Security issues fixed with this release:

CVE-2015-7981
The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before
1.0.64, 1.2.x before 1.2.54, and 1.4.x before 1.4.17 allows remote
attackers to obtain sensitive process memory information via crafted
tIME chunk data in an image file, which triggers an out-of-bounds
read.
CVE-2015-8126
Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE
functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54,
1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before
1.6.19 allow remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via a
small bit-depth value in an IHDR (aka image header) chunk in a PNG
image.
CVE-2015-8472
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.

Solution: 

Update packages.

CVEs: 
CVE-2015-7981
The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before 1.0.64, 1.2.x before 1.2.54, and 1.4.x before 1.4.17 allows remote attackers to obtain sensitive process memory information via crafted tIME chunk data in an image file, which triggers an out-of-bounds read.
CVE-2015-8126
Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.
CVE-2015-8472
Buffer overflow in the png_set_PLTE function in libpng before 1.0.65, 1.1.x and 1.2.x before 1.2.55, 1.3.x, 1.4.x before 1.4.18, 1.5.x before 1.5.25, and 1.6.x before 1.6.20 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8126.
Additional Info: 

N/A

Download: 

SRPMS
  1. libpng12-1.2.50-7.el7.src.rpm
    MD5: af016fad40f1b8ca128b802873da0dca
    SHA-256: 761dbeb4d85a40c939dbaa52a0313e1a61d07ff561da90d42d06ab2feac678d3
    Size: 658.27 kB

Asianux Server 7 for x86_64
  1. libpng12-1.2.50-7.el7.x86_64.rpm
    MD5: a0c6ee08ec6ba4abe8953e8e6aea030f
    SHA-256: f0e6f59b8a02ec250ecb70d60e280ae7a18eba071a59d733b1b60be5bebc0834
    Size: 177.85 kB
  2. libpng12-1.2.50-7.el7.i686.rpm
    MD5: 726fa4f8897f40988f49d3dadbd616a3
    SHA-256: 6a2139c98eda0a0dff542ffb3637c9c0c92ce973aa63aac2a669536bf927992e
    Size: 180.54 kB