CERT Warns Of Multiple Vulnerabilities In Libpng
jefftp writes "CERT announced today that there are several vulnerabilities in libpng, one is a buffer overflow which could potentially cause a PNG image file to execute arbitrary code. Libpng release 1.2.6rc1 addresses the problems covered by this CERT announcement, and can be obtained from the libpng Sourceforge project. A fully tested version is to be released in the next few weeks."
Is Mozilla/Firefox/Thunderbird using this lib?
So does mozilla statically or dynamically link with libpng?
Here is a .PNG file with a diagram that explains the problem.
Karma: -2147483648 (Mostly affected by integer overflow)
...thanks to the Debian Security mailing list, my systems were secured against this hours before it even made it to /.
You all complained about Internet Explorer not being able to display PNGs correctly, but who's laughing now! Obviously they broke PNG support intentionally for security reasons. Once again, Microsoft comes through on the cutting edge.
it's a good thing all of the porn sites i visit use jpegs
I think this was one of the vulnerabilities in Mozilla (Suite, Firefox, Thunderbird) that they already fixed and featured on /.
M$ Lawyer: But `gcc
Fedora Core 1 and 2 already have backported security updates for this as 1.2.5-7 and 1.2.5-8 respectively since yesterday. Much better than having to install a release candidate.
It's like deja vu all over again.
a buffer overflow which could potentially cause a PNG image file to execute arbitrary code
This is not a bug it's a feature; the libpng team are obviously trying to get a piece of the ActiveX control market...
----
Well, libpng has many, many jmp-like instructions; they're called function calls, and if you manage to overwrite the return address on the stack, you can make it jump anywhere, like the code you injected.
Hopefully it's just the stack you can overflow; most of us should run with a non-executable stack these days, so no harm done (well, it probably crashes..).
Seriously, we need a "Dumbass" mod option
Suddenly MRTG gets a mind of its own and starts spewing out more than just TCP connection data reports!
READY.
PRINT ""+-0
I just emerge synced and the latest version available is still libpng-1.2.5-r7
"And how many PHP sites/scripts dynamically generate .png files? Quite a lot I'd think, so, webservers might be vulnerable, but it seems like a longshot to try to inject something into such scripts."
Did you read the article? You don't seem to understand the point here.
The bug affects only the loading of PNG images. One can make a specially crafted PNG image which has some invalid fields causing problems in the decoder. The invalid handling of these special error cases may cause an application crash or potential execution of arbitrary code in the application which uses libpng.
It is not possible to introduce malicious RAW image data to the encoder. And even if it was possible, you should be able to pump data directly into the encoder, which is not a usual case with dynamically generated images. So, your PHP site is safe.
However, libpng is the most commonly used PNG implementation due to its free licence. These bugs affect very many applications (graphics applications, Office applications, user interface managers, browsers, etc.) which happen to use PNG.
A similar case was the zlib bugs some time ago.
We've all heard about buffer overflow problems in countless programs and libraries again and again. I'm not a programmer, but as I understand it, the problem is writing to unallocated memory areas. But this is not a new problem, it has happened for ages. Is it really that difficult to avoid? I understand that libpng as a "building block" library needs good performance, but is it really that much of a problem to write things in safer programming languages that don't allow these kinds of problems? Can some seasoned programming gurus here enlighten me?
You don't know how many times I've thought that when moderating.
The article is about PNG, not PHP.
Of course, but this means that free PHP hosting services are at risk, as some malicious users will try to exploit this flaw on the server side.
Is there oil at Papua - New Guinea?
The yesterday release of M1.7.2 and FF0.9.3 are fixed. Source: http://www.heise.de/security/news/meldung/49786 :)
(German site)
Sorry, I am kinda new to PNG stuff... can anyone explain how this might affect my Windows XP box? Should I go get the patch for my system? BTW I am running Windows XP Professional with Service Pack 1. Thanks in advance.
... with this, and Linux gets to join the "visit a malicious website and get rooted" crowd.
Tarsnap: Online backups for the truly paranoid
It's reassuring that for once MS has already taken care of some security issue (for XP SP2 at least).
What is arbitrary code? How is it any different as compared to any other computer code, say a piece of software?
There's this custom PNG decoder ... and I'm just curious
Quidquid latine dictum sit, altum videtur
Within an hour (or so) after the CERT-mail I also got the Matt Zimmerman-mail.
:)
Fixed
I love this!
Thanks Guys!
Privacy is terrorism.
> PNG adoption (and this vulnerability) isn't as wide-spread as it could be if certain software were more popular.
Hold that crack pipe a moment - the fact that IE renders PNG files will make it possible to exploit this just as easily as if it were on Linux. You are fishing.
boycott slashdot February 10th - 17th check out: altSlashdot.org
I just patched my SuSE box. Man that was fast ... or perhaps .. it is because Germany is 6 hours ahead of me.
I think it is time we started attributing vulnerabilities to the authors (just as we do with companies).
most of us should run with a no executable stack theses days
Ah, you mean the vast majority of people are now running Athlon64's? (tip: Plain IA32 CPUs don't support the NX bit).
http://blog.nexusuk.org
Hm. It isn't acknowledged in the IE About window - but the libpng license doesn't require them to do that, anyway. But I guess the half-baked PNG support in IE is a sure sign that it doesn't use libpng...
Switch back to Slashdot's D1 system.
tip: you don't need it in hardware..
world was created 5 seconds before this post as it is.
errm... how?
How exactly do you stop the cpu executing the stack if there is no way to mark it as non-executable?
http://blog.nexusuk.org
> How long has this vulnerability been in libpng?
Forever. Are you happy with that answer? That proves, once and for all, that Linux fucking sucks. I mean how could the DUMBFUCK developers let a bug like that through!?!?!
Seriously, though. People make mistakes. The libpng people made a mistake. They fixed it, and nobody got hurt. So I don't see the problem.
If it's news to you that OSS isn't bugfree, then you need to wake up. The difference between OSS and M$ (et. al.) is that the OSS people fix bugs/'ploits faster. See how you can get a fixed version RIGHT NOW? Where's the fixes for MSIE?
My other car is first.
Man, whatever happened to popping up a Solitaire game to prove that you could execute arbitrary code? Now we've got an example image which crashes the browser (Netscape 7.1) and locks the profile, so the only way I can get back to bitch about it is to cold boot the damn (win2k) machine.
damn kids these days.
--
See how you can get a fixed version RIGHT NOW?
Programmers and advanced sysadmins can get a fixed version right now. Every normal person has to wait "a few weeks".
No, it's compiled to bytecode for distribution, and then compiled to binary on the fly whenever you run it. Java could be the same speed as C++, it's just that Sun haven't done as much optimisation as the GCC guys have.
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
...because, as you know, in Soviet Russia pr0n watches you!
Sorry, it's early for me. I'm not warmed up yet. They'll get better...
This explains how it's done: http://people.redhat.com/mingo/exec-shield/ANNOUNCE-exec-shield
Image bombs. Basically, you create a 190000x190000 pixel monochrome image, save it, and it compresses to 43 kb.
Anyone opens it... *BAM* it expands into 2gb of ram.
Microsoft Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience.
...
bla bba
[x] restart Microsoft Internet Explorer
WOW, it is a portable bug!
can anybody tell us if this is exploitable?
The LibPNG library is merely a standardized library for reading and writing PNG files. It has been ported to many platforms and is even LGPL'd.
This makes it a two-edged sword in some ways, because nothing is specifically keeping you from writing your own implementation of the PNG specification, but most people are generally lazy and grab whatever is at hand, particularly if it is well written.
The trick is to keep the formal specification separated from the implementation so the implementation doesn't become the specification. Particularly with multimedia data formats, I've seen this happen far too often. PNG is particularly well designed in this regard, so you don't have to specifically condemn the format, just a particular library for problems like the CERT warning. Some formats are much worse in this regard.
That issues like this are coming up is more of a sign that the library is being widely used. One way to prevent issues like this from really taking over is to provide alternative implementations, so a "virus writer" couldn't depend on a specific implementation for an exploit like this.
On the other hand, it's quite difficult for a bug to creep into a compiler's bounds checking code (which is typically very simple). I know of no such historic examples, though perhaps this is because relatively few apps actually use safe compiled languages. (It would presumably have to be matched by a bug in the application code...) Interpreters and JIT compilers are much more subject to this kind of problem, particularly if they are written in C themselves. ;) There have been a few JVM exploits historically, though it is still much easier to make a secure JVM than to make tens of thousands of secure applications.
Finally, remember that even C has the burden of bugs in its compiler, runtime, and libraries, so this argument is useless at differentiating between C and safe compiled languages (unless you can argue that the latter have more complicated support code).
Umm... the point-and-drool update utility in my SuSE box automatically installed the patch last night. No programming or advanced sysadmining was required on my part.
You can protect against this too. The technique is to put a ``canary'' on the stack frame and make sure it is still there before you return.
There are at least two patches to gcc that do this. One is called ProPolice. The name of the second is escaping me right now. OpenBSD includes ProPolice by default.
Google on stack-smashing protectors for more info.
(S(SKK)(SKK))(S(SKK)(SKK))
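As an added illustration of the canary technique described in the comment above (constructed example code, not ProPolice's or GCC's implementation; the struct layout, the fixed canary value and the helper names are assumptions of this example), the frame below plants a guard word between a local buffer and the return-address side of the frame and verifies it before returning:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not ProPolice or GCC code: a hand-rolled stack canary
 * of the kind a stack-smashing protector places between local buffers and
 * the saved frame pointer / return address. */

/* Real protectors pick a random value at process start (some also include a
 * zero byte to stop string copies); a fixed value is used here only so the
 * check is deterministic. */
#define CANARY_VALUE 0x8badf00dcafe0000ull

struct frame {
    char buf[16];      /* local buffer: the lowest address in the frame */
    uint64_t canary;   /* guard word between buf and the saved return address */
};

/* Stand-in for an unchecked strcpy/memcpy with a caller-controlled length.
 * The copy is clamped to the frame so the demonstration stays inside
 * defined memory; once n > sizeof buf it runs into the canary. */
static void unchecked_copy(struct frame *f, const unsigned char *src, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, src, n);
}

/* The check a protector emits in the function epilogue: 0 if the canary is
 * intact, 1 if the frame was smashed (a real protector aborts here rather
 * than returning through a possibly clobbered address). */
int canary_check(const struct frame *f) {
    return f->canary == CANARY_VALUE ? 0 : 1;
}

/* Process one untrusted input of n bytes; returns canary_check's verdict. */
int process_input(const unsigned char *src, size_t n) {
    struct frame f;
    memset(f.buf, 0, sizeof f.buf);
    f.canary = CANARY_VALUE;     /* prologue: plant the guard */
    unchecked_copy(&f, src, n);
    return canary_check(&f);     /* epilogue: verify before returning */
}
```

Anything that fits in the 16-byte buffer leaves the guard intact; the first byte past it changes the canary and the check fails before the function can return.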
(This troll would be more effective if not posted anonymously.)
Indeed this flamewar has been repeated many times. Safe languages do indeed provide protection from these kinds of attacks and typically at a fairly small speed penalty (depending on the language; the number-two language on that list is safe and places above C++!).
See the earlier slashdot discussion for loads of argument. ( here for my perspective--note, I am a tower-in-the-sky PhD student in programming languages, but I do write lots of code in many languages, including C and C++.) I am still boggled that programmers who claim to be interested in security (and who moreover claim to be uninfluenced by marketing and "cool", but rather by technical concerns) still choose C or C++ for their projects.
...a few months ago, there was a
Slashdot readers were waiting in line to flame the guy for suggesting that mere image files could have any possible security implications ("it's just a data file, it doesn't contain code, he's obviously clueless, unlike me and everyone who agrees with me"), and raising the spectre of having to abandon JPEGs because of a virus ("dumbass, we can fix anything, we're invulnerable").
The mockers were partly right, in that of course such a hole would be patched and we could all move on with our lives; nobody's suggesting today that PNG be abandoned, and if libjpeg were discovered to secretly transmit an email calling for the assassination of Ronald McDonald when asked to display an image of a taco, nobody sane would call for dropping JPEGs, either.
But hopefully some of the 10-year-olds flaming away then with "no simple data file can open a door to a virus or have any security effect, cuz the contents aren't executed as code, l00zer" will get a bit of an education today. You only hope the contents aren't executed as code...
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
It appears to me that this problem exists at both the client and the server.
Updating a server to use the patched version of libpng is an obvious first step. You don't want the buffer overflow compromising security as you deliver a .png file (which would only be an issue if you read the .png from the server before delivery.)
The tricky part is what to do with the .png files that have been tampered with. You don't really want to serve those up to clients -- you'd be delivering a security risk. There will be a significant lag before client software is updated -- browsers and anything else that streams .png over a network connection will be at risk during this time.
It seems to me that there's a need for some kind of scanning tool that checks for bogus .png files. At the server side, you could scan for compromised files and get rid of them.
Does such a tool exist?
-ch
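A server-side pre-check of the kind the poster asks about, as an added example that is not from the thread or from libpng: it validates the signature and the IHDR chunk (including the chunk CRC) and computes the decoded size up front, which is also the check that stops the image bomb described in an earlier comment. The error codes, function names and the constructed 33-byte header are assumptions of this example, and it does not detect the specific malformed chunks covered by the CERT advisory, only the structural problems it checks for.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not libpng code: validate a PNG's signature and IHDR
 * chunk and compute the inflated size before the file reaches a real decoder. */
enum { PNG_OK = 0, PNG_TRUNCATED, PNG_BAD_SIG, PNG_BAD_IHDR, PNG_BAD_CRC, PNG_TOO_BIG };
static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}
/* CRC-32 as specified for PNG chunks (bitwise form, no lookup table). */
uint32_t png_crc(const uint8_t *p, size_t n) {
    uint32_t c = 0xffffffffu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xedb88320u & (0u - (c & 1u)));
    }
    return c ^ 0xffffffffu;
}

/* Check signature + IHDR (length, type, CRC, field ranges) and report the bytes the
 * filtered scanlines need once inflated; reject the file if that exceeds max_bytes. */
int png_precheck(const uint8_t *buf, size_t len, uint64_t max_bytes, uint64_t *decoded) {
    static const uint8_t channels[7] = {1, 0, 3, 1, 2, 0, 4}; /* indexed by colour type */
    if (decoded) *decoded = 0;
    if (len < 8 + 25) return PNG_TRUNCATED;                  /* signature + IHDR chunk */
    if (memcmp(buf, PNG_SIG, 8) != 0) return PNG_BAD_SIG;
    const uint8_t *c = buf + 8;
    if (be32(c) != 13 || memcmp(c + 4, "IHDR", 4) != 0) return PNG_BAD_IHDR;
    if (png_crc(c + 4, 17) != be32(c + 21)) return PNG_BAD_CRC; /* CRC spans type+data */
    uint32_t w = be32(c + 8), h = be32(c + 12);
    uint8_t depth = c[16], color = c[17];
    if (w == 0 || h == 0 || w > 0x7fffffffu || h > 0x7fffffffu) return PNG_BAD_IHDR;
    if (color > 6 || channels[color] == 0) return PNG_BAD_IHDR;
    if (depth != 1 && depth != 2 && depth != 4 && depth != 8 && depth != 16) return PNG_BAD_IHDR;
    uint64_t row = ((uint64_t)w * channels[color] * depth + 7) / 8 + 1; /* +1 filter byte */
    if (row > UINT64_MAX / h) return PNG_TOO_BIG;            /* product would overflow */
    if (decoded) *decoded = row * h;
    return row * h > max_bytes ? PNG_TOO_BIG : PNG_OK;
}

/* Build a constructed 33-byte signature + IHDR prefix with a valid CRC. */
void make_png_header(uint8_t out[33], uint32_t w, uint32_t h, uint8_t depth, uint8_t color) {
    memcpy(out, PNG_SIG, 8);
    put32(out + 8, 13);
    memcpy(out + 12, "IHDR", 4);
    put32(out + 16, w); put32(out + 20, h);
    out[24] = depth; out[25] = color; out[26] = out[27] = out[28] = 0;
    put32(out + 29, png_crc(out + 12, 17));
}
```

A 190000x190000 1-bit greyscale header passes every structural check but reports about 4.5 GB of scanline data, so a sensible max_bytes rejects it before any inflation starts.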
Right, and you're not capable of copy and pasting the link into a new browser window? More to the point, since when is a demonstration of the png fault been considered a new version of anything? (ie, your "NEW RELEASE link?) Whatever :)
Someone was asking on a mailing list why Mozilla fanboys think their browser is so much more secure than the Internet Explorer fanboys' browser. (My words, not his.) The same day, the PNG vulnerability came out. THE SAME DAY, the patched Mozilla, Firefox, etc. were released. I was using the new Mozilla an hour after I learned (via mail from US-CERT) about the vulnerability in a third-party library that Mozilla uses.
I consider the question answered.
Most people don't use SUSE. Most people use Windows. I use Firefox on W2K. How do I get this new patch, huh?
If this was a Microsoft thing, Slashdot would be all over it. Arbitrary code execution from an IMAGE READING LIBRARY?!
:)
Just the obligatory "perspective" post.
Java could be the same speed as C++
So long as "compiling to binary on the fly" takes ZERO time.
But actually, GCC can compile Java to binary ahead of time, just like it does with any C++ code. But having experimented with this, it doesn't go any faster than Java in a VM on the same machine... which could either indicate the VM is compiling very well, or (more likely) that GCC isn't very optimized for Java inputs.
A lot of problems (though not all) would go away with the right GCC extension.
cpghost at Cordula's Web.
Well, I guess that could be a problem. I personally don't use Firefox, mainly because it's still in beta and doesn't yet integrate with my system's package management. (Plus, it doesn't offer huge feature improvements over Konqueror or Mozilla.) The non-beta browsers that did come with my system, however, are already fixed.
Why give an application accessing potentially hostile content unlimited access to your system? I am surprised you Linux users don't already run Mozilla chrooted or VMed. I might try that for Safari once I figure out all the dependencies.
Tried the above image in Safari on OS/X and it went bye-bye after a great deal of disk thrashing. Offered me the chance to submit a bug report to Apple, but I didn't bother, as I figure somebody else has told them already...
Here's the fix for MSIE, dated August 1st:
http://www.microsoft.com/technet/security/bulletin/MS04-025.mspx
You asked...
How about just download the new version? Or did you mean how are you supposed to know about it if you are not a geek and read it on /.? Well, go under Tools -> Options -> Advanced, you should see a section called Software Update. Firefox will check periodically for newer version, or you can click the big button labeled Check Now if you want to do it manually. So non-techie Firefox users will get a notice that there is a newer version. Wow, isn't technology great!
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
GIF is still better, it shows up transparent colors.
Somebody did not like the traffic and took the file down.
Programs: libpng users including mozilla, konqueror, various e-mail clients, generally lots. Also reports that some versions of IE are vulnerable to some of the problems.
I don't know if pngfilt.dll includes libpng code, but if it doesn't, then they've apparently managed to make the same mistakes on their own.
Well, maybe the fact that MS didn't write libpng? D'uh.
It doesn't matter who wrote what.
If Microsoft, or Mozilla Foundation, or $SOFTWARE_VENDOR chooses to include public domain or BSD licensed code into their application, they're from thereon just as much responsible for any holes it may create in that app as if they'd written it themselves.
When you're creating a piece of software from smaller modules you check that they're safe whether particular code comes from Microsoft Employee 12323154, anonymous patch in bugzilla, libpng folks or $WHATEVER, and if you don't, then it's your fault, whichever it was, simple, right?