REDHAT-BUG-2451805: Medium severity libpng LIBPNG vulnerability
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, pngsettRNS and pngsetPLTE each alias a heap-allocated buffer between pngstruct and pnginfo, sharing a single allocation across two structs with independent lifetimes. The transalpha aliasing has been present since at least libpng 1.0, and the palette aliasing since at least 1.2.1. Both affect all prior release lines pngsettRNS sets pngptr->transalpha = infoptr->transalpha (256-byte buffer) and pngsetPLTE sets infoptr->palette = pngptr->palette (768-byte buffer). In both cases, calling pngfreedata (with PNGFREETRNS or PNGFREEPLTE) frees the buffer through infoptr while the corresponding pngptr pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to pngsettRNS or pngsetPLTE has the same effect, because both functions call pngfreedata internally before reallocating the infoptr buffer. Version 1.6.56 fixes the issue.
Affected Software
Event History
Frequently Asked Questions
What is the severity of REDHAT-BUG-2451805?
The severity of REDHAT-BUG-2451805 has been classified as important due to potential memory corruption issues.
How do I fix REDHAT-BUG-2451805?
To fix REDHAT-BUG-2451805, update the libpng library to versions 1.6.56 or later.
What systems are affected by REDHAT-BUG-2451805?
Affected systems include those running libpng versions 1.2.1 to 1.6.55.
What is the nature of the vulnerability in REDHAT-BUG-2451805?
The nature of the vulnerability in REDHAT-BUG-2451805 involves memory corruption due to improper handling of an aliasing buffer.
Is my application safe if it uses libpng version 1.6.55 or lower?
No, applications using libpng version 1.6.55 or lower are at risk and should be updated to the latest version.