Slashdot Mirror


CERT Warns Of Multiple Vulnerabilities In Libpng

jefftp writes "CERT announced today that there are several vulnerabilities in libpng, one is a buffer overflow which could potentially cause a PNG image file to execute arbitrary code. Libpng release 1.2.6rc1 addresses the problems covered by this CERT announcement, and can be obtained from the libpng Sourceforge project. A fully tested version is to be released in the next few weeks."

259 comments

  1. Didn't this happen with BMP? by Anonymous Coward · · Score: 0

    Well, at least there's no internal JMP-like instruction in PNG...

    On the plus side, PNG adoption (and this vulnerability) isn't as wide-spread as it could be if certain software were more popular.

    1. Re:Didn't this happen with BMP? by noselasd · · Score: 5, Informative

      Well, _lib_png has many, many jmp-like instructions; they're called function calls, and if you manage to overwrite the return address on the stack, you can make it jump anywhere, like the code you injected.
      Hopefully it's just the stack you can overflow; most of us should run with a non-executable stack these days, so no harm done (well, it probably crashes...).

    2. Re:Didn't this happen with BMP? by bl8n8r · · Score: 1

      > PNG adoption (and this vulnerability) isn't as
      > wide-spread as it could be if certain software
      > were more popular.

      Hold that crack pipe a moment - the fact that IE renders PNG files will make possible the ability to exploit this just as easily as if it were on Linux. You are fishing.

      --
      boycott slashdot February 10th - 17th check out: altSlashdot.org
    3. Re:Didn't this happen with BMP? by Anonymous Coward · · Score: 0

      Hold that crack pipe a moment - the fact that IE renders PNG files will make possible the ability to exploit this just as easily as if it were on Linux.

      Only if IE uses libpng. And I don't see any evidence that it does.

    4. Re:Didn't this happen with BMP? by FireFury03 · · Score: 2, Interesting

      most of us should run with a non-executable stack these days

      Ah, you mean the vast majority of people are now running Athlon64's? (tip: Plain IA32 CPUs don't support the NX bit).

    5. Re:Didn't this happen with BMP? by moonbender · · Score: 1

      Hm. It isn't acknowledged in the IE About window - but the libpng license doesn't require them to do that, anyway. But I guess the half-baked PNG support in IE is a sure sign that it doesn't use libpng...

      --
      Switch back to Slashdot's D1 system.
    6. Re:Didn't this happen with BMP? by gl4ss · · Score: 1

      tip: you don't need it in hardware..

      --
      world was created 5 seconds before this post as it is.
    7. Re:Didn't this happen with BMP? by FireFury03 · · Score: 1

      errm... how?

      How exactly do you stop the cpu executing the stack if there is no way to mark it as non-executable?

    8. Re:Didn't this happen with BMP? by Anonymous Coward · · Score: 1, Informative

      How exactly do you stop the cpu executing the stack if there is no way to mark it as non-executable?

      Put it in a different segment. Like the OpenWall patch does for Linux. On IA32 machines (386 and up), you can mark an entire segment non-executable; you just can't mark individual pages.
    9. Re:Didn't this happen with BMP? by Anonymous Coward · · Score: 0

      Read the Intel developers manual on e.g. segmentation and paging.
      There are programmer-available bits in a pte...

    10. Re:Didn't this happen with BMP? by noselasd · · Score: 3, Informative

      This explains how it's done:
      http://people.redhat.com/mingo/exec-shield/ANNOUNCE-exec-shield

    11. Re:Didn't this happen with BMP? by Anonymous Coward · · Score: 0

      you don't need it in hardware...

      Yes, you do. What you mean to say is that x86 supports NX on a per-segment basis rather than per-page.

      You can use this per-segment NX to create a non-executable stack, but as with all things segmented, it's a major pain in the butt to set up. Surprisingly enough, Windows does not support it.

      No-execute stack isn't a silver bullet anyway, you just have to simulate a call to the function that clears the NX bit instead of a direct jump into the buffer. It gives ASCII-armor teeth, but it's ultimately useless alone.

  2. Firefox by dolmen.fr · · Score: 2, Interesting

    Is Mozilla/Firefox/Thunderbird using this lib ?

    1. Re:Firefox by black+mariah · · Score: 5, Informative

      Yes. Most everything on Linux that reads or writes PNG's uses it.

      --
      'Standards' in computing only impress those who are impressed by things like 'standards'.
    2. Re:Firefox by beardz · · Score: 4, Informative

      New builds of Mozilla / Firefox / Thunderbird have been released to patch four potential security vulnerabilities, including the libpng issue.

    3. Re:Firefox by CTho9305 · · Score: 1

      This was one of the security fixes (arguably the only exploitable hole) that was included in yesterday's releases, 1.7.2, 0.9.3, and 0.7.3.

    4. Re:Firefox by Anonymous Coward · · Score: 0

      Dang. There goes my plan to deal with people who link directly to images hosted on my web server.

    5. Re:Firefox by timeOday · · Score: 1

      Next question: are you running Mozilla/Firefox/Thunderbird as root?

    6. Re:Firefox by Minna+Kirai · · Score: 1

      are you running Mozilla/Firefox/Thunderbird as root?

      And another question: Is all of the valuable data on your computer owned by root, or do you occasionally do important work as a user?

      Ever type your credit-card into Mozilla/Firefox/Thunderbird?

    7. Re:Firefox by Anonymous Coward · · Score: 0

      Oh my GOD!?! Thank goodness I am using a much more secure browser like Internet Explorer.

    8. Re:Firefox by respite · · Score: 1

      Yes, but the recent updates seem to have fixed this issue. I've visited all the crasher png's and Firefox just says:

      The image http://scary.beasts.org/misc/pngtest_bad.png cannot be displayed, because it contains errors.
    9. Re:Firefox by joeljkp · · Score: 1

      No, he's right. Mozilla-based apps use libpr0n to render images. Don't know if that somehow links to libpng as well, though.

      --
      WeRelate.org - wiki-based genealogy
    10. Re:Firefox by Anonymous Coward · · Score: 0

      libpron is just the wrapper Gecko uses to provide a consistent API - underneath, it uses libpng, libjpeg, etc.

    11. Re:Firefox by Mika24 · · Score: 1

      Ok, since you didn't answer the question about FireFox/Mozilla on Windows systems, does it affect those users also???

      --
      http://www.npcgaming.com Dedicated Gaming Servers
    12. Re:Firefox by black+mariah · · Score: 1

      It should be resoundingly fucking obvious that if I don't answer a question, then I have no fucking clue what the answer is. Google is your friend.

      --
      'Standards' in computing only impress those who are impressed by things like 'standards'.
  3. Mozilla by KidSock · · Score: 2, Interesting

    So does mozilla statically or dynamically link with libpng?

    1. Re:Mozilla by slashdevslashtty · · Score: 4, Informative

      According to this, libpng is part of the source tree. My guess is static.

      --
      M$ Lawyer: But `gcc /dev/random -o kernel.dll` is our trade secret!
    2. Re:Mozilla by jrockway · · Score: 1

      Interesting. I wonder if this type of exploit could be prevented if the library was written in, say, java instead? Any experts that know for sure?

      --
      My other car is first.
    3. Re:Mozilla by Theril · · Score: 5, Funny

      Sure it could. Implement image loading and rendering in Java and nobody has patience to load images anymore.

    4. Re:Mozilla by evil_one666 · · Score: 2, Informative

      I wrote a GIF library in JAVA to display animated gifs on java 1.0 and it was reeeeeeeaaaaaally sloooooooow. It would however not be possible to exploit a buffer overflow on such a decompressor...

    5. Re:Mozilla by forgoil · · Score: 4, Informative

      Buffer overflow attacks won't happen in languages which don't "support" that feature, such as perl, python, ruby, java, C# (any managed code), or managed C++ for that matter.

      Another way of killing the problem is using the NX (I hope I got that correct) instruction/bit in newer CPUs and simply separate code and data, and not allow execution in a data segment. Win SP2 does this, I am sure Linux does/will soon, one of the BSDs have done stuff like this for a while, etc.

      So yes, you would prevent it. But then again, calling a javalib from C... :)

    6. Re:Mozilla by FireFury03 · · Score: 2, Informative

      Another way of killing the problem is using the NX (I hope I got that correct) instruction/bit in newer CPUs and simply separate code and data, and not allow execution in a data segment. Win SP2 does this, I am sure Linux does/will soon

      Yep, Fedora Core 2 has done this since one of the early kernel revisions (I think it was when they went from 2.6.5 to 2.6.6)

    7. Re:Mozilla by Anonymous Coward · · Score: 2, Informative

      " Buffer overflow attacks won't happen ... using the NX"

      No, you can still overflow the buffer, thus being able to modify the return pointer, and some variables. What does this mean? If you were lucky/elite, you could get it to jump to a different function. Sure it's not executing your own instructions from the stack, but it's still control.

      thanks,
      jacob

    8. Re:Mozilla by GoCoGi · · Score: 1

      Buffer overflow attacks won't happen in languages which don't "support" that feature, such as perl, python, ruby, java, C# (any managed code), or managed C++ for that matter. In theory this is true, but to actually run such a program you need a compiler/interpreter for that language, which could contain bugs, so buffer overflows could be possible. Of course the Java programmer by definition can't introduce a buffer overflow exploit into his Java code, so it will always be the Java interpreter/compiler's fault.

    9. Re:Mozilla by thedillybar · · Score: 1

      What the hell are you talking about?

      >I wonder if this type of exploit could be prevented if the library was written in, say, java instead?

      Sure it could be prevented. It can also be prevented when written in C. See release 1.2.6rc1.

      If you're starting the argument that Java is inherently more secure, and therefore everything should be written in Java, it's not worth the flamewar.

    10. Re:Mozilla by Tom7 · · Score: 1

      Yes, it could of course be prevented, like most other security holes.
      Java has a bad reputation for being slow, but there are plenty of natively-compiled languages that are quite fast and would at worst result in a denial-of-service (exception) if they had this bug, never execution of arbitrary code.

      It is still a wonder to me that people who claim to be concerned about security choose C for their projects.

    11. Re:Mozilla by Minna+Kirai · · Score: 1

      Buffer overflow attacks won't happen in languages which don't "support" that feature,

      Pedantically, buffer overflows can still happen in any of those languages. But the easily-exploitable subset called stack overruns cannot. And without stack overruns, the difficulty of convincing a buffer overflow to actually do something harmful is great indeed - but it is a theoretical possibility.

    12. Re:Mozilla by tungwaiyip · · Score: 1

      That's a false sense of comfort. These scripting languages often provide features via a wrapper to an underlying C library, libpng is a plausible example, either because the library is more available in C or because of performance reasons. The possibility of buffer overflow would be greatly reduced if the application is written purely in those languages. But still the interpreters themselves are often written in C and still pose a potential problem.

    13. Re:Mozilla by AsparagusChallenge · · Score: 1

      It depends.

      Compiling Mozilla with "ac_add_options --with-system-png" at the .mozconfig file would make it dynamically linked if you wanted to.

    14. Re:Mozilla by jesser · · Score: 1

      Static, I think. Upgrade to Mozilla 1.7.2 or Firefox 0.9.3 (both released yesterday) to pick up the libpng fixes.

      --
      The shareholder is always right.
  4. Diagram by skraps · · Score: 2, Funny

    Here is a .PNG file with a diagram that explains the problem.

    --
    Karma: -2147483648 (Mostly affected by integer overflow)
    1. Re:Diagram by skraps · · Score: 0, Redundant

      Uhhhh. Lighten up mods, it's a *JOKE*. The linked file is a *PNG*. Get it?

      --
      Karma: -2147483648 (Mostly affected by integer overflow)
    2. Re:Diagram by Anonymous Coward · · Score: 0

      No. What's so cool/funny about that? So someone renamed the file, but the server gives the appropriate mimetype and/or the browser figures it out itself. Big deal.

    3. Re:Diagram by Anonymous Coward · · Score: 1, Insightful

      Jesus. It must be retard night on slashdot.
      The file is actually a GIF. Check the header. "GIF89a".
      The post claims it is a PNG that explains the "problem".
      If you just read an article about a PNG exploit, and then are stupid enough to click a link that purports to go to a PNG file, you are a dumbass, as the picture informs you.
      Since it is actually a GIF, there is no actual harm in viewing the file.
      Is that really so hard to piece together?
      Perhaps you don't think it's funny. Slashdot's moderation system doesn't have an "Unfunny" option - and for a good reason: dipshits like yourself who would misuse it.

    4. Re:Diagram by Anonymous Coward · · Score: 0

      Actually, meta-mod does have an unfunny option.

      All moderations are meta-modded fair or unfair, except funny, which is meta-modded funny or unfunny.

      No, that does not make sense.

    5. Re:Diagram by Anonymous Coward · · Score: 0

      "Is it ever not retard night on slashdot?"

      Yes, sometimes it's retard day.

    6. Re:Diagram by john_sheu · · Score: 0

      Erm...aren't PNG's supposed to *replace* GIFs?

    7. Re:Diagram by Anonymous Coward · · Score: 0

      Perhaps you don't think it's funny. Slashdot's moderation system doesn't have an "Unfunny" option - and for a good reason: dipshits like yourself who would misuse it.

      Actually it would probably prevent some misuse. Now dipshits mod something they think is unfunny as overrated, or troll, or flamebait, which causes karma loss, "unfunny" like "funny" on the other hand wouldn't affect karma.

  5. Old news by Anonymous Coward · · Score: 2, Interesting

    ...thanks to the Debian Security mailing list, my systems were secured against this hours before it even made it to /.

    1. Re:Old news by Anonymous Coward · · Score: 0, Flamebait

      ...thanks to the Debian Security mailing list, my systems were secured against this hours before it even made it to /.

      Hours? Hours makes it old news? Jesus.

      There's a submission review procedure before stuff gets posted on slashdot. That takes time.

    2. Re:Old news by LiquidCoooled · · Score: 5, Funny

      "Submissions review procedure" ?

      Taco: "Wooah! this Doom 3 is excellent!!!!"

      Michael: "Anyone else gettin 503s?"

      Simoniker: "Is anybody doing ANY work?"

      Tim: "Simon - yer, just gettin submissions - omg, another 400"

      Taco: "Die scum die!!"

      Michael: "I give up, anyone wanna 7up?"

      Taco [Looking up from game for a minute] "Yer go on then!"

      Taco: "Tim, Throw another story onto the site, the natives are gettin restless."

      Tim: "eeny, meeny miny mo...."

      --
      liqbase :: faster than paper
    3. Re:Old news by pilkul · · Score: 1

      Yes I make mistakes. Don't we all?

      I don't.

    4. Re:Old news by LiquidCoooled · · Score: 1

      dont tell porkies!

      --
      liqbase :: faster than paper
  6. Ah-ha! by iamdrscience · · Score: 5, Funny

    You all complained about Internet Explorer not being able to display PNGs correctly, but who's laughing now! Obviously they broke PNG support intentionally for security reasons. Once again, Microsoft comes through on the cutting edge.

    1. Re:Ah-ha! by Nerull · · Score: 5, Informative

      I know it's a joke, but it seems to work in IE as well, or at least an example PNG crashes it; I suppose one could be crafted for IE to exploit it.

    2. Re:Ah-ha! by billatq · · Score: 2, Interesting

      Someone who saw the leaked source code a while back happened to mention to me that Internet Explorer uses libpng for rendering PNG files--it's just broken because it uses such a friggin' old version of it. So there's a good chance that IE is affected too.

    3. Re:Ah-ha! by MyHair · · Score: 1

      Someone who saw the leaked source code a while back happened to mention to me that Internet Explorer uses libpng for rendering PNG files--it's just broken because it uses such a friggin' old version of it. So there's a good chance that IE is affected too.

      Cool! Maybe the update will fix PNG transparency on IE!?

  7. well by Anonymous Coward · · Score: 3, Funny

    it's a good thing all of the porn sites i visit use jpegs

    1. Re:well by Anonymous Coward · · Score: 0

      Ha, you would think !? They're just renamed (about 179 times on average I would imagine).
      Most of them are actually .exe trojans hidden inside what you think are .jpg files.

    2. Re:well by Anonymous Coward · · Score: 0

      Who fucking cares, exe trojans don't do shit to my Linux

    3. Re:well by 9-bits.tk · · Score: 1

      *smacks Anonymous Coward*

      Porn sites??!! What would your mother say???

  8. I think by slashdevslashtty · · Score: 1

    I think this was one of the vulnerabilities in Mozilla (Suite, Firefox, Thunderbird) that they already fixed and featured on /.

    --
    M$ Lawyer: But `gcc /dev/random -o kernel.dll` is our trade secret!
    1. Re:I think by slashdevslashtty · · Score: 1

      Ok, I found the bug report: here.

      --
      M$ Lawyer: But `gcc /dev/random -o kernel.dll` is our trade secret!
  9. Updates by Sunspire · · Score: 3, Informative

    Fedora Core 1 and 2 already have backported security updates for this as 1.2.5-7 and 1.2.5-8 respectively since yesterday. Much better than having to install a release candidate.

    --
    It's like deja vu all over again.
    1. Re:Updates by City+Jim+3000 · · Score: 1

      Forgive a Fedora rookie, but how can I get updates for my RedHat 9 system? I'm guessing the Fedora project has some kind of "backporting" to RedHat 9, no?

      I'm running some kind of yum-thing to update, but I've forgotten what settings I have in it.

    2. Re:Updates by Sunspire · · Score: 1

      There's the Fedora Legacy project that backports security fixes for RH9 and in the future also for old Fedora Core releases. There's already some testing packages for RH9 available in Bugzilla, once they're approved they'll be up on the RH9 advisories page. You should use yum to download and install the new packages, it's all explained on the website.

      --
      It's like deja vu all over again.
    3. Re:Updates by spottedkangaroo · · Score: 1

      Woah, watch out.

      I applied the all_patches from 1.2.5 and the resulting libpng 1.2.5 is still vulnerable!

      The remote execution bug was posted to bugtraq yesterday and I don't think there's a patch for 1.2.5!

      This broken image is from the bugtraq post. If it crashes your browser, you're not fixed.

      --
      Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
    4. Re:Updates by whovian · · Score: 1

      I followed your broken image links with firefox-0.9.3 on Fedora Core 2 with libpng-1.2.5-5. The browser doesn't crash, just gives an error message. I was expecting a crash. Odd.

      --
      To-do List: Receive telemarketing call during a tornado warning. Check.
    5. Re:Updates by spottedkangaroo · · Score: 1

      Perhaps that update actually contains the demo-patch from bugtraq then.

      My mistake.

      --
      Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
    6. Re:Updates by nstrom · · Score: 1

      Correct - FB1.9.3 has a fix for bug 251381.

    7. Re:Updates by nstrom · · Score: 1

      I mean FF1.9.3 of course. Lack of coffee this morning :P

    8. Re:Updates by jrockway · · Score: 1

      Wow, that crashes safari. Any updates from Apple or anything like that yet?

      --
      My other car is first.
    9. Re:Updates by Anonymous Coward · · Score: 0

      I think you need more coffee. Since we're on the subject of making useless corrections, I believe it would be FF 0.9.3 =)

  10. Bug? it's a feature! by barcodez · · Score: 4, Funny

    a buffer overflow which could potentially cause a PNG image file to execute arbitrary code

    This is not a bug it's a feature; the libpng team are obviously trying to get a piece of the ActiveX control market...

    1. Re:Bug? it's a feature! by Keeper · · Score: 1

      Unfortunately, this technique violates Eolas's patents regarding running code in a browser downloaded from an external source with a seamless user experience...

  11. YBHT HAND! by Anonymous Coward · · Score: 0

    And you are, in fact, blazingly naive...

  12. Re:php ! by Anonymous Coward · · Score: 0

    Well actually I am blind you insensitive clod!

  13. Re:php ! by Anonymous Coward · · Score: 5, Funny

    Seriously, we need a "Dumbass" mod option

  14. Around the world.... by Neo-Rio-101 · · Score: 1

    Suddenly MRTG gets a mind of its own and starts spewing out more than just TCP connection data reports!

    --
    READY.
    PRINT ""+-0
    1. Re:Around the world.... by Anonymous Coward · · Score: 0

      In 2004, MRTG became self aware...

  15. Gentoo by AliasTheRoot · · Score: 2, Interesting

    I just emerge synced and the latest version available is still libpng-1.2.5-r7

    1. Re:Gentoo by Sunspire · · Score: 4, Informative

      Yeah it's still not fixed, but when an updated package is available it will still most likely simply be versioned 1.2.5-r8. You can keep a watch on the package and see immediately when it's fixed here.

      --
      It's like deja vu all over again.
    2. Re:Gentoo by Anonymous Coward · · Score: 0, Flamebait

      Could it be that Mandrake and Fedora have their patched code out faster than the elite gentoo team that is supposed to be poised on the bleeding edge of our scene? My "newbie" distro has been patched and secure for many hours and you gentoo zealots are still scratching your asses...

      Heck you don't even need to wait for them to make a binary! It should've been done by now surely...

    3. Re:Gentoo by AliasTheRoot · · Score: 0

      Good post, I didn't know about that - if I had moderation turned on I'd give you a +1 informative.

    4. Re:Gentoo by AliasTheRoot · · Score: 1

      I know this is flamebait, but I'm rising to it:

      wtf is this newbie vs zealot crap?

      I chose gentoo because I like portage, and I find the way things are laid out to be more similar to the solaris and bsd boxes I'm paid to admin. There's nothing wrong with fedora or mandrake (which you don't use), but if Linux is about anything, it's about choice, and my choice is to use a distro that I feel comfortable with.

    5. Re:Gentoo by Anonymous Coward · · Score: 0

      wtf is this newbie vs zealot crap?
      i chose gentoo because i like portage, ... it's about choice, and my choice is to use a distro that i feel comfortable with.


      Absolutely. It's just that a few rabid Gentoo advocates got Gentoo a bad rep.

    6. Re:Gentoo by AliasTheRoot · · Score: 3, Insightful

      Just ignore advocates, they'll go away eventually :)

      Gentoo is good for me, I don't think it's good for everyone - but I'm not everyone, I'm me.

      My wife and my mother both use win2k and that's what's good for them, I help them out with patches and suchlike but neither of them really want to care about having gcc or whatever installed.

      Like I said, it's all about choice.

    7. Re:Gentoo by Anonymous Coward · · Score: 0

      Whaddaya know, I clicked the link, and it appears it's been patched since you posted it.

    8. Re:Gentoo by keesh · · Score: 1

      Wait for the rsync mirrors to catch up with cvs. -r8 has been in CVS for a while...

      RCS file: /var/cvsroot/gentoo-x86/media-libs/libpng/libpng-1.2.5-r8.ebuild,v

      revision 1.3
      date: 2004/08/05 10:22:53; author: ciaranm; state: Exp; lines: +2 -2
      Stable on sparc, bug #59424

      revision 1.2
      date: 2004/08/05 10:20:27; author: lu_zero; state: Exp; lines: +2 -2
      marked ppc

      revision 1.1
      date: 2004/08/05 10:02:19; author: plasmaroo; state: Exp;
      Security bump for bug #59424.

    9. Re:Gentoo by Anonymous Coward · · Score: 0

      viewcvs doesn't work in realtime. It can lag behind the main cvs tree by up to an hour.

    10. Re:Gentoo by Anonymous Coward · · Score: 0

      Gentoy is for ricers. You're being tarred with the same brush as all the fucking wannabe pricks who don't know a CFLAG from a whole in the heads. Get out quick, before the stupid infects you, too.

    11. Re:Gentoo by Anonymous Coward · · Score: 0

      A whole what in what heads?

    12. Re:Gentoo by hundalz · · Score: 1

      From the gentoo-announce mailing list:

      Resolution
      ==========

      All libpng users should upgrade to the latest stable version:

      # emerge sync

      # emerge -pv ">=media-libs/libpng-1.2.5-r8"
      # emerge ">=media-libs/libpng-1.2.5-r8"

      You should also run revdep-rebuild to rebuild any packages that depend on older versions of libpng:

      # revdep-rebuild

      Hope this helps! :)
    13. Re:Gentoo by AliasTheRoot · · Score: 1

      You know, if I had to pick the thing I thought was the most useless overhyped waste of time about Gentoo, it would be compiling all that crap to make it run.

      Thankfully it's a one shot deal and when you've done it once it is pretty much over with.

      I have really conservative use flags, probably the only slightly weird one is SSE for my P4, which probably makes mplayer eat 1% less cpu.

      The absolute biggest strength about gentoo for me is portage, I'm from a freebsd background and just plain like how portage works. I also like the stripped out nature of the distribution, if you've spent most of your time adminning solaris or bsd boxes and then come to linux, you'll probably be just plain horrified at the crap that gets put into /bin or /etc on a linux machine.

      Anyway, I could care less about tweaking 0.1% extra out of my pc, but portage makes it easier to keep it up to date and gentoo isn't completely braindead about its filesystem layout.

    14. Re:Gentoo by uid8472 · · Score: 1

      I seem to recall reading, a few days ago, a Gentoo security advisory about libpng, wherein was recommended upgrading to at least 1.2.5-r7, which had a fix. Was that the same bug as this?

    15. Re:Gentoo by uid8472 · · Score: 1

      Answering myself: judging by the more recent advisory, it's not, or there were more bugs than -r7 fixed, or something.

  16. It's a decoder problem by Snaapy · · Score: 5, Informative

    "And how many PHP sites/scripts dynamically generate .png files? Quite a lot I'd think, so webservers might be vulnerable, but it seems like a longshot to try to inject something into such scripts."

    Did you read the article? You don't seem to understand the point here.

    The bug affects only loading of PNG images. One can make a specially crafted PNG image which has some invalid fields causing problems in the decoder. The invalid handling of these special error cases may cause an application crash or potential execution of arbitrary code in the application which uses libpng.

    It is not possible to introduce malicious RAW image data to the encoder. And even if it were possible, you should be able to pump data directly into the encoder, which is not a usual case with dynamically generated images. So, your PHP site is safe.

    However, libpng is the most commonly used PNG implementation due to its free licence. These bugs affect very many applications (graphics applications, Office applications, user interface managers, browsers, etc.) which happen to use PNG.

    A similar case to this was the zlib bugs some time ago.
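    As an added illustration of the "invalid fields" point above (example code written for this page, not libpng's code; every function name is hypothetical), a minimal PNG chunk walker in C that validates each chunk's declared length against the bytes actually present, and its CRC, before anything is allocated or copied. build_sample_png constructs a small IHDR+IEND skeleton so the check can be exercised offline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not libpng code: a minimal PNG chunk walker that refuses
 * to trust a chunk's declared length (or its CRC) before anything is
 * allocated or copied. All function names here are hypothetical. */

static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};

/* CRC-32 as used by PNG: reflected polynomial 0xEDB88320, init and final
 * xor 0xFFFFFFFF, computed over the chunk type and chunk data. */
static uint32_t png_crc32(const uint8_t *buf, size_t len)
{
    uint32_t c = 0xffffffffu;
    for (size_t i = 0; i < len; i++) {
        c ^= buf[i];
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (0xedb88320u ^ (c >> 1)) : (c >> 1);
    }
    return c ^ 0xffffffffu;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

enum png_result {
    PNG_OK = 0, PNG_BAD_SIG, PNG_BAD_LENGTH, PNG_TRUNCATED, PNG_BAD_CRC, PNG_NO_IHDR
};

/* Walk every chunk in buf[0..len). Returns PNG_OK only if the signature is
 * right, every declared length fits in the bytes that remain, every CRC
 * matches and the first chunk is IHDR. *chunks receives the chunk count. */
enum png_result png_check(const uint8_t *buf, size_t len, size_t *chunks)
{
    size_t pos = 8, n = 0;
    if (len < 8 || memcmp(buf, PNG_SIG, 8) != 0) return PNG_BAD_SIG;
    while (pos < len) {
        if (len - pos < 12) return PNG_TRUNCATED;       /* length + type + crc */
        uint32_t clen = be32(buf + pos);
        if (clen > 0x7fffffffu) return PNG_BAD_LENGTH;  /* spec: top bit must be 0 */
        /* The check a decoder must make before sizing any buffer: the
         * declared length comes from the file and may exceed what is there. */
        if (clen > len - pos - 12) return PNG_TRUNCATED;
        if (png_crc32(buf + pos + 4, clen + 4) != be32(buf + pos + 8 + clen))
            return PNG_BAD_CRC;
        if (n == 0 && memcmp(buf + pos + 4, "IHDR", 4) != 0) return PNG_NO_IHDR;
        n++;
        pos += 12 + clen;
    }
    if (chunks) *chunks = n;
    return PNG_OK;
}

/* Append one well-formed chunk (correct CRC) at out[pos]; returns the new end. */
size_t png_append_chunk(uint8_t *out, size_t pos, const char *type,
                        const uint8_t *data, uint32_t dlen)
{
    put_be32(out + pos, dlen);
    memcpy(out + pos + 4, type, 4);
    if (dlen) memcpy(out + pos + 8, data, dlen);
    put_be32(out + pos + 8 + dlen, png_crc32(out + pos + 4, dlen + 4));
    return pos + 12 + dlen;
}

/* Constructed sample (not a real image): signature, a 1x1 8-bit greyscale
 * IHDR and an IEND, no IDAT. 45 bytes; out must hold at least that. */
size_t build_sample_png(uint8_t *out)
{
    static const uint8_t ihdr[13] = {0, 0, 0, 1, 0, 0, 0, 1, 8, 0, 0, 0, 0};
    size_t pos = 8;
    memcpy(out, PNG_SIG, 8);
    pos = png_append_chunk(out, pos, "IHDR", ihdr, 13);
    pos = png_append_chunk(out, pos, "IEND", NULL, 0);
    return pos;
}
```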

    1. Re:It's a decoder problem by Anonymous Coward · · Score: 0

      Ok, I know of quite a lot of sites allowing you to upload pictures to e.g. a gallery. Pictures are then often scaled. (Which means both encoding and decoding.)

    2. Re:It's a decoder problem by mindriot · · Score: 1

      But wouldn't it still be possible to write a php script that, using libpng, loads a png file, and upload a malicious png for it to load? Yeah, encoding a png is probably safe. But, I mean, do something like this:

      $im = imagecreatefrompng("test.png");
      imagepng($im);

      ...and a malicious test.png will have to get loaded first.

      Well, of course you won't be able to execute arbitrary code as root (just as www-data or something, and you can already do that in your php script :)). But I'm not so sure how much a malicious png could actually take down in a crash.

    3. Re:It's a decoder problem by Anonymous Coward · · Score: 0

      Now, who's laughing? I knew my Captain Crunch secret decoder ring would come in handy some day. Muwhhahahahahahah!

      Laugh at me, will you? Just wait till I get out of this padded room....

    4. Re:It's a decoder problem by 0x0d0a · · Score: 1

      However, libpng is the most commonly used PNG implementation due to its free licence. These bugs affect very many applications (graphics applications, Office applications, user interface managers, browsers, etc.) which happen to use PNG.

      Note that this is an issue that has not received enough attention. These days, data files are transferred around a lot. Sure, people are terribly careful about network code, anything reading data from the network, but how careful are they in checking data that they're reading from "local" files? How secure is MS Office at reading MS Office files, or OpenOffice at reading OpenOffice files? What about libvorbis? How about id3 tag readers? The problem is exacerbated when authors of network applications treat code that reads "trusted", "local" files (i.e. libraries to parse files) as safe, and automatically hand off data to such libraries.

  17. Buffer overflow *again*? by Anonymous Coward · · Score: 2, Interesting

    We've all heard about buffer overflow problems in countless programs and libraries again and again. I'm not a programmer, but as I understand it, the problem is writing to unallocated memory areas. But this is not a new problem, it has happened for ages. Is it really that difficult to avoid? I understand that libpng as a "building block" library needs good performance, but is it really that much of a problem to write things in safer programming languages that don't allow these kinds of problems? Can some seasoned programming gurus here enlighten me?

    1. Re:Buffer overflow *again*? by Anonymous Coward · · Score: 1, Informative

      The safer languages would be e.g. python or java. You want an interpreter to decode your images?
      Anyway shit happens.

      An error?:

      #include <stdlib.h>
      #include <string.h>

      int main(void)
      {
          char str[] = "Hello";
          /* allocates strlen(str) bytes: no room for the terminating NUL */
          char *tst = malloc(strlen(str));
          /* copies exactly strlen(str) bytes, so tst is never NUL-terminated */
          strncpy(tst, str, strlen(str));
          free(tst);
          return 0;
      }

      An error?:

      /* dosomething() is assumed to be defined elsewhere */
      void doFoo(int *i, int length) /* i - array of ints, length - length of array */
      {
          int j;
          /* only safe if the caller's length really matches the array */
          for (j = 0; j < length; j++) {
              dosomething(i[j]);
          }
      }

      Depending on context both can be fatal.

    2. Re:Buffer overflow *again*? by Anonymous Coward · · Score: 0

      Maybe one of these days the D programming language will replace C and C++ (it is binary compatible with C and existing libraries need not be lost). It manages memory like most modern languages but is not interpreted so it will not have the atrocious performance of scripts or .net or java (whatever they say about improved performance... they ARE slow. Whatever the benchmark says, you can painfully tell when you are running a program in java and the like)

    3. Re:Buffer overflow *again*? by Anonymous Coward · · Score: 0

      I'm a programmer and no, buffer overflows are NOT difficult to avoid! For incompetent programmers, the simplest solution is simply to stop using stupid languages like "C".

    4. Re:Buffer overflow *again*? by IamTheRealMike · · Score: 1
      Technologies like execshield can help with this. I'd be interested to know if execshield prevented this problem being exploited.

      Yes you could reimplement libpng in a safe language that allowed for C export like D or maybe (with some hackery) Java. Nobody has though.

    5. Re:Buffer overflow *again*? by Anonymous Coward · · Score: 1, Funny

      They're trivial to avoid (read: impossible) in nearly every popular language except C, C++, or assembler. The future of computers is definitely having a simple, trusted kernel and running everything else with either proof-carrying code or in a virtual machine (or some combination of both!). I don't know what these people are doing with PNGs that they're absolutely convinced no language besides C can do it fast enough (I call BS). At least they could use OCaml and get better performance than C without buffer overflows.

    6. Re:Buffer overflow *again*? by Anonymous Coward · · Score: 0

      Input data verification has plenty of problems with managed memory too - you can easily crash a program by supplying it with bad data, so managed memory languages still need data verification.

      What you can do with non-managed memory languages to remove all buffer overflows is to use the right tools (no, not a managed heap :) ) but something like splint or Prefast.

    7. Re:Buffer overflow *again*? by Minna+Kirai · · Score: 1

      Simply put, if you are working in a language where you have control of the memory you use;

      That's not an answer, but an evasion. The question then becomes "Is it really that difficult to avoid languages where you have control of the memory?"- and as we all know, the answer to that is NO.

      There are no real obstacles to safer languages, it's just the historical inertia of the "good enough" C-compatible environment that keeps us there.

  18. Re:php ! by xenoandroid · · Score: 1

    You don't know how many times I've thought that when moderating.

  19. Re:php ! by dolmen.fr · · Score: 3, Insightful

    The article is about PNG, not PHP.

    Of course, but this means that free PHP hosting services are at risk, as some malicious users will try to exploit this flaw on the server side.

  20. PNG security threat by Anonymous Coward · · Score: 2, Funny

    Is there oil at Papua - New Guinea?

    1. Re:PNG security threat by MavEtJu · · Score: 1

      Is there oil at Papua - New Guinea?

      With the risk of being non-funny: yes.

      And the Australian government is making sure that they're getting their 'fair' share of it!

      --
      bash$ :(){ :|:&};:
  21. @Mozilla/FireFox-users: No Panic! by Anonymous Coward · · Score: 1, Informative

    Yesterday's releases of M1.7.2 and FF0.9.3 are fixed. Source: http://www.heise.de/security/news/meldung/49786
    (German site) :)

    1. Re:@Mozilla/FireFox-users: No Panic! by Anonymous Coward · · Score: 0

      Hmmm... I see someone was faster. Sorry :(

    2. Re:@Mozilla/FireFox-users: No Panic! by Anonymous Coward · · Score: 0

      (German site)

      Aah, I'm relieved.

  22. WinXP by Anonymous Coward · · Score: 1, Interesting

    Sorry I am kinda new to png stuff... can anyone explain how this might affect my Windows XP box? Should I go get the patch for my system? btw I am running Windows XP professional with service pack 1. Thanks in advance.

    1. Re:WinXP by Anonymous Coward · · Score: 0

      yes - if you download a png file on winxp it will delete your entire c:\ drive.

    2. Re:WinXP by Anonymous Coward · · Score: 2, Informative

      Sorry I am kinda new to png stuff... can anyone explain how this might affect my Windows XP box? Should I go get the patch for my system? btw I am running Windows XP professional with service pack 1. Thanks in advance.

      ! - in case this is for real.

      PNG is an image format. It's very popular. There's a free (not copyleft free) library that anyone can put in their software to handle the PNG format.

      There's a problem with this free library. If you're using software with a broken version of this library, you'll need to update the software.

      The XPSP2RC has either fixed or sidestepped the issue. If you want that, you can get it from Windows Update (v5). But it's still a release candidate so you might prefer to wait.

  23. Combine this... by cperciva · · Score: 4, Informative

    ... with this, and Linux gets to join the "visit a malicious website and get rooted" crowd.

    1. Re:Combine this... by caluml · · Score: 1
      All I get is this:
      [+] mmaped uncached file at 0x40014000 - 0x40015000
      [+] mmaped kernel data file at 0x4014c000
      [-] Race lost 0, use another file!
      Terminated
      No matter which file I try.
      Running 2.6.7-gentoo-r10
    2. Re:Combine this... by achurch · · Score: 2, Informative

      As far as I can tell, that only lets you read memory, which doesn't let you root anything. In fact, I tried the test and though it claimed to have worked, all I got was /proc/mtrr followed by 64MB of zeros, which seems odd since my machine's been up long enough that all my physical memory should have been stomped on at some point.

      So yes, these are both serious problems, but they still don't boost Linux up into that vaunted "rootable group". (:

    3. Re:Combine this... by thinkninja · · Score: 1

      Well, it all depends on what the attacker gets from the kernel memory dump. Could be that they get sensitive information or it could be they get nothing that would help in privilege escalation. I'd rather close that door altogether myself, by using 2.6.8-rc or 2.4.27.

      But, please, unless GP has written a proof of concept that shows Linux is rootable via rendering a webpage, he should stop posting flamebait and go back to working on his 'depenguinator'.

      --
      "The number of Unix installations has grown to ten, with more expected." (Unix Programmer's Manual, 2nd ed.; june 1972)
    4. Re:Combine this... by BillyBlaze · · Score: 1

      Unix guarantees that new pages are zero-filled, and this can happen in the background. (You can't make that assumption in programming because the stack could have grown bigger than it is now, and functions obviously don't zero the stack they used.)

    5. Re:Combine this... by Anonymous Coward · · Score: 0

      Maybe, and if you're foolish enough to be logged in as root.

  24. The latest SP2 fixes it. by WhoDaresWins · · Score: 5, Informative
    I know it's a joke, but it seems to work in IE as well, or at least an example PNG crashes it, I suppose one could be crafted for IE to exploit it.
    Well using XP SP2 RC2 build 2162 it does nothing in IE other than show a broken image link. Whatever Microsoft did in SP2, it seems to have mitigated it. They did recompile major parts of the OS for SP2 with the /GS VC++ stack checking compiler flag. That could have caught it. Or it could be that they were informed about it before full disclosure and they fixed it in SP2. Or that they don't use libpng and their library does it correctly or they fixed the issue by themselves. Whatever it is, they seem to have taken care of it. BTW the built-in Windows Picture and Fax Viewer also doesn't crash (nor does mspaint). You can test this out yourself if you have SP2 (don't know if builds earlier than 2162 fix it though) using this image link (Warning! Will crash non patched browsers!) from the original disclosure.

    It's reassuring that for once MS has already taken care of some security issue (for XP SP2 at least).
    1. Re:The latest SP2 fixes it. by Chester+K · · Score: 1

      don't know if builds earlier than 2162 fix it though

      No crash in a fully patched IE from XP SP1.

      --

      NO CARRIER
    2. Re:The latest SP2 fixes it. by forgoil · · Score: 1

      Could be NX as well:)

    3. Re:The latest SP2 fixes it. by Nerull · · Score: 3, Informative

      Try This image

      I got it from the bugzilla entry about the libpng issues.

      Actually, that image and the one above produce 2 different effects in IE now that I've tested both, maybe it's a different issue that got mixed into the same bugzilla entry.

    4. Re:The latest SP2 fixes it. by gosand · · Score: 1
      (Warning! Will crash non patched browsers!)

      Thanks for the link. This is one reason that I have an external application set up to handle images. Irfanview reports this as an invalid PNG. Of course, if it were embedded in a web page...

      --

      My beliefs do not require that you agree with them.

    5. Re:The latest SP2 fixes it. by Pxtl · · Score: 1

      Brought down my IE too, and I'm all updated on this XP box.

    6. Re:The latest SP2 fixes it. by Mononoke · · Score: 1
      Brought down Safari version 1.2.2 (v125.8) also.

      --
      NetInfo connection failed for server 127.0.0.1/local
    7. Re:The latest SP2 fixes it. by rasz · · Score: 1

      Opera 7.54 - nothing happened

    8. Re:The latest SP2 fixes it. by Anonymous Coward · · Score: 0

      "The image "http://www.graphicsmagick.org/libpng/beta/samples/bigw.png" cannot be displayed, because it contains errors."

      Netscape 7.1

    9. Re:The latest SP2 fixes it. by AliasTheRoot · · Score: 1

      404 file not found on the latest IE for win2k, will check it with firebird when I get home.

    10. Re:The latest SP2 fixes it. by Troed · · Score: 1

      Opera are _fast_ - it crashes 7.53 so that's what the update is for.

    11. Re:The latest SP2 fixes it. by NaDrew · · Score: 1
      (Warning! Will crash non patched browsers!)
      Opera 7.53/3850 on XP Pro SP1 crashed when it tried to load that file. I note that Opera 7.54 is now available, but the changelog doesn't mention PNG fixes.
      --
      Vista:XPSP2::ME:98SE
    12. Re:The latest SP2 fixes it. by NaDrew · · Score: 1

      7.54 crashes as well.

      --
      Vista:XPSP2::ME:98SE
  25. Arbitrary Code...? by Anonymous Coward · · Score: 2, Funny

    What is arbitrary code? How is it any different as compared to any other computer code, say a piece of software?

    1. Re:Arbitrary Code...? by Anonymous Coward · · Score: 1, Informative

      It isn't. It just means code that is not part of the program itself, but
      rather code that is injected into the program/software, and the software
      is then tricked to running that code.

    2. Re:Arbitrary Code...? by GregChant · · Score: 1

      Not entirely true. Arbitrary code is any code or script that has been written to perform an arbitrary task; malicious or otherwise. Arbitrary code is equivalent to saying "random sourcecode x".

    3. Re:Arbitrary Code...? by Anne+Thwacks · · Score: 1

      Bill Gates has a patent on arbitrary code. (Or maybe that was SCO).

      --
      Sent from my ASR33 using ASCII
  26. Where did you get the example PNG ? by Gopal.V · · Score: 1

    There's this custom PNG decoder ... and I'm just curious

    1. Re:Where did you get the example PNG ? by WhoDaresWins · · Score: 1

      I got the link from the original full disclosure over here. See near the end of section 1. That link is given in the CERT alert.

    2. Re:Where did you get the example PNG ? by Nerull · · Score: 1

      http://www.graphicsmagick.org/libpng/beta/samples/bigw.png Got it from bugzilla.

  27. esr, not rms. by Anonymous Coward · · Score: 0

    nT

  28. Why do you guys even try?? by ModernGeek · · Score: 0, Offtopic

    I don't get trolling, it isn't funny, and thanks to moderation, it isn't even annoying. So, why do people still try, I don't see a fucking point. It's stupid, it's old, and I'm feeding one.

    --
    Sig: I stole this sig.
    1. Re:Why do you guys even try?? by Anonymous Coward · · Score: 0

      Why? Google for "trolls", top hit.

  29. Debian by Fuzzums · · Score: 3, Interesting

    Within an hour (or so) after the CERT-mail I also got the Matt Zimmerman-mail.

    Fixed :)
    I love this!

    Thanks Guys!

    --
    Privacy is terrorism.
    1. Re:Debian by Anonymous Coward · · Score: 0

      Fixed :)
      I love this!


      Except it has been sitting there in the code for a long, long time for all to see and exploit. So much for thousands of eyes examining the code :)

  30. ror by Anonymous Coward · · Score: 0

    no yuo!

  31. Fucking incompetent idiots. by Anonymous Coward · · Score: 0

    Did it ever occur to the authors of the library that input data could be from a hostile source?

  32. SuSE patch also already available by Anonymous Coward · · Score: 2, Informative

    I just patched my SuSE box. Man that was fast ... or perhaps .. it is because Germany is 6 hours ahead of me.

  33. Attribution? by Quixote · · Score: 2, Interesting
    Would it be too much to ask whose code was it that had the vulnerability?

    I think it is time we started attributing vulnerabilities to the authors (just as we do with companies).

    1. Re:Attribution? by FireFury03 · · Score: 2, Insightful

      If you do that (which is probably a good idea) you'll need to weight it based on the amount of code written by that author that _could_ contain a security hole. Otherwise the stats will just show that the authors who write 99% of the complex network-facing code are responsible for most security holes.

    2. Re:Attribution? by pclminion · · Score: 2, Insightful
      I think it is time we started attributing vulnerabilities to the authors (just as we do with companies).

      Terrible idea. I can tell you right now, if I knew I'd be held personally responsible for bugs in open source software I contributed to, I would not contribute. If you want me to take responsibility for my bugs, give me money.

      If you don't like buggy free software, don't use it. What you're describing sounds almost like an inverse meritocracy, where people get branded if they don't write code that's "good enough." All that serves to do is scare people away from contributing.

      What's really irritating to me, is that often times the people bitching the loudest are unwilling and unable to contribute to such projects themselves. Sorry, but I'm not going to subject myself to a bunch of amateur sideline criticism. It ain't worth it.

    3. Re:Attribution? by ricmoo · · Score: 1

      I think it's a great idea! I don't know how many of us would actually stop coding OSI if we were going to have our name stapled to serious vulnerabilities.

      I'd sooo put bugs like this on my resume...

    4. Re:Attribution? by mewphobia · · Score: 1
      Would it be too much to ask whose code was it that had the vulnerability?

      Yes.

      I think it is time we started attributing vulnerabilities to the authors (just as we do with companies).

      Yes, we do it to companies. Note that this is different from doing it to individuals inside companies. So you're basically wanting to punish open source authors for giving up their free time as opposed to being paid for what they do?

      I'm sure that if a bug is found in a piece of code (say libpng) the author certainly knows who they are, and going to be more careful. Why is that not enough?

      The open source movement should be about rewarding the efforts of others. It should be about pushing people up. What you're suggesting is akin to a lynching.

      Furthermore, open source already has an inherent method of dealing with bugs! As soon as they are found, someone releases a patch! Who would have thought!

    5. Re:Attribution? by pilkul · · Score: 1

      Horrible idea IMHO. What good would that do? You think there would be less bugs? Most developers are already doing their best to avoid all security problems, but they're only human and some slip through the cracks. Your proposal would only discourage developers from working on a project for fear of being branded a bugster, and would do nothing at all for security.

    6. Re:Attribution? by Anonymous Coward · · Score: 0
      The open source movement should be about rewarding the efforts of others.

      Yes, reward for the effort, and acknowledge your mistakes. It goes both ways.

      As soon as they are found, someone releases a patch!

      Except the bug should not have been there in the first place!

  34. Spoken like a true AC... by Anonymous Coward · · Score: 0

    Java is not interpreted. Your Java example might cause an ArrayIndexOutOfBoundsException (or whatever the hell they're called), but it sure as hell isn't going to allow someone to insert random data into the heap/stack and have it executed with the privileges of the user running java.

    1. Re:Spoken like a true AC... by Anonymous Coward · · Score: 0

      Java is not interpreted. Your Java example

      I'm not the same AC, but ...

      I don't see any Java example. I see two C examples. First one uses C string functions, second one uses pointers.

    2. Re:Spoken like a true AC... by Anonymous Coward · · Score: 0

      there was no java example, you java-minded anonymous coward!

      or does java support pointers now ???? have malloc and strncpy finally made it to java??? i doubt it.

      not everything that looks like C or C++ is java.

    3. Re:Spoken like a true AC... by Anonymous Coward · · Score: 0

      Java is not interpreted.

      It may not be technically interpreted. But it is not compiled down to actual machine code. It is compiled to Java byte code which is interpreted. Java is very slow compared to c/c++. So it is not practical for many applications.

    4. Re:Spoken like a true AC... by shish · · Score: 1
      It is compiled to Java byte code which is interpreted

      No, it's compiled to bytecode for distribution, and then compiled to binary on the fly whenever you run it. Java could be the same speed as C++, it's just that Sun haven't done as much optimisation as the GCC guys have.

      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
    5. Re:Spoken like a true AC... by Anonymous Coward · · Score: 0

      No, it's compiled to bytecode for distribution, and then compiled to binary on the fly whenever you run it.

      It could be compiled when you run it. Most implementations of the Java VM still interpret it.

    6. Re:Spoken like a true AC... by Minna+Kirai · · Score: 1

      Java could be the same speed as C++

      So long as "compiling to binary on the fly" takes ZERO time.

      But actually, GCC can compile Java to binary ahead of time, just like it does with any C++ code. But having experimented with this, it doesn't go any faster than Java in a VM on the same machine... which could either indicate the VM is compiling very well, or (more likely) that GCC isn't very optimized for Java inputs.

  35. opensource and security risks ! by chrisranjana.com · · Score: 0

    Even though open source has security risks it is much less than closed source systems like ....

    --
    Chris ,
    Php Programmers.
  36. How old is it REALLY? by goldspider · · Score: 0, Flamebait

    How long has this vulnerability been in libpng? It's easy to claim that Linux has zero-hour responses to bugs when you announce vulnerabilities after they're patched, but what I'd like to know is how long this has been a problem.

    --
    "Ask not what your country can do for you." --John F. Kennedy
    1. Re:How old is it REALLY? by jrockway · · Score: 1

      > How long has this vulnerability been in libpng?

      Forever. Are you happy with that answer? That proves, once and for all, that Linux fucking sucks. I mean how could the DUMBFUCK developers let a bug like that through!?!?!

      Seriously, though. People make mistakes. The libpng people made a mistake. They fixed it, and nobody got hurt. So I don't see the problem.

      If it's news to you that OSS isn't bugfree, then you need to wake up. The difference between OSS and M$ (et. al.) is that the OSS people fix bugs/'ploits faster. See how you can get a fixed version RIGHT NOW? Where's the fixes for MSIE?

      --
      My other car is first.
    2. Re:How old is it REALLY? by NineNine · · Score: 1

      See how you can get a fixed version RIGHT NOW?

      Programmers and advanced sysadmins can get a fixed version right now. Every normal person has to wait "a few weeks".

    3. Re:How old is it REALLY? by Waffle+Iron · · Score: 2, Informative
      Programmers and advanced sysadmins can get a fixed version right now. Every normal person has to wait "a few weeks".

      Umm... the point-and-drool update utility in my SuSE box automatically installed the patch last night. No programming or advanced sysadmining was required on my part.

    4. Re:How old is it REALLY? by NineNine · · Score: 1

      Most people don't use SUSE. Most people use Windows. I use Firefox on W2K. How do I get this new patch, huh?

    5. Re:How old is it REALLY? by Waffle+Iron · · Score: 1

      Well, I guess that could be a problem. I personally don't use Firefox, mainly because it's still in beta and doesn't yet integrate with my system's package management. (Plus, it doesn't offer huge feature improvements over Konqueror or Mozilla.) The non-beta browsers that did come with my system, however, are already fixed.

    6. Re:How old is it REALLY? by Daltorak · · Score: 1

      Here's the fix for MSIE, dated August 1st:

      http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx

      You asked...

    7. Re:How old is it REALLY? by AstroDrabb · · Score: 1

      How about just download the new version? Or did you mean how are you supposed to know about it if you are not a geek and read it on /.? Well, go under Tools -> Options -> Advanced, you should see a section called Software Update. Firefox will check periodically for a newer version, or you can click the big button labeled Check Now if you want to do it manually. So non-techie Firefox users will get a notice that there is a newer version. Wow, isn't technology great!

      --
      If Tyranny and Oppression come to this land,
      it will be in the guise of fighting a foreign enemy. -James Madison
  37. Fucking Microsoft security holes! by NineNine · · Score: 0, Flamebait

    I am SO sick of these Microsoft security holes. Plus, a fix in "a few weeks"? What are they thinking? Jesus, if this were open source, we'd have a fix *today*, and we probably wouldn't have had this happen in the first place!! What am I supposed to do about my machine during the next "few weeks"? Make sure that avoid all sites with PNG files, even though I don't know if they have any until I surf to them? Piece of shit company...

    Oh wait...

    Ooops. Just re-read the article. Yaaay Open Source! I'm so glad that they've been open about this bug, and are fixing it so quickly! Good job guys!

  38. Proof of Concept image by JUSTONEMORELATTE · · Score: 1

    Man, whatever happened to popping up a Solitaire game to prove that you could execute arbitrary code? Now we've got an example image which crashes the browser (Netscape 7.1) and locks the profile, so the only way I can get back to bitch about it is to cold boot the damn (win2k) machine.

    damn kids these days.

    --

  39. Perfect for spyware... by Call+Me+Black+Cloud · · Score: 1, Funny


    ...because, as you know, in Soviet Russia pr0n watches you!

    Sorry, it's early for me. I'm not warmed up yet. They'll get better...

  40. Another exploit in libpng by ShadowRage · · Score: 4, Interesting

    image bombs. basically, you create a 190000x190000 pixel monochrome image, save it, and it compresses to 43 kb

    anyone opens it... *BAM* it expands into 2gb of ram.

    1. Re:Another exploit in libpng by Anonymous Coward · · Score: 0

      That's hardly an exploit is it? What exactly do you expect it to do with a 190000 x 190000 image?

      If you zip up 2GB of zeroes, e-mail the resulting tiny file to someone and they open it, it is, amazingly enough, going to consume 2GB of memory. Do you think that's an exploit too?

      Now if opening the image causes your house to burn down, your wife to leave you and your pet dog to get gang-raped then you might have a point.

    2. Re:Another exploit in libpng by thogard · · Score: 4, Interesting

      This is a problem? I've got about 300 people try to anon-proxy through one of my servers every day. When they ask for a gif (or png or whatever) it would be nice to give them something to make them go away.

    3. Re:Another exploit in libpng by Minna+Kirai · · Score: 1

      BAM* it expands into 2gb of ram.

      *BAM* it reveals that the client-software shouldn't have been naively decompressing the whole file, but only the part it was going to display. (Loading more data from the file when the user begins scrolling)

      But seriously folks, this is an example of why DoS attacks can't really be automatically prevented. There's no strict boundary between a legitimate use of heavy resources and intentional squandering of resources.

      What if someone wants to store 190000 pixels of black? On the other hand, if I'm browsing the web on my PDA, then a 1280x1024 image will just about bomb me out.
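      The defender-side check the comment above hints at, as an added example that is not from the thread or from libpng: read the PNG signature and IHDR chunk and estimate the decoded size before any decoder allocates it. The 190000x190000 monochrome image from the thread is used as a constructed test input; the CRC is not verified and the 256 MiB budget in main is an arbitrary assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* PNG width/height are 31-bit and nonzero (PNG spec, IHDR). */
#define PNG_MAX_DIM 0x7FFFFFFFu

static const unsigned char PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Samples per pixel for each PNG colour type; 0 for an invalid type. */
static int png_channels(int color_type)
{
    switch (color_type) {
    case 0: return 1;  /* greyscale */
    case 2: return 3;  /* truecolour */
    case 3: return 1;  /* indexed */
    case 4: return 2;  /* greyscale + alpha */
    case 6: return 4;  /* truecolour + alpha */
    default: return 0;
    }
}

/* Parse the signature and IHDR (first 33 bytes) and estimate how many
 * bytes a decoder that unpacks the whole image needs: one filter byte
 * plus a packed scanline per row.  Returns 0 and sets *decoded_bytes
 * (saturated to UINT64_MAX on overflow), or a negative code:
 * -1 input too short, -2 bad signature, -3 IHDR not first or wrong size,
 * -4 invalid dimensions, bit depth or colour type.  CRC is not verified. */
int png_estimate_decoded_bytes(const unsigned char *buf, size_t len,
                               uint64_t *decoded_bytes)
{
    if (len < 33) return -1;
    if (memcmp(buf, PNG_SIG, 8) != 0) return -2;
    if (be32(buf + 8) != 13 || memcmp(buf + 12, "IHDR", 4) != 0) return -3;

    const unsigned char *ihdr = buf + 16;
    uint32_t width = be32(ihdr), height = be32(ihdr + 4);
    int bit_depth = ihdr[8], color_type = ihdr[9];
    int channels = png_channels(color_type);

    if (width == 0 || height == 0 || width > PNG_MAX_DIM || height > PNG_MAX_DIM)
        return -4;
    if (channels == 0 || (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
                          bit_depth != 8 && bit_depth != 16))
        return -4;

    /* width < 2^31 and channels*bit_depth <= 64, so this product fits in 64 bits. */
    uint64_t bits_per_row = (uint64_t)width * (uint64_t)channels * (uint64_t)bit_depth;
    uint64_t row_bytes = (bits_per_row + 7) / 8 + 1;
    /* row_bytes * height can exceed 2^64; saturate instead of wrapping. */
    if (row_bytes > UINT64_MAX / height)
        *decoded_bytes = UINT64_MAX;
    else
        *decoded_bytes = row_bytes * (uint64_t)height;
    return 0;
}

/* Policy gate: 1 if the image can be decoded within max_bytes, 0 if it
 * should be refused (too large or malformed) before any decoder runs. */
int png_within_budget(const unsigned char *buf, size_t len, uint64_t max_bytes)
{
    uint64_t need;
    return png_estimate_decoded_bytes(buf, len, &need) == 0 && need <= max_bytes;
}

/* Build a constructed 33-byte PNG prefix (signature + IHDR chunk) for
 * testing.  The CRC field is left zero because the check above ignores it. */
void make_png_prefix(unsigned char out[33], uint32_t w, uint32_t h,
                     int bit_depth, int color_type)
{
    memset(out, 0, 33);
    memcpy(out, PNG_SIG, 8);
    out[11] = 13;                      /* chunk length 13, big-endian */
    memcpy(out + 12, "IHDR", 4);
    out[16] = (unsigned char)(w >> 24); out[17] = (unsigned char)(w >> 16);
    out[18] = (unsigned char)(w >> 8);  out[19] = (unsigned char)w;
    out[20] = (unsigned char)(h >> 24); out[21] = (unsigned char)(h >> 16);
    out[22] = (unsigned char)(h >> 8);  out[23] = (unsigned char)h;
    out[24] = (unsigned char)bit_depth;
    out[25] = (unsigned char)color_type;
    /* out[26..28]: compression, filter, interlace = 0; out[29..32]: CRC = 0 */
}

int main(void)
{
    unsigned char hdr[33];
    uint64_t need;
    /* Constructed input: the 190000x190000 monochrome image from the thread. */
    make_png_prefix(hdr, 190000u, 190000u, 1, 0);
    if (png_estimate_decoded_bytes(hdr, sizeof hdr, &need) == 0)
        printf("190000x190000 1-bit: %llu bytes, within 256 MiB: %d\n",
               (unsigned long long)need,
               png_within_budget(hdr, sizeof hdr, 256ull << 20));
    return 0;
}
```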

    4. Re:Another exploit in libpng by sploo22 · · Score: 1

      Good idea! I'll start up the Gimp and make one of those myself. Be back in just a second. ... ... ...

      *CONNECTION TIMEOUT*

      --
      Karma: Segmentation fault (tried to dereference a null post)
    5. Re:Another exploit in libpng by jefp · · Score: 1

      I've been using the equivalent in GIF for years, but I had to write a custom program to create the file. No image editor could do it.

      I guess I could adapt the program for PNG.

    6. Re:Another exploit in libpng by lubricated · · Score: 1

      care to link to such an image?

      the way you say it, it should be easy to create.

      --
      It has been statistically shown that helmets increase the risk of head injury.
    7. Re:Another exploit in libpng by Krunch · · Score: 1
      Here you go.
      $ perl -e 'use GD; $size = 190000; $img = new GD::Image($size, $size); $img->colorAllocate(0,0,255); print $img->png'
      Bypassing libGD to create the PNG "manually" would probably be faster but I don't have enough knowledge about PNG to do that.
      --
      No GNU has been Hurd during the making of this comment.
    8. Re:Another exploit in libpng by ShadowRage · · Score: 1

      http://www.acidchat.net/images/fuck_you_celeste.png

      was meant for a certain bitch.

    9. Re:Another exploit in libpng by lubricated · · Score: 1

      cool, that worked

      --
      It has been statistically shown that helmets increase the risk of head injury.
    10. Re:Another exploit in libpng by lubricated · · Score: 1

      actually IE opens it just fine, mozilla based browsers under linux crash

      --
      It has been statistically shown that helmets increase the risk of head injury.
  41. BOEM. by leuk_he · · Score: 2, Informative

    Microsoft internet explorer has encountered a problem and needs to close. We are sorry for the inconvenience.

    bla bba
    [x] restart Microsoft internet explorer ...

    [b]WOW[/b], it is a portable bug!

    can anybody tell us if this is exploitable?

  42. 5 informative... my ass! (in jpeg!) by Anonymous Coward · · Score: 0

    Moderators moderate this parent away. Links to bugzilla from /. have not WORKED for years!!!

    he could have linked to the NEW RELEASE!

    1. Re:5 informative... my ass! (in jpeg!) by beardz · · Score: 1

      Right, and you're not capable of copying and pasting the link into a new browser window? More to the point, since when has a demonstration of the png fault been considered a new version of anything? (i.e., your "NEW RELEASE" link?) Whatever :)

  43. With security holes like this... by Anonymous Coward · · Score: 0

    ...maybe these guys should upgrade to a decent OS like Windows :-)

  44. Standardized Libraries by Teancum · · Score: 1

    The LibPNG library is merely a standardized library for reading and writing PNG files. It has been ported to many platforms and is even LGPL'd.

    This makes it a two-edged sword in some ways, because nothing is specifically keeping you from writing your own implementation of the PNG specification, but most people are generally lazy and grab whatever is at hand, particularly if it is well written.

    The trick is to keep the formal specification separated from the implementation so the implementation doesn't become the specification. Particularly with multimedia data formats, I've seen this happen far too often. PNG is particularly well designed in this regard, so you don't have to specifically condemn the format, just a particular library for problems like the CERT warning. Some formats are much worse in this regard.

    That issues like this are coming up is more of a sign that the library is being widely used. One way to prevent issues like this from really taking over is to provide alternative implementations, so a "virus writer" couldn't depend on a specific implementation for an exploit like this.

    1. Re:Standardized Libraries by thebatlab · · Score: 1

      Are you off your rocker? "Dum de dum...I need to display some PNGs in my program. Rather than use the widely known and used libpng I think I'll write my own entire library". Umm ever hear of not re-inventing the wheel? NIHS? Re-use?

      "but most people are generally lazy and grab whatever is at hand"

      It has nothing to do with laziness and if you can't see that then I never want you to write any software for me.

      "One way to prevent issues like this from really taking over is to provide alternative implementations, so a "virus writer" couldn't depend on a specific implementation for an exploit like this."

      At some point this argument stops holding water. And that point was yesterday! There is nothing wrong with having one major implementation of a widely used multimedia format. I know, I know. "But look at the vulnerabilities". Yup, and they're all fixed now so everybody can update their apps easily and away they go. Otherwise who's to say that out of the myriad of implementations you're hoping for, 1/4 won't have exploits in them?

    2. Re:Standardized Libraries by Anonymous Coward · · Score: 0

      Are you off your rocker? "Dum de dum...I need to display some PNGs in my program. Rather than use the widely known and used libpng I think I'll write my own entire library". Umm ever hear of not re-inventing the wheel? NIHS? Re-use?

      Many readers will overlook an erroneous trivialization of the work required to produce quality software, so many posts use such a trivialization to seem insightful when they're really spouting a bunch of garbage. Heck, occasionally these crackpots will say that someone should fork Mozilla to fix one lousy bug!

  45. Bugs in Compilers... by Tom7 · · Score: 2, Interesting

    On the other hand, it's quite difficult for a bug to creep into a compiler's bounds checking code (which is typically very simple). I know of no such historic examples, though perhaps this is because relatively few apps actually use safe compiled languages. (It would presumably have to be matched by a bug in the application code...) Interpreters and JIT compilers are much more subject to this kind of problem, particularly if they are written in C themselves. ;) There have been a few JVM exploits historically, though it is still much easier to make a secure JVM than to make tens of thousands of secure applications.

    Finally, remember that even C has the burden of bugs in its compiler, runtime, and libraries, so this argument is useless at differentiating between C and safe compiled languages (unless you can argue that the latter have more complicated support code).

  46. Canary by bsd4me · · Score: 3, Informative

    You can protect against this too. The technique is to put a "canary" on the stack frame and make sure it is still there before you return.

    There are at least two patches to gcc that do this. One is called ProPolice. The name of the second is escaping me right now. OpenBSD includes ProPolice by default.

    Google on stack-smashing protectors for more info.

    --

    (S(SKK)(SKK))(S(SKK)(SKK))

    1. Re:Canary by RLW · · Score: 1

      Or just write good code that includes bounds checking.

      Jeepers.

      Never use strcpy, always use strncpy. Make sure the code can determine the size of the destination and never copy more than it can hold. Employ smart buffers that won't let you overrun what they can hold. This type of exploit has been too widely known to simply ignore. Besides, it's good programming practice that should have been followed to begin with.

    2. Re:Canary by Minna+Kirai · · Score: 1

      Or just write good code that includes bounds checking.

      Or just never crash your car. That way, you don't need a seatbelt or airbags.

      In fact, if these stupid humans would stop being making mistakes, all kinds of problems would just go away. The nerve of some people; making the world a more dangerous place, just because they happen to be fallible!

    3. Re:Canary by Fenris+Ulf · · Score: 1
      Never use strcpy, always use strncpy.

      It's a tragedy that this won't be modded funny.

      And on the off chance that you're serious, don't use strncpy, since it doesn't terminate your strings if it hits the byte limit.

      Personally, I'm a fan of snprintf(), and I think the last few decades of Unix would have been a lot safer had it existed in K&R stdio.

    4. Re:Canary by runderwo · · Score: 1
      Yes, because clearly it is a difficult and convoluted procedure to set the last byte in the string to 0 after using strncpy().

    5. Re:Canary by Annoying · · Score: 1

      To make a mockery of your point, it is equally difficult and convoluted to do proper bounds checking isn't it?
      Yet it doesn't happen, as setting the last byte in a string to 0 might often not happen. I'm not a programmer really so I don't know what occurs if the last byte of a string isn't null, it might be less dangerous than buffer overflows but it doesn't sound like strncpy() is any more fool-programmer-proof.

    6. Re:Canary by inflex · · Score: 1

      Actually, you might be meaning "strlcpy". strncpy is almost just as bad as strcpy.

      The key issue is (quoted from the man page)

      "The strncpy() function is similar, except that not more than n bytes of src are copied. Thus, if there is no null byte among the first n bytes of src, the result will not be null-terminated."

      Which basically means that you still stand the risk of having strings which aren't terminated correctly (not quite a buffer overflow at the strncpy point, but will create interesting problems later).

      Either use strlcpy or snprintf.

      PLD.
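      The strncpy/strlcpy/snprintf point made across the replies above, as an added C example that is not code from the thread or from libpng: plain strncpy leaves the destination unterminated when the source fills it, runderwo's explicit terminator fixes that but hides truncation, and an snprintf-based copy both terminates and reports it. The function names, the buffer size and the sample strings are my own constructions.

```c
#include <stdio.h>
#include <string.h>

enum { DEMO_SIZE = 8 };
static char demo_buf[DEMO_SIZE];   /* shared destination for the demo */

/* Plain strncpy, as inflex's man-page quote warns: when src has no NUL
 * among its first dst_size bytes, dst is left without a terminator.
 * Returns 1 if dst ended up NUL-terminated, 0 if it did not. */
int copy_with_strncpy(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size);
    return memchr(dst, '\0', dst_size) != NULL;
}

/* runderwo's fix: copy at most dst_size-1 bytes, then force the last
 * byte to 0. Always terminated, but truncation is silent. */
void copy_strncpy_terminated(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
}

/* The snprintf alternative: always terminates and, following the
 * strlcpy convention, returns the length src needed, so a result
 * >= dst_size tells the caller the copy was truncated. */
size_t copy_bounded(char *dst, size_t dst_size, const char *src)
{
    int needed = snprintf(dst, dst_size, "%s", src);
    return needed < 0 ? 0 : (size_t)needed;
}

int main(void)
{
    const char *fits = "abc";             /* constructed sample inputs */
    const char *too_long = "0123456789";  /* longer than DEMO_SIZE */

    printf("strncpy terminated (short src): %d\n",
           copy_with_strncpy(demo_buf, sizeof demo_buf, fits));
    printf("strncpy terminated (long src):  %d\n",
           copy_with_strncpy(demo_buf, sizeof demo_buf, too_long));

    copy_strncpy_terminated(demo_buf, sizeof demo_buf, too_long);
    printf("forced terminator: \"%s\" (data silently lost)\n", demo_buf);

    size_t n = copy_bounded(demo_buf, sizeof demo_buf, too_long);
    printf("snprintf: \"%s\", needed %zu, truncated=%d\n",
           demo_buf, n, n >= sizeof demo_buf);
    return 0;
}
```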

    7. Re:Canary by Krunch · · Score: 1
      The name of the second is escaping me right now.
      I think it's StackGuard.
      --
      No GNU has been Hurd during the making of this comment.
    8. Re:Canary by Anonymous Coward · · Score: 0

      I know a CS professor that goes by runderwo... you aren't he, are you?

  47. Official Language-based security thread! by Tom7 · · Score: 2, Insightful

    (This troll would be more effective if not posted anonymously.)

    Indeed this flamewar has been repeated many times. Safe languages do indeed provide protection from these kinds of attacks and typically at a fairly small speed penalty (depending on the language; the number-two language on that list is safe and places above C++!).

    See the earlier slashdot discussion for loads of argument. ( here for my perspective--note, I am a tower-in-the-sky PhD student in programming languages, but I do write lots of code in many languages, including C and C++.) I am still boggled that programmers who claim to be interested in security (and who moreover claim to be uninfluenced by marketing and "cool", but rather by technical concerns) still choose C or C++ for their projects.

    1. Re:Official Language-based security thread! by timeOday · · Score: 1
      I am still boggled that programmers who claim to be interested in security (and who moreover claim to be uninfluenced by marketing and "cool", but rather by technical concerns) still choose C or C++ for their projects.
      I agree that unsafe languages are on the way out for most applications in the long run. There's just no reason NOT to prevent these errors automatically. Code reviews and "being careful" are not solutions. There's no good reason for a language to be full of "undefined behavior" black holes.

      And yet I'm a hypocrite, as I use C++ for most things (except Perl for text processing and little utilities). Why? Because the maturity of the tools, availability of libraries, and performance.

      I don't feel performance and GUI appearance are inherently degraded by VM's, but in today's world, they are. Every Tom Dick and Harry has an interpreted scripting language with a bunch of different unstable GUI bindings, but that's not good enough.

      I'm afraid that Linux is losing ground to MS on this front. Microsoft's CLR is here to stay and has good development tools. Soon most apps for Windows won't have buffer overflows or invalid pointers anymore. They'll still be open to other things, like email worms, but regardless it will seem increasingly senseless and frustrating when yet another buffer overflow attack is found in a Linux app.

    2. Re:Official Language-based security thread! by Dr.+Manhattan · · Score: 1
      I am still boggled that programmers who claim to be interested in security (and who moreover claim to be uninfluenced by marketing and "cool", but rather by technical concerns) still choose C or C++ for their projects.

      For some types of programs, performance (in speed and resource use) really really matters. There are targets that current VMs just can't meet. These situations are becoming increasingly rare (indeed, IMHO they are the distinct minority at this point, thank goodness), but they do exist.

      Careful design can minimize a lot of this. I chose C for my secure networking program, but made sure it couldn't be subject to buffer overflow and other such attacks. If you look at the design goals and restraints, I think you'll agree that C was the right choice.

      --
      PHEM - party like it's 1997-2003!
    3. Re:Official Language-based security thread! by Tom7 · · Score: 1

      I agree with you, and there are definite social and tool-availability pressures that make modern languages harder to use. But these problems are easily solved with a community effort, which is something that open source folks are good at!

      I also agree that I think windows will see a real security benefit from the .NET CLR (maybe only because it will allow programmers to more easily integrate newer and more secure languages with the OS API), and I think it's sad that linux will have to play catch-up.

      By the way, safe languages by no means need a VM. SML and O'Caml are both natively compiled, fast, and safe.

    4. Re:Official Language-based security thread! by Tom7 · · Score: 1

      There are targets that current VMs just can't meet.

      True, but there exist several fine safe languages that don't use VMs.

    5. Re:Official Language-based security thread! by Anonymous Coward · · Score: 0

      See the earlier slashdot discussion [slashdot.org] for loads of argument. ( here [spacebar.org] for my perspective--note, I am a tower-in-the-sky PhD student in programming languages, but I do write lots of code in many languages, including C and C++.) I am still boggled that programmers who claim to be interested in security (and who moreover claim to be uninfluenced by marketing and "cool", but rather by technical concerns) still choose C or C++ for their projects.

      "It is a poor carpenter that blames his tools."

      C and C++ do suffer from buffer overflow attacks, but it is possible to guard against such attacks. If there were a (preferably standard) safer array construct in C that everyone could use instead of plain old arrays, then C could be almost as safe as other languages. Unfortunately, there seems to be a lot of inertia that keeps everyone from adopting a non-standard safer container. However, we could, in theory, make the language much safer than it is today without replacing it altogether.

  48. Topic is wrong by Anonymous Coward · · Score: 0

    If this had been a Windows problem I suspect the Topic would have been Bug or Security, obviously since it's Linux we couldn't put it there, hmm programming that sounds nice.

  49. Har har. You are teh clevar. by Ayanami+Rei · · Score: 0, Troll

    You've got the slashbot MINDSET pat down. Maybe you can pretend to be a slashdotter in the TALENT SHOW.
    Also, your website sucks.

    --
    THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
  50. Kind of amusing, since... by devphil · · Score: 1
    ...a few months ago, there was a /. article roasting someone at an antivirus software company for suggesting that "JPEGs may open holes to viruses" and "we may have to give up the JPEG format."

    Slashdot readers were waiting in line to flame the guy for suggesting that mere image files could have any possible security implications ("it's just a data file, it doesn't contain code, he's obviously clueless, unlike me and everyone who agrees with me"), and raising the spectre of having to abandon JPEGs because of a virus ("dumbass, we can fix anything, we're invulnerable").

    The mockers were partly right, in that of course such a hole would be patched and we could all move on with our lives; nobody's suggesting today that PNG be abandoned, and if libjpeg were discovered to secretly transmit an email calling for the assassination of Ronald McDonald when asked to display an image of a taco, nobody sane would call for dropping JPEGs, either.

    But hopefully some of the 10-year-olds flaming away then with "no simple data file can open a door to a virus or have any security effect, cuz the contents aren't executed as code, l00zer" will get a bit of an education today. You only hope the contents aren't executed as code...

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
    1. Re:Kind of amusing, since... by slamb · · Score: 1
      But hopefully some of the 10-year-olds flaming away then with "no simple data file can open a door to a virus or have any security effect, cuz the contents aren't executed as code, l00zer" will get a bit of an education today. You only hope the contents aren't executed as code...

      Indeed. I've noticed recently some .pdf files that can crash Apple's Preview.app. That makes me nervous, since often such crashes are exploitable. I wonder how long it is before someone makes malicious .pdfs...we're used to those being safe, but maybe they aren't.

    2. Re:Kind of amusing, since... by jack_csk · · Score: 1

      Then Microsoft will declare that document files are formatted texts and can't execute code.
      Oh...wait... they can.

  51. Mitigation... by Chief+Typist · · Score: 2

    It appears to me that this problem exists at both the client and the server.

    Updating a server to use the patched version of libpng is an obvious first step. You don't want the buffer overflow compromising security as you deliver a .png file (which would only be an issue if you read the .png from the server before delivery.)

    The tricky part is what to do with the .png files that have been tampered with. You don't really want to serve those up to clients -- you'd be delivering a security risk. There will be a significant lag before client software is updated -- browsers and anything else that streams .png over a network connection will be at risk during this time.

    It seems to me that there's a need for some kind of scanning tool that checks for bogus .png files. At the server side, you could scan for compromised files and get rid of them.

    Does such a tool exist?

    -ch

  52. Interesting synchronicity by mwood · · Score: 1

    Someone was asking on a mailing list why Mozilla fanboys think their browser is so much more secure than the Internet Explorer fanboys' browser. (My words, not his.) The same day, the PNG vulnerability came out. THE SAME DAY, the patched Mozilla, Firefox, etc. were released. I was using the new Mozilla an hour after I learned (via mail from US-CERT) about the vulnerability in a third-party library that Mozilla uses.

    I consider the question answered.

  53. Where's the outcry? by rd_syringe · · Score: 2, Insightful

    If this was a Microsoft thing, Slashdot would be all over it. Arbitrary code execution from an IMAGE READING LIBRARY?!

    Just the obligatory "perspective" post. :)

    1. Re:Where's the outcry? by aardvarkjoe · · Score: 0, Troll

      But it's OK, really, since it's open source. Everyone who installed Mozilla audited all the code before using it.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    2. Re:Where's the outcry? by sdcharle · · Score: 1
      Yeah, if it were a Microsoft vulnerability, which headline would we see:
      • Vulnerability in Windows Threatens National Security
      • There is a buffer overflow or something in sumrndmlib.dll
    3. Re:Where's the outcry? by Anonymous Coward · · Score: 0

      Perspective my ass. If this was a Microsoft thing, you wouldn't know about for YEARS and even then Microsoft would deny it until some third party came out with the exploit at which point they would drag their feet in coming up with a patch.

      But, even with all your complaining, here the story is on the front page of Slashdot. What was that about "Slashdot would be all over it"? Looks like they are already, but you're too much of an idiot to recognize that fact.

      And while we're at it, let us not forget that CERT warned people away from Internet Explorer recently. Why don't you put that in your pipe and smoke it you fucking crackhead.

      Again, perspective my ass. How garbage like this gets modded up is beyond me.

  54. [SOLVED, partially] Re:Buffer overflow *again*? by cpghost · · Score: 1

    A lot of problems (though not all) would go away with the right GCC extension.

    --
    cpghost at Cordula's Web.
  55. Sandbox for a browser by iamacat · · Score: 1

    Why give an application accessing potentially hostile content unlimited access to your system. I am surprised you Linux users don't already run Mozilla chrooted or VMed. I might try that for Safari once I figure out all the dependencies.

    1. Re:Sandbox for a browser by Anonymous Coward · · Score: 0

      chroot? VM? Dependencies? WTF? Just create a restricted user account just for browsing and su before starting the browser. Delete and recreate the account once in a while if you're feeling particularly paranoid.

    2. Re:Sandbox for a browser by iamacat · · Score: 1

      This depends on the whole system being secure - no programs setting wrong permissions for temporary files, no public-accessible stuff in home directories. Me, I would rather put a criminal in jail than let him wander around and make sure everyone else got bars on the windows.

  56. Crashes Safari by spitzak · · Score: 1

    Tried the above image in Safari on OS/X and it went bye-bye after a great deal of disk thrashing. Offered me the chance to submit a bug report to Apple, but I didn't bother, as I figure somebody else has told them already...

  57. Interesting by Anonymous Coward · · Score: 0

    A while ago I created a 1280x1024 black and white checkerboard pattern PNG using the GIMP. Strangely, this file was able to crash some viewers and looked wrong in others. I still have the file sitting around but I never got around to reporting the bug to the relevant parties. I wonder if it could be related to these vulnerabilities.

    1. Re:Interesting by Anonymous Coward · · Score: 0

      After writing the parent post, I decided to see how bad the effects of the image were. Not only did the image viewer (feh) lock up, so did X, and I was unable to do ctrl-alt-f1 (although I was able to move my mouse cursor). My remedy involved logging in via my Sony Clie and killing X (the KILL signal was required). This worked, but my virtual consoles were left in an unusable state, with 1 and 2 pixel wide vertical stripes of white, separated by 1 pixel wide stripes of black.

    2. Re:Interesting by Anonymous Coward · · Score: 0

      Send a copy of the image to glennrp at imagemagick.org and he'll diagnose it.

  58. libpng? by xmorg · · Score: 1

    gif is still better, it shows up transarent colors.

    1. Re:libpng? by maunleon · · Score: 1

      What color is a trans[p]arent color?

  59. Re:php ! by Anonymous Coward · · Score: 0

    Well good fucking luck exploiting it on the server side considering it's a client side problem!

  60. File is offline now. by leuk_he · · Score: 1

    Somebody did not like the traffic and took the file down.

  61. What makes you think it isn't a Microsoft thing? by juhaz · · Score: 1

    Programs: libpng users including mozilla, konqueror, various e-mail clients, generally lots. Also reports that some versions of IE are vulnerable to some of the problems.

    I don't know if pngfilt.dll includes libpng code, but if it doesn't, then they've apparently managed to make same mistakes on their own.

  62. Re:What makes you think it isn't a Microsoft thing by JKR · · Score: 1
    What makes you think it isn't a Microsoft thing?

    Well, maybe the fact that MS didn't write libpng? D'uh.

  63. WTF? by Anonymous Coward · · Score: 0

    You've always been a weak-ass troll, but now you're just fucking pathetic. Swallow a gun and do us all a favor.

  64. Re:What makes you think it isn't a Microsoft thing by juhaz · · Score: 1

    It doesn't matter who wrote what.

    If Microsoft, or Mozilla Foundation, or $SOFTWARE_VENDOR chooses to include public domain or BSD licensed code into their application, they're from thereon just as much responsible for any holes it may create in that app as if they'd written it themselves.

    When you're creating a piece of software from smaller modules you check that they're safe whether particular code comes from Microsoft Employee 12323154, anonymous patch in bugzilla, libpng folks or $WHATEVER, and if you don't, then it's your fault, whichever it was, simple, right?