Description
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.
An out-of-bounds read vulnerability has been discovered in libpng. The flaw is in libpng's simplified API and allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management.
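To triage which inputs actually reach the code path this advisory describes, the following added Python script (it is not libpng's code and not part of the original advisory) walks a PNG's chunk structure, verifies chunk lengths and CRCs, and flags files that combine the three properties named above: palette colour type, a tRNS entry that is neither fully opaque nor fully transparent, and declared gamma. Assumptions, also marked in the code: "gamma correction" is taken to mean the file carries a gAMA or sRGB chunk (whether libpng really corrects gamma also depends on the output format the simplified-API caller requests); the class and function names are the example's own; the sample images are constructed inline; and the version helper compares against the 1.6.52 fix version stated in the description.

```python
"""Triage helper for the libpng issue described above (added example, not
libpng code). Flags PNGs that combine palette colour type, partial tRNS
transparency and declared gamma (gAMA/sRGB chunk: an assumption about what
"gamma correction" means here). Sample images are constructed inline."""
import re
import struct
import sys
import zlib
from dataclasses import dataclass, field

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
FIXED_VERSION = (1, 6, 52)  # version the advisory names as fixed


@dataclass
class PngFacts:
    width: int = 0
    height: int = 0
    bit_depth: int = 0
    color_type: int = 0
    palette_entries: int = 0
    trns_alphas: list = field(default_factory=list)
    has_gamma: bool = False
    chunks: list = field(default_factory=list)

    @property
    def is_palette(self) -> bool:
        return self.color_type == 3

    @property
    def has_partial_alpha(self) -> bool:
        return any(0 < a < 255 for a in self.trns_alphas)

    @property
    def matches_advisory(self) -> bool:
        return self.is_palette and self.has_partial_alpha and self.has_gamma


def iter_chunks(data: bytes):
    """Yield (type, body) for each chunk, rejecting truncation and CRC errors."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk")


def inspect_png(data: bytes) -> PngFacts:
    """Collect the facts relevant to the advisory from a PNG byte string."""
    facts = PngFacts()
    for ctype, body in iter_chunks(data):
        facts.chunks.append(ctype.decode("latin-1"))
        if ctype == b"IHDR":
            (facts.width, facts.height,
             facts.bit_depth, facts.color_type) = struct.unpack(">IIBB", body[:10])
        elif ctype == b"PLTE":
            facts.palette_entries = len(body) // 3
        elif ctype == b"tRNS" and facts.is_palette:
            facts.trns_alphas = list(body)  # one alpha byte per palette entry
        elif ctype in (b"gAMA", b"sRGB"):
            facts.has_gamma = True  # assumption: declared gamma == "gamma correction"
    return facts


def is_fixed_libpng(version: str) -> bool:
    """True if a version string such as the output of `pkg-config --modversion
    libpng` is 1.6.52 or later; pre-release suffixes are ignored."""
    nums = [int(m.group()) for m in re.finditer(r"\d+", version)][:3]
    return tuple(nums + [0] * (3 - len(nums))) >= FIXED_VERSION


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_palette_png(alphas, with_gamma=True) -> bytes:
    """Constructed sample: a 2x1, 8-bit palette image with one palette entry per
    alpha value, declaring gamma 1/2.2 via gAMA when asked."""
    n = len(alphas)
    chunks = [_chunk(b"IHDR", struct.pack(">IIBBBBB", 2, 1, 8, 3, 0, 0, 0))]
    if with_gamma:
        chunks.append(_chunk(b"gAMA", struct.pack(">I", 45455)))  # gamma * 100000
    chunks.append(_chunk(b"PLTE", b"".join(bytes((i, i, i)) for i in range(n))))
    chunks.append(_chunk(b"tRNS", bytes(alphas)))
    scanline = b"\x00" + bytes([0, n - 1])  # filter type 0, then two palette indices
    chunks.append(_chunk(b"IDAT", zlib.compress(scanline)))
    chunks.append(_chunk(b"IEND", b""))
    return PNG_SIGNATURE + b"".join(chunks)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            facts = inspect_png(fh.read())
        flag = "MATCHES" if facts.matches_advisory else "ok"
        print(f"{flag}\t{path}\tcolor_type={facts.color_type} "
              f"partial_alpha={facts.has_partial_alpha} gamma={facts.has_gamma}")
```

Run it over a directory of untrusted inputs (`python3 triage.py *.png`) to see how much of a corpus falls into the affected class; a file that is flagged is still a valid PNG, so the check is a way to prioritise the upgrade, not a filter that replaces it. The sample builder places gAMA before PLTE and tRNS before IDAT, as the PNG chunk ordering rules require.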
Statement
The Red Hat Product Security team has rated this vulnerability as Important because it affects libpng, a widely used library for PNG image processing. The flaw is an out-of-bounds read in libpng's simplified API when handling specially crafted PNG images containing partial transparency and gamma correction data; such files are nonetheless valid per the PNG specification. Successful exploitation could result in information disclosure or application crashes in applications that process untrusted PNG content.
For java-17-openjdk-headless and java-21-openjdk-headless, while the affected code is present in the bundled sources, it is not exercised by these headless packages.
Mitigation
Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria of ease of use and deployment, applicability to a widespread installation base, or stability.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat build of OpenJDK 11 ELS | java-11-openjdk | Affected | | |
| Red Hat build of OpenJDK 11 ELS | java-11-openjdk-portable | Affected | | |
| Red Hat build of OpenJDK 11 ELS | java-21-openjdk-portable | Not affected | | |
| Red Hat build of OpenJDK 17 | java-17-openjdk-portable | Affected | | |
| Red Hat build of OpenJDK 17 | java-21-openjdk-portable | Not affected | | |
| Red Hat build of OpenJDK 1.8 | java-1.8.0-openjdk-portable | Affected | | |
| Red Hat build of OpenJDK 21 | java-21-openjdk-portable | Affected | | |
| Red Hat build of OpenJDK 21 | java-21-openjdk-portable-rhel7 | Not affected | | |
| Red Hat build of OpenJDK 25 | java-21-openjdk-vanilla | Not affected | | |
| Red Hat build of OpenJDK 25 | java-25-openjdk-portable | Affected | | |
References
Additional information
Status:
EPSS:
CVSS3: 7.1 High
Related vulnerabilities
LIBPNG has an out-of-bounds read in png_image_read_composite