The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of libpng: unreachable memory reading via png_convert_to_rfc1123

Synthesis of the vulnerability

An attacker can force a read at an invalid address in the png_convert_to_rfc1123() function of libpng, in order to trigger a denial of service.
Vulnerable systems: Debian, BIG-IP Hardware, TMOS, Fedora, AIX, Domino by IBM, Notes by IBM, libpng, openSUSE, openSUSE Leap, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu, VLC.
Severity of this threat: 1/4.
Creation date: 26/10/2015.
References of this weakness: 1975365, 1976200, 1976262, 1977405, bulletinjul2016, CERTFR-2015-AVI-488, CVE-2015-7981, DSA-3399-1, FEDORA-2015-1d87313b7c, FEDORA-2015-39499d9af8, FEDORA-2015-501493d853, FEDORA-2015-ac8100927a, FEDORA-2015-ec2ddd15d7, openSUSE-SU-2015:2099-1, openSUSE-SU-2015:2136-1, openSUSE-SU-2016:0103-1, RHSA-2015:2594-01, RHSA-2015:2595-01, RHSA-2016:0099-01, RHSA-2016:0100-01, RHSA-2016:0101-01, SOL21057235, SSA:2015-337-01, SUSE-SU-2016:0399-1, SUSE-SU-2016:0401-1, SUSE-SU-2016:0428-1, SUSE-SU-2016:0431-1, SUSE-SU-2016:0433-1, SUSE-SU-2016:0636-1, SUSE-SU-2016:0770-1, SUSE-SU-2016:0776-1, USN-2815-1, VIGILANCE-VUL-18176.

Description of the vulnerability

RFC 1123 defines a date format that uses four digits for the year.

The png_convert_to_rfc1123() function of libpng converts a time to a text string. However, if the month number is greater than 11, the function reads from an unreachable memory area, which triggers a fatal error.

An attacker can therefore force a read at an invalid address in the png_convert_to_rfc1123() function of libpng, in order to trigger a denial of service.
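The fault described above, as an added example that is not libpng's own code: a hypothetical formatter that decodes the 7-byte PNG tIME chunk payload into an RFC 1123-style string. The month byte is used as an index into a twelve-entry month-name table, so a month outside 1..12 would read past the table; the hardened path rejects out-of-range fields before the lookup. The struct, function names, SHORT_MONTHS table and sample chunk bytes are constructed for this illustration; only the range checks follow the PNG specification's definition of tIME.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical decoded form of the 7-byte PNG tIME chunk payload:
   year (2 bytes, big-endian), then month, day, hour, minute, second. */
typedef struct {
    uint16_t year;
    uint8_t month, day, hour, minute, second;
} tIME_fields;

/* Twelve entries, indexed by month - 1. Any index outside 0..11
   reads past the table, which is the shape of the libpng fault. */
static const char *const SHORT_MONTHS[12] = {
    "Jan", "Feb", "Mar", "Apr", "May", "Jun",
    "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
};

/* Constructed sample payloads (not taken from any real file). */
const uint8_t SAMPLE_TIME_OK[7]  = {0x07, 0xDF, 10, 26, 12, 34, 56}; /* 2015-10-26 12:34:56 */
const uint8_t SAMPLE_TIME_BAD[7] = {0x07, 0xDF, 13, 26, 12, 34, 56}; /* month 13: out of range */

/* Decode the raw payload; the length must be exactly 7 bytes. */
int tIME_parse(const uint8_t *data, size_t len, tIME_fields *out)
{
    if (len != 7)
        return 0;
    out->year   = (uint16_t)((data[0] << 8) | data[1]);
    out->month  = data[2];
    out->day    = data[3];
    out->hour   = data[4];
    out->minute = data[5];
    out->second = data[6];
    return 1;
}

/* Range checks from the PNG specification's tIME definition:
   month 1-12, day 1-31, hour 0-23, minute 0-59, second 0-60. */
int tIME_valid(const tIME_fields *t)
{
    return t->month >= 1 && t->month <= 12 &&
           t->day   >= 1 && t->day   <= 31 &&
           t->hour <= 23 && t->minute <= 59 && t->second <= 60;
}

/* Vulnerable shape: the table lookup trusts the month byte from the file.
   Only ever call this with fields that passed tIME_valid(). */
int rfc1123_unchecked(const tIME_fields *t, char *buf, size_t buflen)
{
    return snprintf(buf, buflen, "%u %s %u %02u:%02u:%02u +0000",
                    (unsigned)t->day, SHORT_MONTHS[t->month - 1], (unsigned)t->year,
                    (unsigned)t->hour, (unsigned)t->minute, (unsigned)t->second);
}

/* Hardened form: refuse out-of-range fields before indexing, and treat
   snprintf truncation as a failure too. Returns the string length, or 0. */
int rfc1123_checked(const tIME_fields *t, char *buf, size_t buflen)
{
    if (!tIME_valid(t))
        return 0;
    int n = rfc1123_unchecked(t, buf, buflen);
    if (n < 0 || (size_t)n >= buflen)
        return 0;
    return n;
}

/* Full path from chunk bytes to text. Returns the string length, or 0. */
int format_tIME_chunk(const uint8_t *data, size_t len, char *buf, size_t buflen)
{
    tIME_fields t;
    if (!tIME_parse(data, len, &t))
        return 0;
    return rfc1123_checked(&t, buf, buflen);
}

/* Convenience wrapper with a static buffer: the string, or NULL on rejection. */
const char *format_tIME_sample(const uint8_t *data, size_t len)
{
    static char buf[64];
    return format_tIME_chunk(data, len, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    const char *ok  = format_tIME_sample(SAMPLE_TIME_OK, sizeof SAMPLE_TIME_OK);
    const char *bad = format_tIME_sample(SAMPLE_TIME_BAD, sizeof SAMPLE_TIME_BAD);
    printf("valid chunk -> %s\n", ok ? ok : "(rejected)");
    printf("month 13    -> %s\n", bad ? bad : "(rejected)");
    return 0;
}
```

The design point is that validation happens once, at the boundary where untrusted bytes become fields, and the formatting routine never sees a value it cannot index safely; a caller that skips tIME_valid() reintroduces the out-of-bounds read.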

This vulnerability bulletin impacts software or systems such as Debian, BIG-IP Hardware, TMOS, Fedora, AIX, Domino by IBM, Notes by IBM, libpng, openSUSE, openSUSE Leap, Solaris, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu, VLC.

Our Vigil@nce team determined that the severity of this security note is low.

The trust level is "confirmed by the editor", with a vendor document as origin.

An attacker with an expert ability can exploit this cybersecurity note.

Solutions for this threat

libpng: versions 1.0.64, 1.2.54, 1.4.17, 1.5.24 and 1.6.19.
Versions 1.0.64, 1.2.54, 1.4.17, 1.5.24 and 1.6.19 are fixed:
  http://libpng.sf.net
  ftp://ftp.simplesystems.org/pub/png/src/

libpng: version 1.6.
The version 1.6 is fixed:
  http://sourceforge.net/p/libpng/

AIX: fixed versions for IBM Java.
Fixed versions are indicated in information sources.

Debian: new libpng packages.
New packages are available:
  Debian 7: libpng 1.2.49-1+deb7u1
  Debian 8: libpng 1.2.50-2+deb8u1

F5 BIG-IP: fixed versions for libpng.
Fixed versions are indicated in information sources.

Fedora: new libpng10 packages.
New packages are available:
  Fedora 21: libpng10 1.0.64-1.fc21
  Fedora 22: libpng10 1.0.64-1.fc22
  Fedora 23: libpng10 1.0.64-1.fc23

Fedora: new libpng12 packages.
New packages are available:
  Fedora 22: libpng12 1.2.56-1.fc22
  Fedora 23: libpng12 1.2.56-1.fc23

IBM Domino, Notes: patch for Java.
A patch is available:
  For the version 9.0.1 Fix Pack 5: http://www.ibm.com/support/docview.wss?uid=swg21657963
  For the version 8.5.3 Fix Pack 6: http://www-01.ibm.com/support/docview.wss?uid=swg21663874

IBM Notes: patch for libpng.
A patch is indicated in information sources.

IBM TADDM: solution for Java.
The solution is indicated in information sources.

openSUSE: new libpng12 packages.
New packages are available:
  openSUSE 13.1: libpng12-0 1.2.50-6.7.1
  openSUSE 13.2: libpng12-0 1.2.51-3.3.1
  openSUSE Leap 42.1: libpng12-0 1.2.50-8.1

RHEL 6.7: new libpng packages.
New packages are available:
  RHEL 6: libpng 1.2.49-2.el6_7

RHEL 7.2: new libpng12 packages.
New packages are available:
  RHEL 7: libpng12 1.2.50-7.el7_2

RHEL: new java-1.6.0-ibm packages.
New packages are available:
  RHEL 5: java-1.6.0-ibm 1.6.0.16.20-1jpp.1.el5
  RHEL 6: java-1.6.0-ibm 1.6.0.16.20-1jpp.1.el6_7

RHEL: new java-1.7.x-ibm packages.
New packages are available:
  RHEL 6: java-1.7.1-ibm 1.7.1.3.30-1jpp.2.el6_7
  RHEL 5: java-1.7.0-ibm 1.7.0.9.30-1jpp.1.el5

Slackware: new libpng packages.
New packages are available:
  Slackware 13.0: libpng 1.2.54-*-1_slack13.0
  Slackware 13.1: libpng 1.4.17-*-1_slack13.1
  Slackware 13.37: libpng 1.4.17-*-1_slack13.37
  Slackware 14.0: libpng 1.4.17-*-1_slack14.0
  Slackware 14.1: libpng 1.4.17-*-1_slack14.1

Solaris: patch for third party software of July 2016 v1.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

SUSE LE 10 SP4: new java-1_6_0-ibm packages.
New packages are available:
  SUSE LE 10 SP4: java-1_6_0-ibm 1.6.0_sr16.20-0.8.1

SUSE LE 11 SP3: new java-1_7_0-ibm packages.
New packages are available:
  SUSE LE 11 SP3: java-1_7_0-ibm 1.7.0_sr9.30-47.1

SUSE LE: new java-1_6_0-ibm packages.
New packages are available:
  SUSE LE 11 SP2: java-1_6_0-ibm 1.6.0_sr16.20-49.1
  SUSE LE 11 SP3: java-1_6_0-ibm 1.6.0_sr16.20-51.1
  SUSE LE 12 RTM: java-1_6_0-ibm 1.6.0_sr16.20-30.1

SUSE LE: new java-1_7_0-ibm packages.
New packages are available:
  SUSE LE 11 SP2: java-1_7_0-ibm 1.7.0_sr9.30-45.1

SUSE LE: new java-1_7_1-ibm packages.
New packages are available:
  SUSE LE 11 SP4: java-1_7_1-ibm 1.7.1_sr3.30-9.1
  SUSE LE 12 RTM: java-1_7_1-ibm 1.7.1_sr3.30-21.1
  SUSE LE 12 SP1: java-1_7_1-ibm 1.7.1_sr3.30-21.1

Ubuntu: new libpng packages.
New packages are available:
  Ubuntu 15.10: libpng12-0 1.2.51-0ubuntu3.15.10.1
  Ubuntu 15.04: libpng12-0 1.2.51-0ubuntu3.15.04.1
  Ubuntu 14.04 LTS: libpng12-0 1.2.50-1ubuntu2.14.04.1
  Ubuntu 12.04 LTS: libpng12-0 1.2.46-3ubuntu4.1

VideoLAN VLC: version 2.2.2.
The version 2.2.2 is fixed:
  http://www.videolan.org/vlc/releases/2.2.2.html
