[SECURITY] [DLA 375-1] libpng security update

2015-12-2721:02:26

lists.debian.org

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.022 Low

EPSS

Percentile

89.4%

JSON

Package : libpng
Version : 1.2.44-1+squeeze6
CVE ID : CVE-2012-3425 CVE-2015-8472 CVE-2015-8540

CVE-2015-8472
update incomplete patch for CVE-2015-8126

CVE-2015-8540
underflow read in png_check_keyword in pngwutil.c

CVE-2012-3425
The png_push_read_zTXt function in pngpread.c in libpng 1.0.x
before 1.0.58, 1.2.x before 1.2.48, 1.4.x before 1.4.10, and
1.5.x before 1.5.10 allows remote attackers to cause a denial
of service (out-of-bounds read) via a large avail_in field value
in a PNG image.

OSVersionArchitecturePackageVersionFilename
Debian7powerpclibpng12-0< 1.2.49-1+deb7u2libpng12-0_1.2.49-1+deb7u2_powerpc.deb
Debian6i386libpng12-dev< 1.2.44-1+squeeze6libpng12-dev_1.2.44-1+squeeze6_i386.deb
Debian8s390xlibpng12-0< 1.2.50-2+deb8u2libpng12-0_1.2.50-2+deb8u2_s390x.deb
Debian7kfreebsd-amd64libpng12-0-udeb< 1.2.49-1+deb7u2libpng12-0-udeb_1.2.49-1+deb7u2_kfreebsd-amd64.deb
Debian7s390xlibpng3< 1.2.49-1+deb7u2libpng3_1.2.49-1+deb7u2_s390x.deb
Debian7sparclibpng12-0< 1.2.49-1+deb7u2libpng12-0_1.2.49-1+deb7u2_sparc.deb
Debian7i386libpng12-0-udeb< 1.2.49-1+deb7u2libpng12-0-udeb_1.2.49-1+deb7u2_i386.deb
Debian7powerpclibpng3< 1.2.49-1+deb7u2libpng3_1.2.49-1+deb7u2_powerpc.deb
Debian8amd64libpng3< 1.2.50-2+deb8u2libpng3_1.2.50-2+deb8u2_amd64.deb
Debian7amd64libpng12-0< 1.2.49-1+deb7u2libpng12-0_1.2.49-1+deb7u2_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	powerpc	libpng12-0	< 1.2.49-1+deb7u2	libpng12-0_1.2.49-1+deb7u2_powerpc.deb
Debian	6	i386	libpng12-dev	< 1.2.44-1+squeeze6	libpng12-dev_1.2.44-1+squeeze6_i386.deb
Debian	8	s390x	libpng12-0	< 1.2.50-2+deb8u2	libpng12-0_1.2.50-2+deb8u2_s390x.deb
Debian	7	kfreebsd-amd64	libpng12-0-udeb	< 1.2.49-1+deb7u2	libpng12-0-udeb_1.2.49-1+deb7u2_kfreebsd-amd64.deb
Debian	7	s390x	libpng3	< 1.2.49-1+deb7u2	libpng3_1.2.49-1+deb7u2_s390x.deb
Debian	7	sparc	libpng12-0	< 1.2.49-1+deb7u2	libpng12-0_1.2.49-1+deb7u2_sparc.deb
Debian	7	i386	libpng12-0-udeb	< 1.2.49-1+deb7u2	libpng12-0-udeb_1.2.49-1+deb7u2_i386.deb
Debian	7	powerpc	libpng3	< 1.2.49-1+deb7u2	libpng3_1.2.49-1+deb7u2_powerpc.deb
Debian	8	amd64	libpng3	< 1.2.50-2+deb8u2	libpng3_1.2.50-2+deb8u2_amd64.deb
Debian	7	amd64	libpng12-0	< 1.2.49-1+deb7u2	libpng12-0_1.2.49-1+deb7u2_amd64.deb