CVE-2019-7317 - Vulnerability Details

Description

png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.

Published: 2019-02-04

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:libpng:libpng:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

Configuration 3 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:16.04:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:18.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:19.04:::::::*

Configuration 4 [-]

OR	cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.2.6.0:::::::*
	cpe:2.3:a:oracle:java_se:7u221:::::::*
	cpe:2.3:a:oracle:java_se:8u212:::::::*
	cpe:2.3:a:oracle:jdk:11.0.3:::::::*
	cpe:2.3:a:oracle:jdk:12.0.1:::::::*
	cpe:2.3:a:oracle:mysql::::::::

Configuration 5 [-]

OR	cpe:2.3:a:hp:xp7_command_view:::::advanced:::*
	cpe:2.3:a:hpe:xp7_command_view_advanced_edition_suite::::::::

Configuration 6 [-]

OR	cpe:2.3:a:mozilla:firefox:-:::::::*
	cpe:2.3:a:mozilla:thunderbird:-:::::::*

Configuration 7 [-]

OR	cpe:2.3:o:opensuse:leap:15.0:::::::*
	cpe:2.3:o:opensuse:leap:15.1:::::::*
	cpe:2.3:o:opensuse:leap:42.3:::::::*

Configuration 8 [-]

AND

cpe:2.3:a:opensuse:package_hub:-:*:*:*:*:*:*:*

cpe:2.3:o:suse:linux_enterprise:12.0:*:*:*:*:*:*:*

Configuration 9 [-]

OR	cpe:2.3:a:netapp:active_iq_unified_manager::::::vmware_vsphere::*
	cpe:2.3:a:netapp:active_iq_unified_manager::::::windows::*
	cpe:2.3:a:netapp:active_iq_unified_manager:9.6:::::vmware_vsphere::
	cpe:2.3:a:netapp:active_iq_unified_manager:9.6:::::windows::
	cpe:2.3:a:netapp:cloud_backup:-:::::::*
	cpe:2.3:a:netapp:e-series_santricity_management:-:::::vcenter::
	cpe:2.3:a:netapp:e-series_santricity_storage_manager::::::::
	cpe:2.3:a:netapp:e-series_santricity_unified_manager::::::::
	cpe:2.3:a:netapp:e-series_santricity_web_services::::::web_services_proxy::*
	cpe:2.3:a:netapp:oncommand_insight::::::::
	cpe:2.3:a:netapp:oncommand_workflow_automation::::::::
	cpe:2.3:a:netapp:plug-in_for_symantec_netbackup:-:::::::*
	cpe:2.3:a:netapp:snapmanager::::::oracle::*
	cpe:2.3:a:netapp:snapmanager::::::sap::*
	cpe:2.3:a:netapp:snapmanager:3.4.2:p1::::oracle::*
	cpe:2.3:a:netapp:snapmanager:3.4.2:p1::::sap::*
	cpe:2.3:a:netapp:steelstore:-:::::::*

Configuration 10 [-]

OR	cpe:2.3:a:redhat:satellite:5.8:::::::*
	cpe:2.3:o:redhat:enterprise_linux:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 6
firefox-0:60.7.0-1.el6_10	cpe:/o:redhat:enterprise_linux:6	RHSA-2019:1267	2019-05-23T00:00:00Z
thunderbird-0:60.7.0-1.el6_10	cpe:/o:redhat:enterprise_linux:6	RHSA-2019:1310	2019-06-03T00:00:00Z
Red Hat Enterprise Linux 6 Supplementary
java-1.7.1-ibm-1:1.7.1.4.50-1jpp.1.el6_10	cpe:/a:redhat:rhel_extras:6	RHSA-2019:2494	2019-08-15T00:00:00Z
java-1.8.0-ibm-1:1.8.0.5.40-1jpp.1.el6_10	cpe:/a:redhat:rhel_extras:6	RHSA-2019:2592	2019-09-03T00:00:00Z
Red Hat Enterprise Linux 7
firefox-0:60.7.0-1.el7_6	cpe:/o:redhat:enterprise_linux:7	RHSA-2019:1265	2019-05-23T00:00:00Z
thunderbird-0:60.7.0-1.el7_6	cpe:/o:redhat:enterprise_linux:7	RHSA-2019:1309	2019-06-03T00:00:00Z
Red Hat Enterprise Linux 7 Supplementary
java-1.7.1-ibm-1:1.7.1.4.50-1jpp.1.el7	cpe:/a:redhat:rhel_extras:7	RHSA-2019:2495	2019-08-15T00:00:00Z
java-1.8.0-ibm-1:1.8.0.5.40-1jpp.1.el7	cpe:/a:redhat:rhel_extras:7	RHSA-2019:2585	2019-09-02T00:00:00Z
Red Hat Enterprise Linux 8
firefox-0:60.7.0-1.el8_0	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:1269	2019-05-23T00:00:00Z
thunderbird-0:60.7.0-1.el8_0	cpe:/a:redhat:enterprise_linux:8	RHSA-2019:1308	2019-06-03T00:00:00Z
java-1.8.0-ibm-1:1.8.0.5.40-3.el8_0	cpe:/a:redhat:enterprise_linux:8::supplementary	RHSA-2019:2590	2019-09-02T00:00:00Z
Red Hat Satellite 5.8
java-1.8.0-ibm-1:1.8.0.5.40-1jpp.1.el6_10	cpe:/a:redhat:network_satellite:5.8::el6	RHSA-2019:2737	2019-09-11T00:00:00Z

