CERT Warns Of Multiple Vulnerabilities In Libpng

jefftp writes "CERT announced today that there are several vulnerabilities in libpng, one is a buffer overflow which could potentially cause a PNG image file to execute arbitrary code. Libpng release 1.2.6rc1 addresses the problems covered by this CERT announcement, and can be obtained from the libpng Sourceforge project. A fully tested version is to be released in the next few weeks."

Firefox

[dolmen.fr]

Is Mozilla/Firefox/Thunderbird using this lib ?

Re:Firefox

[black mariah]

Yes. Most everything on Linux that reads or writes PNG's uses it.

Re:Firefox

[CTho9305]

This was one of the security fixes (arguably the only exploitable hole) that was included in yesterday's releases, 1.7.2, 0.9.3, and 0.7.3.

Where's the outcry?

[rd_syringe]

If this was a Microsoft thing, Slashdot would be all over it. Arbitrary code execution from an IMAGE READING LIBRARY?!

Just the obligatory "perspective" post. :)

Re:Firefox

[beardz]

New builds of Mozilla / Firefox / Thunderbird have been released to patch four potential security vulnerabilities including the libpng issue [mozilla.org]

Re:Firefox

[timeOday]

Next question: are you running Mozilla/Firefox/Thunderbird as root?

Re:Firefox

[Minna Kirai]

are you running Mozilla/Firefox/Thunderbird as root?

And another question: Is all of the valuable data on your computer owned by root, or do you occasionally do important work as a user?

Ever type your credit-card into Mozilla/Firefox/Thunderbird?

Mozilla

[KidSock]

So does mozilla statically or dynamically link with libpng?

Re:Mozilla

[slashdevslashtty]

According to this [mozilla.org], libpng is part of the source tree. My guess is static.

Re:Mozilla

[jrockway]

Interesting. I wonder if this type of exploit could be prevented if the library was written in, say, java instead? Any experts that know for sure?

Re:Mozilla

[Theril]

Sure it could. Implement image loading and rendering in Java and nobody has patience to load images anymore.

Re:Mozilla

[evil_one666]

I wrote a GIF library in JAVA to display animated gifs on java 1.0 and it was reeeeeeeaaaaaally sloooooooow. It would however not be possible to exploit a buffer overflow on such a decompressor...

Re:Mozilla

[forgoil]

Buffer owerflow attacks won't happen in languages which doesn't "support" that feature, such as perl, python, ruby, java, C# (any managed code), or managed C++ for that matter.

Another way of killing the problem is using the NX (I hope I got that correct) instruction/bit in newer CPUs and simply separate code and data, and not allow execution in a data segment. Win SP2 does this, I am sure Linux does/will soon, one of the BSDs have done stuff like this for a while, etc.

So yes, you would prevent it. But then again, calling a javalib from C... :)

Re:Mozilla

[FireFury03]

Another way of killing the problem is using the NX (I hope I got that correct) instruction/bit in newer CPUs and simply separate code and data, and not allow execution in a data segment. Win SP2 does this, I am sure Linux does/will soon

Yep, Fedora Core 2 has done this since one of the early kernel revisions (I think it was when they went from 2.6.5 to 2.6.6)

Re:Mozilla

[Anonymous Coward]

" Buffer owerflow attacks won't happen ... using the NX"

No, you can still overflow the buffer, thus being able to modify the return pointer, and some variables. What does this mean? If you were lucky/elite, you could get it to jump to a different function. Sure it's not executing your own instructions from the stack, but it's still control.

thanks,
jacob

Canary

[bsd4me]

You can protect against this to. The technique is put a ``canary'' on the stack frame and make sure it is still there before you return.

There are at least two patches to gcc that do this. One is called ProPolice. The name of the second is escaping me right now. OpenBSD includes ProPolice by default.

Google on stack-smashing protectors for more info.

Re:Canary

[RLW]

Or just write good code that includes bounds checking .

Jeepers.

Never use strcpy, always use strncpy. Make sure the code can determine the size of the destination and never copy more than it can hold. Employ smart buffers that won't let you over run what they can hold. This type of exploit has been to widely known of to simply ignore it. besides it's good programming practice that should have been followed to begin with.

