Closed
Opened Apr 29, 2019 by Alicha CH (@alicha), Reporter

[3.7] libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)

A vulnerability was found in libpng 1.6.36. The function png_image_free in png.c has
a use-after-free because png_image_free_function is called under png_safe_execute.

This flaw is in the PNG Simplified API, which was introduced
upstream in libpng-1.6.0. Previous versions of libpng are not affected.

References:

https://github.com/glennrp/libpng/issues/275
https://nvd.nist.gov/vuln/detail/CVE-2019-7317

Patch:

https://github.com/glennrp/libpng/commit/9c0d5c77bf5bf2d7c1e11f388de40a70e0191550

(from redmine: issue id 10364, created on 2019-04-29, closed on 2019-05-06)
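
The pattern named in the description, as an added example that is not part of the original issue and is not libpng's code: a simplified model in which a cleanup callback runs under a wrapper that uses the control structure again after the callback has released it. All type and function names are hypothetical, the release is recorded rather than performed so the stale access can be counted safely, and calling the cleanup directly is shown as one assumed way to avoid the pattern.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model types and names; not libpng's definitions. */
struct control { void *error_buf; };
struct image   { struct control *opaque; };

static struct control *released;  /* address handed to release_control() */
static int stale_accesses;        /* uses of a control after its release */

/* Stand-in for free(): records the address and keeps the memory alive, so
 * the stale access is counted rather than being undefined behaviour. */
static void release_control(struct control *c) { released = c; }

/* Cleanup callback: releases the control structure. */
static int image_free_function(struct image *img)
{
    release_control(img->opaque);
    return 1;
}

/* Wrapper: saves the error state, runs fn, then restores the state through
 * img->opaque. That restore is stale when fn released the control. */
static int safe_execute(struct image *img, int (*fn)(struct image *))
{
    void *saved = img->opaque->error_buf;
    int result = fn(img);
    if (img->opaque == released) stale_accesses++;  /* count the stale use */
    img->opaque->error_buf = saved;
    return result;
}

/* Frees one image; hardened == 0 runs cleanup under the wrapper, 1 directly.
 * Returns the number of stale accesses observed (-1 on allocation failure). */
int run_variant(int hardened)
{
    struct control *c = calloc(1, sizeof *c);
    struct image img = { c };
    if (c == NULL) return -1;
    released = NULL; stale_accesses = 0;
    if (hardened) (void)image_free_function(&img);
    else          (void)safe_execute(&img, image_free_function);
    free(c);  /* the real release, after the experiment */
    return stale_accesses;
}

int main(void)
{
    printf("under wrapper: %d, direct: %d\n", run_variant(0), run_variant(1));
    return 0;
}
```

In a real build the same access would touch memory that is no longer valid, which is what a memory-error detector such as AddressSanitizer reports.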

  • Relations:
    • parent #10360 (closed)
  • Changesets:
    • Revision 7343860d by Leo Leo on 2019-05-06T08:41:55Z:
main/libpng: upgrade to 1.6.37

- Add secfixes
  CVE-2019-7317
  CVE-2018-14048
  CVE-2018-14550
- Remove pkg-config detected depends_dev

fixes #10364
Reference: alpine/aports#10364