png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.
Weakness
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory “belongs” to the code that operates on the new pointer.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libpng | Libpng | 1.6.0 (including) | 1.6.37 (excluding) |
| Red Hat Enterprise Linux 6 | RedHat | firefox-0:60.7.0-1.el6_10 | * |
| Red Hat Enterprise Linux 6 | RedHat | thunderbird-0:60.7.0-1.el6_10 | * |
| Red Hat Enterprise Linux 6 Supplementary | RedHat | java-1.7.1-ibm-1:1.7.1.4.50-1jpp.1.el6_10 | * |
| Red Hat Enterprise Linux 6 Supplementary | RedHat | java-1.8.0-ibm-1:1.8.0.5.40-1jpp.1.el6_10 | * |
| Red Hat Enterprise Linux 7 | RedHat | firefox-0:60.7.0-1.el7_6 | * |
| Red Hat Enterprise Linux 7 | RedHat | thunderbird-0:60.7.0-1.el7_6 | * |
| Red Hat Enterprise Linux 7 Supplementary | RedHat | java-1.7.1-ibm-1:1.7.1.4.50-1jpp.1.el7 | * |
| Red Hat Enterprise Linux 7 Supplementary | RedHat | java-1.8.0-ibm-1:1.8.0.5.40-1jpp.1.el7 | * |
| Red Hat Enterprise Linux 8 | RedHat | firefox-0:60.7.0-1.el8_0 | * |
| Red Hat Enterprise Linux 8 | RedHat | thunderbird-0:60.7.0-1.el8_0 | * |
| Red Hat Enterprise Linux 8 | RedHat | java-1.8.0-ibm-1:1.8.0.5.40-3.el8_0 | * |
| Red Hat Satellite 5.8 | RedHat | java-1.8.0-ibm-1:1.8.0.5.40-1jpp.1.el6_10 | * |
| Firefox | Ubuntu | bionic | * |
| Firefox | Ubuntu | cosmic | * |
| Firefox | Ubuntu | devel | * |
| Firefox | Ubuntu | disco | * |
| Firefox | Ubuntu | eoan | * |
| Firefox | Ubuntu | focal | * |
| Firefox | Ubuntu | groovy | * |
| Firefox | Ubuntu | hirsute | * |
| Firefox | Ubuntu | impish | * |
| Firefox | Ubuntu | jammy | * |
| Firefox | Ubuntu | kinetic | * |
| Firefox | Ubuntu | lunar | * |
| Firefox | Ubuntu | mantic | * |
| Firefox | Ubuntu | noble | * |
| Firefox | Ubuntu | oracular | * |
| Firefox | Ubuntu | plucky | * |
| Firefox | Ubuntu | questing | * |
| Firefox | Ubuntu | trusty | * |
| Firefox | Ubuntu | upstream | * |
| Firefox | Ubuntu | xenial | * |
| Libpng1.6 | Ubuntu | bionic | * |
| Libpng1.6 | Ubuntu | cosmic | * |
| Libpng1.6 | Ubuntu | esm-apps/xenial | * |
| Libpng1.6 | Ubuntu | esm-infra/bionic | * |
| Libpng1.6 | Ubuntu | upstream | * |
| Libpng1.6 | Ubuntu | xenial | * |
| Openjdk-12 | Ubuntu | disco | * |
| Openjdk-8 | Ubuntu | bionic | * |
| Openjdk-8 | Ubuntu | disco | * |
| Openjdk-8 | Ubuntu | esm-apps/bionic | * |
| Openjdk-8 | Ubuntu | esm-infra/xenial | * |
| Openjdk-8 | Ubuntu | xenial | * |
| Openjdk-9 | Ubuntu | esm-apps/xenial | * |
| Openjdk-9 | Ubuntu | xenial | * |
| Openjdk-lts | Ubuntu | bionic | * |
| Openjdk-lts | Ubuntu | disco | * |
| Openjdk-lts | Ubuntu | esm-infra/bionic | * |
| Thunderbird | Ubuntu | bionic | * |
| Thunderbird | Ubuntu | cosmic | * |
| Thunderbird | Ubuntu | devel | * |
| Thunderbird | Ubuntu | disco | * |
| Thunderbird | Ubuntu | eoan | * |
| Thunderbird | Ubuntu | focal | * |
| Thunderbird | Ubuntu | groovy | * |
| Thunderbird | Ubuntu | hirsute | * |
| Thunderbird | Ubuntu | impish | * |
| Thunderbird | Ubuntu | jammy | * |
| Thunderbird | Ubuntu | kinetic | * |
| Thunderbird | Ubuntu | lunar | * |
| Thunderbird | Ubuntu | mantic | * |
| Thunderbird | Ubuntu | noble | * |
| Thunderbird | Ubuntu | oracular | * |
| Thunderbird | Ubuntu | plucky | * |
| Thunderbird | Ubuntu | questing | * |
| Thunderbird | Ubuntu | upstream | * |
| Thunderbird | Ubuntu | xenial | * |
Potential Mitigations
References
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00029.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00084.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html
