Closed
Opened Apr 29, 2019 by Alicha CH (@alicha), Reporter

[3.9] libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)

A vulnerability was found in libpng 1.6.36. The function png_image_free in png.c has
a use-after-free because png_image_free_function is called under png_safe_execute.

This flaw is in the PNG Simplified API, which was introduced
upstream in libpng-1.6.0. Previous versions of libpng are not affected.

References:

https://github.com/glennrp/libpng/issues/275
https://nvd.nist.gov/vuln/detail/CVE-2019-7317

Patch:

https://github.com/glennrp/libpng/commit/9c0d5c77bf5bf2d7c1e11f388de40a70e0191550

(from redmine: issue id 10362, created on 2019-04-29, closed on 2019-05-06)

  • Relations:
    • parent #10360 (closed)
  • Changesets:
    • Revision c6ea5654 by Leo Leo on 2019-05-06T07:42:25Z:
main/libpng: upgrade to 1.6.37

- Add secfixes
  CVE-2019-7317
  CVE-2018-14048
  CVE-2018-14550
- Remove pkg-config detected depends_dev
- Split $pkgname-static

fixes #10362
Milestone: 3.9.4 (Past due)
Reference: alpine/aports#10362