CVE-2019-7317

Impact: Low
Public Date: 2019-01-25
CWE: CWE-400
Bugzilla: 1672409: CVE-2019-7317 libpng: use-after-free in png_image_free in png.c

The MITRE CVE dictionary describes this issue as:

png_image_free in png.c in libpng 1.6.36 has a use-after-free because png_image_free_function is called under png_safe_execute.

Find out more about CVE-2019-7317 from the MITRE CVE dictionary and NIST NVD.

Statement

In general, this flaw cannot be exploited through email in Thunderbird because scripting is disabled when reading mail, but it is potentially a risk in browser or browser-like contexts.

CVSS v3 metrics

CVSS3 Base Score: 3.3
CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity Impact: None
Availability Impact: Low

Red Hat Security Errata

Platform                                  Errata          Release Date
Red Hat Enterprise Linux 6 (thunderbird)  RHSA-2019:1310  2019-06-03
Red Hat Enterprise Linux 8 (thunderbird)  RHSA-2019:1308  2019-06-03
Red Hat Enterprise Linux 7 (thunderbird)  RHSA-2019:1309  2019-06-03
Red Hat Enterprise Linux 7 (firefox)      RHSA-2019:1265  2019-05-23
Red Hat Enterprise Linux 6 (firefox)      RHSA-2019:1267  2019-05-23
Red Hat Enterprise Linux 8 (firefox)      RHSA-2019:1269  2019-05-23

Affected Packages State

Platform                    Package       State
Red Hat Enterprise Linux 8  libpng12      Not affected
Red Hat Enterprise Linux 8  libpng        Affected
Red Hat Enterprise Linux 8  mingw-libpng  Affected
Red Hat Enterprise Linux 7  libpng        Not affected
Red Hat Enterprise Linux 7  libpng12      Not affected
Red Hat Enterprise Linux 6  libpng        Not affected
Red Hat Enterprise Linux 5  libpng        Not affected
Last Modified

CVE description copyright © 2017, The MITRE Corporation