Re:Canary

[Minna Kirai]

Or just write good code that includes bounds checking .

Or just never crash your car. That way, you don't need a seatbelt or airbags.

In fact, if these stupid humans would stop being making mistakes, all kinds of problems would just go away. The nerve of some people; making the world a more dangerous place, just because they happen to be fallible!

Re:Mozilla

[Minna Kirai]

Buffer owerflow attacks won't happen in languages which doesn't "support" that feature,

Pedantically, buffer overflows can still happen in any of those languages. But the easily-exploitable subset called stack overruns cannot. And without stack overruns, the difficulty of convincing a buffer overflow to actually do something harmful is great indeed- but it is a theoretical possibility.

Bugs in Compilers...

[Tom7]

On the other hand, it's quite difficult for a bug to creep into a compiler's bounds checking code (which is typically very simple). I know of no such historic examples, though perhaps this is because relatively few apps actually use safe compiled languages. (It would presumably have to be matched by a bug in the application code...) Interpreters and JIT compilers are much more subject to this kind of problem, particularly if they are written in C themselves. ;) There have been a few JVM exploits historicall

Re:Mozilla

[thedillybar]

What the hell are you talking about?

>I wonder if this type of exploit could be prevented if the library was written in, say, java instead?

Sure it could be prevented. It can also be prevented when written in C. See release 1.2.6rc1 [sourceforge.net].

If you're starting the arguement that Java is inherently more secure, and therefore everything should be written in Java, it's not worth the flamewar.

Re:Mozilla

[Tom7]

Yes, it could of course be prevented, like most other security holes.
Java has a bad reputation for being slow, but there are plenty of natively-compiled languages that are quite fast and would at worst result in a denial-of-service (exception) if they had this bug, never execution of arbitrary code.

It is still a wonder to me that people who claim to be concerned about security choose C for their projects.

Diagram

[skraps]

Here [ancoraimparo.net] is a .PNG file with a diagram that explains the problem.

Old news

[Anonymous Coward]

...thanks to the Debian Security mailing list, my systems were secured against this hours before it even made it to /.

Re:Old news

[LiquidCoooled]

"Submissions review procedure" ?

Taco: "Wooah! this Doom 3 is excellent!!!!"

Michael: "Anyone else gettin 503s?"

Simoniker: "Is anybody doing ANY work?"

Tim: "Simon - yer, just gettin submissions - omg, another 400"

Taco: "Die scum die!!"

Michael: "I give up, anyone wanna 7up?"

Taco [Looking up from game for a minute] "Yer go on then!"

Taco: "Tim, Throw another story onto the site, the natives are gettin restless."

Tim: "eeny, meeny miny mo...."

Re:How old is it REALLY?

[jrockway]

> How long has this vulnerability been in libpng?

Forever. Are you happy with that answer? That proves, once and for all, that Linux fucking sucks. I mean how could the DUMBFUCK developers let a bug like that through!?!?!

Seriously, though. People make mistakes. The libpng people made a mistake. They fixed it, and nobody got hurt. So I don't see the problem.

If it's news to you that OSS isn't bugfree, then you need to wake up. The difference between OSS and M$ (et. al.) is that the OSS people fix

Re:How old is it REALLY?

[Waffle Iron]

Programmers and advanced sysadmins can get a fixed version right now. Every normal person has to wait "a few weeks".

Umm... the point-and-drool update utility in my SuSE box automatically installed the patch last night. No programming or advanced sysadmining was required on my part.

Ah-ha!

[iamdrscience]

You all complained about Internet Explorer not being able to display PNGs correctly, but who's laughing now! Obviously they broke PNG support intentionally for security reasons. Once again, Microsoft comes through on the cutting edge.

Re:Ah-ha!

[Nerull]

I know its a joke, but it seems to work in IE as well, or at least an example PNG crashes it, i suppose one could be crafted for IE to exploit it.

The latest SP2 fixes it.

[WhoDaresWins]

I know its a joke, but it seems to work in IE as well, or at least an example PNG crashes it, i suppose one could be crafted for IE to exploit it.

Well using XP SP2 RC2 build 2162 it does nothing in IE other show a broken image link. Whatever Microsoft did in SP2, it seems to have mitigated it. They did recompile major parts of the OS for SP2 with the /GS VC++ stack checking compiler flag [weblogs.com]. That could have caught it. Or it could be that they were informed about it before full disclosure and they fixed it in SP2. Or that they don't use libpng and their library does it correctly or they fixed the issue by themselves. Whatever be it they seem to have taken care of it. BTW the built-in Windows Picture and Fax Viewer also doesn't crash (nor does mspaint). You can test this out yourself if you have SP2 (don't know if builds earlier than 2162 fix it though) using this image link [beasts.org] (Warning! Will crash non patched browsers!) from the original disclosure.

Its reassuring that for once MS has already taken care of some security issue (for XP SP2 at least).

Re:The latest SP2 fixes it.

[Chester K]

don't know if builds earlier than 2162 fix it though

No crash in a fully patched IE from XP SP1.

Re:The latest SP2 fixes it.

[forgoil]

Could be NX as well:)

Re:The latest SP2 fixes it.

[Nerull]

Try This image [graphicsmagick.org]

I got it from the bugzilla entry about the libpng issues.

Actully, that image and the one above produce 2 diffrent effects in IE now that ive tested both, maybe its a diffrent issue that got mixed in the same bugzilla entry.

Re:The latest SP2 fixes it.

[Pxtl]

Brought down my IE too, and I'm all updated on this XP box.

BOEM.

[leuk_he]

Microsoft internet explorer has encountered a problem ands needs to close. we are sorry for the inconvience.

bla bba
[x] restart mirosoft internet explorer ...

[b]WOW[/b], it is a portable bug!

can anybody tell us if this is exploitable?

Re:The latest SP2 fixes it.

[AliasTheRoot]

404 file not found on the latest IE for win2k, will check it with firebird when i get home.

Re:The latest SP2 fixes it.

[gosand]

(Warning! Will crash non patched browsers!)

Thanks for the link. This is one reason that I have an external application set up to handle images. Irfanview reports this as an invalid PNG. Of course, if it were embedded in a web page...

Proof of Concept image

[JUSTONEMORELATTE]

Man, whatever happened to popping up a Solitaire game to prove that you could execute arbitrary code? Now we've got an example image which crashes the browser (Netscape 7.1) and locks the profile, so the only way I can get back to bitch about it is to cold boot the damn (win2k) machine.

damn kids these days.

--

Where did you get the example PNG ?

[Gopal.V]

There's this custom PNG decoder [gnu.org] ... and I'm just curious

Re:Where did you get the example PNG ?

[WhoDaresWins]

I got the link from the original full disclosure over here [beasts.org]. See near the end of section 1. That link is given in the CERT alert.

Re:Where did you get the example PNG ?

[Nerull]

http://www.graphicsmagick.org/libpng/beta/samples/ bigw.png Got it from bugzilla.

Re:Ah-ha!

[billatq]

Someone who saw the leaked source code a while back happened to mention to me that Internet Explorer uses libpng for rendering PNG files--it's just broken because it uses such a friggin' old version of it. So there's a good chance that IE is affected too.

well

[Anonymous Coward]

it's a good thing all of the porn sites i visit use jpegs

Kind of amusing, since...

[devphil]

...a few months ago, there was a /. article roasting someone at an antivirus software company for suggesting that "JPEGs may open holes to viruses" and "we may have to give up the JPEG format."

Slashdot readers were waiting in line to flame the guy for suggesting that mere image files could have any possible security implications ("it's just a data file, it doesn't contain code, he's obviously clueless, unlike me and everyone who agrees with me"), and raising the spectre of having to abandon JPEGs because

Updates

[Sunspire]

Fedora Core 1 [fedoranews.org] and 2 [fedoranews.org] already have backported security updates for this as 1.2.5-7 and 1.2.5-8 respectively since yesterday. Much better than having to install a release candidate.

