Fluid Attacks Database

Description

Heap-based buffer overflow in the png_combine_row function in libpng before 1.5.21 and 1.6.x before 1.6.16, when running on 64-bit systems, might allow context-dependent attackers to execute arbitrary code via a "very wide interlaced" PNG image.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
nuget	libpng	>=1.6.0 <=1.6.15	1.6.18.1
debian 12	texlive-bin	>=0 <2014.20140926.35254-4	2014.20140926.35254-4
debian 13	libpng1.6	>=0 <1.6.16-1	1.6.16-1
debian 14	libpng1.6	>=0 <1.6.16-1	1.6.16-1
debian 11	libpng1.6	>=0 <1.6.16-1	1.6.16-1
debian 13	texlive-bin	>=0 <2014.20140926.35254-4	2014.20140926.35254-4
debian 12	libpng1.6	>=0 <1.6.16-1	1.6.16-1
debian 11	texlive-bin	>=0 <2014.20140926.35254-4	2014.20140926.35254-4
debian 14	texlive-bin	>=0 <2014.20140926.35254-4	2014.20140926.35254-4

Aliases

1. CVE-2014-94952. NVD-2014-94953. OSV-2014-94954. OSV-DEBIAN-2014-94955. GCVE-2014-94956. SECURITY-TRACKER-CVE-2014-9495

References

1. https://github.com/Enessar/LibPNG_OSS-Fuzz

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.