SB2019080303 - Gentoo update for libpng
Published: August 3, 2019 Updated: August 25, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2018-14048)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing images within the png_free_data() function in png.c. A remote attacker can create a specially crafted image, pass it to the affected application, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Stack-based buffer overflow (CVE-ID: CVE-2018-14550)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing images within the get_token() function in pnm2png. A remote attacker can create a specially crafted image, pass it to the affected application, trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Use-after-free (CVE-ID: CVE-2019-7317)
The vulnerability allows a remote attacker to cause DoS condition.
The vulnerability exists due to a use-after-free memory error in the png_image_free function, as defined in the png.c source code file when calling on png_safe_execute. A remote attacker can send specially crafted data, trigger a call on png_safe_execute and trigger memory corruption, resulting in a DoS condition.
Remediation
Install update from vendor's website.