[3.9] libpng: use-after-free in png_image_free in png.c (CVE-2019-7317) (#10362) · Issues · alpine / aports

[3.9] libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)

A vulnerability was found in libpng 1.6.36. The function png_image_free in png.c has
a use-after-free because png_image_free_function is called under png_safe_execute.

This flaw is in the PNG Simplified API, which was introduced
upstream in libpng-1.6.0. Previous versions of libpng are not affected.

References:

https://github.com/glennrp/libpng/issues/275
https://nvd.nist.gov/vuln/detail/CVE-2019-7317

Patch:

https://github.com/glennrp/libpng/commit/9c0d5c77bf5bf2d7c1e11f388de40a70e0191550

(from redmine: issue id 10362, created on 2019-04-29, closed on 2019-05-06)

Relations:
- parent #10360 (closed)
Changesets:
- Revision c6ea5654 by Leo Leo on 2019-05-06T07:42:25Z:

main/libpng: upgrade to 1.6.37

- Add secfixes
  CVE-2019-7317
  CVE-2018-14048
  CVE-2018-14550
- Remove pkg-config detected depends_dev
- Split $pkgname-static

fixes #10362

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information