Security update for libpng12-0 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:0901-1 Final 1 1 2017-03-31T09:47:51Z current 2017-03-31T09:47:51Z 2017-03-31T09:47:51Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libpng12-0 This update for libpng12-0 fixes the following issues: Security issues fixed: - CVE-2015-8540: read underflow in libpng (bsc#958791) - CVE-2016-10087: NULL pointer dereference in png_set_text_2() (bsc#1017646) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sdksp4-libpng12-0-13045,slessp4-libpng12-0-13045 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20170901-1/ Link for SUSE-SU-2017:0901-1 https://lists.suse.com/pipermail/sle-security-updates/2017-March/002778.html E-Mail link for SUSE-SU-2017:0901-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1017646 SUSE Bug 1017646 https://bugzilla.suse.com/958791 SUSE Bug 958791 https://www.suse.com/security/cve/CVE-2015-8540/ SUSE CVE CVE-2015-8540 page https://www.suse.com/security/cve/CVE-2016-10087/ SUSE CVE CVE-2016-10087 page SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server for SAP Applications 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4 libpng-devel-1.2.31-5.43.1 libpng-devel-32bit-1.2.31-5.43.1 libpng12-0-1.2.31-5.43.1 libpng12-0-32bit-1.2.31-5.43.1 libpng12-0-x86-1.2.31-5.43.1 libpng12-0-1.2.31-5.43.1 as a component of SUSE Linux Enterprise Server 11 SP4 libpng12-0-32bit-1.2.31-5.43.1 as a component of SUSE Linux Enterprise Server 11 SP4 libpng12-0-x86-1.2.31-5.43.1 as a component of SUSE Linux Enterprise Server 11 SP4 libpng12-0-1.2.31-5.43.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libpng12-0-32bit-1.2.31-5.43.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libpng12-0-x86-1.2.31-5.43.1 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 libpng-devel-1.2.31-5.43.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 libpng-devel-32bit-1.2.31-5.43.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image, which triggers an out-of-bounds read. CVE-2015-8540 SUSE Linux Enterprise Server 11 SP4:libpng12-0-1.2.31-5.43.1 SUSE Linux Enterprise Server 11 SP4:libpng12-0-32bit-1.2.31-5.43.1 SUSE Linux Enterprise Server 11 SP4:libpng12-0-x86-1.2.31-5.43.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libpng12-0-1.2.31-5.43.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libpng12-0-32bit-1.2.31-5.43.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libpng12-0-x86-1.2.31-5.43.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libpng-devel-1.2.31-5.43.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libpng-devel-32bit-1.2.31-5.43.1 low 4 AV:N/AC:H/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170901-1/ https://www.suse.com/security/cve/CVE-2015-8540.html CVE-2015-8540 https://bugzilla.suse.com/1149680 SUSE Bug 1149680 https://bugzilla.suse.com/958791 SUSE Bug 958791 https://bugzilla.suse.com/963937 SUSE Bug 963937 The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure. CVE-2016-10087 SUSE Linux Enterprise Server 11 SP4:libpng12-0-1.2.31-5.43.1 SUSE Linux Enterprise Server 11 SP4:libpng12-0-32bit-1.2.31-5.43.1 SUSE Linux Enterprise Server 11 SP4:libpng12-0-x86-1.2.31-5.43.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libpng12-0-1.2.31-5.43.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libpng12-0-32bit-1.2.31-5.43.1 SUSE Linux Enterprise Server for SAP Applications 11 SP4:libpng12-0-x86-1.2.31-5.43.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libpng-devel-1.2.31-5.43.1 SUSE Linux Enterprise Software Development Kit 11 SP4:libpng-devel-32bit-1.2.31-5.43.1 low 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170901-1/ https://www.suse.com/security/cve/CVE-2016-10087.html CVE-2016-10087 https://bugzilla.suse.com/1017646 SUSE Bug 1017646 https://bugzilla.suse.com/1149680 SUSE Bug 1149680