[security-announce] libpng: CVE-2015-8472: Security Update

Sona Sarmadi sona.sarmadi at enea.com
Fri Mar 18 07:49:08 CET 2016

	Enea Linux Security Advisory

Product/package: libpng 1.6.13/ Enea Linux 5.0
Severity: Medium
CVE Name: CVE-2015-8472
Layer: meta

This security update fixes buffer overflow vulnerabilities in
png_get_PLTE/png_set_PLTE functions.

This patch fixes an incomplete patch in CVE-2015-8126.

Buffer overflow in the png_set_PLTE function in libpng before 1.0.65,
1.1.x and 1.2.x before 1.2.55, 1.3.x, 1.4.x before 1.4.18, 1.5.x before
1.5.25, and 1.6.x before 1.6.20 allows remote attackers to cause a
denial of service (application crash) or possibly have unspecified other
impact via a small bit-depth value in an IHDR (aka image header) chunk
in a PNG image. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2015-8126.


Reference to upstream patch:

Correction for Enea Linux 5.0:

How to get the latest patches
- If you have already cloned needed repositories, update it to get new
security patches.

cd Enea-Linux-5.0/poky
git pull

- If you have not yet cloned needed repositories, do it as described
below. (All patches are fetched implicitly when cloning the repos).

mkdir Enea-Linux-5.0
git -C Enea-Linux-5.0 clone -b dizzy git://git.enea.com/linux/poky.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-enea.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-fsl-ppc.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-linaro.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-
git -C $POKY clone -b dizzy
git -C $POKY/meta-enea clone -b dizzy

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://mail.lists.enea.com/pipermail/security-announce/attachments/20160318/eff2bb52/attachment-0002.sig>

More information about the security-announce mailing list