Security update for libpng15 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:0950-1 Final 1 1 2017-04-06T09:36:47Z current 2017-04-06T09:36:47Z 2017-04-06T09:36:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libpng15 This update for libpng15 fixes the following issues: Security issues fixed: - CVE-2015-8540: read underflow in libpng (bsc#958791) - CVE-2016-10087: NULL pointer dereference in png_set_text_2() (bsc#1017646) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-DESKTOP-12-SP1-2017-548,SUSE-SLE-DESKTOP-12-SP2-2017-548,SUSE-SLE-RPI-12-SP2-2017-548,SUSE-SLE-SERVER-12-SP1-2017-548,SUSE-SLE-SERVER-12-SP2-2017-548 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20170950-1/ Link for SUSE-SU-2017:0950-1 https://lists.suse.com/pipermail/sle-security-updates/2017-April/002787.html E-Mail link for SUSE-SU-2017:0950-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1017646 SUSE Bug 1017646 https://bugzilla.suse.com/958791 SUSE Bug 958791 https://www.suse.com/security/cve/CVE-2015-8540/ SUSE CVE CVE-2015-8540 page https://www.suse.com/security/cve/CVE-2016-10087/ SUSE CVE CVE-2016-10087 page SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 libpng15-15-1.5.22-9.1 libpng15-15-1.5.22-9.1 as a component of SUSE Linux Enterprise Desktop 12 SP1 libpng15-15-1.5.22-9.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 libpng15-15-1.5.22-9.1 as a component of SUSE Linux Enterprise Server 12 SP1 libpng15-15-1.5.22-9.1 as a component of SUSE Linux Enterprise Server 12 SP2 libpng15-15-1.5.22-9.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 libpng15-15-1.5.22-9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 libpng15-15-1.5.22-9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image, which triggers an out-of-bounds read. CVE-2015-8540 SUSE Linux Enterprise Desktop 12 SP1:libpng15-15-1.5.22-9.1 SUSE Linux Enterprise Desktop 12 SP2:libpng15-15-1.5.22-9.1 SUSE Linux Enterprise Server 12 SP1:libpng15-15-1.5.22-9.1 SUSE Linux Enterprise Server 12 SP2:libpng15-15-1.5.22-9.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libpng15-15-1.5.22-9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libpng15-15-1.5.22-9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:libpng15-15-1.5.22-9.1 low 4 AV:N/AC:H/Au:N/C:N/I:P/A:P 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170950-1/ https://www.suse.com/security/cve/CVE-2015-8540.html CVE-2015-8540 https://bugzilla.suse.com/1149680 SUSE Bug 1149680 https://bugzilla.suse.com/958791 SUSE Bug 958791 https://bugzilla.suse.com/963937 SUSE Bug 963937 The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure. CVE-2016-10087 SUSE Linux Enterprise Desktop 12 SP1:libpng15-15-1.5.22-9.1 SUSE Linux Enterprise Desktop 12 SP2:libpng15-15-1.5.22-9.1 SUSE Linux Enterprise Server 12 SP1:libpng15-15-1.5.22-9.1 SUSE Linux Enterprise Server 12 SP2:libpng15-15-1.5.22-9.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:libpng15-15-1.5.22-9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:libpng15-15-1.5.22-9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:libpng15-15-1.5.22-9.1 low 1.9 AV:L/AC:M/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170950-1/ https://www.suse.com/security/cve/CVE-2016-10087.html CVE-2016-10087 https://bugzilla.suse.com/1017646 SUSE Bug 1017646 https://bugzilla.suse.com/1149680 SUSE Bug 1149680