CVE-2019-6129

Name of the Vulnerable Software and Affected Versions libpng version 1.6.36

Description The issue is related to a memory leak in the png create info struct function in libpng. This leak occurs as demonstrated by pngcp. A third party has stated that they do not think it is libpng's job to free this buffer. The vulnerability may allow a remote attacker to cause a denial of service using multiple network protocols.

Recommendations For libpng version 1.6.36, as a temporary workaround, consider disabling the png create info struct function until a patch is available. However, since the dispute regarding the responsibility for freeing the buffer exists, and no clear patch or update information is provided, the best course of action is to monitor for updates from the libpng developers regarding this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.