CVE-2019-7317 - OpenCVE

png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:H/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Enterprise Linux Satellite Enterprise Linux Desktop Enterprise Linux For Power Little Endian Enterprise Linux Workstation Enterprise Linux For Power Big Endian Enterprise Linux For Scientific Computing Enterprise Linux For Ibm Z Systems
Oracle	Jdk Mysql Java Se Hyperion Infrastructure Technology
Hp	Xp7 Command View
Netapp	E-series Santricity Management Active Iq Unified Manager E-series Santricity Web Services Cloud Backup Steelstore E-series Santricity Unified Manager Oncommand Insight Snapmanager Oncommand Workflow Automation Plug-in For Symantec Netbackup E-series Santricity Storage Manager
Libpng	Libpng
Opensuse	Leap Package Hub
Canonical	Ubuntu Linux
Mozilla	Thunderbird Firefox Esr
Debian	Debian Linux
Hpe	Xp7 Command View Advanced Edition Suite
Suse	Linux Enterprise

Configuration 1 [-]

cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

Configuration 3 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:16.04:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:18.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:19.04:::::::*

Configuration 4 [-]

OR	cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.2.6.0:::::::*
	cpe:2.3:a:oracle:java_se:7u221:::::::*
	cpe:2.3:a:oracle:java_se:8u212:::::::*
	cpe:2.3:a:oracle:jdk:11.0.3:::::::*
	cpe:2.3:a:oracle:jdk:12.0.1:::::::*
	cpe:2.3:a:oracle:mysql::::::::

Configuration 5 [-]

OR	cpe:2.3:a:hp:xp7_command_view:::::advanced:::*
	cpe:2.3:a:hpe:xp7_command_view_advanced_edition_suite::::::::

Configuration 6 [-]

OR	cpe:2.3:a:mozilla:firefox_esr:-:::::::*
	cpe:2.3:a:mozilla:thunderbird:-:::::::*

Configuration 7 [-]

OR	cpe:2.3:o:opensuse:leap:15.0:::::::*
	cpe:2.3:o:opensuse:leap:15.1:::::::*
	cpe:2.3:o:opensuse:leap:42.3:::::::*

Configuration 8 [-]

AND

cpe:2.3:a:opensuse:package_hub:-:*:*:*:*:*:*:*

cpe:2.3:o:suse:linux_enterprise:12.0:*:*:*:*:*:*:*

Configuration 9 [-]

OR	cpe:2.3:a:netapp:active_iq_unified_manager::::::vmware_vsphere::*
	cpe:2.3:a:netapp:active_iq_unified_manager::::::windows::*
	cpe:2.3:a:netapp:active_iq_unified_manager:9.6:::::vmware_vsphere::
	cpe:2.3:a:netapp:active_iq_unified_manager:9.6:::::windows::
	cpe:2.3:a:netapp:cloud_backup:-:::::::*
	cpe:2.3:a:netapp:e-series_santricity_management:-:::::vcenter::
	cpe:2.3:a:netapp:e-series_santricity_storage_manager::::::::
	cpe:2.3:a:netapp:e-series_santricity_unified_manager::::::::
	cpe:2.3:a:netapp:e-series_santricity_web_services::::::web_services_proxy::*
	cpe:2.3:a:netapp:oncommand_insight::::::::
	cpe:2.3:a:netapp:oncommand_workflow_automation::::::::
	cpe:2.3:a:netapp:plug-in_for_symantec_netbackup:-:::::::*
	cpe:2.3:a:netapp:snapmanager::::::oracle::*
	cpe:2.3:a:netapp:snapmanager::::::sap::*
	cpe:2.3:a:netapp:snapmanager:3.4.2:p1::::oracle::*
	cpe:2.3:a:netapp:snapmanager:3.4.2:p1::::sap::*
	cpe:2.3:a:netapp:steelstore:-:::::::*

Configuration 10 [-]

OR	cpe:2.3:a:redhat:satellite:5.8:::::::*
	cpe:2.3:o:redhat:enterprise_linux:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00002.html	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00029.html	Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00084.html	Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.html	Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html	Mailing List Third Party Advisory
http://packetstormsecurity.com/files/152561/Slackware-Security-Advisory-libpng-Updates.html	VDB Entry Third Party Advisory
http://www.securityfocus.com/bid/108098	Not Applicable Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2019:1265	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1267	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1269	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1308	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1309	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1310	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2494	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2495	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2585	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2590	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2592	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2737	Third Party Advisory
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803	Issue Tracking Mailing List Third Party Advisory
https://github.com/glennrp/libpng/issues/275	Exploit Issue Tracking Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/05/msg00032.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/05/msg00038.html	Mailing List Third Party Advisory
https://seclists.org/bugtraq/2019/Apr/30	Issue Tracking Mailing List Third Party Advisory
https://seclists.org/bugtraq/2019/Apr/36	Issue Tracking Mailing List Third Party Advisory
https://seclists.org/bugtraq/2019/May/56	Issue Tracking Mailing List Third Party Advisory
https://seclists.org/bugtraq/2019/May/59	Issue Tracking Mailing List Third Party Advisory
https://seclists.org/bugtraq/2019/May/67	Issue Tracking Mailing List Third Party Advisory
https://security.gentoo.org/glsa/201908-02	Third Party Advisory
https://security.netapp.com/advisory/ntap-20190719-0005/	Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03977en_us	Third Party Advisory
https://usn.ubuntu.com/3962-1/	Third Party Advisory
https://usn.ubuntu.com/3991-1/	Third Party Advisory
https://usn.ubuntu.com/3997-1/	Third Party Advisory
https://usn.ubuntu.com/4080-1/	Third Party Advisory
https://usn.ubuntu.com/4083-1/	Third Party Advisory
https://www.debian.org/security/2019/dsa-4435	Third Party Advisory
https://www.debian.org/security/2019/dsa-4448	Third Party Advisory
https://www.debian.org/security/2019/dsa-4451	Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	Patch Third Party Advisory