ArchLinux: 201512-18: libpng: buffer overflow
Summary
It was discovered that the png_get_PLTE() and png_set_PLTE() functions
of libpng did not correctly calculate the maximum palette sizes for bit
depths of less than 8. In case an application tried to use these
functions in combination with properly calculated palette sizes, this
could lead to a buffer overflow or out-of-bounds reads. An attacker
could exploit this to cause a crash or potentially execute arbitrary
code by tricking an unsuspecting user into processing a specially
crafted PNG image. However, the exact impact is dependent on the
application using the library.
This issue is the result of an incomplete fix for CVE-2015-8126 in
libpng 1.6.19.
Resolution
Upgrade to 1.6.20-1.
# pacman -Syu "libpng>=1.6.20-1"
The problem has been fixed upstream in version 1.6.20.
References
https://access.redhat.com/security/cve/CVE-2015-8472 https://seclists.org/oss-sec/2015/q4/439
Workaround
None.