CVE-2014-9495

Published: 10 January 2015

Heap-based buffer overflow in the png_combine_row function in libpng before 1.5.21 and 1.6.x before 1.6.16, when running on 64-bit systems, might allow context-dependent attackers to execute arbitrary code via a "very wide interlaced" PNG image.

Notes

Author	Note
mdeslaur	only 1.5.x and 1.6.x

Priority

Status

Package	Release	Status
libpng Launchpad, Ubuntu, Debian	lucid	Not vulnerable
	precise	Not vulnerable
	trusty	Not vulnerable
	upstream	Needs triage
	utopic	Not vulnerable

References

http://tfpwn.com/files/libpng_heap_overflow_1.6.15.txt
http://sourceforge.net/p/png-mng/mailman/message/33173461/
https://www.cve.org/CVERecord?id=CVE-2014-9495
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›