Re:Updates

[anpe]

Mandrake as well:
http://www.mandrakesoft.com/security/advisories?na me=MDKSA-2004:079 [mandrakesoft.com]

Re:Updates

[spottedkangaroo]

Woah, watch out.

I applied the all_patches from 1.2.5 and the resulting libpng 1.2.5 is still vulnerable!

The remote execution bug was posted to bugtraq yesterday and I don't think there's a patch for 1.2.5!

This broken image [voltar.org] is from the bugtraq post. If it crashes your browser, you're not fixed.

Re:Updates

[jrockway]

Wow, that crashes safari. Any updates from Apple or anything like that yet?

Re:Updates

[spottedkangaroo]

Perhaps that update actually contains the demo-patch from bugtraq then.

my mistake.

Re:Updates

[nstrom]

Correct - FB1.9.3 has a fix for bug 251381 [mozilla.org].

Re:Updates

[nstrom]

I mean FF1.9.3 of course. Lack of coffee this morning :P

Re:Updates

[Sunspire]

There's the Fedora Legacy [fedoralegacy.org] project that backports security fixes for RH9 and in the future also for old Fedora Core releases. There's already some testing packages for RH9 available in Bugzilla [fedora.us], once they're approved they'll be up on the RH9 advisories page [fedoralegacy.org]. You should use yum to download and install the new packages, it's all explained on the website.

Bug? it's a feature!

[barcodez]

a buffer overflow which could potentially cause a PNG image file to execute arbitrary code

This is not a bug it's a feature; the libpng team are obviously trying to get a piece of the ActiveX control market...

Re:

[account_deleted]

Comment removed based on user account deletion

Gentoo

[AliasTheRoot]

I just emerge synced and the latest version available is still libpng-1.2.5-r7

Re:Gentoo

[Sunspire]

Yeah it's still not fixed, but when an updated package is available it will still most likely simply be versioned 1.2.5-r8. You can keep a watch on the package and see immediately when it's fixed here [gentoo.org].

Re:Gentoo

[keesh]

Wait for the rsync mirrors to catch up with cvs. -r8 has been in CVS for a while...

RCS file: /var/cvsroot/gentoo-x86/media-libs/libpng/libpng- 1 .2.5-r8.ebuild,v

revision 1.3
date: 2004/08/05 10:22:53; author: ciaranm; state: Exp; lines: +2 -2
Stable on sparc, bug #59424

revision 1.2
date: 2004/08/05 10:20:27; author: lu_zero; state: Exp; lines: +2 -2
marked ppc

revision 1.1
date: 2004/08/05 10:02:19; author: plasmaroo; state: Exp;
Security bump for bug #59424.

Re:Gentoo

[AliasTheRoot]

I know this is flamebait, but i'm rising to it:

wtf is this newbie vs zealot crap?

i chose gentoo because i like portage, and i find the way things are laid out to be more similar to the solaris and bsd boxes i'm paid to admin. there's nothing wrong with fedora or mandrake (which you dont use), but if Linux is about anything, it's about choice, and my choice is to use a distro that i feel comfortable with.

Re:Gentoo

[AliasTheRoot]

just ignore advocates, they'll go away eventually :)

gentoo is good for me, i don't think it's good for everyone - but i'm not everyone, i'm me.

my wife and my mother both use win2k and thats whats good for them, i help them out with patches and suchlike but neither of them really want to care about having gcc or whatever installed.

like i said, it's all about choice.

Re:Gentoo

[AliasTheRoot]

You know, if I had to pick the thing I thought was the most useless overhyped waste of time about Gentoo, it would be compiling all that crap to make it run.

Thankfully it's a one shot deal and when you've done it once it is pretty much over with.

I have really conservative use flags, probably the only slightly wierd one is SSE for my P4, which probably makes mplayer eat 1% less cpu.

The absolute biggest strength about gentoo for me is portage, i'm from a freebsd background and just plain like how portage w

Buffer overflow *again*?

[Anonymous Coward]

We've all heard about buffer overflow problems in countless programs and libraries again and again. I'm not a programmer, but as I under stand it, the problem is writing to unallocated memory areas. But this is not a new problem, it has happened for ages. Is it really that difficult to avoid? I understand that libpng as a "building block" library needs good performance, but is it really that much of a problem to write things in safer programming languages that don't allow these kind of problems? Can some se

Re:Buffer overflow *again*?

