
2015-11-16 libpng security issue (CVE-2015-8126)

A recently disclosed vulnerability affects several libpng versions: before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19. This issue allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a small bit-depth value in an IHDR (aka image header) chunk in a PNG image.

Find more information about the issue.
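As an added example (not part of this advisory or of libpng itself), the following Python pre-screen parses a PNG's chunk list, verifies each chunk CRC, and refuses an IHDR whose bit depth is not legal for its colour type; it goes slightly beyond the page by also applying the PNG specification's rule that a PLTE can hold at most 2**bit_depth entries. The sample inputs are constructed inline and contain header chunks only, not complete images.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Legal bit depths for each colour type, as fixed by the PNG specification (IHDR).
VALID_DEPTHS = {0: {1, 2, 4, 8, 16}, 2: {8, 16}, 3: {1, 2, 4, 8}, 4: {8, 16}, 6: {8, 16}}

def chunk(ctype, body):  # build one chunk with a correct CRC (for the constructed samples)
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def ihdr(width, height, depth, color):
    return chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, depth, color, 0, 0, 0))

def iter_chunks(data):  # yield (type, payload) per chunk, rejecting truncation and bad CRCs
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        expected = zlib.crc32(ctype + body) & 0xFFFFFFFF
        if len(body) != length or len(crc) != 4 or struct.unpack(">I", crc)[0] != expected:
            raise ValueError("truncated chunk or bad CRC in %r" % ctype)
        yield ctype, body
        pos += 12 + length

def check_png(data):
    # Return (ok, reason); ok is False for files a hardened decoder should refuse.
    if not data.startswith(PNG_SIG):
        return False, "missing PNG signature"
    try:
        chunks = iter_chunks(data)
        ctype, hdr = next(chunks, (None, b""))
        if ctype != b"IHDR" or len(hdr) != 13:
            return False, "IHDR missing, not first, or wrong length"
        depth, color = struct.unpack(">BB", hdr[8:10])
        if depth not in VALID_DEPTHS.get(color, ()):
            return False, "bit depth %d not allowed for colour type %d" % (depth, color)
        for ctype, body in chunks:
            # A palette can never legitimately hold more than 2**depth entries of 3 bytes.
            if ctype == b"PLTE" and (len(body) % 3 or len(body) // 3 > 1 << depth):
                return False, "PLTE has %d bytes, too many for bit depth %d" % (len(body), depth)
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"

# Constructed samples: header chunks only, not complete decodable images.
GOOD = PNG_SIG + ihdr(1, 1, 8, 3) + chunk(b"PLTE", b"\x00\x00\x00") + chunk(b"IEND", b"")
BAD_DEPTH = PNG_SIG + ihdr(1, 1, 0, 3) + chunk(b"PLTE", b"\x00\x00\x00") + chunk(b"IEND", b"")
BAD_PLTE = PNG_SIG + ihdr(1, 1, 1, 3) + chunk(b"PLTE", b"\x00" * 9) + chunk(b"IEND", b"")
```

Run `check_png` over files before handing them to an unpatched decoder; a `False` result names the first rule the file violates.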

Affected platforms

Check the libpng version that you are currently using with the following command:

$ installdir/common/bin/libpng-config --version

This issue affects libpng versions before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19.

How to patch it

Troubleshooting

Apache fails to start after applying this patch

This usually happens because of a binary incompatibility. The installer lets you restore the installation to its previous state, as shown below:

Apache configuration seems to fail after applying the patch. Do you want to restore to the previous state? [Y/n]:

Select “Y” to go back to the working (but vulnerable) version. If the rollback process fails, manually copy the files from the backup directory, as shown below:

$ cp -rp installdir/libpngfix/backup/* installdir/common
$ installdir/ctlscript.sh restart apache

Post a question in the community so we can help you troubleshoot the issue.