Slashdot Mirror


CERT Warns Of Multiple Vulnerabilities In Libpng

jefftp writes "CERT announced today that there are several vulnerabilities in libpng, one is a buffer overflow which could potentially cause a PNG image file to execute arbitrary code. Libpng release 1.2.6rc1 addresses the problems covered by this CERT announcement, and can be obtained from the libpng Sourceforge project. A fully tested version is to be released in the next few weeks."

7 of 259 comments

  1. Re:Diagram by Anonymous Coward · · Score: 1, Insightful

    Jesus. It must be retard night on slashdot.
    The file is actually a GIF. Check the header. "GIF89a".
    The post claims it is a PNG that explains the "problem".
    If you just read an article about a PNG exploit, and then are stupid enough to click a link that purports to go to a PNG file, you are a dumbass, as the picture informs you.
    Since it is actually a GIF, there is no actual harm in viewing the file.
    Is that really so hard to piece together?
    Perhaps you don't think it's funny. Slashdot's moderation system doesn't have an "Unfunny" option - and for a good reason: dipshits like yourself who would misuse it.
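The header check this comment relies on (a GIF starts with "GIF89a" or "GIF87a", a PNG with a fixed eight-byte signature) is exactly what a server or mail gateway should do before handing a file to any image decoder, and it is also the place to catch the kind of malformed input a decoder bug turns into memory corruption. The following is an added example, not code from the thread or from libpng: it sniffs the real container format from magic bytes, compares it against the format the filename claims, and walks PNG chunks while checking every declared chunk length against the bytes that actually remain. The sample files and the helper names (`sniff_image_format`, `check_claim`, `walk_png_chunks`, `chunk_walk_error`) are constructed for this example.

```python
import struct
import zlib

# Magic bytes from the PNG and GIF specifications.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
MAX_CHUNK_LENGTH = 2**31 - 1  # PNG caps a chunk's data length at 2^31-1


def sniff_image_format(data: bytes) -> str:
    """Identify the container by its leading bytes, ignoring any claimed name."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    if data.startswith(GIF_SIGNATURES):
        return "gif"
    return "unknown"


def claimed_format(filename: str) -> str:
    """What the filename extension says the file is (untrusted)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext if ext in ("png", "gif") else "unknown"


def check_claim(filename: str, data: bytes) -> dict:
    """Report whether the advertised format matches the bytes on disk."""
    actual = sniff_image_format(data)
    claimed = claimed_format(filename)
    return {"claimed": claimed, "actual": actual, "mismatch": claimed != actual}


def walk_png_chunks(data: bytes) -> list:
    """Walk PNG chunks, validating each declared length and CRC before
    trusting it. Raises ValueError on anything inconsistent instead of
    letting a decoder act on an attacker-chosen length."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos < len(data):
        if len(data) - pos < 8:
            raise ValueError("truncated chunk header at offset %d" % pos)
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        if length > MAX_CHUNK_LENGTH:
            raise ValueError("chunk %r length %d exceeds spec maximum" % (ctype, length))
        remaining = len(data) - (pos + 8)
        if remaining < length + 4:  # data plus 4-byte CRC must fit in the buffer
            raise ValueError("chunk %r declares %d bytes but only %d remain"
                             % (ctype, length, remaining))
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) != crc:
            raise ValueError("bad CRC on chunk %r" % ctype)
        chunks.append((ctype.decode("ascii"), length))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def chunk_walk_error(data: bytes):
    """Return the validation error message for a PNG, or None if it walks cleanly."""
    try:
        walk_png_chunks(data)
    except ValueError as exc:
        return str(exc)
    return None


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one well-formed PNG chunk (length, type, data, CRC)."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


# Constructed samples (minimal, enough for the chunk walker; not full images).
IHDR_BODY = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grayscale
SAMPLE_PNG = PNG_SIGNATURE + _chunk(b"IHDR", IHDR_BODY) + _chunk(b"IEND", b"")
SAMPLE_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b";"
# Malformed: IHDR declares 0x7FFFFFFF bytes of data but the file ends right after the header.
OVERSIZED_PNG = PNG_SIGNATURE + struct.pack(">I", 0x7FFFFFFF) + b"IHDR"

if __name__ == "__main__":
    print(check_claim("funny.png", SAMPLE_GIF))   # claimed png, actual gif, mismatch
    print(walk_png_chunks(SAMPLE_PNG))            # [('IHDR', 13), ('IEND', 0)]
    print(chunk_walk_error(OVERSIZED_PNG))        # length does not fit the buffer
```

The point of `walk_png_chunks` is that the length field is attacker-controlled data: it is compared against the bytes that actually remain before a single byte of chunk data is read, which is the check a decoder must make before sizing any buffer from it.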

  2. Re:php ! by dolmen.fr · · Score: 3, Insightful

    The article is about PNG, not PHP.

    Of course, but this means that free PHP hosting services are at risk, as some malicious users will try to exploit this flaw on the server side.

  3. Re:Gentoo by AliasTheRoot · · Score: 3, Insightful

    Just ignore advocates, they'll go away eventually :)

    Gentoo is good for me, I don't think it's good for everyone - but I'm not everyone, I'm me.

    My wife and my mother both use Win2k and that's what's good for them; I help them out with patches and suchlike, but neither of them really wants to care about having gcc or whatever installed.

    Like I said, it's all about choice.

  4. Re:Attribution? by FireFury03 · · Score: 2, Insightful

    If you do that (which is probably a good idea) you'll need to weight it based on the amount of code written by that author that _could_ contain a security hole. Otherwise the stats will just show that the authors who write 99% of the complex network-facing code are responsible for most security holes.

  5. Official Language-based security thread! by Tom7 · · Score: 2, Insightful

    (This troll would be more effective if not posted anonymously.)

    Indeed this flamewar has been repeated many times. Safe languages do indeed provide protection from these kinds of attacks and typically at a fairly small speed penalty (depending on the language; the number-two language on that list is safe and places above C++!).

    See the earlier slashdot discussion for loads of argument (here for my perspective -- note, I am a tower-in-the-sky PhD student in programming languages, but I do write lots of code in many languages, including C and C++). I am still boggled that programmers who claim to be interested in security (and who moreover claim to be uninfluenced by marketing and "cool", but rather by technical concerns) still choose C or C++ for their projects.

  6. Where's the outcry? by rd_syringe · · Score: 2, Insightful

    If this was a Microsoft thing, Slashdot would be all over it. Arbitrary code execution from an IMAGE READING LIBRARY?!

    Just the obligatory "perspective" post. :)

  7. Re:Attribution? by pclminion · · Score: 2, Insightful

    I think it is time we started attributing vulnerabilities to the authors (just as we do with companies).

    Terrible idea. I can tell you right now, if I knew I'd be held personally responsible for bugs in open source software I contributed to, I would not contribute. If you want me to take responsibility for my bugs, give me money.

    If you don't like buggy free software, don't use it. What you're describing sounds almost like an inverse meritocracy, where people get branded if they don't write code that's "good enough." All that serves to do is scare people away from contributing.

    What's really irritating to me is that oftentimes the people bitching the loudest are unwilling and unable to contribute to such projects themselves. Sorry, but I'm not going to subject myself to a bunch of amateur sideline criticism. It ain't worth it.