[IamTheRealMike]

Technologies like execshield can help with this. I'd be interested to know if execshield prevented this problem being exploited.

Yes you could reimplement libpng in a safe language that allowed for C export like D or maybe (with some hackery) Java. Nobody has though.

Official Language-based security thread!

[Tom7]

(This troll would be more effective if not posted anonymously.)

Indeed this flamewar has been repeated many times. Safe languages do indeed provide protection from these kinds of attacks and typically at a fairly small speed penalty [debian.org] (depending on the language; the number-two language on that list is safe and places above C++!).

See the earlier slashdot discussion [slashdot.org] for loads of argument. ( here [spacebar.org] for my perspective--note, I am a tower-in-the-sky PhD student in programming languages, but I do write lots of

Re:Official Language-based security thread!

[timeOday]

I am still boggled that programmers who claim to be interested in security (and who moreover claim to be uninfluenced by marketing and "cool", but rather by technical concerns) still choose C or C++ for their projects.

I agree that unsafe languages are on the way out for most applications in the long run. There's just no reason NOT to prevent these errors automatically. Code reviews and "being careful" are not solutions. There's no good reason for a language to be full of "undefined behavior" black hole

Re:Spoken like a true AC...

[shish]

It is compiled to Java byte code which is interpreted

No, it's compiled to bytecode for distribution, and then compiled to binary on the fly whenever you run it. Java could be the same speed as C++, it's just that Sun haven't done as much optimisation as the GCC guys have.

Re:Spoken like a true AC...

[Minna Kirai]

Java could be the same speed as C++

So long as "compiling to binary on the fly" takes ZERO time.

But actually, GCC can compile Java to binary ahead of time, just like it does with any C++ code. But having experimented with this, it doesn't go any faster than Java in a VM on the same machine... which could either indicate the VM is compiling very well, or (more likely) that GCC isn't very optimized for Java inputs.

PNG security threat

[Anonymous Coward]

Is there oil at Papua - New Guinea?

Re:PNG security threat

[MavEtJu]

Is there oil at Papua - New Guinea?

With the risk of being non-funny: yes.

And the Australian government is making sure that they're getting their 'fair' share of it!

Combine this...

[cperciva]

... with this [isec.pl], and Linux gets to join the "visit a malicious website and get rooted" crowd.

Re:Combine this...

[caluml]

All I get is this:

[+] mmaped uncached file at 0x40014000 - 0x40015000
[+] mmaped kernel data file at 0x4014c000
[-] Race lost 0, use another file!
Terminated

No matter which file I try.
Running 2.6.7-gentoo-r10

Re:Combine this...

[achurch]

As far as I can tell, that only lets you read memory, which doesn't let you root anything. In fact, I tried the test and though it claimed to have worked, all I got was /proc/mtrr followed 64MB of zeros, which seems odd since my machine's been up long enough that all my physical memory should have been stomped on at some point.

So yes, these are both serious problems, but they still don't boost Linux up into that vaunted "rootable group". (:

Re:Combine this...

[thinkninja]

Well, it all depends on what the attacker gets from the kernel memory dump. Could be that they get sensitive information or it could be they get nothing that would help in privilege escalation. I'd rather close that door altogether, myself by using 2.6.8-rc or 2.4.27.

But, please, unless GP has written a proof of concept that shows Linux is rootable via rendering a webpage, he should stop posting flamebait and go back to working on his 'depenguinator'.

Arbitrary Code...?

[Anonymous Coward]

What is arbitrary code? How is it any different as compared to any other computer code, say a piece of software?

Re:Arbitrary Code...?

[Anne Thwacks]

Bill Gates has a patent on arbitrary code. (Or maybe that was SCO).

Re:Arbitrary Code...?

[GregChant]

Not entirely true. Arbitrary code is any code or script that has been written to perform an arbitrary task; malicious or otherwise. Arbitrary code is equivalent to saying "random sourcecode x".

