diff -Nru libpng-1.2.54/debian/changelog libpng-1.2.54/debian/changelog
--- libpng-1.2.54/debian/changelog 2015-11-18 17:20:30.000000000 +0000
+++ libpng-1.2.54/debian/changelog 2016-01-06 17:39:28.000000000 +0000
@@ -1,3 +1,16 @@
+libpng (1.2.54-1ubuntu1) xenial; urgency=medium
+
+ * SECURITY UPDATE: overflows in png_handle_zTXt(), png_handle_sPLT(),
+ png_handle_pCAL(), and png_set_PLTE()
+ - debian/patches/CVE-2015-8472.patch: check lengths in pngrutil.c,
+ properly use info_ptr in pngset.c.
+ - CVE-2015-8472
+ * SECURITY UPDATE: out-of-range read in png_check_keyword()
+ - debian/patches/CVE-2015-8540.patch: check key_len in pngwutil.c.
+ - CVE-2015-8540
+
+ -- Marc Deslauriers Wed, 06 Jan 2016 12:39:08 -0500
+
 libpng (1.2.54-1) unstable; urgency=medium
 * New upstream release. (Closes: #803078, #805113)
diff -Nru libpng-1.2.54/debian/control libpng-1.2.54/debian/control
--- libpng-1.2.54/debian/control 2015-11-18 17:20:30.000000000 +0000
+++ libpng-1.2.54/debian/control 2016-01-06 17:39:40.000000000 +0000
@@ -1,7 +1,8 @@
 Source: libpng
 Section: libs
 Priority: optional
-Maintainer: Anibal Monsalve Salazar
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Anibal Monsalve Salazar
 Uploaders: Nobuhiro Iwamatsu
 Build-Depends: debhelper (>= 8.1.3), libtool, automake, autoconf, zlib1g-dev, mawk
 Standards-Version: 3.9.6
diff -Nru libpng-1.2.54/debian/patches/CVE-2015-8472.patch libpng-1.2.54/debian/patches/CVE-2015-8472.patch
--- libpng-1.2.54/debian/patches/CVE-2015-8472.patch 1970-01-01 00:00:00.000000000 +0000
+++ libpng-1.2.54/debian/patches/CVE-2015-8472.patch 2016-01-06 17:38:58.000000000 +0000
@@ -0,0 +1,72 @@
+Description: fix overflows in png_handle_zTXt(), png_handle_sPLT(),
+ png_handle_pCAL(), and png_set_PLTE()
+Origin: upstream, https://github.com/glennrp/libpng/commit/7e1ca9ceba4e64259863efdd98bab9b55bdc0b9c
+Origin: upstream, https://github.com/glennrp/libpng/commit/4488a96126bbefda51d07835411d8e847a88b2b7
+Origin: upstream, https://github.com/glennrp/libpng/commit/ad224c6907e8a274f2679eae4c2e3085fdc7e8c8
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807112
+
+Index: libpng-1.2.54/pngrutil.c
+===================================================================
+--- libpng-1.2.54.orig/pngrutil.c 2016-01-06 12:38:56.225420266 -0500
++++ libpng-1.2.54/pngrutil.c 2016-01-06 12:38:56.217420190 -0500
+@@ -1114,7 +1114,7 @@
+ /* There should be at least one zero (the compression type byte)
+ * following the separator, and we should be on it
+ */
+- if ( profile >= png_ptr->chunkdata + slength - 1)
++ if (slength < 1U || profile >= png_ptr->chunkdata + slength - 1U)
+ {
+ png_free(png_ptr, png_ptr->chunkdata);
+ png_ptr->chunkdata = NULL;
+@@ -1242,7 +1242,8 @@
+ ++entry_start;
+
+ /* A sample depth should follow the separator, and we should be on it */
+- if (entry_start > (png_bytep)png_ptr->chunkdata + slength - 2)
++ if (slength < 2U ||
++ entry_start > (png_bytep)png_ptr->chunkdata + slength - 2U)
+ {
+ png_free(png_ptr, png_ptr->chunkdata);
+ png_ptr->chunkdata = NULL;
+@@ -1716,7 +1717,7 @@
+
+ /* We need to have at least 12 bytes after the purpose string
+ in order to get the parameter information. 
 */
+- if (endptr <= buf + 12)
++ if (slength < 12U || endptr - buf <= 12)
+ {
+ png_warning(png_ptr, "Invalid pCAL data");
+ png_free(png_ptr, png_ptr->chunkdata);
+@@ -2172,7 +2173,7 @@
+ /* Empty loop */ ;
+
+ /* zTXt must have some text after the chunkdataword */
+- if (text >= png_ptr->chunkdata + slength - 2)
++ if (slength < 2U || text >= png_ptr->chunkdata + slength - 2U)
+ png_warning(png_ptr, "Truncated zTXt chunk");
+ png_free(png_ptr, png_ptr->chunkdata);
+@@ -2298,7 +2299,7 @@
+ * keyword
+ */
+
+- if (lang >= png_ptr->chunkdata + slength - 3)
++ if (slength < 3U || lang >= png_ptr->chunkdata + slength - 3U)
+ png_warning(png_ptr, "Truncated iTXt chunk");
+ png_free(png_ptr, png_ptr->chunkdata);
+Index: libpng-1.2.54/pngset.c
+===================================================================
+--- libpng-1.2.54.orig/pngset.c 2016-01-06 12:38:56.225420266 -0500
++++ libpng-1.2.54/pngset.c 2016-01-06 12:38:56.221420229 -0500
+@@ -456,8 +456,8 @@
+ if (png_ptr == NULL || info_ptr == NULL)
+ return;
+
+- max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+- (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
++ max_palette_length = (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
++ (1 << info_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
+ if (num_palette < 0 || num_palette > (int) max_palette_length)
+ {
diff -Nru libpng-1.2.54/debian/patches/CVE-2015-8540.patch libpng-1.2.54/debian/patches/CVE-2015-8540.patch
--- libpng-1.2.54/debian/patches/CVE-2015-8540.patch 1970-01-01 00:00:00.000000000 +0000
+++ libpng-1.2.54/debian/patches/CVE-2015-8540.patch 2016-01-06 17:39:02.000000000 +0000
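Review bot: The rewritten bound in png_set_PLTE() is only as trustworthy as info_ptr->bit_depth: for a palette image `1 << info_ptr->bit_depth` exceeds PNG_MAX_PALETTE_LENGTH once bit_depth is above 8, and a num_palette up to that value then passes the check on the hunk's last visible line. png_set_IHDR() rejects such depths, but in libpng 1.2 the info struct is public and callers can fill it directly, so I would clamp right after the assignment: `if (max_palette_length > PNG_MAX_PALETTE_LENGTH)` / `max_palette_length = PNG_MAX_PALETTE_LENGTH;` (later upstream releases carry this clamp, as far as I recall). Whether the copy that follows targets a PNG_MAX_PALETTE_LENGTH-entry buffer cannot be confirmed from this hunk, so treat it as defence in depth rather than a demonstrated overflow. png_set_PLTE() begins before and continues after the hunk.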
@@ -0,0 +1,26 @@
+From 520b373ee53e92dce93917fea5a609b2a0291472 Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson
+Date: Wed, 9 Dec 2015 09:33:54 -0600
+Subject: [PATCH] [libpng12] Fixed an out-of-range read in png_check_keyword()
+ (Bug report from
+
+Qixue Xiao).
+---
+ ANNOUNCE | 48 ++++++++++++++++++++++--------------------------
+ CHANGES | 8 ++++++--
+ pngwutil.c | 2 +-
+ 3 files changed, 29 insertions(+), 29 deletions(-)
+
+diff --git a/pngwutil.c b/pngwutil.c
+index bc6c986..182f8db 100644
+--- a/pngwutil.c
++++ b/pngwutil.c
+@@ -1285,7 +1285,7 @@ png_check_keyword(png_structp png_ptr, png_charp key, png_charpp new_key)
+ {
+ png_warning(png_ptr, "trailing spaces removed from keyword");
+
+- while (*kp == ' ')
++ while (key_len && *kp == ' ')
+ {
+ *(kp--) = '\0';
+ key_len--;
diff -Nru libpng-1.2.54/debian/patches/series libpng-1.2.54/debian/patches/series
--- libpng-1.2.54/debian/patches/series 2015-11-18 17:20:30.000000000 +0000
+++ libpng-1.2.54/debian/patches/series 2016-01-06 17:39:02.000000000 +0000
@@ -1,2 +1,4 @@
 # 01-legacy.patch
 libpng-config.diff
+CVE-2015-8472.patch
+CVE-2015-8540.patch
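Review bot: The added `key_len &&` guard stops the loop from reading before the keyword, but on an all-space keyword `*(kp--)` still leaves `kp` pointing one element before `key` when the loop exits, and forming a pointer before the start of an object is undefined in C even if it is never dereferenced. Making the step conditional avoids that: replace the two body lines with `*kp = '\0';` / `if (--key_len > 0)` / `kp--;`, which behaves identically unless kp is reused after the loop — the remainder of png_check_keyword() is outside this hunk, so that reuse should be checked before relying on either form. The precondition also deserves a comment on the loop, e.g. `/* kp walks back from key[key_len - 1]; key_len bounds it so an all-space keyword cannot read before key[0] */`. png_check_keyword() starts before and ends after the hunk.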