Subject: [ASA-201904-10] libpng: denial of service

Arch Linux Security Advisory ASA-201904-10
==========================================

Severity: Low
Date    : 2019-04-24
CVE-ID  : CVE-2019-7317
Package : libpng
Type    : denial of service
Remote  : No
Link    : https://security.archlinux.org/AVG-868

Summary
=======

The package libpng before version 1.6.37-1 is vulnerable to denial of service.

Resolution
==========

Upgrade to 1.6.37-1.

# pacman -Syu "libpng>=1.6.37-1"

The problem has been fixed upstream in version 1.6.37.

Workaround
==========

None.

Description
===========

png_image_free in png.c in libpng 1.6.36 has a use-after-free because png_image_free_function is called under png_safe_execute.

Impact
======

A remote attacker can crash an application using libpng via a crafted image.

References
==========

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803
https://github.com/glennrp/libpng/issues/275
https://security.archlinux.org/CVE-2019-7317