libpng12-0-1.2.56-1.5 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10184 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libpng12-0-1.2.56-1.5 on GA media These are all security issues fixed in the libpng12-0-1.2.56-1.5 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10184 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10184 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2010-1205/ SUSE CVE CVE-2010-1205 page https://www.suse.com/security/cve/CVE-2011-2501/ SUSE CVE CVE-2011-2501 page https://www.suse.com/security/cve/CVE-2011-3026/ SUSE CVE CVE-2011-3026 page https://www.suse.com/security/cve/CVE-2011-3045/ SUSE CVE CVE-2011-3045 page https://www.suse.com/security/cve/CVE-2011-3048/ SUSE CVE CVE-2011-3048 page https://www.suse.com/security/cve/CVE-2012-3386/ SUSE CVE CVE-2012-3386 page https://www.suse.com/security/cve/CVE-2013-7353/ SUSE CVE CVE-2013-7353 page https://www.suse.com/security/cve/CVE-2013-7354/ SUSE CVE CVE-2013-7354 page https://www.suse.com/security/cve/CVE-2014-9495/ SUSE CVE CVE-2014-9495 page https://www.suse.com/security/cve/CVE-2015-0973/ SUSE CVE CVE-2015-0973 page https://www.suse.com/security/cve/CVE-2015-8126/ SUSE CVE CVE-2015-8126 page https://www.suse.com/security/cve/CVE-2015-8540/ SUSE CVE CVE-2015-8540 page openSUSE Tumbleweed libpng12-0-1.2.56-1.5 libpng12-0-32bit-1.2.56-1.5 libpng12-compat-devel-1.2.56-1.5 libpng12-compat-devel-32bit-1.2.56-1.5 libpng12-devel-1.2.56-1.5 libpng12-devel-32bit-1.2.56-1.5 libpng12-0-1.2.56-1.5 as a component of openSUSE Tumbleweed libpng12-0-32bit-1.2.56-1.5 as a component of openSUSE Tumbleweed libpng12-compat-devel-1.2.56-1.5 as a component of openSUSE Tumbleweed libpng12-compat-devel-32bit-1.2.56-1.5 as a component of openSUSE Tumbleweed libpng12-devel-1.2.56-1.5 as a component of openSUSE Tumbleweed libpng12-devel-32bit-1.2.56-1.5 as a component of openSUSE Tumbleweed Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before 1.4.3, as used in progressive applications, might allow remote attackers to execute arbitrary code via a PNG image that triggers an additional data row. CVE-2010-1205 openSUSE Tumbleweed:libpng12-0-1.2.56-1.5 openSUSE Tumbleweed:libpng12-0-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-32bit-1.2.56-1.5 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-1205.html CVE-2010-1205 https://bugzilla.suse.com/1188284 SUSE Bug 1188284 https://bugzilla.suse.com/617866 SUSE Bug 617866 https://bugzilla.suse.com/622506 SUSE Bug 622506 https://bugzilla.suse.com/639941 SUSE Bug 639941 https://bugzilla.suse.com/854395 SUSE Bug 854395 The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data. NOTE: this vulnerability exists because of a CVE-2004-0421 regression. NOTE: this is called an off-by-one error by some sources. CVE-2011-2501 openSUSE Tumbleweed:libpng12-0-1.2.56-1.5 openSUSE Tumbleweed:libpng12-0-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-32bit-1.2.56-1.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-2501.html CVE-2011-2501 https://bugzilla.suse.com/702578 SUSE Bug 702578 Integer overflow in libpng, as used in Google Chrome before 17.0.963.56, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an integer truncation. CVE-2011-3026 openSUSE Tumbleweed:libpng12-0-1.2.56-1.5 openSUSE Tumbleweed:libpng12-0-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-32bit-1.2.56-1.5 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-3026.html CVE-2011-3026 https://bugzilla.suse.com/747311 SUSE Bug 747311 https://bugzilla.suse.com/747327 SUSE Bug 747327 https://bugzilla.suse.com/747328 SUSE Bug 747328 https://bugzilla.suse.com/773612 SUSE Bug 773612 https://bugzilla.suse.com/854395 SUSE Bug 854395 Integer signedness error in the png_inflate function in pngrutil.c in libpng before 1.4.10beta01, as used in Google Chrome before 17.0.963.83 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file, a different vulnerability than CVE-2011-3026. CVE-2011-3045 openSUSE Tumbleweed:libpng12-0-1.2.56-1.5 openSUSE Tumbleweed:libpng12-0-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-32bit-1.2.56-1.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-3045.html CVE-2011-3045 https://bugzilla.suse.com/752008 SUSE Bug 752008 https://bugzilla.suse.com/754456 SUSE Bug 754456 The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before 1.2.49, 1.4.x before 1.4.11, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted text chunk in a PNG image file, which triggers a memory allocation failure that is not properly handled, leading to a heap-based buffer overflow. CVE-2011-3048 openSUSE Tumbleweed:libpng12-0-1.2.56-1.5 openSUSE Tumbleweed:libpng12-0-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-32bit-1.2.56-1.