PublicDateAtUSN: 2017-01-30
Candidate: CVE-2016-10087
PublicDate: 2017-01-30 22:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10087
 https://sourceforge.net/p/libpng/code/ci/243d4e5f3fe71740d52a53cf3dd77cc83a3430ba
 https://sourceforge.net/p/libpng/code/ci/812768d7a9c973452222d454634496b25ed415eb (libpng16)
 https://sourceforge.net/p/libpng/code/ci/794a15fad6add4d636369d0b46f603a02995b2e2/ (libpng12)
 http://www.openwall.com/lists/oss-security/2016/12/30/4
 https://ubuntu.com/security/notices/USN-3712-1
 https://ubuntu.com/security/notices/USN-3712-2
Description:
 The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference via vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.
Ubuntu-Description:
Notes:
 ratliff> "has existed in libpng since version 0.71 of June 26, 1995"
 chrisccoulson> Looks like this code is #ifdef'd out of Firefox and Thunderbird, hidden because it's behind a PNG_TEXT_SUPPORTED define, which isn't enabled
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849799
Priority: low
Discovered-by: Patrick Keshishian
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_libpng:
upstream_libpng: needs-triage
precise_libpng: ignored (reached end-of-life)
precise/esm_libpng: released (1.2.46-3ubuntu4.3)
trusty_libpng: released (1.2.50-1ubuntu2.14.04.3)
trusty/esm_libpng: released (1.2.50-1ubuntu2.14.04.3)
vivid/ubuntu-core_libpng: ignored (reached end-of-life)
vivid/stable-phone-overlay_libpng: ignored (reached end-of-life)
xenial_libpng: released (1.2.54-1ubuntu1.1)
esm-infra/xenial_libpng: released (1.2.54-1ubuntu1.1)
yakkety_libpng: DNE
zesty_libpng: DNE
artful_libpng: DNE
bionic_libpng: DNE
cosmic_libpng: DNE
disco_libpng: DNE
eoan_libpng: DNE
focal_libpng: DNE
groovy_libpng: DNE
hirsute_libpng: DNE
impish_libpng: DNE
jammy_libpng: DNE
devel_libpng: DNE

Patches_firefox:
upstream_firefox: not-affected
precise_firefox: not-affected
precise/esm_firefox: DNE (precise was not-affected)
trusty_firefox: not-affected
trusty/esm_firefox: DNE (trusty was not-affected)
vivid/ubuntu-core_firefox: DNE
vivid/stable-phone-overlay_firefox: DNE
xenial_firefox: not-affected
esm-infra/xenial_firefox: not-affected
yakkety_firefox: not-affected
zesty_firefox: not-affected
artful_firefox: not-affected
bionic_firefox: not-affected
cosmic_firefox: not-affected
disco_firefox: not-affected
eoan_firefox: not-affected
focal_firefox: not-affected
groovy_firefox: not-affected
hirsute_firefox: not-affected
impish_firefox: not-affected
jammy_firefox: not-affected
devel_firefox: not-affected

Patches_thunderbird:
upstream_thunderbird: not-affected
precise_thunderbird: not-affected
precise/esm_thunderbird: DNE (precise was not-affected)
trusty_thunderbird: not-affected
trusty/esm_thunderbird: DNE (trusty was not-affected)
vivid/ubuntu-core_thunderbird: DNE
vivid/stable-phone-overlay_thunderbird: DNE
xenial_thunderbird: not-affected
esm-infra/xenial_thunderbird: not-affected
yakkety_thunderbird: not-affected
zesty_thunderbird: not-affected
artful_thunderbird: not-affected
bionic_thunderbird: not-affected
cosmic_thunderbird: not-affected
disco_thunderbird: not-affected
eoan_thunderbird: not-affected
focal_thunderbird: not-affected
groovy_thunderbird: not-affected
hirsute_thunderbird: not-affected
impish_thunderbird: not-affected
jammy_thunderbird: not-affected
devel_thunderbird: not-affected

Patches_chromium-browser:
upstream_chromium-browser: needs-triage
precise_chromium-browser: not-affected (uses system libpng)
precise/esm_chromium-browser: DNE (precise was not-affected [uses system libpng])
trusty_chromium-browser: not-affected (uses system libpng)
trusty/esm_chromium-browser: DNE (trusty was not-affected [uses system libpng])
vivid/ubuntu-core_chromium-browser: DNE
vivid/stable-phone-overlay_chromium-browser: DNE
xenial_chromium-browser: not-affected (uses system libpng)
yakkety_chromium-browser: not-affected (uses system libpng)
zesty_chromium-browser: not-affected (uses system libpng)
artful_chromium-browser: not-affected (uses system libpng)
bionic_chromium-browser: not-affected (uses system libpng)
cosmic_chromium-browser: not-affected (uses system libpng)
disco_chromium-browser: not-affected (uses system libpng)
eoan_chromium-browser: not-affected (uses system libpng)
focal_chromium-browser: not-affected (uses system libpng)
groovy_chromium-browser: not-affected (uses system libpng)
hirsute_chromium-browser: not-affected (uses system libpng)
impish_chromium-browser: not-affected (uses system libpng)
jammy_chromium-browser: not-affected (uses system libpng)
devel_chromium-browser: not-affected (uses system libpng)

Patches_libpng1.6:
upstream_libpng1.6: released (1.6.27-1)
precise_libpng1.6: DNE
precise/esm_libpng1.6: DNE
trusty_libpng1.6: DNE
trusty/esm_libpng1.6: DNE
vivid/stable-phone-overlay_libpng1.6: DNE
vivid/ubuntu-core_libpng1.6: DNE
xenial_libpng1.6: ignored (end of standard support, was needed)
yakkety_libpng1.6: ignored (reached end-of-life)
zesty_libpng1.6: not-affected (1.6.27-1)
artful_libpng1.6: not-affected (1.6.27-1)
bionic_libpng1.6: not-affected (1.6.27-1)
cosmic_libpng1.6: not-affected (1.6.27-1)
disco_libpng1.6: not-affected (1.6.27-1)
eoan_libpng1.6: not-affected (1.6.27-1)
focal_libpng1.6: not-affected (1.6.27-1)
groovy_libpng1.6: not-affected (1.6.27-1)
hirsute_libpng1.6: not-affected (1.6.27-1)
impish_libpng1.6: not-affected (1.6.27-1)
jammy_libpng1.6: not-affected (1.6.27-1)
devel_libpng1.6: not-affected (1.6.27-1)