CVE-2017-12652

Published: 10 July 2019

libpng before 1.6.32 does not properly check the length of chunks against the user limit.

Priority

Low

CVSS 3 base score: 9.8

Status

Package Release Status
chromium-browser
Upstream Needs triage

Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(uses system libpng)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(uses system libpng)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(uses system libpng)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(uses system libpng)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

firefox
Upstream Needs triage

Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(73.0.1+build1-0ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(73.0.1+build1-0ubuntu1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(73.0+build3-0ubuntu0.18.04.1)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(72.0.2+build1-0ubuntu0.16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

libpng
Upstream Needs triage

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Needs triage

Ubuntu 14.04 ESM (Trusty Tahr) Needs triage

libpng1.6
Upstream Released (1.6.32)

Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(1.6.37-1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(1.6.37-1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(1.6.34-1ubuntu0.18.04.2)
Ubuntu 16.04 LTS (Xenial Xerus) Needed

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: https://github.com/glennrp/libpng/commit/347538efbdc21b8df684ebd92d37400b3ce85d55
Upstream: https://github.com/glennrp/libpng/commit/a1fe2c98489519d415b72bc0026f0c86d82278b7
Upstream: https://github.com/glennrp/libpng/commit/095b4ce16bb46acb259ea1a4ca6562a623e58d93
Upstream: https://github.com/glennrp/libpng/commit/2dbef2f2a9e759a80d2decb6862518acf4919c59
Upstream: https://github.com/glennrp/libpng/commit/2dca15686fadb1b8951cb29b02bad4cae73448da
Upstream: https://github.com/glennrp/libpng/commit/fcd1bb93124d76059abef98216d8390f520c577b
Upstream: https://github.com/glennrp/libpng/commit/13bc0b6b1f8f2f2491fcc9f0c1c939ff06e13c15

thunderbird
Upstream Needs triage

Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(1:68.5.0+build1-0ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(1:68.5.0+build1-0ubuntu1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(1:68.4.1+build1-0ubuntu0.18.04.1)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(1:60.9.0+build1-0ubuntu0.16.04.2)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist