CERT Warns Of Multiple Vulnerabilities In Libpng

Posted by simoniker on Thu Aug 05, 2004 03:34 AM
from the puh-nug-guh dept.
jefftp writes "CERT announced today that there are several vulnerabilities in libpng; one is a buffer overflow which could potentially cause a PNG image file to execute arbitrary code. Libpng release 1.2.6rc1 addresses the problems covered by this CERT announcement, and can be obtained from the libpng SourceForge project. A fully tested version is to be released in the next few weeks."
  • Firefox (Score:2, Interesting)

    by dolmen.fr (583400)
    Is Mozilla/Firefox/Thunderbird using this lib ?
  • Mozilla (Score:3, Interesting)

    by KidSock (150684) on Thursday August 05 2004, @03:39AM (#9886910)
    So does mozilla statically or dynamically link with libpng?
    • Re:Mozilla (Score:4, Informative)

      by slashdevslashtty (712925) <slashdevslashtty@yahoo.com> on Thursday August 05 2004, @03:50AM (#9886961)
      According to this [mozilla.org], libpng is part of the source tree. My guess is static.
      • Interesting. I wonder if this type of exploit could be prevented if the library was written in, say, java instead? Any experts that know for sure?
        • Re:Mozilla (Score:5, Funny)

          by Theril (606664) on Thursday August 05 2004, @04:50AM (#9887130)
          Sure it could. Implement image loading and rendering in Java and nobody has patience to load images anymore.
        • Re:Mozilla (Score:5, Informative)

          by forgoil (104808) on Thursday August 05 2004, @05:39AM (#9887236) Homepage
          Buffer overflow attacks won't happen in languages which don't "support" that feature, such as Perl, Python, Ruby, Java, C# (any managed code), or managed C++ for that matter.

          Another way of killing the problem is using the NX (I hope I got that correct) instruction/bit in newer CPUs and simply separating code and data, and not allowing execution in a data segment. Win SP2 does this, I am sure Linux does/will soon, one of the BSDs has done stuff like this for a while, etc.

          So yes, you would prevent it. But then again, calling a javalib from C... :)
          • Re:Mozilla (Score:3, Informative)

            by FireFury03 (653718)
            Another way of killing the problem is using the NX (I hope I got that correct) instruction/bit in newer CPUs and simply separate code and data, and not allow execution in a data segment. Win SP2 does this, I am sure Linux does/will soon

            Yep, Fedora Core 2 has done this since one of the early kernel revisions (I think it was when they went from 2.6.5 to 2.6.6)
            • Bugs in Compilers... (Score:3, Interesting)

              by Tom7 (102298)
              On the other hand, it's quite difficult for a bug to creep into a compiler's bounds checking code (which is typically very simple). I know of no such historic examples, though perhaps this is because relatively few apps actually use safe compiled languages. (It would presumably have to be matched by a bug in the application code...) Interpreters and JIT compilers are much more subject to this kind of problem, particularly if they are written in C themselves. ;) There have been a few JVM exploits historicall
            • Canary (Score:4, Informative)

              by bsd4me (759597) on Thursday August 05 2004, @08:56AM (#9888291)

              You can protect against this too. The technique is to put a "canary" on the stack frame and make sure it is still there before you return.

              There are at least two patches to gcc that do this. One is called ProPolice. The name of the second is escaping me right now. OpenBSD includes ProPolice by default.

              Google on stack-smashing protectors for more info.
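
The canary check described in the comment above, as an added example (editor's code, not from libpng, ProPolice or any poster in this thread): a simulated frame with the character buffer below the canary and a stand-in for the saved return address above it, an unchecked copy of a file-supplied length (the pattern behind this class of bug), the same copy with a ProPolice-style epilogue check, and the actual fix, a bounds check on the length before copying. The frame layout, the canary value 0x00c0ffee, the two return addresses and the 28-byte payload are all assumptions constructed for the demo; nothing here models the specific libpng defect.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame in the order ProPolice/-fstack-protector arranges things:
   the char buffer lowest, the canary just above it, then the saved return
   address. An overrun of buf must pass through the canary to reach ret.
   (A byte array rather than a real frame keeps the demo well-defined C.) */
#define BUF_SIZE   16
#define CANARY_OFF BUF_SIZE
#define RET_OFF    (BUF_SIZE + 4)
#define FRAME_SIZE (RET_OFF + 8)

typedef struct { uint8_t bytes[FRAME_SIZE]; } frame_t;
enum { COPY_OK = 0, COPY_SMASHED = 1, COPY_REJECTED = 2 };

static void frame_init(frame_t *f, uint32_t canary, uint64_t ret) {
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + CANARY_OFF, &canary, sizeof canary);
    memcpy(f->bytes + RET_OFF, &ret, sizeof ret);
}
uint32_t frame_canary(const frame_t *f) { uint32_t c; memcpy(&c, f->bytes + CANARY_OFF, 4); return c; }
uint64_t frame_ret(const frame_t *f)    { uint64_t r; memcpy(&r, f->bytes + RET_OFF, 8); return r; }

/* 1. Unprotected: copies a length the file supplied, no check at all.
   (len must not exceed FRAME_SIZE, or the demo itself would overflow.) */
int copy_unprotected(frame_t *f, const uint8_t *src, size_t len) {
    memcpy(f->bytes, src, len);                /* len > BUF_SIZE clobbers canary and ret */
    return COPY_OK;
}

/* 2. Same bug, ProPolice-style epilogue: compare the canary with the value
   saved at entry and bail out instead of returning into attacker data. */
int copy_with_canary(frame_t *f, const uint8_t *src, size_t len) {
    uint32_t saved = frame_canary(f);          /* what the prologue stored */
    memcpy(f->bytes, src, len);
    if (frame_canary(f) != saved) return COPY_SMASHED;   /* gcc: __stack_chk_fail() */
    return COPY_OK;
}

/* 3. The real fix: validate the length before trusting it. */
int copy_bounded(frame_t *f, const uint8_t *src, size_t len) {
    if (len > BUF_SIZE) return COPY_REJECTED;
    memcpy(f->bytes, src, len);
    return COPY_OK;
}

/* Constructed attacker payload and demo constants (assumptions, not from the
   advisory): 16 filler bytes, 4 bytes over the canary, 8 bytes of fake ret. */
#define ORIG_RET 0x0000000000401000ULL
#define EVIL_RET 0x0000000000badc0dULL
#define CANARY   0x00c0ffeeu   /* has a NUL byte: stops str* overflows, not memcpy */

typedef struct { int verdict; uint64_t ret; } outcome_t;

static outcome_t run(int (*copy)(frame_t *, const uint8_t *, size_t)) {
    uint8_t payload[FRAME_SIZE];
    uint64_t evil = EVIL_RET;
    frame_t f;
    outcome_t o;
    memset(payload, 'A', BUF_SIZE + 4);        /* fills buf, overwrites canary */
    memcpy(payload + RET_OFF, &evil, sizeof evil);
    frame_init(&f, CANARY, ORIG_RET);
    o.verdict = copy(&f, payload, sizeof payload);
    o.ret = frame_ret(&f);
    return o;
}
outcome_t run_unprotected(void) { return run(copy_unprotected); }
outcome_t run_with_canary(void) { return run(copy_with_canary); }
outcome_t run_bounded(void)     { return run(copy_bounded); }

int main(void) {
    const char *name[3] = { "unprotected", "with_canary", "bounded" };
    outcome_t o[3] = { run_unprotected(), run_with_canary(), run_bounded() };
    for (int i = 0; i < 3; i++)
        printf("%-12s verdict=%d ret=0x%llx\n", name[i], o[i].verdict, (unsigned long long)o[i].ret);
    return 0;
}
```

Running it shows the three outcomes side by side: the unprotected copy reports success with the return slot now holding the attacker's address, the canary variant notices the smash before "returning" (gcc's `__stack_chk_fail` aborts the process at that point), and the bounded copy rejects the length and leaves the frame untouched. GCC has shipped this mechanism as `-fstack-protector` since 4.1 (ProPolice was its origin), and the /GS flag mentioned elsewhere in this thread is the MSVC equivalent. The limits matter as much as the mechanism: a canary only catches a contiguous overrun that crosses it before the function returns, so it does nothing for heap overflows, for overwrites of locals that sit below the canary, or for a bug that is not an overflow at all.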

  • Diagram (Score:2, Funny)

    by skraps (650379)
    Here [ancoraimparo.net] is a .PNG file with a diagram that explains the problem.
  • Old news (Score:2, Interesting)

    by Anonymous Coward
    ...thanks to the Debian Security mailing list, my systems were secured against this hours before it even made it to /.
      • Re:Old news (Score:5, Funny)

        by LiquidCoooled (634315) on Thursday August 05 2004, @05:39AM (#9887240) Homepage Journal
        "Submissions review procedure" ?

        Taco: "Wooah! this Doom 3 is excellent!!!!"

        Michael: "Anyone else gettin 503s?"

        Simoniker: "Is anybody doing ANY work?"

        Tim: "Simon - yer, just gettin submissions - omg, another 400"

        Taco: "Die scum die!!"

        Michael: "I give up, anyone wanna 7up?"

        Taco [Looking up from game for a minute] "Yer go on then!"

        Taco: "Tim, Throw another story onto the site, the natives are gettin restless."

        Tim: "eeny, meeny miny mo...."
          • Programmers and advanced sysadmins can get a fixed version right now. Every normal person has to wait "a few weeks".

            Umm... the point-and-drool update utility in my SuSE box automatically installed the patch last night. No programming or advanced sysadmining was required on my part.

  • Ah-ha! (Score:5, Funny)

    by iamdrscience (541136) <{moc.liamg} {ta} {ppirtmleahcim}> on Thursday August 05 2004, @03:40AM (#9886920) Homepage
    You all complained about Internet Explorer not being able to display PNGs correctly, but who's laughing now! Obviously they broke PNG support intentionally for security reasons. Once again, Microsoft comes through on the cutting edge.
    • Re:Ah-ha! (Score:5, Informative)

      by Nerull (586485) <.ten.sdt. .ta. .lluren.> on Thursday August 05 2004, @03:47AM (#9886942)
      I know it's a joke, but it seems to work in IE as well, or at least an example PNG crashes it; I suppose one could be crafted for IE to exploit it.
      • by WhoDaresWins (601501) on Thursday August 05 2004, @04:33AM (#9887080)
        I know it's a joke, but it seems to work in IE as well, or at least an example PNG crashes it; I suppose one could be crafted for IE to exploit it.
        Well, using XP SP2 RC2 build 2162 it does nothing in IE other than show a broken image link. Whatever Microsoft did in SP2, it seems to have mitigated it. They did recompile major parts of the OS for SP2 with the /GS VC++ stack checking compiler flag [weblogs.com]. That could have caught it. Or it could be that they were informed about it before full disclosure and fixed it in SP2. Or that they don't use libpng and their library does it correctly, or they fixed the issue by themselves. Whatever it is, they seem to have taken care of it. BTW, the built-in Windows Picture and Fax Viewer also doesn't crash (nor does mspaint). You can test this out yourself if you have SP2 (don't know if builds earlier than 2162 fix it though) using this image link [beasts.org] (Warning! Will crash non-patched browsers!) from the original disclosure.

        It's reassuring that for once MS has already taken care of some security issue (for XP SP2 at least).
        • by Nerull (586485) <.ten.sdt. .ta. .lluren.> on Thursday August 05 2004, @06:03AM (#9887294)
          Try this image [graphicsmagick.org]

          I got it from the bugzilla entry about the libpng issues.

          Actually, that image and the one above produce 2 different effects in IE now that I've tested both; maybe it's a different issue that got mixed into the same bugzilla entry.
          • BOEM. (Score:3, Informative)

            by leuk_he (194174)
            Microsoft Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience.

            bla bla
            [x] Restart Microsoft Internet Explorer ...

            WOW, it is a portable bug!

            Can anybody tell us if this is exploitable?

    • Re:Ah-ha! (Score:3, Interesting)

      by billatq (544019)
      Someone who saw the leaked source code a while back happened to mention to me that Internet Explorer uses libpng for rendering PNG files--it's just broken because it uses such a friggin' old version of it. So there's a good chance that IE is affected too.
  • well (Score:3, Funny)

    by Anonymous Coward on Thursday August 05 2004, @03:42AM (#9886925)
    It's a good thing all of the porn sites I visit use jpegs.
  • Updates (Score:4, Informative)

    by Sunspire (784352) on Thursday August 05 2004, @03:49AM (#9886950)
    Fedora Core 1 [fedoranews.org] and 2 [fedoranews.org] already have backported security updates for this as 1.2.5-7 and 1.2.5-8 respectively since yesterday. Much better than having to install a release candidate.
  • by barcodez (580516) on Thursday August 05 2004, @03:50AM (#9886958)
    a buffer overflow which could potentially cause a PNG image file to execute arbitrary code

    This is not a bug it's a feature; the libpng team are obviously trying to get a piece of the ActiveX control market...
  • Suddenly MRTG gets a mind of its own and starts spewing out more than just TCP connection data reports!
  • Gentoo (Score:3, Interesting)

    by AliasTheRoot (171859) on Thursday August 05 2004, @04:05AM (#9886998)
    I just emerge synced and the latest version available is still libpng-1.2.5-r7
    • Re:Gentoo (Score:5, Informative)

      by Sunspire (784352) on Thursday August 05 2004, @04:12AM (#9887021)
      Yeah it's still not fixed, but when an updated package is available it will still most likely simply be versioned 1.2.5-r8. You can keep a watch on the package and see immediately when it's fixed here [gentoo.org].
      • I know this is flamebait, but I'm rising to it:

        WTF is this newbie vs. zealot crap?

        I chose Gentoo because I like Portage, and I find the way things are laid out to be more similar to the Solaris and BSD boxes I'm paid to admin. There's nothing wrong with Fedora or Mandrake (which you don't use), but if Linux is about anything, it's about choice, and my choice is to use a distro that I feel comfortable with.
          • Re:Gentoo (Score:4, Insightful)

            by AliasTheRoot (171859) on Thursday August 05 2004, @04:56AM (#9887142)
            Just ignore advocates, they'll go away eventually :)

            Gentoo is good for me; I don't think it's good for everyone, but I'm not everyone, I'm me.

            My wife and my mother both use Win2k and that's what's good for them; I help them out with patches and suchlike, but neither of them really wants to care about having gcc or whatever installed.

            Like I said, it's all about choice.
  • by Anonymous Coward
    We've all heard about buffer overflow problems in countless programs and libraries again and again. I'm not a programmer, but as I understand it, the problem is writing to unallocated memory areas. But this is not a new problem; it has happened for ages. Is it really that difficult to avoid? I understand that libpng as a "building block" library needs good performance, but is it really that much of a problem to write things in safer programming languages that don't allow these kinds of problems? Can some se
    • (This troll would be more effective if not posted anonymously.)

      Indeed this flamewar has been repeated many times. Safe languages do indeed provide protection from these kinds of attacks and typically at a fairly small speed penalty [debian.org] (depending on the language; the number-two language on that list is safe and places above C++!).

      See the earlier slashdot discussion [slashdot.org] for loads of argument. ( here [spacebar.org] for my perspective--note, I am a tower-in-the-sky PhD student in programming languages, but I do write lots of
  • by Anonymous Coward
    Is there oil at Papua - New Guinea?
  • Combine this... (Score:5, Informative)

    by cperciva (102828) on Thursday August 05 2004, @04:21AM (#9887046) Homepage
    ... with this [isec.pl], and Linux gets to join the "visit a malicious website and get rooted" crowd.
    • Re:Combine this... (Score:3, Informative)

      by achurch (201270)

      As far as I can tell, that only lets you read memory, which doesn't let you root anything. In fact, I tried the test and though it claimed to have worked, all I got was /proc/mtrr followed by 64MB of zeros, which seems odd since my machine's been up long enough that all my physical memory should have been stomped on at some point.

      So yes, these are both serious problems, but they still don't boost Linux up into that vaunted "rootable group". (:

  • by Anonymous Coward
    What is arbitrary code? How is it any different as compared to any other computer code, say a piece of software?
  • Debian (Score:4, Interesting)

    by Fuzzums (250400) on Thursday August 05 2004, @06:05AM (#9887304) Homepage
    Within an hour (or so) after the CERT-mail I also got the Matt Zimmerman-mail.

    Fixed :)
    I love this!

    Thanks Guys!
  • Attribution? (Score:3, Interesting)

    by Quixote (154172) on Thursday August 05 2004, @06:33AM (#9887377) Homepage Journal
    Would it be too much to ask whose code was it that had the vulnerability?

    I think it is time we started attributing vulnerabilities to the authors (just as we do with companies).

    • Re:Attribution? (Score:3, Insightful)

      by FireFury03 (653718)
      If you do that (which is probably a good idea) you'll need to weight it based on the amount of code written by that author that _could_ contain a security hole. Otherwise the stats will just show that the authors who write 99% of the complex network-facing code are responsible for most security holes.
    • Re:Attribution? (Score:3, Insightful)

      by pclminion (145572)
      I think it is time we started attributing vulnerabilities to the authors (just as we do with companies).

      Terrible idea. I can tell you right now, if I knew I'd be held personally responsible for bugs in open source software I contributed to, I would not contribute. If you want me to take responsibility for my bugs, give me money.

      If you don't like buggy free software, don't use it. What you're describing sounds almost like an inverse meritocracy, where people get branded if they don't write code that's

  • by ShadowRage (678728) on Thursday August 05 2004, @08:25AM (#9887929) Homepage Journal
    Image bombs. Basically, you create a 190000x190000 pixel monochrome image, save it, and it compresses to 43 kb.

    Anyone opens it... *BAM* it expands into 2 GB of RAM.
  • by Chief Typist (110285) on Thursday August 05 2004, @09:22AM (#9888598) Homepage
    It appears to me that this problem exists at both the client and the server.

    Updating a server to use the patched version of libpng is an obvious first step. You don't want the buffer overflow compromising security as you deliver a .png file (which would only be an issue if you read the .png from the server before delivery.)

    The tricky part is what to do with the .png files that have been tampered with. You don't really want to serve those up to clients -- you'd be delivering a security risk. There will be a significant lag before client software is updated -- browsers and anything else that streams .png over a network connection will be at risk during this time.

    It seems to me that there's a need for some kind of scanning tool that checks for bogus .png files. At the server side, you could scan for compromised files and get rid of them.

    Does such a tool exist?

    -ch
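
A scanner of the kind asked for above, as an added example (editor's code, not a tool from this thread, from libpng or from CERT): it checks what can be checked without decoding, namely the signature, chunk framing against the file length, the CRC on every chunk, IHDR sanity, and a budget on decoded row bytes, which also catches the 190000x190000 image bomb described a few comments up. It does not know the specific fields the advisory refers to, so it is a structural filter plus a size limit, not a signature for the vulnerability: a PNG that passes can still be hostile to an unpatched decoder. The 64 MiB budget, the verdict names and the IHDR+IEND sample files are assumptions constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts from png_check(). */
enum png_verdict { PNG_OK = 0, PNG_BAD_SIGNATURE, PNG_TRUNCATED, PNG_BAD_LENGTH,
                   PNG_BAD_CRC, PNG_BAD_IHDR, PNG_TOO_BIG, PNG_NO_IEND, PNG_TRAILING_DATA };

static const uint8_t PNG_SIG[8] = { 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A };

/* CRC-32 as specified for PNG chunks (reflected poly 0xEDB88320). */
static uint32_t png_crc32(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++) crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/* Bytes a decoder must hold per row (pixels rounded up to bytes + 1 filter byte),
   or 0 if bit depth / colour type is not a combination PNG defines. */
static uint64_t png_row_bytes(uint32_t width, uint8_t depth, uint8_t ctype) {
    static const uint8_t channels[7] = { 1, 0, 3, 1, 2, 0, 4 };  /* grey,-,RGB,pal,GA,-,RGBA */
    int valid_depth = depth == 1 || depth == 2 || depth == 4 || depth == 8 || depth == 16;
    if (ctype > 6 || channels[ctype] == 0 || !valid_depth) return 0;
    if (ctype != 0 && ctype != 3 && depth < 8) return 0;   /* colour/alpha: 8 or 16 only */
    if (ctype == 3 && depth == 16) return 0;               /* palette: at most 8 */
    return ((uint64_t)width * channels[ctype] * depth + 7) / 8 + 1;
}

/* Structural check: signature, chunk framing, CRCs, IHDR sanity and a decoded-size
   budget. Nothing is decompressed, so a hostile IDAT stream never reaches zlib here. */
int png_check(const uint8_t *buf, size_t len, uint64_t max_decoded_bytes) {
    if (len < 8 || memcmp(buf, PNG_SIG, 8) != 0) return PNG_BAD_SIGNATURE;
    size_t off = 8; int first = 1;
    while (off < len) {
        if (len - off < 12) return PNG_TRUNCATED;           /* length + type + crc */
        uint32_t clen = rd32(buf + off);
        if (clen > 0x7FFFFFFFu) return PNG_BAD_LENGTH;       /* spec maximum */
        if (clen > len - off - 12) return PNG_TRUNCATED;     /* chunk claims more than exists */
        const uint8_t *type = buf + off + 4, *data = buf + off + 8;
        if (png_crc32(type, 4 + clen) != rd32(data + clen)) return PNG_BAD_CRC;
        if (first) {                                         /* IHDR must come first */
            if (memcmp(type, "IHDR", 4) != 0 || clen != 13) return PNG_BAD_IHDR;
            uint32_t w = rd32(data), h = rd32(data + 4);
            uint64_t row = png_row_bytes(w, data[8], data[9]);
            if (w == 0 || h == 0 || w > 0x7FFFFFFFu || h > 0x7FFFFFFFu || row == 0 ||
                data[10] != 0 || data[11] != 0 || data[12] > 1) return PNG_BAD_IHDR;
            if (row > max_decoded_bytes / h) return PNG_TOO_BIG;  /* row*h without overflow */
            first = 0;
        }
        off += 12 + clen;
        if (memcmp(type, "IEND", 4) == 0) return off == len ? PNG_OK : PNG_TRAILING_DATA;
    }
    return PNG_NO_IEND;
}

/* --- constructed samples (not files from the advisory) --- */
static size_t put_chunk(uint8_t *out, const char *type, const uint8_t *data, uint32_t n) {
    wr32(out, n);
    memcpy(out + 4, type, 4);
    if (n) memcpy(out + 8, data, n);
    wr32(out + 8 + n, png_crc32(out + 4, 4 + n));
    return 12 + n;
}
/* IHDR + IEND only (45 bytes); png_check() never needs pixel data. */
static size_t build_png(uint8_t *out, uint32_t w, uint32_t h, uint8_t depth, uint8_t ctype) {
    uint8_t ihdr[13] = { 0 };
    wr32(ihdr, w); wr32(ihdr + 4, h); ihdr[8] = depth; ihdr[9] = ctype;
    memcpy(out, PNG_SIG, 8);
    size_t off = 8 + put_chunk(out + 8, "IHDR", ihdr, 13);
    return off + put_chunk(out + off, "IEND", NULL, 0);
}
#define BUDGET (64u << 20)   /* assumed policy: refuse anything over 64 MiB decoded */

int case_valid(void) {        /* 16x16 8-bit RGB */
    uint8_t b[64]; size_t n = build_png(b, 16, 16, 8, 2);
    return png_check(b, n, BUDGET);
}
int case_image_bomb(void) {   /* 190000x190000 1-bit grey: about 4.5 GB of rows */
    uint8_t b[64]; size_t n = build_png(b, 190000, 190000, 1, 0);
    return png_check(b, n, BUDGET);
}
int case_bad_crc(void) {      /* flip a bit in the width field; CRC no longer matches */
    uint8_t b[64]; size_t n = build_png(b, 16, 16, 8, 2);
    b[16] ^= 0x80;
    return png_check(b, n, BUDGET);
}
int case_truncated(void) {    /* IHDR length field claims 4096 bytes in a 45-byte file */
    uint8_t b[64]; size_t n = build_png(b, 16, 16, 8, 2);
    wr32(b + 8, 4096);
    return png_check(b, n, BUDGET);
}
int main(void) {
    printf("valid=%d bomb=%d bad_crc=%d truncated=%d\n",
           case_valid(), case_image_bomb(), case_bad_crc(), case_truncated());
    return 0;
}
```

On a server this runs at upload time, before the file is stored or ever handed to libpng; the length and CRC checks reject the crude malformed-chunk cases, and the row budget is the practical answer to the image bomb, since an honest 190000x190000 bitmap and a hostile one look identical in the header and only the size policy separates them. Verdicts are deliberately distinct so logs can show which check fired.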
    • by noselasd (594905) on Thursday August 05 2004, @03:57AM (#9886974)
      Well, _lib_png has many, many jmp-like instructions; they're called
      function calls, and if you manage to overwrite the return address on the stack, you can make it jump anywhere, like the code you injected.
      Hopefully it's just the stack you can overflow; most of us should run with a non-executable stack these days, so no harm done (well, it probably crashes...)
    • Re:php ! (Score:5, Funny)

      by Anonymous Coward on Thursday August 05 2004, @03:57AM (#9886975)
      Seriously, we need a "Dumbass" mod option
      • Re:php ! (Score:3, Insightful)

        by dolmen.fr (583400)
        The article is about PNG, not PHP.

        Of course, but this means that free PHP hosting services are at risk, as some malicious users will try to exploit this flaw on the server side.

        • by Snaapy (753650) on Thursday August 05 2004, @04:06AM (#9887004)
          "And how many PHP sites/scripts dynamically generate .png files? Quite a lot I'd think, so webservers might be vulnerable, but it seems
          like a longshot to try to inject something into such scripts."

          Did you read the article? You don't seem to understand the point here.

          The bug affects only loading of PNG images. One can make a specially crafted PNG image which has some invalid fields causing problems in the decoder. The invalid handling of these special error cases may cause an application crash or potential execution of arbitrary code in the application which uses libpng.

          It is not possible to introduce malicious RAW image data to the encoder. And even if it were possible, you would have to be able to pump data directly into the encoder, which is not a usual case with dynamically generated images. So, your PHP site is safe.

          However, libpng is the most commonly used PNG implementation due to its free licence. These bugs affect very many applications (graphics applications, Office applications, user interface managers, browsers, etc.) which happen to use PNG.

          A similar case to this was the zlib bugs some time ago.