ID

VAR-201902-0855

CVE

CVE-2019-7317

TITLE

libpng CVE-2019-7317 Use After Free Denial of Service Vulnerability

DESCRIPTION

png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute. libpng is prone to a denial-of-service vulnerability. An attacker may exploit this issue to crash the affected application, resulting in a denial-of-service condition. libpng version 1.6.36 is vulnerable; other versions may also be affected. The update caused an additional regression that resulted in Firefox failing to load correctly after executing it in safe mode. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Multiple security issues were discovered in Firefox. (CVE-2019-11691, CVE-2019-11692, CVE-2019-11693, CVE-2019-11695, CVE-2019-11696, CVE-2019-11699, CVE-2019-11701, CVE-2019-7317, CVE-2019-9800, CVE-2019-9814, CVE-2019-9817, CVE-2019-9819, CVE-2019-9820, CVE-2019-9821) It was discovered that pressing certain key combinations could bypass addon installation prompt delays. If a user opened a specially crafted website, an attacker could potentially exploit this to trick them in to installing a malicious extension. (CVE-2019-11697) It was discovered that history data could be exposed via drag and drop of hyperlinks to and from bookmarks. If a user were tricked in to dragging a specially crafted hyperlink to the bookmark toolbar or sidebar, and subsequently back in to the web content area, an attacker could potentially exploit this to obtain sensitive information. (CVE-2019-11698) A type confusion bug was discovered with object groups and UnboxedObjects. Description: IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. Security Fix(es): * IBM JDK: Failure to privatize a value pulled out of the loop by versioning (CVE-2019-11775) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * libpng: use-after-free in png_image_free in png.c (CVE-2019-7317) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bugs fixed (https://bugzilla.redhat.com/): 1672409 - CVE-2019-7317 libpng: use-after-free in png_image_free in png.c 1730056 - CVE-2019-2769 OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) 1730099 - CVE-2019-2816 OpenJDK: Missing URL format validation (Networking, 8221518) 1730415 - CVE-2019-2762 OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) 1738549 - CVE-2019-11775 IBM JDK: Failure to privatize a value pulled out of the loop by versioning 6. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201908-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: libpng: Multiple vulnerabilities Date: August 03, 2019 Bugs: #683366 ID: 201908-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in libpng, the worst of which could result in a Denial of Service condition. Background ========== libpng is a standard library used to process PNG (Portable Network Graphics) images. It is used by several programs, including web browsers and potentially server processes. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All libpng users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/libpng-1.6.37" References ========== [ 1 ] CVE-2018-14048 https://nvd.nist.gov/vuln/detail/CVE-2018-14048 [ 2 ] CVE-2018-14550 https://nvd.nist.gov/vuln/detail/CVE-2018-14550 [ 3 ] CVE-2019-7317 https://nvd.nist.gov/vuln/detail/CVE-2019-7317 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201908-02 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2019 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . ========================================================================= Ubuntu Security Notice USN-4080-1 July 31, 2019 openjdk-8 vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS Summary: Several security issues were fixed in OpenJDK. Software Description: - openjdk-8: Open Source Java implementation Details: Keegan Ryan discovered that the ECC implementation in OpenJDK was not sufficiently resilient to side-channel attacks. An attacker could possibly use this to expose sensitive information. (CVE-2019-2745) It was discovered that OpenJDK did not sufficiently validate serial streams before deserializing suppressed exceptions in some situations. An attacker could use this to specially craft an object that, when deserialized, would cause a denial of service. (CVE-2019-2762) It was discovered that in some situations OpenJDK did not properly bound the amount of memory allocated during object deserialization. An attacker could use this to specially craft an object that, when deserialized, would cause a denial of service (excessive memory consumption). (CVE-2019-2769) It was discovered that OpenJDK did not properly restrict privileges