CVE-2019-7317

Name	CVE-2019-7317
Description	png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-1800-1, DLA-1806-1, DSA-4435-1, DSA-4448-1, DSA-4451-1
Debian Bugs	921355

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
firefox (PTS)	sid	125.0.1-2	fixed
firefox-esr (PTS)	jessie, jessie (lts)	68.9.0esr-1~deb8u2	fixed
	stretch (security), stretch (lts), stretch	91.11.0esr-1~deb9u1	fixed
	buster	91.12.0esr-1~deb10u1	fixed
	buster (security)	115.10.0esr-1~deb10u1	fixed
	bullseye	115.7.0esr-1~deb11u1	fixed
	bullseye (security)	115.10.0esr-1~deb11u1	fixed
	bookworm	115.7.0esr-1~deb12u1	fixed
	bookworm (security)	115.10.0esr-1~deb12u1	fixed
	trixie	115.8.0esr-1	fixed
	sid	115.10.0esr-1	fixed
libpng (PTS)	jessie, jessie (lts)	1.2.50-2+deb8u3	fixed
libpng1.6 (PTS)	stretch (security), stretch (lts), stretch	1.6.28-1+deb9u1	fixed
	buster	1.6.36-6	fixed
	bullseye	1.6.37-3	fixed
	bookworm	1.6.39-2	fixed
	trixie	1.6.43-1	fixed
	sid	1.6.43-5	fixed
thunderbird (PTS)	jessie, jessie (lts)	1:68.9.0-1~deb8u2	fixed
	stretch (security), stretch (lts), stretch	1:91.10.0-1~deb9u1	fixed
	buster	1:91.12.0-1~deb10u1	fixed
	buster (security)	1:115.9.0-1~deb10u1	fixed
	bullseye	1:115.7.0-1~deb11u1	fixed
	bullseye (security)	1:115.9.0-1~deb11u1	fixed
	bookworm	1:115.7.0-1~deb12u1	fixed
	bookworm (security)	1:115.9.0-1~deb12u1	fixed
	sid	1:115.9.0-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
firefox	source	experimental	67.0-1
firefox	source	(unstable)	67.0-2
firefox-esr	source	wheezy	(unfixed)	end-of-life
firefox-esr	source	jessie	60.7.0esr-1~deb8u1		DLA-1800-1
firefox-esr	source	stretch	60.7.0esr-1~deb9u1		DSA-4448-1
firefox-esr	source	(unstable)	60.7.0esr-1
libpng	source	wheezy	(not affected)
libpng	source	jessie	(not affected)
libpng	source	(unstable)	(unfixed)
libpng1.6	source	stretch	1.6.28-1+deb9u1		DSA-4435-1
libpng1.6	source	(unstable)	1.6.36-4			921355
thunderbird	source	wheezy	(unfixed)	end-of-life
thunderbird	source	jessie	1:60.7.0-1~deb8u1		DLA-1806-1
thunderbird	source	stretch	1:60.7.0-1~deb9u1		DSA-4451-1
thunderbird	source	(unstable)	1:60.7.0-1

Notes

[jessie] - libpng <not-affected> (Vulnerable code not present)
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803
https://github.com/glennrp/libpng/issues/275
https://github.com/glennrp/libpng/commit/9c0d5c77bf5bf2d7c1e11f388de40a70e0191550
https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-7317
https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-7317
https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-7317
[wheezy] - libpng <not-affected> (Vulnerable code not present)