CVE-2017-12652

Published: 10 July 2019

libpng before 1.6.32 does not properly check the length of chunks against the user limit.

Priority

CVSS 3 base score: 9.8

Status

Package	Release	Status
chromium-browser Launchpad, Ubuntu, Debian	bionic	Not vulnerable (uses system libpng)
	cosmic	Not vulnerable (uses system libpng)
	disco	Not vulnerable (uses system libpng)
	eoan	Not vulnerable (uses system libpng)
	focal	Not vulnerable (uses system libpng)
	groovy	Not vulnerable (uses system libpng)
	hirsute	Not vulnerable (uses system libpng)
	impish	Not vulnerable (uses system libpng)
	jammy	Not vulnerable (uses system libpng)
	kinetic	Not vulnerable (uses system libpng)
	precise	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Not vulnerable (uses system libpng)
firefox Launchpad, Ubuntu, Debian	bionic	Not vulnerable (73.0+build3-0ubuntu0.18.04.1)
	cosmic	Ignored (reached end-of-life)
	disco	Ignored (reached end-of-life)
	eoan	Not vulnerable (73.0+build3-0ubuntu0.19.10.1)
	focal	Not vulnerable (73.0.1+build1-0ubuntu1)
	groovy	Not vulnerable (73.0.1+build1-0ubuntu1)
	hirsute	Not vulnerable (73.0.1+build1-0ubuntu1)
	impish	Not vulnerable (73.0.1+build1-0ubuntu1)
	jammy	Not vulnerable (73.0.1+build1-0ubuntu1)
	kinetic	Not vulnerable (73.0.1+build1-0ubuntu1)
	precise	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Not vulnerable (72.0.2+build1-0ubuntu0.16.04.1)
libpng Launchpad, Ubuntu, Debian	bionic	Does not exist
	cosmic	Does not exist
	disco	Does not exist
	eoan	Does not exist
	focal	Does not exist
	groovy	Does not exist
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	kinetic	Does not exist
	precise	Ignored (end of ESM support, was needs-triage)
	trusty	Needs triage
	upstream	Needs triage
	xenial	Released (1.2.54-1ubuntu1.1+esm1)
libpng1.6 Launchpad, Ubuntu, Debian	bionic	Not vulnerable (1.6.34-1ubuntu0.18.04.2)
	cosmic	Not vulnerable (1.6.34-2ubuntu0.1)
	disco	Not vulnerable (1.6.36-6)
	eoan	Not vulnerable (1.6.37-1)
	focal	Not vulnerable (1.6.37-1)
	groovy	Not vulnerable (1.6.37-1)
	hirsute	Not vulnerable (1.6.37-1)
	impish	Not vulnerable (1.6.37-1)
	jammy	Not vulnerable (1.6.37-1)
	kinetic	Not vulnerable (1.6.37-1)
	precise	Does not exist
	trusty	Does not exist
	upstream	Released (1.6.32)
	xenial	Ignored (end of standard support, was needed)
	Patches: upstream: https://github.com/glennrp/libpng/commit/347538efbdc21b8df684ebd92d37400b3ce85d55 upstream: https://github.com/glennrp/libpng/commit/a1fe2c98489519d415b72bc0026f0c86d82278b7 upstream: https://github.com/glennrp/libpng/commit/095b4ce16bb46acb259ea1a4ca6562a623e58d93 upstream: https://github.com/glennrp/libpng/commit/2dbef2f2a9e759a80d2decb6862518acf4919c59 upstream: https://github.com/glennrp/libpng/commit/2dca15686fadb1b8951cb29b02bad4cae73448da upstream: https://github.com/glennrp/libpng/commit/fcd1bb93124d76059abef98216d8390f520c577b upstream: https://github.com/glennrp/libpng/commit/13bc0b6b1f8f2f2491fcc9f0c1c939ff06e13c15
thunderbird Launchpad, Ubuntu, Debian	bionic	Not vulnerable (1:68.4.1+build1-0ubuntu0.18.04.1)
	cosmic	Ignored (reached end-of-life)
	disco	Ignored (reached end-of-life)
	eoan	Not vulnerable (1:68.4.1+build1-0ubuntu0.19.10.1)
	focal	Not vulnerable (1:68.5.0+build1-0ubuntu1)
	groovy	Not vulnerable (1:68.5.0+build1-0ubuntu1)
	hirsute	Not vulnerable (1:68.5.0+build1-0ubuntu1)
	impish	Not vulnerable (1:68.5.0+build1-0ubuntu1)
	jammy	Not vulnerable (1:68.5.0+build1-0ubuntu1)
	kinetic	Not vulnerable (1:68.5.0+build1-0ubuntu1)
	precise	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Not vulnerable (1:60.9.0+build1-0ubuntu0.16.04.2)

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Security

CVE-2017-12652

Low

Status

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Further reading