
Vulnerability Discovered in libpng

by Jeff Martin on Nov 18, 2015

The libpng library, used in dozens of popular applications, has a vulnerability, according to its custodian, Glenn Randers-Pehrson.  Administrators and users whose applications use libpng should update their applications and systems as soon as possible.

Libpng is used by numerous applications to provide read/write support for the PNG image format.  The affected code in libpng is in the png_set_PLTE/png_get_PLTE functions, which, according to Randers-Pehrson, “...failed to check for an out-of-range palette when reading or writing PNG files with a bit_depth less than 8.”  The result is that applications built using the affected versions of libpng are vulnerable to exploitation.  It is particularly important that applications that link libpng statically receive their own update, as they will not benefit from a system-wide library update.
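The missing check quoted above, sketched as a stand-alone validator (an added example, not libpng's code or its fix): it walks a PNG's chunks and flags a PLTE chunk with more entries than the IHDR bit depth allows. The function names and the sample bytes are constructed for illustration; the limit of 2^bit_depth palette entries is the PNG specification's rule for palette images.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 1 if PLTE has more entries than the IHDR bit depth allows,
 * 0 if it is in range or absent, -1 if malformed. CRCs are not verified. */
int check_plte_range(const unsigned char *buf, size_t len) {
    static const unsigned char sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
    size_t off = 8;
    int bit_depth = -1;
    if (len < 8 || memcmp(buf, sig, 8) != 0)
        return -1;
    while (len - off >= 12) {                 /* length + type + CRC */
        uint32_t clen = be32(buf + off);
        const unsigned char *type = buf + off + 4, *data = buf + off + 8;
        if (clen > len - off - 12)            /* chunk runs past the buffer */
            return -1;
        if (memcmp(type, "IHDR", 4) == 0) {
            if (clen != 13) return -1;
            bit_depth = data[8];              /* after width(4) and height(4) */
        } else if (memcmp(type, "PLTE", 4) == 0) {
            if (bit_depth < 0 || clen % 3 != 0)
                return -1;                    /* PLTE before IHDR, or bad size */
            uint32_t max = bit_depth < 8 ? (1u << bit_depth) : 256u;
            return clen / 3 > max;            /* three bytes per palette entry */
        } else if (memcmp(type, "IEND", 4) == 0) {
            break;
        }
        off += (size_t)clen + 12;
    }
    return 0;
}

/* Constructed sample: signature, IHDR (1x1, colour type 3), 3-entry PLTE.
 * CRC fields are zero because this checker does not verify them. */
static unsigned char sample[] = {
    0x89,'P','N','G','\r','\n',0x1a,'\n',
    0,0,0,13, 'I','H','D','R', 0,0,0,1, 0,0,0,1, 1,3,0,0,0, 0,0,0,0,
    0,0,0,9,  'P','L','T','E', 255,0,0, 0,255,0, 0,0,255, 0,0,0,0 };
/* Run the check with the sample's IHDR bit depth byte set to `depth`. */
int check_sample(unsigned char depth) {
    sample[24] = depth;
    return check_plte_range(sample, sizeof sample);
}
```

With a bit depth of 1 the three-entry palette exceeds the two entries allowed and is flagged; at bit depths 2, 4 and 8 the same palette is in range.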

Randers-Pehrson has already released updated source code with the required fixes so that users and developers can start updating their systems.  Mainstream Linux distributions are still working to include the updates: for example, Debian is actively working on fixes, while Ubuntu has triaged the bug but not yet started work.  Readers are encouraged to check for the availability of updates on their system and to apply them as soon as possible.  Comments appearing as news of the vulnerability spread indicate the seriousness of the problem.  User “jimrandomh” at Hacker News noted that since libpng is used in so many programs, it is not always obvious how many are vulnerable.
