CVE-2015-7981

medium

Description

The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before 1.0.64, 1.2.x before 1.2.54, and 1.4.x before 1.4.17 allows remote attackers to obtain sensitive process memory information via crafted tIME chunk data in an image file, which triggers an out-of-bounds read.

References

http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172620.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172647.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172663.html

http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00033.html

http://lists.opensuse.org/opensuse-updates/2015-11/msg00160.html

http://rhn.redhat.com/errata/RHSA-2015-2594.html

http://rhn.redhat.com/errata/RHSA-2015-2595.html

http://sourceforge.net/p/libpng/bugs/241/

http://sourceforge.net/projects/libpng/files/libpng10/1.0.64/

http://sourceforge.net/projects/libpng/files/libpng12/1.2.54/

http://sourceforge.net/projects/libpng/files/libpng14/1.4.17/

http://www.debian.org/security/2015/dsa-3399

http://www.openwall.com/lists/oss-security/2015/10/26/1

http://www.openwall.com/lists/oss-security/2015/10/26/3

http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html

http://www.securityfocus.com/bid/77304

http://www.securitytracker.com/id/1034393

http://www.ubuntu.com/usn/USN-2815-1

https://access.redhat.com/errata/RHSA-2016:1430

https://security.gentoo.org/glsa/201611-08

Details

Source: MITRE

Published: 2015-11-24

Updated: 2017-07-01

Type: CWE-200

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:libpng:libpng:1.0.0:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.1:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.2:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.3:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.5:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.6:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.7:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.8:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.9:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.10:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.11:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.12:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.13:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.14:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.15:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.16:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.17:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.18:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.19:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.20:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.21:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.22:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.23:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.24:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.25:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.26:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.27:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.28:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.29:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.30:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.31:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.32:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.33:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.34:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.35:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.37:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.38:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.39:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.40:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.41:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.42:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.43:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.44:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.45:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.46:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.47:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.48:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.50:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.51:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.52:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.53:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.54:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.55:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.55:rc01:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.56:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.56:devel:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.57:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.57:rc01:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.58:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.59:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.60:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.61:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.62:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.0.63:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.0:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.1:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.2:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.3:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.4:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.5:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.6:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.7:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.8:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.9:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.10:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.11:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.12:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.13:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.14:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.15:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.16:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.17:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.18:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.19:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.20:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.21:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.22:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.23:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.24:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.25:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.26:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.27:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.28:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.29:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.30:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.31:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.32:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.33:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.34:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.35:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.36:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.37:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.38:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.39:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.40:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.41:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.42:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.43:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.43:devel:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.44:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.45:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.45:devel:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.46:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.46:devel:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.47:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.47:beta:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.48:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.48:betas:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.49:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.50:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.51:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.52:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.2.53:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.4.1:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.4.2:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.4.3:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.4.4:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.4.5:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.4.6:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.4.7:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.4.8:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.4.9:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.4.10:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.4.11:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.4.12:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.4.13:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.4.14:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.4.15:*:*:*:*:*:*:*

