PT-2015-3270 · Png Development+6 · Libpng+6
Adam Mariš · Published 2015-12-05 · Updated 2024-09-06 · CVE-2015-8472
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
libpng versions 1.0.0 through 1.0.64
libpng versions 1.1.x
libpng versions 1.2.x through 1.2.54
libpng versions 1.3.x
libpng versions 1.4.x through 1.4.17
libpng versions 1.5.x through 1.5.24
libpng versions 1.6.x through 1.6.19
Description
The issue is caused by a buffer overflow in the png_set_PLTE function in libpng, allowing remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image. This vulnerability exists because of an incomplete fix for a previous issue.
Recommendations
For libpng versions 1.0.0 through 1.0.64, update to version 1.0.65 or later.
For libpng versions 1.1.x, update to version 1.2.55 or later.
For libpng versions 1.2.x through 1.2.54, update to version 1.2.55 or later.
For libpng versions 1.3.x, update to version 1.4.18 or later.
For libpng versions 1.4.x through 1.4.17, update to version 1.4.18 or later.
For libpng versions 1.5.x through 1.5.24, update to version 1.5.25 or later.
For libpng versions 1.6.x through 1.6.19, update to version 1.6.20 or later.
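Until the update is deployed, untrusted PNG data can be screened before it reaches libpng. The following is an added example, not libpng code or code from this advisory: it rejects streams whose PLTE chunk holds more entries than the IHDR bit depth can index, which the PNG specification forbids. That this is the relevant malformed input is an assumption (the advisory states only that a small bit-depth value is involved), and the names iter_chunks, palette_problem and constructed_sample are hypothetical.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
INDEXED = 3  # IHDR colour type 3: pixels are palette indexes

def iter_chunks(data):
    """Yield (type, payload) per chunk; ValueError on bad framing or CRC."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG signature")
    pos = 8
    while pos < len(data):
        if pos + 12 > len(data):
            raise ValueError("truncated chunk")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("chunk length runs past end of file")
        payload = data[pos + 8:end - 4]
        if struct.unpack(">I", data[end - 4:end])[0] != zlib.crc32(ctype + payload):
            raise ValueError("CRC mismatch in %r" % ctype)
        yield ctype, payload
        pos = end

def palette_problem(data):
    """Return None if PLTE fits the IHDR bit depth, else a rejection reason."""
    depth = colour = None
    try:
        for ctype, payload in iter_chunks(data):
            if ctype == b"IHDR" and len(payload) == 13:
                depth, colour = payload[8], payload[9]  # bit depth, colour type
                if colour == INDEXED and depth not in (1, 2, 4, 8):
                    return "indexed image with bit depth %d" % depth
            elif ctype == b"PLTE":
                if depth is None:
                    return "PLTE before a valid IHDR"
                if not payload or len(payload) % 3:
                    return "PLTE length %d is not a positive multiple of 3" % len(payload)
                limit = (1 << depth) if colour == INDEXED else 256
                if len(payload) // 3 > limit:
                    return "PLTE has %d entries, bit depth %d allows %d" % (
                        len(payload) // 3, depth, limit)
    except ValueError as exc:
        return str(exc)
    return None if depth is not None else "no valid IHDR"

def constructed_sample(depth, entries):
    """Constructed header-only stream (IHDR, PLTE, IEND; no image data)."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, depth, INDEXED, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"PLTE", bytes(3 * entries)) + chunk(b"IEND", b"")
```

A non-None return value is the reason to drop or quarantine the file instead of decoding it; the check complements the library update and does not replace it.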
As a temporary workaround, consider disabling the png_set_PLTE function until a patch is available.
Fix
DoS
Buffer Overflow
Weakness Enumeration
Related Identifiers
Affected Products
ALT Linux
CentOS
IBM AIX
Red Hat
SUSE
Ubuntu
Libpng