{"id":"UBUNTU-CVE-2019-6129","details":"png_create_info_struct in png.c in libpng 1.6.36 has a memory leak, as demonstrated by pngcp. NOTE: a third party has stated \"I don't think it is libpng's job to free this buffer.","modified":"2026-05-29T18:00:17.265524404Z","published":"2019-01-11T05:29:00Z","upstream":["CVE-2019-6129"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-6129"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2019-6129"}],"affected":[{"package":{"name":"libpng","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/libpng?arch=source&distro=esm-infra-legacy%2Ftrusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.2.49-4ubuntu1","1.2.49-5ubuntu1","1.2.50-1ubuntu1","1.2.50-1ubuntu2","1.2.50-1ubuntu2.14.04.1","1.2.50-1ubuntu2.14.04.2","1.2.50-1ubuntu2.14.04.3","1.2.50-1ubuntu2.14.04.3+esm1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.2.50-1ubuntu2.14.04.3+esm1","binary_name":"libpng12-0"},{"binary_version":"1.2.50-1ubuntu2.14.04.3+esm1","binary_name":"libpng3"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-6129.json"}},{"package":{"name":"libpng","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/libpng?arch=source&distro=esm-infra%2Fxenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.2.51-0ubuntu3","1.2.54-1","1.2.54-1ubuntu1","1.2.54-1ubuntu1.1","1.2.54-1ubuntu1.1+esm1","1.2.54-1ubuntu1.1+esm2"],"ecosystem_specific":{"binaries":[{"binary_version":"1.2.54-1ubuntu1.1+esm2","binary_name":"libpng12-0"},{"binary_version":"1.2.54-1ubuntu1.1+esm2","binary_name":"libpng3"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-6129.json"}},{"package":{"name":"libpng1.6","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/libpng1.6?arch=source&distro=esm-apps%2Fxenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.6.20-2","1.6.20-2ubuntu0.1~esm1","1.6.20-2ubuntu0.1~esm2","1.6.20-2ubuntu0.1~esm3"],"ecosystem_specific":{"binaries":[{"binary_version":"1.6.20-2ubuntu0.1~esm3","binary_name":"libpng16-16"},{"binary_version":"1.6.20-2ubuntu0.1~esm3","binary_name":"libpng16-devtools"},{"binary_version":"1.6.20-2ubuntu0.1~esm3","binary_name":"libpng16-tools"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-6129.json"}},{"package":{"name":"libpng1.6","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/libpng1.6?arch=source&distro=esm-infra%2Fbionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.6.34-1","1.6.34-1ubuntu0.18.04.1","1.6.34-1ubuntu0.18.04.2","1.6.34-1ubuntu0.18.04.2+esm1","1.6.34-1ubuntu0.18.04.2+esm2"],"ecosystem_specific":{"binaries":[{"binary_version":"1.6.34-1ubuntu0.18.04.2+esm2","binary_name":"libpng-tools"},{"binary_version":"1.6.34-1ubuntu0.18.04.2+esm2","binary_name":"libpng16-16"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-6129.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"negligible"}]}