2015-11-16 libpng security issue (CVE-2015-8126)
A recently discovered vulnerability affects several libpng versions: before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19. This issue allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.
Check the libpng version that you are currently using with the following command:
$ installdir/common/bin/libpng-config --version
This issue affects libpng versions before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19.
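As an added example (not part of this advisory or the Bitnami patch), the following POSIX shell script compares the version printed by libpng-config against the affected ranges listed above; the installdir path is assumed to be the one used in the commands on this page.

```shell
#!/bin/sh
# Added example: classify a libpng version string (e.g. "1.5.23") against
# the ranges affected by CVE-2015-8126 as listed in the advisory above.

# Returns 0 (true) when the version falls in an affected range, 1 otherwise.
libpng_vulnerable() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    # Keep only the leading digits of the patch level (drops "beta01" etc.).
    patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ -z "$patch" ] && patch=0
    # The advisory only covers the 1.x series.
    [ "$major" -eq 1 ] || return 1
    case "$minor" in
        0) [ "$patch" -lt 64 ] ;;   # before 1.0.64
        1) return 0 ;;              # every 1.1.x release
        2) [ "$patch" -lt 54 ] ;;   # before 1.2.54
        3) return 0 ;;              # every 1.3.x release
        4) [ "$patch" -lt 17 ] ;;   # before 1.4.17
        5) [ "$patch" -lt 24 ] ;;   # before 1.5.24
        6) [ "$patch" -lt 19 ] ;;   # before 1.6.19
        *) return 1 ;;              # 1.7 and later are not listed as affected
    esac
}

# Query the installed libpng (installdir is an assumed path) and report.
# Exit status: 0 vulnerable, 1 not affected, 2 libpng-config not found.
check_installed_libpng() {
    dir="${1:-installdir}"
    v=$("$dir/common/bin/libpng-config" --version 2>/dev/null) || {
        echo "libpng-config not found under $dir"; return 2; }
    if libpng_vulnerable "$v"; then
        echo "libpng $v: vulnerable to CVE-2015-8126, apply the patch"
        return 0
    fi
    echo "libpng $v: not affected"
    return 1
}
```

Run `check_installed_libpng /opt/bitnami` (or whatever your installdir is) to get a one-line verdict and a usable exit status for scripting.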
How to patch it
Patch the library located in the installdir directory by downloading and installing the update for your platform.
For 64-bit Linux systems: https://downloads.bitnami.com/files/libpngfixer/1.5.24-0/bitnami-libpngfixer-1.5.24-0-linux-x64-installer.run md5: 2420aebb0817519851bb344348960aa7
For 32-bit Linux systems: https://downloads.bitnami.com/files/libpngfixer/1.5.24-0/bitnami-libpngfixer-1.5.24-0-linux-installer.run md5: 3b1574f952434b5d5a1a4cbedc1c9ebc
For Mac OS X: https://downloads.bitnami.com/files/libpngfixer/1.5.24-0/bitnami-libpngfixer-1.5.24-0-osx-x86_64-installer.app.zip md5: b03fd388e60d4c4cae33d380fc72cf53
Install the patch using the commands below:
$ chmod +x ./bitnami-libpngfixer-1.5.24-0-linux-x64-installer.run
$ sudo ./bitnami-libpngfixer-1.5.24-0-linux-x64-installer.run
The patch checks whether your installation is vulnerable and, if so, updates the library to a safe version. It also saves all the updated files in the installdir/libpngfix directory and the replaced files (in case they are needed to perform a rollback) in the installdir/libpngfix/backup/ directory.
Apache fails to start after applying this patch
This usually happens because of a binary incompatibility. The installer offers to restore the installation to its previous state, as shown below:
Apache configuration seems to fail after applying the patch. Do you want to restore to the previous state? [Y/n]:
Select “Y” to go back to the working (but vulnerable) version. If the rollback process fails, manually copy the files from the backup directory, as shown below:
$ cp -rp installdir/libpngfix/backup/* installdir/common
$ installdir/ctlscript.sh restart apache
Post a question in the community so we can help you troubleshoot the issue.