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-3048.html CVE-2011-3048 https://bugzilla.suse.com/754745 SUSE Bug 754745 https://bugzilla.suse.com/854395 SUSE Bug 854395 The "make distcheck" rule in GNU Automake before 1.11.6 and 1.12.x before 1.12.2 grants world-writable permissions to the extraction directory, which introduces a race condition that allows local users to execute arbitrary code via unspecified vectors. CVE-2012-3386 openSUSE Tumbleweed:libpng12-0-1.2.56-1.5 openSUSE Tumbleweed:libpng12-0-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-32bit-1.2.56-1.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-3386.html CVE-2012-3386 https://bugzilla.suse.com/770618 SUSE Bug 770618 https://bugzilla.suse.com/786745 SUSE Bug 786745 Integer overflow in the png_set_unknown_chunks function in libpng/pngset.c in libpng before 1.5.14beta08 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a crafted image, which triggers a heap-based buffer overflow. CVE-2013-7353 openSUSE Tumbleweed:libpng12-0-1.2.56-1.5 openSUSE Tumbleweed:libpng12-0-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-32bit-1.2.56-1.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-7353.html CVE-2013-7353 https://bugzilla.suse.com/873124 SUSE Bug 873124 Multiple integer overflows in libpng before 1.5.14rc03 allow remote attackers to cause a denial of service (crash) via a crafted image to the (1) png_set_sPLT or (2) png_set_text_2 function, which triggers a heap-based buffer overflow. CVE-2013-7354 openSUSE Tumbleweed:libpng12-0-1.2.56-1.5 openSUSE Tumbleweed:libpng12-0-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-32bit-1.2.56-1.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-7354.html CVE-2013-7354 https://bugzilla.suse.com/873123 SUSE Bug 873123 Heap-based buffer overflow in the png_combine_row function in libpng before 1.5.21 and 1.6.x before 1.6.16, when running on 64-bit systems, might allow context-dependent attackers to execute arbitrary code via a "very wide interlaced" PNG image. CVE-2014-9495 openSUSE Tumbleweed:libpng12-0-1.2.56-1.5 openSUSE Tumbleweed:libpng12-0-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-32bit-1.2.56-1.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9495.html CVE-2014-9495 https://bugzilla.suse.com/912076 SUSE Bug 912076 https://bugzilla.suse.com/912929 SUSE Bug 912929 Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng before 1.5.21 and 1.6.x before 1.6.16 allows context-dependent attackers to execute arbitrary code via IDAT data with a large width, a different vulnerability than CVE-2014-9495. CVE-2015-0973 openSUSE Tumbleweed:libpng12-0-1.2.56-1.5 openSUSE Tumbleweed:libpng12-0-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-32bit-1.2.56-1.5 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-0973.html CVE-2015-0973 https://bugzilla.suse.com/912929 SUSE Bug 912929 Multiple buffer overflows in the (1) png_set_PLTE and (2) png_get_PLTE functions in libpng before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image. CVE-2015-8126 openSUSE Tumbleweed:libpng12-0-1.2.56-1.5 openSUSE Tumbleweed:libpng12-0-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-32bit-1.2.56-1.5 moderate 4.3 AV:L/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8126.html CVE-2015-8126 https://bugzilla.suse.com/954980 SUSE Bug 954980 https://bugzilla.suse.com/958198 SUSE Bug 958198 https://bugzilla.suse.com/960402 SUSE Bug 960402 https://bugzilla.suse.com/962743 SUSE Bug 962743 https://bugzilla.suse.com/963937 SUSE Bug 963937 https://bugzilla.suse.com/969333 SUSE Bug 969333 Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image, which triggers an out-of-bounds read. CVE-2015-8540 openSUSE Tumbleweed:libpng12-0-1.2.56-1.5 openSUSE Tumbleweed:libpng12-0-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-compat-devel-32bit-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-1.2.56-1.5 openSUSE Tumbleweed:libpng12-devel-32bit-1.2.56-1.5 moderate 4 AV:N/AC:H/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8540.html CVE-2015-8540 https://bugzilla.suse.com/1149680 SUSE Bug 1149680 https://bugzilla.suse.com/958791 SUSE Bug 958791 https://bugzilla.suse.com/963937 SUSE Bug 963937