ALAS2-2023-1904


Amazon Linux 2 Security Advisory: ALAS-2023-1904
Advisory Release Date: 2023-01-18 00:16 Pacific
Advisory Updated Date: 2023-01-20 23:30 Pacific
Severity: Important

Issue Overview:

Integer underflow in the png_check_keyword function in pngwutil.c in libpng 0.90 through 0.99, 1.0.x before 1.0.66, 1.1.x and 1.2.x before 1.2.56, 1.3.x and 1.4.x before 1.4.19, and 1.5.x before 1.5.26 allows remote attackers to have unspecified impact via a space character as a keyword in a PNG image, which triggers an out-of-bounds read. (CVE-2015-8540)


Affected Packages:

libpng


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update libpng to update your system.

New Packages:
aarch64:
    libpng-1.5.13-8.amzn2.0.1.aarch64
    libpng-devel-1.5.13-8.amzn2.0.1.aarch64
    libpng-static-1.5.13-8.amzn2.0.1.aarch64
    libpng-debuginfo-1.5.13-8.amzn2.0.1.aarch64

i686:
    libpng-1.5.13-8.amzn2.0.1.i686
    libpng-devel-1.5.13-8.amzn2.0.1.i686
    libpng-static-1.5.13-8.amzn2.0.1.i686
    libpng-debuginfo-1.5.13-8.amzn2.0.1.i686

src:
    libpng-1.5.13-8.amzn2.0.1.src

x86_64:
    libpng-1.5.13-8.amzn2.0.1.x86_64
    libpng-devel-1.5.13-8.amzn2.0.1.x86_64
    libpng-static-1.5.13-8.amzn2.0.1.x86_64
    libpng-debuginfo-1.5.13-8.amzn2.0.1.x86_64