[3.0] libpng: Incomplete fix for CVE-2015-8126 (CVE-2015-8472)
It was discovered that the original fix for CVE-2015-8126 was incomplete and did not detect a potential overrun by applications using png_set_PLTE directly. A remote attacker can take advantage of this flaw to cause a denial of service (application crash).
Use CVE-2015-8472 for this remaining problem that existed in 1.6.19
Fixed in 1.6.20
References:
https://marc.info/?l=oss-security&m=144929077710907&w=2
https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-8472
(from redmine: issue id 5023, created on 2016-01-14, closed on 2016-01-29)
- Relations:
  - parent #5019 (closed)
- Changesets:
  - Revision c1e9d0a8 on 2016-01-27T11:22:02Z:
    main/libpng: security upgrade to 1.6.20 (CVE-2015-8472). Fixes #5023