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-1800-1	firefox-esr security update
Debian DLA	DLA-1806-1	thunderbird security update
Debian DSA	DSA-4435-1	libpng1.6 security update
Debian DSA	DSA-4448-1	firefox-esr security update
Debian DSA	DSA-4451-1	thunderbird security update
EUVD	EUVD-2019-16860	png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.
Ubuntu USN	USN-3962-1	libpng vulnerability
Ubuntu USN	USN-3991-1	Firefox vulnerabilities
Ubuntu USN	USN-3997-1	Thunderbird vulnerabilities
Ubuntu USN	USN-4080-1	OpenJDK 8 vulnerabilities
Ubuntu USN	USN-4083-1	OpenJDK 11 vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00565.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00029.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00084.html
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00038.html
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html
http://packetstormsecurity.com/files/152561/Slackware-Security-Advisory-libpng-Updates.html
http://www.securityfocus.com/bid/108098
https://access.redhat.com/errata/RHSA-2019:1265
https://access.redhat.com/errata/RHSA-2019:1267
https://access.redhat.com/errata/RHSA-2019:1269
https://access.redhat.com/errata/RHSA-2019:1308
https://access.redhat.com/errata/RHSA-2019:1309
https://access.redhat.com/errata/RHSA-2019:1310
https://access.redhat.com/errata/RHSA-2019:2494
https://access.redhat.com/errata/RHSA-2019:2495
https://access.redhat.com/errata/RHSA-2019:2585
https://access.redhat.com/errata/RHSA-2019:2590
https://access.redhat.com/errata/RHSA-2019:2592
https://access.redhat.com/errata/RHSA-2019:2737
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803
https://github.com/glennrp/libpng/issues/275
https://lists.debian.org/debian-lts-announce/2019/05/msg00032.html
https://lists.debian.org/debian-lts-announce/2019/05/msg00038.html
https://nvd.nist.gov/vuln/detail/CVE-2019-7317
https://seclists.org/bugtraq/2019/Apr/30
https://seclists.org/bugtraq/2019/Apr/36
https://seclists.org/bugtraq/2019/May/56
https://seclists.org/bugtraq/2019/May/59
https://seclists.org/bugtraq/2019/May/67
https://security.gentoo.org/glsa/201908-02
https://security.netapp.com/advisory/ntap-20190719-0005/
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03977en_us
https://usn.ubuntu.com/3962-1/
https://usn.ubuntu.com/3991-1/
https://usn.ubuntu.com/3997-1/
https://usn.ubuntu.com/4080-1/
https://usn.ubuntu.com/4083-1/
https://www.cve.org/CVERecord?id=CVE-2019-7317
https://www.debian.org/security/2019/dsa-4435
https://www.debian.org/security/2019/dsa-4448
https://www.debian.org/security/2019/dsa-4451
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

History

Sun, 13 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00486}`	epss `{'score': 0.00576}`

Mon, 21 Oct 2024 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla firefox
CPEs	cpe:2.3:a:mozilla:firefox_esr:-:::::::*	cpe:2.3:a:mozilla:firefox:-:::::::*
Vendors & Products	Mozilla firefox Esr	Mozilla firefox

Subscriptions

Canonical Ubuntu Linux

Debian Debian Linux

Hp Xp7 Command View

Hpe Xp7 Command View Advanced Edition Suite

Libpng Libpng

Mozilla Firefox Thunderbird

Netapp Active Iq Unified Manager Cloud Backup E-series Santricity Management E-series Santricity Storage Manager E-series Santricity Unified Manager E-series Santricity Web Services Oncommand Insight Oncommand Workflow Automation Plug-in For Symantec Netbackup Snapmanager Steelstore

Opensuse Leap Package Hub

Oracle Hyperion Infrastructure Technology Java Se Jdk Mysql

Redhat Enterprise Linux Enterprise Linux Desktop Enterprise Linux For Ibm Z Systems Enterprise Linux For Power Big Endian Enterprise Linux For Power Little Endian Enterprise Linux For Scientific Computing Enterprise Linux Workstation Network Satellite Rhel Extras Satellite

Suse Linux Enterprise

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-02-04T07:00:00.000Z

Updated: 2024-08-04T20:46:45.928Z

Reserved: 2019-02-04T00:00:00.000Z

Link: CVE-2019-7317

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-02-04T08:29:00.447

Modified: 2024-11-21T04:48:00.033

Link: CVE-2019-7317

Redhat

Severity : Low

Publid Date: 2019-01-25T00:00:00Z

Links: CVE-2019-7317 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object