[3.9] libpng: use-after-free in png_image_free in png.c (CVE-2019-7317) (#10362) · Issues · alpine / aports

[3.9] libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)

A vulnerability was found in libpng 1.6.36. The function png_image_free in png.c has
a use-after-free because png_image_free_function is called under png_safe_execute.

This flaw is in the PNG Simplified API, which was introduced
upstream in libpng-1.6.0. Previous versions of libpng are not affected.

References:

https://github.com/glennrp/libpng/issues/275
https://nvd.nist.gov/vuln/detail/CVE-2019-7317

Patch:

https://github.com/glennrp/libpng/commit/9c0d5c77bf5bf2d7c1e11f388de40a70e0191550

(from redmine: issue id 10362, created on 2019-04-29, closed on 2019-05-06)

Relations:
- parent #10360 (closed)
Changesets:
- Revision c6ea5654 by Leo Leo on 2019-05-06T07:42:25Z:

main/libpng: upgrade to 1.6.37

- Add secfixes
  CVE-2019-7317
  CVE-2018-14048
  CVE-2018-14550
- Remove pkg-config detected depends_dev
- Split $pkgname-static

fixes #10362

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.