Red Hat Customer Portal

Security Advisory Moderate: libpng security update

Advisory: RHSA-2015:2594-1
Type: Security Advisory
Severity: Moderate
Issued on: 2015-12-09
Last updated on: 2015-12-09
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server EUS (v. 6.7.z)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2015-7981
CVE-2015-8126
CVE-2015-8472

Details

Updated libpng packages that fix three security issues are now available
for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which
give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The libpng packages contain a library of functions for creating and
manipulating PNG (Portable Network Graphics) image format files.

It was discovered that the png_get_PLTE() and png_set_PLTE() functions of
libpng did not correctly calculate the maximum palette size for bit depths
of less than 8. If an application used these functions in combination with
properly calculated palette sizes, this could lead to a buffer overflow or
out-of-bounds reads. An attacker could exploit this to cause a crash or
potentially execute arbitrary code by tricking an unsuspecting user into
processing a specially crafted PNG image. However, the exact impact depends
on the application using the library. (CVE-2015-8126, CVE-2015-8472)
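
The palette-size rule at issue can be checked on input before it reaches the library. The following is an added example, not libpng code or the backported patch: it walks a PNG buffer and flags a PLTE chunk carrying more than 2^bit_depth entries for a palette image. The names check_plte, max_palette_entries and sample_png are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: 1x1 palette image, bit depth 1, three PLTE entries
 * (one more than 2^1 allows). CRC fields are zeroed; CRCs are not checked. */
unsigned char sample_png[] = {
    0x89,'P','N','G','\r','\n',0x1a,'\n',
    0,0,0,13, 'I','H','D','R', 0,0,0,1, 0,0,0,1, 1,3,0,0,0, 0,0,0,0,
    0,0,0,9,  'P','L','T','E', 0,0,0, 255,0,0, 0,255,0, 0,0,0,0,
    0,0,0,0,  'I','E','N','D', 0,0,0,0 };

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Palette images (color type 3) may hold at most 2^bit_depth entries;
 * the format-wide ceiling is 256. */
unsigned max_palette_entries(unsigned color_type, unsigned bit_depth) {
    return (color_type == 3 && bit_depth < 8) ? 1u << bit_depth : 256u;
}

/* Returns 1 if PLTE exceeds the limit, 0 if acceptable, -1 if malformed. */
int check_plte(const unsigned char *buf, size_t len) {
    unsigned color_type = 0, bit_depth = 0, seen_ihdr = 0;
    size_t off = 8;
    if (len < 8 || memcmp(buf, "\x89PNG\r\n\x1a\n", 8) != 0)
        return -1;
    while (len - off >= 12) {                /* length + type + CRC */
        uint32_t clen = be32(buf + off);
        const unsigned char *type = buf + off + 4;
        if (clen > len - off - 12)
            return -1;                       /* chunk runs past the buffer */
        if (memcmp(type, "IHDR", 4) == 0) {
            if (clen != 13) return -1;
            bit_depth = type[4 + 8];         /* after width and height */
            color_type = type[4 + 9];
            seen_ihdr = 1;
        } else if (memcmp(type, "PLTE", 4) == 0) {
            if (!seen_ihdr || clen % 3 != 0) return -1;
            if (clen / 3 > max_palette_entries(color_type, bit_depth))
                return 1;                    /* oversized palette */
        } else if (memcmp(type, "IEND", 4) == 0) {
            break;
        }
        off += 12 + (size_t)clen;
    }
    return seen_ihdr ? 0 : -1;
}
```

A pre-filter of this kind complements the package update for applications that accept untrusted images; it does not replace it.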

An array-indexing error was discovered in the png_convert_to_rfc1123()
function of libpng. An attacker could possibly use this flaw to cause an
out-of-bounds read by tricking an unsuspecting user into processing a
specially crafted PNG image. (CVE-2015-7981)

All libpng users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
libpng-1.2.49-2.el6_7.src.rpm

IA-32:
libpng-1.2.49-2.el6_7.i686.rpm
libpng-debuginfo-1.2.49-2.el6_7.i686.rpm
libpng-devel-1.2.49-2.el6_7.i686.rpm
libpng-static-1.2.49-2.el6_7.i686.rpm

x86_64:
libpng-1.2.49-2.el6_7.i686.rpm
libpng-1.2.49-2.el6_7.x86_64.rpm
libpng-debuginfo-1.2.49-2.el6_7.i686.rpm
libpng-debuginfo-1.2.49-2.el6_7.x86_64.rpm
libpng-devel-1.2.49-2.el6_7.i686.rpm
libpng-devel-1.2.49-2.el6_7.x86_64.rpm
libpng-static-1.2.49-2.el6_7.x86_64.rpm
 
Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
libpng-1.2.49-2.el6_7.src.rpm

x86_64:
libpng-1.2.49-2.el6_7.i686.rpm
libpng-1.2.49-2.el6_7.x86_64.rpm
libpng-debuginfo-1.2.49-2.el6_7.i686.rpm
libpng-debuginfo-1.2.49-2.el6_7.x86_64.rpm
libpng-devel-1.2.49-2.el6_7.i686.rpm
libpng-devel-1.2.49-2.el6_7.x86_64.rpm
libpng-static-1.2.49-2.el6_7.x86_64.rpm
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
libpng-1.2.49-2.el6_7.src.rpm

IA-32:
libpng-1.2.49-2.el6_7.i686.rpm
libpng-debuginfo-1.2.49-2.el6_7.i686.rpm
libpng-devel-1.2.49-2.el6_7.i686.rpm
libpng-static-1.2.49-2.el6_7.i686.rpm

PPC:
libpng-1.2.49-2.el6_7.ppc.rpm
libpng-1.2.49-2.el6_7.ppc64.rpm
libpng-debuginfo-1.2.49-2.el6_7.ppc.rpm
libpng-debuginfo-1.2.49-2.el6_7.ppc64.rpm
libpng-devel-1.2.49-2.el6_7.ppc.rpm
libpng-devel-1.2.49-2.el6_7.ppc64.rpm
libpng-static-1.2.49-2.el6_7.ppc64.rpm

s390x:
libpng-1.2.49-2.el6_7.s390.rpm
libpng-1.2.49-2.el6_7.s390x.rpm
libpng-debuginfo-1.2.49-2.el6_7.s390.rpm
libpng-debuginfo-1.2.49-2.el6_7.s390x.rpm
libpng-devel-1.2.49-2.el6_7.s390.rpm
libpng-devel-1.2.49-2.el6_7.s390x.rpm
libpng-static-1.2.49-2.el6_7.s390x.rpm

x86_64:
libpng-1.2.49-2.el6_7.i686.rpm
libpng-1.2.49-2.el6_7.x86_64.rpm
libpng-debuginfo-1.2.49-2.el6_7.i686.rpm
libpng-debuginfo-1.2.49-2.el6_7.x86_64.rpm
libpng-devel-1.2.49-2.el6_7.i686.rpm
libpng-devel-1.2.49-2.el6_7.x86_64.rpm
libpng-static-1.2.49-2.el6_7.x86_64.rpm
 
Red Hat Enterprise Linux Server EUS (v. 6.7.z)

SRPMS:
libpng-1.2.49-2.el6_7.src.rpm

IA-32:
libpng-1.2.49-2.el6_7.i686.rpm
libpng-debuginfo-1.2.49-2.el6_7.i686.rpm
libpng-devel-1.2.49-2.el6_7.i686.rpm
libpng-static-1.2.49-2.el6_7.i686.rpm

PPC:
libpng-1.2.49-2.el6_7.ppc.rpm
libpng-1.2.49-2.el6_7.ppc64.rpm
libpng-debuginfo-1.2.49-2.el6_7.ppc.rpm
libpng-debuginfo-1.2.49-2.el6_7.ppc64.rpm
libpng-devel-1.2.49-2.el6_7.ppc.rpm
libpng-devel-1.2.49-2.el6_7.ppc64.rpm
libpng-static-1.2.49-2.el6_7.ppc64.rpm

s390x:
libpng-1.2.49-2.el6_7.s390.rpm
libpng-1.2.49-2.el6_7.s390x.rpm
libpng-debuginfo-1.2.49-2.el6_7.s390.rpm
libpng-debuginfo-1.2.49-2.el6_7.s390x.rpm
libpng-devel-1.2.49-2.el6_7.s390.rpm
libpng-devel-1.2.49-2.el6_7.s390x.rpm
libpng-static-1.2.49-2.el6_7.s390x.rpm

x86_64:
libpng-1.2.49-2.el6_7.i686.rpm
libpng-1.2.49-2.el6_7.x86_64.rpm
libpng-debuginfo-1.2.49-2.el6_7.i686.rpm
libpng-debuginfo-1.2.49-2.el6_7.x86_64.rpm
libpng-devel-1.2.49-2.el6_7.i686.rpm
libpng-devel-1.2.49-2.el6_7.x86_64.rpm
libpng-static-1.2.49-2.el6_7.x86_64.rpm
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
libpng-1.2.49-2.el6_7.src.rpm

IA-32:
libpng-1.2.49-2.el6_7.i686.rpm
libpng-debuginfo-1.2.49-2.el6_7.i686.rpm
libpng-devel-1.2.49-2.el6_7.i686.rpm
libpng-static-1.2.49-2.el6_7.i686.rpm

x86_64:
libpng-1.2.49-2.el6_7.i686.rpm
libpng-1.2.49-2.el6_7.x86_64.rpm
libpng-debuginfo-1.2.49-2.el6_7.i686.rpm
libpng-debuginfo-1.2.49-2.el6_7.x86_64.rpm
libpng-devel-1.2.49-2.el6_7.i686.rpm
libpng-devel-1.2.49-2.el6_7.x86_64.rpm
libpng-static-1.2.49-2.el6_7.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1276416 - CVE-2015-7981 libpng: Out-of-bounds read in png_convert_to_rfc1123
1281756 - CVE-2015-8126 CVE-2015-8472 libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/