Description
Buffer overflow in the png_set_PLTE function in libpng before 1.0.65, 1.1.x and 1.2.x before 1.2.55, 1.3.x, 1.4.x before 1.4.18, 1.5.x before 1.5.25, and 1.6.x before 1.6.20 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8126.
Analysis
Analysis and contextual insights are available on OpenCVE Cloud.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| n/a | n/a | affected |
|
Configuration 1 [-]
|
Configuration 2 [-]
|
| Package | CPE | Advisory | Released Date |
|---|---|---|---|
| Oracle Java for Red Hat Enterprise Linux 5 | |||
| java-1.7.0-oracle-1:1.7.0.95-1jpp.1.el5_11 | cpe:/a:redhat:rhel_extras_oracle_java:5 | RHSA-2016:0056 | 2016-01-21T00:00:00Z |
| java-1.6.0-sun-1:1.6.0.111-1jpp.3.el5_11 | cpe:/a:redhat:rhel_extras_oracle_java:5 | RHSA-2016:0057 | 2016-01-21T00:00:00Z |
| Oracle Java for Red Hat Enterprise Linux 6 | |||
| java-1.8.0-oracle-1:1.8.0.71-1jpp.1.el6_7 | cpe:/a:redhat:rhel_extras_oracle_java:6 | RHSA-2016:0055 | 2016-01-21T00:00:00Z |
| java-1.7.0-oracle-1:1.7.0.95-1jpp.1.el6_7 | cpe:/a:redhat:rhel_extras_oracle_java:6 | RHSA-2016:0056 | 2016-01-21T00:00:00Z |
| java-1.6.0-sun-1:1.6.0.111-1jpp.3.el6_7 | cpe:/a:redhat:rhel_extras_oracle_java:6 | RHSA-2016:0057 | 2016-01-21T00:00:00Z |
| Oracle Java for Red Hat Enterprise Linux 7 | |||
| java-1.8.0-oracle-1:1.8.0.71-1jpp.1.el7 | cpe:/a:redhat:rhel_extras_oracle_java:7 | RHSA-2016:0055 | 2016-01-21T00:00:00Z |
| java-1.7.0-oracle-1:1.7.0.95-1jpp.2.el7 | cpe:/a:redhat:rhel_extras_oracle_java:7 | RHSA-2016:0056 | 2016-01-21T00:00:00Z |
| java-1.6.0-sun-1:1.6.0.111-1jpp.1.el7 | cpe:/a:redhat:rhel_extras_oracle_java:7 | RHSA-2016:0057 | 2016-01-21T00:00:00Z |
| Red Hat Enterprise Linux 5 Supplementary | |||
| java-1.7.0-ibm-1:1.7.0.9.30-1jpp.1.el5 | cpe:/a:redhat:rhel_extras:5 | RHSA-2016:0100 | 2016-02-02T00:00:00Z |
| java-1.6.0-ibm-1:1.6.0.16.20-1jpp.1.el5 | cpe:/a:redhat:rhel_extras:5 | RHSA-2016:0101 | 2016-02-02T00:00:00Z |
| Red Hat Enterprise Linux 6 | |||
| libpng-2:1.2.49-2.el6_7 | cpe:/o:redhat:enterprise_linux:6 | RHSA-2015:2594 | 2015-12-09T00:00:00Z |
| Red Hat Enterprise Linux 6 Supplementary | |||
| java-1.7.1-ibm-1:1.7.1.3.30-1jpp.2.el6_7 | cpe:/a:redhat:rhel_extras:6 | RHSA-2016:0099 | 2016-02-02T00:00:00Z |
| java-1.6.0-ibm-1:1.6.0.16.20-1jpp.1.el6_7 | cpe:/a:redhat:rhel_extras:6 | RHSA-2016:0101 | 2016-02-02T00:00:00Z |
| Red Hat Enterprise Linux 7 | |||
| libpng12-0:1.2.50-7.el7_2 | cpe:/o:redhat:enterprise_linux:7 | RHSA-2015:2595 | 2015-12-09T00:00:00Z |
| libpng-2:1.5.13-7.el7_2 | cpe:/o:redhat:enterprise_linux:7 | RHSA-2015:2596 | 2015-12-09T00:00:00Z |
| Red Hat Enterprise Linux 7 Supplementary | |||
| java-1.8.0-ibm-1:1.8.0.2.10-1jpp.1.el7 | cpe:/a:redhat:rhel_extras:7 | RHSA-2016:0098 | 2016-02-02T00:00:00Z |
| java-1.7.1-ibm-1:1.7.1.3.30-1jpp.1.el7 | cpe:/a:redhat:rhel_extras:7 | RHSA-2016:0099 | 2016-02-02T00:00:00Z |
| Red Hat Satellite 5.6 | |||
| java-1.7.0-ibm-1:1.7.0.9.40-1jpp.1.el5 | cpe:/a:redhat:network_satellite:5.6::el5 | RHSA-2016:1430 | 2016-07-18T00:00:00Z |
| java-1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el6_7 | cpe:/a:redhat:network_satellite:5.6::el5 | RHSA-2016:1430 | 2016-07-18T00:00:00Z |
| spacewalk-java-0:2.0.2-109.el5sat | cpe:/a:redhat:network_satellite:5.6::el5 | RHSA-2016:1430 | 2016-07-18T00:00:00Z |
| Red Hat Satellite 5.7 | |||
| java-1.7.1-ibm-1:1.7.1.3.40-1jpp.1.el6_7 | cpe:/a:redhat:network_satellite:5.7::el6 | RHSA-2016:1430 | 2016-07-18T00:00:00Z |
| spacewalk-java-0:2.3.8-146.el6sat | cpe:/a:redhat:network_satellite:5.7::el6 | RHSA-2016:1430 | 2016-07-18T00:00:00Z |
No data available yet.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 Debian DLA |
DLA-375-1 | libpng security update |
| Debian DLA |
DLA-410-1 | openjdk-6 security update |
 Debian DSA |
DSA-3443-1 | libpng security update |
 EUVD |
EUVD-2015-8354 | Buffer overflow in the png_set_PLTE function in libpng before 1.0.65, 1.1.x and 1.2.x before 1.2.55, 1.3.x, 1.4.x before 1.4.18, 1.5.x before 1.5.25, and 1.6.x before 1.6.20 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8126. |
 Ubuntu USN |
USN-2861-1 | libpng vulnerabilities |
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2024-08-06T08:20:41.892Z
Reserved: 2015-12-04T00:00:00.000Z
Link: CVE-2015-8472
Vulnrichment
No data.
NVD
Status : Modified
Published: 2016-01-21T15:59:00.117
Modified: 2026-05-06T22:30:45.220
Link: CVE-2015-8472
Redhat
OpenCVE Enrichment
No data.