An IBM Form (XFDL document) that contains a specially crafted PNG image can crash IBM Forms Viewer. The crash results from the Viewer's use of the libpng library.
CVEID: CVE-2015-8126
DESCRIPTION: libpng is vulnerable to a buffer overflow, caused by improper bounds checking by the png_set_PLTE() and png_get_PLTE() functions. By persuading a victim to open a specially-crafted PNG file, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base Score: 8.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108010> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2015-8472
DESCRIPTION: libpng is vulnerable to a buffer overflow, caused by improper bounds checking by the png_get_PLTE() and png_set_PLTE() functions. By persuading a victim to open a specially crafted PNG image, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 6.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/109392> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
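A screening check a defender could run over PNG images extracted from forms before they reach an unpatched Viewer, added here as an example (not IBM's or libpng's code). It assumes the input of interest is a PLTE chunk that breaks the PNG specification's palette-size rules, which this bulletin does not itself spell out; the function names and header-only samples are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def iter_chunks(data):
    """Yield (type, body) per chunk; raise ValueError on malformed framing."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # header + body + CRC
        if end > len(data):
            raise ValueError("truncated chunk body")
        yield ctype, data[pos + 8:pos + 8 + length]
        pos = end

def palette_findings(data):
    """Return PLTE rule violations, judged against the IHDR bit depth."""
    findings, bit_depth, color_type = [], None, None
    for ctype, body in iter_chunks(data):
        if ctype == b"IHDR" and len(body) == 13:
            bit_depth, color_type = body[8], body[9]
        elif ctype == b"PLTE":
            entries, rest = divmod(len(body), 3)
            if bit_depth is None:
                findings.append("PLTE appears before a valid IHDR")
            if rest or not 1 <= entries <= 256:
                findings.append(f"PLTE length {len(body)} is not 1..256 RGB triples")
            elif color_type == 3 and entries > 2 ** bit_depth:
                findings.append(f"PLTE has {entries} entries, exceeds {2 ** bit_depth} "
                                f"allowed by bit depth {bit_depth}")
    return findings

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def sample_png(bit_depth, entries):
    """Constructed header-only sample (no IDAT): indexed colour, 1x1 pixel."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, bit_depth, 3, 0, 0, 0)
    plte = bytes(3 * entries)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"PLTE", plte) + _chunk(b"IEND", b"")

if __name__ == "__main__":
    for depth, n in [(8, 256), (1, 4)]:
        print(depth, n, palette_findings(sample_png(depth, n)) or "ok")
```

A non-empty result or a `ValueError` is a reason to quarantine the image for review; installing the fix listed in the remediation table remains the actual remedy.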
IBM Forms Viewer 4.0.*
IBM Forms Viewer 8.0.0
IBM Forms Viewer 8.0.1
IBM Forms Viewer 8.1
IBM Forms Viewer 8.2
IBM Forms Viewer 8.2.1
| Product | VRMF | APAR | Remediation |
|---|---|---|---|
| IBM Forms Viewer | 4.0.0. | LO87834 | Download and install LO87834 |
| IBM Forms Viewer | 8.0.0. | LO87834 | Download and install LO87834 |
| IBM Forms Viewer | 8.0.1. | LO87834 | |
| IBM Forms Viewer | 8.1.0. | LO87834 | Download and install LO87834 |
| IBM Forms Viewer | 8.2.0. | LO87834 | Download and install LO87834 |
| IBM Forms Viewer | 8.2.1. | LO87834 | Download and install LO87834 |