Slashdot Mirror


CERT Warns Of Multiple Vulnerabilities In Libpng

jefftp writes "CERT announced today that there are several vulnerabilities in libpng; one is a buffer overflow which could potentially cause a PNG image file to execute arbitrary code. Libpng release 1.2.6rc1 addresses the problems covered by this CERT announcement, and can be obtained from the libpng Sourceforge project. A fully tested version is to be released in the next few weeks."

17 of 259 comments

  1. Re:Firefox by black+mariah · · Score: 5, Informative

    Yes. Most everything on Linux that reads or writes PNGs uses it.

    --
    'Standards' in computing only impress those who are impressed by things like 'standards'.
  2. Ah-ha! by iamdrscience · · Score: 5, Funny

    You all complained about Internet Explorer not being able to display PNGs correctly, but who's laughing now! Obviously they broke PNG support intentionally for security reasons. Once again, Microsoft comes through on the cutting edge.

    1. Re:Ah-ha! by Nerull · · Score: 5, Informative

      I know it's a joke, but it seems to work in IE as well, or at least an example PNG crashes it. I suppose one could be crafted for IE to exploit it.

  3. Re:Firefox by beardz · · Score: 4, Informative

    New builds of Mozilla / Firefox / Thunderbird have been released to patch four potential security vulnerabilities, including the libpng issue.

  4. Bug? it's a feature! by barcodez · · Score: 4, Funny

    a buffer overflow which could potentially cause a PNG image file to execute arbitrary code

    This is not a bug it's a feature; the libpng team are obviously trying to get a piece of the ActiveX control market...

  5. Re:Mozilla by slashdevslashtty · · Score: 4, Informative

    According to this, libpng is part of the source tree. My guess is static.

    --
    M$ Lawyer: But `gcc /dev/random -o kernel.dll` is our trade secret!
  6. Re:Didn't this happen with BMP? by noselasd · · Score: 5, Informative

    Well, libpng has many, many jmp-like instructions; they're called function calls, and if you manage to overwrite the return address on the stack, you can make it jump anywhere, like the code you injected.
    Hopefully it's just the stack you can overflow; most of us should run with a non-executable stack these days, so no harm done (well, it probably crashes...).

  7. Re:php ! by Anonymous Coward · · Score: 5, Funny

    Seriously, we need a "Dumbass" mod option

  8. It's a decoder problem by Snaapy · · Score: 5, Informative

    "And how many PHP sites/scripts dynamically generate .png files? Quite a lot I'd think, so webservers might be vulnerable, but it seems like a long shot to try to inject something into such scripts."

    Did you read the article? You don't seem to understand the point here.

    The bug affects only loading of PNG images. One can make a specially crafted PNG image which has some invalid fields causing problems in the decoder. The invalid handling of these special error cases may cause an application crash or potential execution of arbitrary code in the application which uses libpng.

    It is not possible to introduce malicious RAW image data to the encoder. And even if it were possible, you would have to be able to pump data directly into the encoder, which is not a usual case with dynamically generated images. So, your PHP site is safe.

    However, libpng is the most commonly used PNG implementation due to its free licence. These bugs affect very many applications (graphics applications, Office applications, user interface managers, browsers, etc.) which happen to use PNG.

    A similar case to this was the zlib bugs some time ago.

  9. Re:Gentoo by Sunspire · · Score: 4, Informative

    Yeah, it's still not fixed, but when an updated package is available it will still most likely simply be versioned 1.2.5-r8. You can keep a watch on the package and see immediately when it's fixed here.

    --
    It's like deja vu all over again.
  10. Combine this... by cperciva · · Score: 4, Informative

    ... with this, and Linux gets to join the "visit a malicious website and get rooted" crowd.

  11. The latest SP2 fixes it. by WhoDaresWins · · Score: 5, Informative

    "I know it's a joke, but it seems to work in IE as well, or at least an example PNG crashes it. I suppose one could be crafted for IE to exploit it."

    Well, using XP SP2 RC2 build 2162 it does nothing in IE other than show a broken image link. Whatever Microsoft did in SP2, it seems to have mitigated it. They did recompile major parts of the OS for SP2 with the /GS VC++ stack checking compiler flag. That could have caught it. Or it could be that they were informed about it before full disclosure and they fixed it in SP2. Or that they don't use libpng and their library does it correctly, or they fixed the issue by themselves. Whatever it is, they seem to have taken care of it. BTW, the built-in Windows Picture and Fax Viewer also doesn't crash (nor does mspaint). You can test this out yourself if you have SP2 (don't know if builds earlier than 2162 fix it though) using this image link (Warning! Will crash non-patched browsers!) from the original disclosure.

    It's reassuring that for once MS has already taken care of some security issue (for XP SP2 at least).
  12. Re:Mozilla by Theril · · Score: 5, Funny

    Sure it could. Implement image loading and rendering in Java and nobody has patience to load images anymore.

  13. Re:Mozilla by forgoil · · Score: 4, Informative

    Buffer overflow attacks won't happen in languages which don't "support" that feature, such as Perl, Python, Ruby, Java, C# (any managed code), or managed C++ for that matter.

    Another way of killing the problem is using the NX (I hope I got that correct) instruction/bit in newer CPUs and simply separating code and data, and not allowing execution in a data segment. Win SP2 does this, I am sure Linux does/will soon, one of the BSDs has done stuff like this for a while, etc.

    So yes, you would prevent it. But then again, calling a javalib from C... :)

  14. Re:Old news by LiquidCoooled · · Score: 5, Funny

    "Submissions review procedure" ?

    Taco: "Wooah! this Doom 3 is excellent!!!!"

    Michael: "Anyone else gettin 503s?"

    Simoniker: "Is anybody doing ANY work?"

    Tim: "Simon - yer, just gettin submissions - omg, another 400"

    Taco: "Die scum die!!"

    Michael: "I give up, anyone wanna 7up?"

    Taco [Looking up from game for a minute] "Yer go on then!"

    Taco: "Tim, Throw another story onto the site, the natives are gettin restless."

    Tim: "eeny, meeny miny mo...."

    --
    liqbase :: faster than paper
  15. Another exploit in libpng by ShadowRage · · Score: 4, Interesting

    Image bombs. Basically, you create a 190000x190000 pixel monochrome image, save it, and it compresses to 43 KB.

    Anyone opens it... *BAM* it expands into 2 GB of RAM.

    1. Re:Another exploit in libpng by thogard · · Score: 4, Interesting

      This is a problem? I've got about 300 people trying to anon-proxy through one of my servers every day. When they ask for a gif (or png or whatever) it would be nice to give them something to make them go away.
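Two defensive points run through this thread: comment 8 notes that the bugs are triggered by invalid header fields reaching the decoder, and comment 15 describes an image bomb whose tiny compressed size hides a multi-gigabyte decoded size. The following added example (not code from the thread or from libpng) shows a pre-decode gate an application can put in front of any PNG library: it validates the signature and IHDR chunk (length, CRC, field ranges) and computes the decoded buffer size from the header alone, rejecting anything over a policy cap before a single byte is inflated. The 64 MiB cap and the `build_ihdr_png` test-input builder are assumptions of this example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Channels and permitted bit depths per PNG colour type (from the PNG spec):
# 0 greyscale, 2 truecolour, 3 indexed, 4 grey+alpha, 6 truecolour+alpha
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}
ALLOWED_DEPTHS = {0: (1, 2, 4, 8, 16), 2: (8, 16), 3: (1, 2, 4, 8), 4: (8, 16), 6: (8, 16)}
MAX_DECODED_BYTES = 64 * 1024 * 1024  # policy cap chosen for this example (assumption)


def build_ihdr_png(width, height, bit_depth=1, color_type=0):
    """Construct signature + IHDR chunk only, as sample input for the check.
    Constructed test data: no IDAT/IEND chunks are produced."""
    data = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + data) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + data + struct.pack(">I", crc)


def check_png_header(buf, max_bytes=MAX_DECODED_BYTES):
    """Validate the PNG signature and IHDR, then bound the decoded image size.
    Returns (ok, reason, decoded_bytes). Nothing is decompressed."""
    if len(buf) < 33 or not buf.startswith(PNG_SIGNATURE):
        return False, "bad signature or truncated header", 0
    length, ctype = struct.unpack(">I4s", buf[8:16])
    if ctype != b"IHDR" or length != 13:
        return False, "first chunk must be IHDR of length 13", 0
    data = buf[16:29]
    (crc_stored,) = struct.unpack(">I", buf[29:33])
    if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc_stored:
        return False, "IHDR CRC mismatch", 0
    width, height, depth, color, comp, filt, interlace = struct.unpack(">IIBBBBB", data)
    # The spec requires 1 <= width, height <= 2^31 - 1; zero or huge values are invalid.
    if not (0 < width < 2**31 and 0 < height < 2**31):
        return False, "width/height out of range", 0
    if color not in CHANNELS or depth not in ALLOWED_DEPTHS[color]:
        return False, "unsupported colour type / bit depth combination", 0
    if comp != 0 or filt != 0 or interlace not in (0, 1):
        return False, "bad compression/filter/interlace field", 0
    # Each scanline is the packed samples plus one leading filter-type byte.
    row_bytes = (width * depth * CHANNELS[color] + 7) // 8 + 1
    decoded = row_bytes * height
    if decoded > max_bytes:
        return False, f"decoded size {decoded} bytes exceeds cap {max_bytes}", decoded
    return True, "ok", decoded
```

The 190000x190000 1-bit image from comment 15 is rejected on its header alone, which is the check a proxy or thumbnailer wants before handing the file to the decoder at all.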