in certain situations. An attacker could use this to specially construct an untrusted Java application or applet that could escape sandbox restrictions. (CVE-2019-2786) Jonathan Birch discovered that the Networking component of OpenJDK did not properly validate URLs in some situations. An attacker could use this to bypass restrictions on characters in URLs. (CVE-2019-2816) Nati Nimni discovered that the Java Cryptography Extension component in OpenJDK did not properly perform array bounds checking in some situations. An attacker could use this to cause a denial of service. (CVE-2019-2842) It was discovered that OpenJDK incorrectly handled certain memory operations. If a user or automated system were tricked into opening a specially crafted PNG file, a remote attacker could use this issue to cause OpenJDK to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2019-7317) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS: openjdk-8-jdk 8u222-b10-1ubuntu1~16.04.1 openjdk-8-jdk-headless 8u222-b10-1ubuntu1~16.04.1 openjdk-8-jre 8u222-b10-1ubuntu1~16.04.1 openjdk-8-jre-headless 8u222-b10-1ubuntu1~16.04.1 openjdk-8-jre-jamvm 8u222-b10-1ubuntu1~16.04.1 openjdk-8-jre-zero 8u222-b10-1ubuntu1~16.04.1 This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any Java applications or applets to make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4435-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 27, 2019 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : libpng1.6 CVE ID : CVE-2019-7317 Debian Bug : 921355 A use-after-free vulnerability was discovered in the png_image_free() function in the libpng PNG library, which could lead to denial of service or potentially the execution of arbitrary code if a malformed image is processed. For the stable distribution (stretch), this problem has been fixed in version 1.6.28-1+deb9u1. We recommend that you upgrade your libpng1.6 packages. For the detailed security status of libpng1.6 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libpng1.6 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlzECBJfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0Txww//aZy+AZ6sloDpGd6f8r2C5/9DsbwGLdpNsJSVaA7jX6OWKWfb+UMb7vwz fz8jUhFZFrjD8DtF1fyrhO5yzbnFGMGSd8HpfOP7aNfBQBnud0jwnVlmTRiB4idq bKC5SEhjjU7SlGBNZ7vfrM2AbaPEp+ge08O6Pd7YpeV7JbwSHEEDLpLaPLFkLyik h2zb7efpHRew0QmVfi6HcIf5jAKBz2G4JTIKD9tHrfWcVBOpehmCGV8VJ9Hx0ean J+VkhDn1ix1M686spf+OuG8GGgdmWaR5IA3Mp9Arz52Mxq83660G4ji1cMcltZa/ Hlb9pntp8Mlz8uQ71FUcy/RZmZiqDXy49SHCA1Dt+EnE5vcHi1LXLopnOHdqo14B xjW88ME7gzAtHTyup2UFOS93mVmklGytmPUixXEiWo8GMazJvlPvvFqoAmB1igeY BD2wa1exgZgS6UpmOXmsKYfOeFjRYY3muqtF5zme4Az0OYxr5UzB5kvDuUm3SHhA WXysaVYyq7eFuhXT95gSQgKfUVZIC6AeOZ/jSJ7HcEex8oj71KyHjbbHFr5Lfx3g fsLeD59kj8ovTrx02/e2LcSpuXqZDLcbipJlhAiUItSQf0vJK+DUbgZ0r6GjdInO 78W1KDDUpmXk4uGEWae/bR/HuoAZV26Y5VX8Pd6TaU59oif8/sQ= =jInk -----END PGP SIGNATURE----- . 8) - ppc64le, x86_64 3. Description: Mozilla Thunderbird is a standalone mail and newsgroup client. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Critical: firefox security update Advisory ID: RHSA-2019:1267-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2019:1267 Issue date: 2019-05-23 CVE Names: CVE-2018-18511 CVE-2019-5798 CVE-2019-7317 CVE-2019-9797 CVE-2019-9800 CVE-2019-9816 CVE-2019-9817 CVE-2019-9819 CVE-2019-9820 CVE-2019-11691 CVE-2019-11692 CVE-2019-11693 CVE-2019-11698 ==================================================================== 1. Summary: An update for firefox is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - x86_64 3. Description: Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 60.7.0 ESR. Security Fix(es): * Mozilla: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7 (CVE-2019-9800) * Mozilla: Cross-origin theft of images with createImageBitmap (CVE-2019-9797) * Mozilla: Type confusion with object groups and UnboxedObjects (CVE-2019-9816) * Mozilla: Stealing of cross-domain images using canvas (CVE-2019-9817) * Mozilla: Compartment mismatch with fetch API (CVE-2019-9819) * Mozilla: Use-after-free of ChromeEventHandler by DocShell (CVE-2019-9820) * Mozilla: Use-after-free in XMLHttpRequest (CVE-2019-11691) * Mozilla: Use-after-free removing listeners in the event listener manager (CVE-2019-11692) * Mozilla: Buffer overflow in WebGL bufferdata on Linux (CVE-2019-11693) * mozilla: Cross-origin theft of images with ImageBitmapRenderingContext (CVE-2018-18511) * chromium-browser: Out of bounds read in Skia (CVE-2019-5798) * Mozilla: Theft of user history data through drag and drop of hyperlinks to and from bookmarks (CVE-2019-11698) * libpng: use-after-free in