libpng 'pngwutil.c' Remote Code Execution Vulnerability (CVE-2015-8540)

libpng is a PNG image parsing library used by many applications.
 
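In certain versions of libpng, the png_check_keyword function in pngwutil.c contains an integer overflow vulnerability. A remote attacker can execute arbitrary code by triggering an out-of-bounds read.

Solution
The Linux/Unix distributions listed below have published security advisories for this vulnerability. Refer to the advisory for your system to fix it: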
 
Ubuntu
----------------
USN-2861-1: [USN-2861-1] libpng vulnerabilities
Link: https://www.ubuntu.com/usn/usn-2861-1
 
Red Hat Enterprise Linux
----------------
Link: https://access.redhat.com/security/cve/CVE-2015-8540
 
Gentoo
----------------
GLSA-201611-08: libpng: Multiple vulnerabilities
Link: https://security.gentoo.org/glsa/201611-08
 
Slackware
----------------
SSA:2015-351-02: [slackware-security] libpng (SSA:2015-351-02)
Link: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.498464
 
openSUSE
----------------
openSUSE-SU-2017:1037-1: openSUSE Security Update: Security update for libpng15
Link: https://lists.opensuse.org/opensuse-updates/2017-04/msg00063.html
openSUSE-SU-2017:0942-1: openSUSE Security Update: Security update for libpng12
Link: https://lists.opensuse.org/opensuse-updates/2017-04/msg00026.html
openSUSE-SU-2016:2672-1: openSUSE Security Update: Security update for libpng12
Link: https://lists.opensuse.org/opensuse-updates/2016-10/msg00108.html
 
SUSE
----------------
Link: https://www.suse.com/security/cve/CVE-2015-8540/
 
Fedora
----------------
FEDORA-2015-39499d9af8: Fedora 23 Update: libpng12-1.2.56-1.fc23
Link: https://lists.fedoraproject.org/pipermail/package-announce/2016-January/174810.html
FEDORA-2015-ac8100927a: Fedora 22 Update: libpng12-1.2.56-1.fc22
Link: https://lists.fedoraproject.org/pipermail/package-announce/2016-January/174816.html
FEDORA-2015-3868cfa17b: Fedora 23 Update: libpng10-1.0.66-1.fc23
Link: https://lists.fedoraproject.org/pipermail/package-announce/2015-December/174435.html
FEDORA-2015-0a543024bf: Fedora 22 Update: libpng10-1.0.66-1.fc22
Link: https://lists.fedoraproject.org/pipermail/package-announce/2015-December/174762.html
 
Debian
----------------
DSA-3443: DSA-3443-1 libpng -- security update
Link: https://www.debian.org/security/2016/dsa-3443
 
EulerOS
----------------
Link: http://developer.huawei.com/ict/cn/site-euleros/euleros/cve/CVE-2015-8540

posted @ 2019-05-20 11:02  mrhonest