LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, png_set_tRNS and png_set_PLTE each alias a heap-allocated buffer between png_struct and png_info, sharing a single allocation across two structs with independent lifetimes. The trans_alpha aliasing has been present since at least libpng 1.0, and the palette aliasing since at least 1.2.1. Both affect all prior release lines png_set_tRNS sets png_ptr->trans_alpha = info_ptr->trans_alpha (256-byte buffer) and png_set_PLTE sets info_ptr->palette = png_ptr->palette (768-byte buffer). In both cases, calling png_free_data (with PNG_FREE_TRNS or PNG_FREE_PLTE) frees the buffer through info_ptr while the corresponding png_ptr pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to png_set_tRNS or png_set_PLTE has the same effect, because both functions call png_free_data internally before reallocating the info_ptr buffer. Version 1.6.56 fixes the issue.
Weakness
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory “belongs” to the code that operates on the new pointer.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libpng | Libpng | 1.2.1 (including) | 1.6.56 (excluding) |
| OPENJDK ELS 11.0.31 | RedHat | java-11-openjdk-portable | * |
| Red Hat Enterprise Linux 10 | RedHat | libpng-2:1.6.40-8.el10_1.4 | * |
| Red Hat Enterprise Linux 10 | RedHat | firefox-0:140.9.1-1.el10_1 | * |
| Red Hat Enterprise Linux 10 | RedHat | thunderbird-0:140.9.1-1.el10_1 | * |
| Red Hat Enterprise Linux 10 | RedHat | java-25-openjdk-1:25.0.3.0.9-1.el10_2 | * |
| Red Hat Enterprise Linux 10.0 Extended Update Support | RedHat | thunderbird-0:140.9.1-1.el10_0 | * |
| Red Hat Enterprise Linux 10.0 Extended Update Support | RedHat | firefox-0:140.9.1-1.el10_0 | * |
| Red Hat Enterprise Linux 10.0 Extended Update Support | RedHat | libpng-2:1.6.40-8.el10_0.4 | * |
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | RedHat | firefox-0:140.9.1-2.el7_9 | * |
| Red Hat Enterprise Linux 8 | RedHat | libpng15-0:1.5.30-9.el8_10 | * |
| Red Hat Enterprise Linux 8 | RedHat | libpng12-0:1.2.57-7.el8_10 | * |
| Red Hat Enterprise Linux 8 | RedHat | firefox-0:140.9.1-1.el8_10 | * |
| Red Hat Enterprise Linux 8 | RedHat | thunderbird-0:140.9.1-1.el8_10 | * |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | RedHat | firefox-0:140.9.1-1.el8_2 | * |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | RedHat | firefox-0:140.9.1-1.el8_4 | * |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | RedHat | thunderbird-0:140.9.1-1.el8_4 | * |
| Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On | RedHat | firefox-0:140.9.1-1.el8_4 | * |
| Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On | RedHat | thunderbird-0:140.9.1-1.el8_4 | * |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | RedHat | firefox-0:140.9.1-1.el8_6 | * |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | RedHat | thunderbird-0:140.9.1-1.el8_6 | * |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | RedHat | firefox-0:140.9.1-1.el8_6 | * |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | RedHat | thunderbird-0:140.9.1-1.el8_6 | * |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | RedHat | firefox-0:140.9.1-1.el8_6 | * |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | RedHat | thunderbird-0:140.9.1-1.el8_6 | * |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | RedHat | firefox-0:140.9.1-1.el8_8 | * |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | RedHat | thunderbird-0:140.9.1-1.el8_8 | * |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | RedHat | firefox-0:140.9.1-1.el8_8 | * |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | RedHat | thunderbird-0:140.9.1-1.el8_8 | * |
| Red Hat Enterprise Linux 9 | RedHat | libpng-2:1.6.37-12.el9_7.4 | * |
| Red Hat Enterprise Linux 9 | RedHat | firefox-0:140.9.1-1.el9_7 | * |
| Red Hat Enterprise Linux 9 | RedHat | thunderbird-0:140.9.1-1.el9_7 | * |
| Red Hat Enterprise Linux 9 | RedHat | java-25-openjdk-1:25.0.3.0.9-1.el9 | * |
| Red Hat Enterprise Linux 9 | RedHat | libpng-2:1.6.37-12.el9_7.4 | * |
| Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | RedHat | thunderbird-0:140.9.1-1.el9_0 | * |
| Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | RedHat | firefox-0:140.9.1-1.el9_0 | * |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | RedHat | thunderbird-0:140.9.1-1.el9_2 | * |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | RedHat | firefox-0:140.9.1-1.el9_2 | * |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | RedHat | libpng-2:1.6.37-12.el9_2.4 | * |
| Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | thunderbird-0:140.9.1-1.el9_4 | * |
| Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | firefox-0:140.9.1-1.el9_4 | * |
| Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | libpng-2:1.6.37-12.el9_4.4 | * |
| Red Hat Enterprise Linux 9.6 Extended Update Support | RedHat | thunderbird-0:140.9.1-1.el9_6 | * |
| Red Hat Enterprise Linux 9.6 Extended Update Support | RedHat | firefox-0:140.9.1-1.el9_6 | * |
| Red Hat Enterprise Linux 9.6 Extended Update Support | RedHat | libpng-2:1.6.37-12.el9_6.4 | * |
| Red Hat OpenJDK 11 els for RHEL 7 | RedHat | java-11-openjdk-1:11.0.31.0.11-1.el7_9 | * |
| Red Hat OpenJDK 11 els for RHEL 8 | RedHat | java-11-openjdk-1:11.0.31.0.11-1.el8 | * |
| Red Hat OpenJDK 11 els for RHEL 9 | RedHat | java-11-openjdk-1:11.0.31.0.11-1.el9 | * |
| Red Hat AI Inference Server 3.2 | RedHat | rhaiis/model-opt-cuda-rhel9:1780681984 | * |
| Red Hat Hardened Images | RedHat | libpng-main-1.6.56-1.hum1 | * |
| Chromium-browser | Ubuntu | upstream | * |
| Libpng | Ubuntu | esm-infra/xenial | * |
| Libpng1.6 | Ubuntu | esm-apps/xenial | * |
| Libpng1.6 | Ubuntu | jammy | * |
| Libpng1.6 | Ubuntu | noble | * |
| Libpng1.6 | Ubuntu | questing | * |
| Libpng1.6 | Ubuntu | upstream | * |
Potential Mitigations
References
- https://github.com/pnggroup/libpng/commit/23019269764e35ed8458e517f1897bd3c54820eb
- https://github.com/pnggroup/libpng/commit/7ea9eea884a2328cc7fdcb3c0c00246a50d90667
- https://github.com/pnggroup/libpng/commit/a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25
- https://github.com/pnggroup/libpng/commit/c1b0318b393c90679e6fa5bc1d329fd5d5012ec1
- https://github.com/pnggroup/libpng/pull/824
- https://github.com/pnggroup/libpng/security/advisories/GHSA-m4pc-p4q3-4c7j