- http://packetstormsecurity.com/files/152561/Slackware-Security-Advisory-libpng-Updates.html
- http://www.securityfocus.com/bid/108098
- https://access.redhat.com/errata/RHSA-2019:1265
- https://access.redhat.com/errata/RHSA-2019:1267
- https://access.redhat.com/errata/RHSA-2019:1269
- https://access.redhat.com/errata/RHSA-2019:1308
- https://access.redhat.com/errata/RHSA-2019:1309
- https://access.redhat.com/errata/RHSA-2019:1310
- https://access.redhat.com/errata/RHSA-2019:2494
- https://access.redhat.com/errata/RHSA-2019:2495
- https://access.redhat.com/errata/RHSA-2019:2585
- https://access.redhat.com/errata/RHSA-2019:2590
- https://access.redhat.com/errata/RHSA-2019:2592
- https://access.redhat.com/errata/RHSA-2019:2737
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803
- https://github.com/glennrp/libpng/issues/275
- https://lists.debian.org/debian-lts-announce/2019/05/msg00032.html
- https://lists.debian.org/debian-lts-announce/2019/05/msg00038.html
- https://seclists.org/bugtraq/2019/Apr/30
- https://seclists.org/bugtraq/2019/Apr/36
- https://seclists.org/bugtraq/2019/May/56
- https://seclists.org/bugtraq/2019/May/59
- https://seclists.org/bugtraq/2019/May/67
- https://security.gentoo.org/glsa/201908-02
- https://security.netapp.com/advisory/ntap-20190719-0005/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03977en_us
- https://usn.ubuntu.com/3962-1/
- https://usn.ubuntu.com/3991-1/
- https://usn.ubuntu.com/3997-1/
- https://usn.ubuntu.com/4080-1/
- https://usn.ubuntu.com/4083-1/
- https://www.debian.org/security/2019/dsa-4435
- https://www.debian.org/security/2019/dsa-4448
- https://www.debian.org/security/2019/dsa-4451
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00029.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00084.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html
- http://packetstormsecurity.com/files/152561/Slackware-Security-Advisory-libpng-Updates.html
- http://www.securityfocus.com/bid/108098
- https://access.redhat.com/errata/RHSA-2019:1265
- https://access.redhat.com/errata/RHSA-2019:1267
- https://access.redhat.com/errata/RHSA-2019:1269
- https://access.redhat.com/errata/RHSA-2019:1308
- https://access.redhat.com/errata/RHSA-2019:1309
- https://access.redhat.com/errata/RHSA-2019:1310
- https://access.redhat.com/errata/RHSA-2019:2494
- https://access.redhat.com/errata/RHSA-2019:2495
- https://access.redhat.com/errata/RHSA-2019:2585
- https://access.redhat.com/errata/RHSA-2019:2590
- https://access.redhat.com/errata/RHSA-2019:2592
- https://access.redhat.com/errata/RHSA-2019:2737
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803
- https://github.com/glennrp/libpng/issues/275
- https://lists.debian.org/debian-lts-announce/2019/05/msg00032.html
- https://lists.debian.org/debian-lts-announce/2019/05/msg00038.html
- https://seclists.org/bugtraq/2019/Apr/30
- https://seclists.org/bugtraq/2019/Apr/36
- https://seclists.org/bugtraq/2019/May/56
- https://seclists.org/bugtraq/2019/May/59
- https://seclists.org/bugtraq/2019/May/67
- https://security.gentoo.org/glsa/201908-02
- https://security.netapp.com/advisory/ntap-20190719-0005/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03977en_us
- https://usn.ubuntu.com/3962-1/
- https://usn.ubuntu.com/3991-1/
- https://usn.ubuntu.com/3997-1/
- https://usn.ubuntu.com/4080-1/
- https://usn.ubuntu.com/4083-1/
- https://www.debian.org/security/2019/dsa-4435
- https://www.debian.org/security/2019/dsa-4448
- https://www.debian.org/security/2019/dsa-4451
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html