SB2015020219 - Buffer overflow in libpng (Alpine package)
Published: February 2, 2015
Security Bulletin ID
SB2015020219
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Buffer overflow (CVE-ID: CVE-2015-0973)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng before 1.5.21 and 1.6.x before 1.6.16 allows context-dependent attackers to execute arbitrary code via IDAT data with a large width, a different vulnerability than CVE-2014-9495.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=7a7c3dc1ee28d4241d5ef12fb033da839898f056
- https://git.alpinelinux.org/aports/commit/?id=1e8386cb736fd14d922b00487b5d853cb3a8cd37
- https://git.alpinelinux.org/aports/commit/?id=f7af94eb6c9bf83969fad2176e8adf3752060856
- https://git.alpinelinux.org/aports/commit/?id=d4d31395bc2167eb3fb90dc6d51f93c7fde47230