cpe:2.3:a:libpng:libpng:1.4.16:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_eus:6.7.z:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 124924 | EulerOS Virtualization 3.0.1.0 : libpng (EulerOS-SA-2019-1421) | Nessus | Huawei Local Security Checks | high |
| 124894 | EulerOS Virtualization for ARM 64 3.0.1.0 : libpng12 (EulerOS-SA-2019-1391) | Nessus | Huawei Local Security Checks | high |
| 119974 | SUSE SLES12 Security Update : java-1_6_0-ibm (SUSE-SU-2016:0428-1) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
| 94892 | GLSA-201611-08 : libpng: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high |
| 92400 | RHEL 5 / 6 : java-1.7.0-ibm and java-1.7.1-ibm (RHSA-2016:1430) (SLOTH) | Nessus | Red Hat Local Security Checks | critical |
| 91772 | openSUSE Security Update : vlc (openSUSE-2016-754) | Nessus | SuSE Local Security Checks | critical |
| 91434 | F5 Networks BIG-IP : libpng out-of-bounds read vulnerability (SOL21057235) | Nessus | F5 Networks Local Security Checks | medium |
| 9267 | VLC Media Player < 2.2.2 Multiple Vulnerabilities | Nessus Network Monitor | Web Clients | critical |
| 89989 | SUSE SLES10 Security Update : java-1_6_0-ibm (SUSE-SU-2016:0776-1) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
| 89961 | SUSE SLES11 Security Update : java-1_6_0-ibm (SUSE-SU-2016:0770-1) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
| 89657 | SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2016:0636-1) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
| 89449 | Fedora 22 : libpng10-1.0.64-1.fc22 (2015-ec2ddd15d7) | Nessus | Fedora Local Security Checks | high |
| 89365 | Fedora 22 : libpng12-1.2.56-1.fc22 (2015-ac8100927a) | Nessus | Fedora Local Security Checks | high |
| 89239 | Fedora 21 : libpng10-1.0.64-1.fc21 (2015-501493d853) | Nessus | Fedora Local Security Checks | high |
| 89213 | Fedora 23 : libpng12-1.2.56-1.fc23 (2015-39499d9af8) | Nessus | Fedora Local Security Checks | high |
| 89167 | Fedora 23 : libpng10-1.0.64-1.fc23 (2015-1d87313b7c) | Nessus | Fedora Local Security Checks | high |
| 89053 | AIX Java Advisory : java_jan2016_advisory.asc (January 2016 CPU) (SLOTH) | Nessus | AIX Local Security Checks | critical |
| 88710 | SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2016:0433-1) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
| 88709 | SUSE SLES11 Security Update : java-1_6_0-ibm (SUSE-SU-2016:0431-1) (SLOTH) | Nessus | SuSE Local Security Checks | critical |
| 88557 | RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2016:0101) (SLOTH) | Nessus | Red Hat Local Security Checks | critical |
| 88556 | RHEL 5 : java-1.7.0-ibm (RHSA-2016:0100) (SLOTH) | Nessus | Red Hat Local Security Checks | critical |
| 88555 | RHEL 6 / 7 : java-1.7.1-ibm (RHSA-2016:0099) (SLOTH) | Nessus | Red Hat Local Security Checks | critical |
| 87584 | Scientific Linux Security Update : libpng12 on SL7.x x86_64 (20151209) | Nessus | Scientific Linux Local Security Checks | high |
| 87341 | Amazon Linux AMI : libpng (ALAS-2015-615) | Nessus | Amazon Linux Local Security Checks | high |
| 87308 | Scientific Linux Security Update : libpng on SL6.x i386/x86_64 (20151209) | Nessus | Scientific Linux Local Security Checks | high |
| 87306 | RHEL 7 : libpng12 (RHSA-2015:2595) | Nessus | Red Hat Local Security Checks | high |
| 87305 | RHEL 6 : libpng (RHSA-2015:2594) | Nessus | Red Hat Local Security Checks | high |
| 87303 | OracleVM 3.3 : libpng (OVMSA-2015-0153) | Nessus | OracleVM Local Security Checks | high |
| 87301 | Oracle Linux 7 : libpng12 (ELSA-2015-2595) | Nessus | Oracle Linux Local Security Checks | high |
| 87300 | Oracle Linux 6 : libpng (ELSA-2015-2594) | Nessus | Oracle Linux Local Security Checks | high |
| 87284 | CentOS 7 : libpng12 (CESA-2015:2595) | Nessus | CentOS Local Security Checks | high |
| 87283 | CentOS 6 : libpng (CESA-2015:2594) | Nessus | CentOS Local Security Checks | high |
| 87182 | Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : libpng (SSA:2015-337-01) | Nessus | Slackware Local Security Checks | high |
| 87087 | openSUSE Security Update : libpng12 (openSUSE-2015-826) | Nessus | SuSE Local Security Checks | high |
| 87082 | openSUSE Security Update : libpng12 (openSUSE-2015-802) | Nessus | SuSE Local Security Checks | high |
| 86993 | Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : libpng vulnerabilities (USN-2815-1) | Nessus | Ubuntu Local Security Checks | high |
| 86942 | SUSE SLED12 / SLES12 Security Update : libpng12 (SUSE-SU-2015:2024-1) | Nessus | SuSE Local Security Checks | high |
| 86941 | SUSE SLED11 / SLES11 Security Update : libpng12-0 (SUSE-SU-2015:2017-1) | Nessus | SuSE Local Security Checks | high |
| 86921 | Debian DSA-3399-1 : libpng - security update | Nessus | Debian Local Security Checks | high |
| 86907 | Debian DLA-343-1 : libpng security update | Nessus | Debian Local Security Checks | high |