Debian

[Fuzzums]

Within an hour (or so) after the CERT-mail I also got the Matt Zimmerman-mail.

Fixed :)
I love this!

Thanks Guys!

SuSE patch also already available

[Anonymous Coward]

I just patched my SuSE box. Man that was fast ... or perhaps .. it is because Germany is 6 hours ahead of me.

Attribution?

[Quixote]

Would it be too much to ask whose code was it that had the vulnerability?

I think it is time we started attributing vulnerabilities to the authors (just as we do with companies).

Re:Attribution?

[FireFury03]

If you do that (which is probably a good idea) you'll need to weight it based on the amount of code written by that author that _could_ contain a security hole. Otherwise the stats will just show that the authors who write 99% of the complex network-facing code are responsible for most security holes.

Re:Attribution?

[pclminion]

I think it is time we started attributing vulnerabilities to the authors (just as we do with companies).

Terrible idea. I can tell you right now, if I knew I'd be held personally responsible for bugs in open source software I contributed to, I would not contribute. If you want me to take responsibility for my bugs, give me money.

If you don't like buggy free software, don't use it. What you're describing sounds almost like an inverse meritocracy, where people get branded if they don't write code that's

Another exploit in libpng

[ShadowRage]

image bombs. basically, you create a 190000x190000 pixel monochrome image, save it, and it compresses to 43 kb

anyone opens it... *BAM* it expands into 2gb of ram.

Re:Another exploit in libpng

[thogard]

This is a problem? I've got about 300 people try to anon-proxy through one my servers every day. When they ask for a gif (or png or whatever) would be a nice to give them something to make them go away.

Re:Another exploit in libpng

[Minna Kirai]

BAM* it expands into 2gb of ram.

*BAM* it reveals that the client-software shouldn't have been naively decompressing the whole file, but only the part it was going to display. (Loading more data from the file when the user begins scrolling)

But seriously folks, this is an example of why DoS attacks can't really be automatically prevented. There's no strict boundary between a legitimate use of heavy resources and intentional squandering of resources.

What if someone wants to store 190000 pixels of black?

Standardized Libraries

[Teancum]

The LibPNG library is merely a standardized library for reading and writing PNG files. It has been ported to many platforms and is even LGPL'd.

This makes it a two-edged sword in some ways, because nothing is specifically keeping you from writing your own implementation of the PNG specification, but most people are generally lazy and grab whatever is at hand, particularly if it is well written.

The trick is to keep the formal specification seperated from the implementation so the implementation doesn't bec

Re:Standardized Libraries

[thebatlab]

Are you off your rocker? "Dum de dum...I need to display some PNGs in my program. Rather than use the widely known and used libpng I think I'll write my own entire library". Umm ever here of not re-inventing the wheel? NIHS? Re-use?

"but most people are generally lazy and grab whatever is at hand"

It has nothing to do with laziness and if you can't see that then I never want you to write any software for me.

"One way to prevent issues like this from really taking over is to provide alternative implemen

Mitigation...

[Chief Typist]

It appears to me that this problem exists at both the client and the server.

Updating a server to use the patched version of libpng is an obvious first step. You don't want the buffer overflow compromising security as you deliver a .png file (which would only be an issue if you read the .png from the server before delivery.)

The tricky part is what to do with the .png files that have been tampered with. You don't really want to serve those up to clients -- you'd be delivering a security risk. There will be a significant lag before client software is updated -- browsers and anything else that streams .png over a network connection will be at risk during this time.

It seems to me that there's a need for some kind of scanning tool that checks for bogus .png files. At the server side, you could scan for compromised files and get rid of them.

Does such a tool exist?

-ch

Interesting synchronicity

[mwood]

Someone was asking on a mailing list why Mozilla fanboys think their browser is so much more secure than the Internet Explorer fanboys' browser. (My words, not his.) The same day, the PNG vulnerability came out. THE SAME DAY, the patched Mozilla, Firefox, etc. were released. I was using the new Mozilla an hour after I learned (via mail from US-CERT) about the vulnerability in a third-party library that Mozilla uses.

I consider the question answered.

Re:Didn't this happen with BMP?

[noselasd]

Well, _lib_png have many, many jmp like instructions, they're called
function calls, and if you manage to overwrite the return address on the stack, you can make it jump anywhere, like the code you injected.
Hopefully it's just the stack you can overflow, most of us should run with a no executable stack theses days, no harm done(well, it probably crashes.. )

Re:Didn't this happen with BMP?

[FireFury03]

most of us should run with a no executable stack theses days

Ah, you mean the vast majority of people are now running Athlon64's? (tip: Plain IA32 CPUs don't support the NX bit).

Re:Didn't this happen with BMP?

[gl4ss]

tip: you don't need it in hardware..

Re:Didn't this happen with BMP?

[FireFury03]

errm... how?

How exactly do you stop the cpu executing the stack if there is no way to mark it as non-executable?

Re:Didn't this happen with BMP?

[noselasd]

This explains how it's done:
http://people.redhat.com/mingo/exec-shield/ ANNOUNC E-exec-shield

Re:Didn't this happen with BMP?

[bl8n8r]

> PNG adoption (and this vulnerability) isn't as
> wide-spread as it could be if certain software
> were more popular.

Hold that crack pipe a moment - the fact that
IE renders PNG files will make possible the ability
to exploit this just as easily as if it were on Linux. You are fishing.

Re:Didn't this happen with BMP?

[moonbender]

Hm. It isn't acknowledged in the IE About window - but the libpng license doesn't require them to do that, anyway. But I guess the half-baked PNG support in IE is a sure sign that it doesn't use libpng...

Re:php !

[Anonymous Coward]

Seriously, we need a "Dumbass" mod option

Re:php !

[dolmen.fr]

The article is about PNG, not PHP.

Of course, but this means that free PHP hosting services are at risk, as some malicious users will try to exploit this flaw on the server side.

It's a decoder problem

[Snaapy]

"And how many PHP sites/scripts dynamically generates .png files ? Quite a lot I'd think, so, webservers might be vunerable, but it seems
like a longshot to try to inject something to such scripts."

Did you read the article? You don't seem to understand the point here.

The bug affects only loading of PNG images. One can make a specially crafted PNG image which has some invalid fields causing problems in the decoder. The invalid handling of these special error cases may cause an application crash or potential execution of arbitary code in the application which uses libpng.

It is not possible to introduce malicious RAW image data to the encoder. And even if it was possible, you should be able to pump data directly in the encoder, which is not a usual case with dynamically generated images. So, your PHP site is safe.

However, libpng is the most commonly used PNG implementation due to it's free licence. These bugs affect to very many applications (graphics applications, Office applications, user interface managers, browsers, etc.) which happen to use PNG.

A similiar case like this was zlib bugs some time ago.

Re:It's a decoder problem

[mindriot]

But wouldn't it still be possible to write a php script that, using libpng, loads a png file, and upload a malicious png for it to load? Yeah, encoding a png is probably safe. But, I mean, do something like this:

$im = imagecreatefrompng("test.png");
imagepng($im);

...and a malicious test.png will have to get loaded first.

Well, of course you won't be able to execute arbitrary code as root (just as www-data or something, and you can already do that in your php script :)). But I'm not so sure how much a ma

Re:It's a decoder problem

[0x0d0a]

However, libpng is the most commonly used PNG implementation due to it's free licence. These bugs affect to very many applications (graphics applications, Office applications, user interface managers, browsers, etc.) which happen to use PNG.

Note that this is an issue that has not recieved enough attention. These days, data files are transfered around a lot. Sure, people are terribly careful about network code, anything reading data from the network, but how careful are they in checking data that they're

Re:WinXP

[Anonymous Coward]

Sorry I am kinda new to png stuff... can anyone explain how this might effect my Windows XP box? Should I go get the patch for my system? btw I am running Windows XP professional with service pack 1. Thanks in advance.

! - in case this is for real.

PNG is an image format. It's very popular. There's a free (not copyleft free) library that anyone can put in their software to handle the PNG format.

There's a problem with this free library. If you're using software with a broken version of this library, you'll