Slashdot Mirror


CERT Warns Of Multiple Vulnerabilities In Libpng

jefftp writes "CERT announced today that there are several vulnerabilities in libpng, one is a buffer overflow which could potentially cause a PNG image file to execute arbitrary code. Libpng release 1.2.6rc1 addresses the problems covered by this CERT announcement, and can be obtained from the libpng Sourceforge project. A fully tested version is to be released in the next few weeks."

26 of 259 comments

  1. Re:Firefox by black+mariah · · Score: 5, Informative

    Yes. Most everything on Linux that reads or writes PNGs uses it.

    --
    'Standards' in computing only impress those who are impressed by things like 'standards'.
  2. Re:Firefox by beardz · · Score: 4, Informative

    New builds of Mozilla / Firefox / Thunderbird have been released to patch four potential security vulnerabilities, including the libpng issue.

  3. Re:Ah-ha! by Nerull · · Score: 5, Informative

    I know it's a joke, but it seems to work in IE as well, or at least an example PNG crashes it; I suppose one could be crafted for IE to exploit it.

  4. Updates by Sunspire · · Score: 3, Informative

    Fedora Core 1 and 2 already have backported security updates for this as 1.2.5-7 and 1.2.5-8 respectively since yesterday. Much better than having to install a release candidate.

    --
    It's like deja vu all over again.
  5. Re:Mozilla by slashdevslashtty · · Score: 4, Informative

    According to this, libpng is part of the source tree. My guess is static.

    --
    M$ Lawyer: But `gcc /dev/random -o kernel.dll` is our trade secret!
  6. Re:Didn't this happen with BMP? by noselasd · · Score: 5, Informative

    Well, libpng has many, many jmp-like instructions; they're called
    function calls, and if you manage to overwrite the return address on the stack, you can make it jump anywhere, like the code you injected.
    Hopefully it's just the stack you can overflow; most of us should run with a non-executable stack these days, so no harm done (well, it probably crashes...).

  7. It's a decoder problem by Snaapy · · Score: 5, Informative

    "And how many PHP sites/scripts dynamically generate .png files? Quite a lot, I'd think, so webservers might be vulnerable, but it seems
    like a longshot to try to inject something into such scripts."

    Did you read the article? You don't seem to understand the point here.

    The bug affects only loading of PNG images. One can make a specially crafted PNG image which has some invalid fields causing problems in the decoder. The invalid handling of these special error cases may cause an application crash or potential execution of arbitrary code in the application which uses libpng.

    It is not possible to introduce malicious RAW image data to the encoder. And even if it was possible, you should be able to pump data directly into the encoder, which is not a usual case with dynamically generated images. So, your PHP site is safe.

    However, libpng is the most commonly used PNG implementation due to its free licence. These bugs affect very many applications (graphics applications, Office applications, user interface managers, browsers, etc.) which happen to use PNG.

    A similar case was the zlib bugs some time ago.
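
    The point above, that the decoder has to treat every field it reads from the file as hostile, is easiest to see in code. The following is an added example written for this page, not libpng's own code: a minimal PNG chunk walker that checks the declared chunk length against the bytes actually present and against the CRC before handing data to a chunk handler. Only the tRNS chunk is modelled, TRNS_MAX is the spec maximum for a palette image (one byte per palette entry, at most 256), and the sample image is constructed inline; the "unchecked" handler shows the overflow pattern for contrast and is never called.

```c
/* Added example, not libpng's own code: a minimal PNG chunk walker showing
 * where a decoder has to distrust the length field it reads from the file.
 * Only tRNS is modelled; TRNS_MAX is the spec maximum for a palette image. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TRNS_MAX 256
static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};

/* CRC-32 as the PNG specification defines it (reflected polynomial 0xedb88320). */
static uint32_t png_crc(const uint8_t *buf, size_t len) {
    static uint32_t table[256];
    if (!table[1])
        for (uint32_t n = 0; n < 256; n++) {
            uint32_t c = n;
            for (int k = 0; k < 8; k++) c = (c & 1) ? 0xedb88320u ^ (c >> 1) : c >> 1;
            table[n] = c;
        }
    uint32_t c = 0xffffffffu;
    for (size_t i = 0; i < len; i++) c = table[(c ^ buf[i]) & 0xff] ^ (c >> 8);
    return c ^ 0xffffffffu;
}

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Decoder state with a transparency buffer sized by the spec maximum. */
struct decoder { uint8_t trns[TRNS_MAX]; size_t trns_len; };

/* The vulnerable pattern: the file's length field becomes the copy size, so a
 * tRNS chunk declaring more than 256 bytes writes past trns[]. Contrast only. */
void handle_trns_unchecked(struct decoder *d, const uint8_t *data, uint32_t length) {
    memcpy(d->trns, data, length);
    d->trns_len = length;
}

/* Hardened: bound the declared length by the buffer before any copy. */
static int handle_trns_checked(struct decoder *d, const uint8_t *data, uint32_t length) {
    if (length > TRNS_MAX) return -1;
    memcpy(d->trns, data, length);
    d->trns_len = length;
    return 0;
}

/* Walk the chunk list. Returns the number of chunks accepted, or on the first
 * rejection: -1 bad signature, -2 declared length exceeds the bytes present,
 * -3 CRC mismatch, -4 the chunk handler refused the chunk. */
int walk_png(const uint8_t *buf, size_t len, struct decoder *d) {
    if (len < 8 || memcmp(buf, PNG_SIG, 8) != 0) return -1;
    int accepted = 0;
    for (size_t off = 8; off + 12 <= len; ) {      /* length(4) + type(4) + crc(4) */
        uint32_t length = be32(buf + off);
        const uint8_t *type = buf + off + 4, *data = buf + off + 8;
        /* The length field is attacker-controlled: check it against the bytes
         * actually present before reading data or the CRC behind it. */
        if (length > 0x7fffffffu || (size_t)length > len - off - 12) return -2;
        if (png_crc(type, 4 + length) != be32(data + length)) return -3;
        if (memcmp(type, "tRNS", 4) == 0 && handle_trns_checked(d, data, length) < 0) return -4;
        accepted++;
        if (memcmp(type, "IEND", 4) == 0) break;
        off += 12 + length;
    }
    return accepted;
}

/* Test-input helper: append one chunk with a correct CRC, return bytes written. */
size_t put_chunk(uint8_t *out, const char type[4], const uint8_t *data, uint32_t length) {
    put32(out, length);
    memcpy(out + 4, type, 4);
    if (length) memcpy(out + 8, data, length);
    put32(out + 8 + length, png_crc(out + 4, 4 + length));
    return 12 + length;
}

/* Constructed 1x1 palette image with a tRNS chunk of trns_len bytes (max 512). */
size_t build_sample(uint8_t *out, uint32_t trns_len) {
    static const uint8_t ihdr[13] = {0,0,0,1, 0,0,0,1, 8, 3, 0, 0, 0};
    static const uint8_t plte[3] = {0, 0, 0};
    uint8_t trns[512] = {0};
    if (trns_len > sizeof trns) trns_len = sizeof trns;
    memcpy(out, PNG_SIG, 8);
    size_t n = 8;
    n += put_chunk(out + n, "IHDR", ihdr, sizeof ihdr);
    n += put_chunk(out + n, "PLTE", plte, sizeof plte);
    n += put_chunk(out + n, "tRNS", trns, trns_len);
    n += put_chunk(out + n, "IEND", NULL, 0);
    return n;
}

int main(void) {
    uint8_t img[1024];
    struct decoder d = {{0}, 0};
    printf("valid tRNS:    %d\n", walk_png(img, build_sample(img, 1), &d));
    printf("oversize tRNS: %d\n", walk_png(img, build_sample(img, 300), &d));
    return 0;
}
```

    Note the order of the checks: the length is validated against the remaining input before the CRC is even read, because the CRC sits behind the data and a bogus length would otherwise make the decoder read past the end of the file buffer. A valid CRC says nothing about safety; the oversize tRNS chunk in the sample has a correct CRC and is still rejected by the handler.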

  8. Re:Gentoo by Sunspire · · Score: 4, Informative

    Yeah it's still not fixed, but when an updated package is available it will still most likely simply be versioned 1.2.5-r8. You can keep a watch on the package and see immediately when it's fixed here.

    --
    It's like deja vu all over again.
  9. @Mozilla/FireFox-users: No Panic! by Anonymous Coward · · Score: 1, Informative

    Yesterday's releases of M1.7.2 and FF0.9.3 are fixed. Source: http://www.heise.de/security/news/meldung/49786
    (German site) :)

  10. Re:Buffer overflow *again*? by Anonymous Coward · · Score: 1, Informative

    The safer languages would be e.g. Python or Java. You want an interpreter to decode your images?
    Anyway, shit happens.

    An error?:

    #include <stdlib.h>
    #include <string.h>

    int main(void)
    {
        char str[] = "Hello";
        char *tst = malloc(strlen(str));      /* room for the characters, none for the terminating NUL */
        strncpy(tst, str, strlen(str));       /* copies 5 bytes and never terminates tst */
        return 0;
    }

    An error?:

    void dosomething(int);

    void doFoo(int *i, int length)   /* i - array of ints, length - length of array */
    {
        int j;
        for (j = 0; j < length; j++) {   /* trusts that i really has length elements */
            dosomething(i[j]);
        }
    }

    Depending on context both can be fatal.

  11. Combine this... by cperciva · · Score: 4, Informative

    ... with this, and Linux gets to join the "visit a malicious website and get rooted" crowd.

    1. Re:Combine this... by achurch · · Score: 2, Informative

      As far as I can tell, that only lets you read memory, which doesn't let you root anything. In fact, I tried the test and though it claimed to have worked, all I got was /proc/mtrr followed by 64MB of zeros, which seems odd since my machine's been up long enough that all my physical memory should have been stomped on at some point.

      So yes, these are both serious problems, but they still don't boost Linux up into that vaunted "rootable group". (:

  12. The latest SP2 fixes it. by WhoDaresWins · · Score: 5, Informative
    I know it's a joke, but it seems to work in IE as well, or at least an example PNG crashes it; I suppose one could be crafted for IE to exploit it.

    Well, using XP SP2 RC2 build 2162 it does nothing in IE other than show a broken image link. Whatever Microsoft did in SP2, it seems to have mitigated it. They did recompile major parts of the OS for SP2 with the /GS VC++ stack checking compiler flag. That could have caught it. Or it could be that they were informed about it before full disclosure and they fixed it in SP2. Or that they don't use libpng and their library does it correctly, or they fixed the issue by themselves. Whatever it is, they seem to have taken care of it. BTW the built-in Windows Picture and Fax Viewer also doesn't crash (nor does mspaint). You can test this out yourself if you have SP2 (don't know if builds earlier than 2162 fix it though) using this image link (Warning! Will crash non-patched browsers!) from the original disclosure.

    It's reassuring that for once MS has already taken care of some security issue (for XP SP2 at least).
    1. Re:The latest SP2 fixes it. by Nerull · · Score: 3, Informative

      Try this image

      I got it from the bugzilla entry about the libpng issues.

      Actually, that image and the one above produce 2 different effects in IE now that I've tested both; maybe it's a different issue that got mixed into the same bugzilla entry.

  13. Re:WinXP by Anonymous Coward · · Score: 2, Informative

    Sorry, I am kinda new to png stuff... can anyone explain how this might affect my Windows XP box? Should I go get the patch for my system? BTW I am running Windows XP Professional with Service Pack 1. Thanks in advance.

    ! - in case this is for real.

    PNG is an image format. It's very popular. There's a free (not copyleft free) library that anyone can put in their software to handle the PNG format.

    There's a problem with this free library. If you're using software with a broken version of this library, you'll need to update the software.

    The XPSP2RC has either fixed or sidestepped the issue. If you want that, you can get it from Windows Update (v5). But it's still a release candidate so you might prefer to wait.

  14. Re:Arbitrary Code...? by Anonymous Coward · · Score: 1, Informative

    It isn't. It just means code that is not part of the program itself, but
    rather code that is injected into the program/software, and the software
    is then tricked to running that code.

  15. Re:Mozilla by evil_one666 · · Score: 2, Informative

    I wrote a GIF library in Java to display animated gifs on Java 1.0 and it was reeeeeeeaaaaaally sloooooooow. It would however not be possible to exploit a buffer overflow on such a decompressor...

  16. Re:Mozilla by forgoil · · Score: 4, Informative

    Buffer overflow attacks won't happen in languages which don't "support" that feature, such as Perl, Python, Ruby, Java, C# (any managed code), or managed C++ for that matter.

    Another way of killing the problem is using the NX (I hope I got that correct) instruction/bit in newer CPUs and simply separating code and data, and not allowing execution in a data segment. Win SP2 does this, I am sure Linux does/will soon, one of the BSDs has done stuff like this for a while, etc.

    So yes, you would prevent it. But then again, calling a javalib from C... :)

  17. SuSE patch also already available by Anonymous Coward · · Score: 2, Informative

    I just patched my SuSE box. Man that was fast ... or perhaps .. it is because Germany is 6 hours ahead of me.

  18. Re:Mozilla by FireFury03 · · Score: 2, Informative

    Another way of killing the problem is using the NX (I hope I got that correct) instruction/bit in newer CPUs and simply separating code and data, and not allowing execution in a data segment. Win SP2 does this, I am sure Linux does/will soon

    Yep, Fedora Core 2 has done this since one of the early kernel revisions (I think it was when they went from 2.6.5 to 2.6.6)

  19. Re:Mozilla by Anonymous Coward · · Score: 2, Informative

    "Buffer overflow attacks won't happen ... using the NX"

    No, you can still overflow the buffer, thus being able to modify the return pointer, and some variables. What does this mean? If you were lucky/elite, you could get it to jump to a different function. Sure it's not executing your own instructions from the stack, but it's still control.

    thanks,
    jacob

  20. Re:Didn't this happen with BMP? by Anonymous Coward · · Score: 1, Informative
    How exactly do you stop the CPU executing the stack if there is no way to mark it as non-executable?

    Put it in a different segment. Like the OpenWall patch does for Linux. On IA32 machines (386 and up), you can mark an entire segment non-executable; you just can't mark individual pages.
  21. Re:Didn't this happen with BMP? by noselasd · · Score: 3, Informative

    This explains how it's done:
    http://people.redhat.com/mingo/exec-shield/ANNOUNCE-exec-shield

  22. BOEM. by leuk_he · · Score: 2, Informative

    Microsoft Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience.

    bla bba
    [x] restart Microsoft Internet Explorer ...

    WOW, it is a portable bug!

    can anybody tell us if this is exploitable?

  23. Re:How old is it REALLY? by Waffle+Iron · · Score: 2, Informative
    Programmers and advanced sysadmins can get a fixed version right now. Every normal person has to wait "a few weeks".

    Umm... the point-and-drool update utility in my SuSE box automatically installed the patch last night. No programming or advanced sysadmining was required on my part.

  24. Canary by bsd4me · · Score: 3, Informative

    You can protect against this too. The technique is to put a ``canary'' on the stack frame and make sure it is still there before you return.

    There are at least two patches to gcc that do this. One is called ProPolice. The name of the second is escaping me right now. OpenBSD includes ProPolice by default.

    Google on stack-smashing protectors for more info.

    --

    (S(SKK)(SKK))(S(SKK)(SKK))
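
    The canary technique described above, and the "/GS stack checking" mentioned in the SP2 comment, are easier to reason about with a model in front of you. The following is an added example written for this page, not ProPolice's or gcc's code: a struct stands in for a stack frame, the "buggy body" copies attacker-supplied bytes into a 16-byte local with no length check, and the "epilogue" compares the guard word before the saved return address is used. Assumptions: locals sit below the return address (downward-growing stack) and struct members are laid out at increasing addresses, so an overrun of buf reaches canary and then saved_ret in that order; the guard value is a fixed demo constant passed in as a parameter, where a real protector uses a random per-process value.

```c
/* Added example, not ProPolice's or gcc's code: a model of a stack frame
 * with a guard word, showing what a canary check catches and what it does
 * not. Assumes locals below the saved return address and struct members at
 * increasing addresses, so an overrun of buf hits canary before saved_ret. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct frame {
    char      buf[16];    /* the overflowable local; ProPolice also moves such
                             arrays next to the guard so an overrun cannot
                             trample other locals (e.g. pointers) first */
    uintptr_t canary;     /* guard word between locals and control data */
    uintptr_t saved_ret;  /* modelled return address */
};

enum { RET_OK = 0, RET_SMASHED = -1 };

/* Prologue: store the guard. A real protector picks a random value per
 * process (often containing a 0x00 byte to stop string copies); the whole
 * scheme depends on the attacker not knowing that value. */
static void frame_enter(struct frame *f, uintptr_t guard, uintptr_t ret) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = guard;
    f->saved_ret = ret;
}

/* The buggy body: n attacker-supplied bytes into a 16-byte local with no
 * check on n. Written byte by byte through the frame's raw bytes and capped
 * at the frame size so the model itself stays inside one object. */
static void frame_copy_unchecked(struct frame *f, const uint8_t *src, size_t n) {
    unsigned char *raw = (unsigned char *)f;
    if (n > sizeof *f) n = sizeof *f;
    for (size_t i = 0; i < n; i++) raw[offsetof(struct frame, buf) + i] = src[i];
}

/* Epilogue: compare the guard before the return address is trusted. This is
 * where compiler-generated code calls __stack_chk_fail() and aborts. */
static int frame_leave(const struct frame *f, uintptr_t guard, uintptr_t *ret_out) {
    if (f->canary != guard) return RET_SMASHED;
    *ret_out = f->saved_ret;
    return RET_OK;
}

/* One simulated call: copy the input, then "return". On RET_OK, *ret_out is
 * the address control would transfer to. */
int simulate_call(const uint8_t *input, size_t n, uintptr_t guard, uintptr_t *ret_out) {
    struct frame f;
    frame_enter(&f, guard, 0x401000u);
    frame_copy_unchecked(&f, input, n);
    return frame_leave(&f, guard, ret_out);
}

/* Constructed payloads: kind 0 is benign, kind 1 is a blind overrun that
 * tramples the guard, kind 2 rewrites the guard with its known value on the
 * way to saved_ret (what an attacker with a canary leak does). */
size_t make_payload(uint8_t *out, int kind, uintptr_t guard, uintptr_t want_ret) {
    memset(out, 'A', sizeof(struct frame));
    if (kind == 0) return 8;
    if (kind == 2) memcpy(out + offsetof(struct frame, canary), &guard, sizeof guard);
    memcpy(out + offsetof(struct frame, saved_ret), &want_ret, sizeof want_ret);
    return sizeof(struct frame);
}

int main(void) {
    uint8_t p[sizeof(struct frame)];
    uintptr_t ret = 0, guard = (uintptr_t)0x3f0a5eedu;   /* fixed value for the demo only */
    for (int kind = 0; kind < 3; kind++) {
        size_t n = make_payload(p, kind, guard, 0x41414141u);
        int rc = simulate_call(p, n, guard, &ret);
        printf("payload %d: %s, ret=%#lx\n", kind,
               rc == RET_OK ? "returned" : "canary smashed", (unsigned long)ret);
    }
    return 0;
}
```

    The third payload is the caveat a practitioner should keep in mind: a canary detects a blind overrun at function return, but an attacker who has already learned the guard value writes it back in place and the check passes. It also does nothing for data that is corrupted and used before the function returns, which is why ProPolice reorders locals so that character arrays sit directly under the guard, and why canaries are combined with a non-executable stack rather than relied on alone.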