png_image_free in png.c (CVE-2019-7317) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the update, Firefox must be restarted for the changes to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1672409 - CVE-2019-7317 libpng: use-after-free in png_image_free in png.c 1676997 - CVE-2018-18511 mozilla: Cross-origin theft of images with ImageBitmapRenderingContext 1688200 - CVE-2019-5798 chromium-browser: Out of bounds read in Skia 1712617 - CVE-2019-11691 Mozilla: Use-after-free in XMLHttpRequest 1712618 - CVE-2019-11692 Mozilla: Use-after-free removing listeners in the event listener manager 1712619 - CVE-2019-11693 Mozilla: Buffer overflow in WebGL bufferdata on Linux 1712621 - CVE-2019-11698 Mozilla: Theft of user history data through drag and drop of hyperlinks to and from bookmarks 1712622 - CVE-2019-9797 Mozilla: Cross-origin theft of images with createImageBitmap 1712623 - CVE-2019-9800 Mozilla: Memory safety bugs fixed in Firefox 67 and Firefox ESR 60.7 1712625 - CVE-2019-9816 Mozilla: Type confusion with object groups and UnboxedObjects 1712626 - CVE-2019-9817 Mozilla: Stealing of cross-domain images using canvas 1712628 - CVE-2019-9819 Mozilla: Compartment mismatch with fetch API 1712629 - CVE-2019-9820 Mozilla: Use-after-free of ChromeEventHandler by DocShell 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: firefox-60.7.0-1.el6_10.src.rpm i386: firefox-60.7.0-1.el6_10.i686.rpm firefox-debuginfo-60.7.0-1.el6_10.i686.rpm x86_64: firefox-60.7.0-1.el6_10.x86_64.rpm firefox-debuginfo-60.7.0-1.el6_10.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): x86_64: firefox-60.7.0-1.el6_10.i686.rpm firefox-debuginfo-60.7.0-1.el6_10.i686.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: firefox-60.7.0-1.el6_10.src.rpm x86_64: firefox-60.7.0-1.el6_10.i686.rpm firefox-60.7.0-1.el6_10.x86_64.rpm firefox-debuginfo-60.7.0-1.el6_10.i686.rpm firefox-debuginfo-60.7.0-1.el6_10.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: firefox-60.7.0-1.el6_10.src.rpm i386: firefox-60.7.0-1.el6_10.i686.rpm firefox-debuginfo-60.7.0-1.el6_10.i686.rpm ppc64: firefox-60.7.0-1.el6_10.ppc64.rpm firefox-debuginfo-60.7.0-1.el6_10.ppc64.rpm s390x: firefox-60.7.0-1.el6_10.s390x.rpm firefox-debuginfo-60.7.0-1.el6_10.s390x.rpm x86_64: firefox-60.7.0-1.el6_10.x86_64.rpm firefox-debuginfo-60.7.0-1.el6_10.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): x86_64: firefox-60.7.0-1.el6_10.i686.rpm firefox-debuginfo-60.7.0-1.el6_10.i686.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: firefox-60.7.0-1.el6_10.src.rpm i386: firefox-60.7.0-1.el6_10.i686.rpm firefox-debuginfo-60.7.0-1.el6_10.i686.rpm x86_64: firefox-60.7.0-1.el6_10.x86_64.rpm firefox-debuginfo-60.7.0-1.el6_10.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): x86_64: firefox-60.7.0-1.el6_10.i686.rpm firefox-debuginfo-60.7.0-1.el6_10.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-18511 https://access.redhat.com/security/cve/CVE-2019-5798 https://access.redhat.com/security/cve/CVE-2019-7317 https://access.redhat.com/security/cve/CVE-2019-9797 https://access.redhat.com/security/cve/CVE-2019-9800 https://access.redhat.com/security/cve/CVE-2019-9816 https://access.redhat.com/security/cve/CVE-2019-9817 https://access.redhat.com/security/cve/CVE-2019-9819 https://access.redhat.com/security/cve/CVE-2019-9820 https://access.redhat.com/security/cve/CVE-2019-11691 https://access.redhat.com/security/cve/CVE-2019-11692 https://access.redhat.com/security/cve/CVE-2019-11693 https://access.redhat.com/security/cve/CVE-2019-11698 https://access.redhat.com/security/updates/classification/#critical https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXObA+NzjgjWX9erEAQhdLg//Y2Qy3oBF2JXo0FDIAlvxGC0bBSZ5kIpr 2aZqeaEIQDfHbm2mNa5fGidU+zFgvwuAxmCjrURuGYx0GAtje4XH+oEa09Ri5VQS Wdm2faaOLj36IsIawC8RUQLzm8jIlZiYyeEKGFZj/PY8oFRcTBoebqqyTUAin+oC cCXcGcckGLouKi5rj9Q1pUcCzjnVDAUmMb00dF+8KbTUGHnMwMYF43ogBggN0ril ePFEsAZQ5tcapBQ7nqBkUJNsMMuKoVRcLyI+DUdEPOsetEhaOzMmWBkMtEV1VAN1 RaGzw6Xp34jVHhhqMznhFNZ/rkLVfr5hRwwTkeA9a8uq6kEW1LdhfIch62iWb00H AgSrwURUfOuPUKO6lHqg1FJEtIxqfY3GlpSCxhSWwZ/tUpmQcGuYK97zIl4lw5m4 i5dxQKxnVk+U116iU7kl3M8YKsK+HG2dFxjEFNdvnsnM+KBHurM5ANpo/AwP3E5i EKj4gL2USYekfUykbWk5gERbj/Rn8hdChgBFDGL7h7BevTw+jGXxctXDqw6n0BR+ yDJV98Vl44mkdrTnYvrIcFQTtNVMNkoS3ZbGq+tR/8ZZIwo28+qXnor1KTUBchJ/ HC8+r9xE+SZy2fxxI9esbwVkSsN5TaxOFFzf4uYDy/dQExCULJbQSsyGyvxdz0b8 74xrhCg7IBo=PKHG -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

network

TYPE

Design Error

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2026-02-07T21:59:35.777000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE