Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Vulnerability Discovered in libpng

Vulnerability Discovered in libpng

This item in japanese


The libpng library used in dozens of popular applications has a vulnerability according to its custodian, Glenn Randers-Pherson.  It is important for administrators and users whose applications utilize libpng recognize the need to update their applications and systems as soon as possible. 

Libpng is used by numerous applications to provide read/write support for the PNG image format.  The affected code in libpng deals with png_set_PLTE/png_get_PLTE functions and according to Randers-Pherson they “...failed to check for an out-of-range palette when reading or writing PNG files with a bit_depth less than 8.”  The result that applications built using the affected versions of libpng are vulnerable to exploitation.  It is of particular importance that applications that use a static library of libpng receive an update as they will not take advantage of a system-wide library update.

Randers-Pherson has already released updated source code to reflect the required fixes so that users and developers can start updating their systems.  Mainstream Linux distributions are still actively working to include the updates—for example the Debian is actively working on fixes while Ubuntu has triaged the bug but not yet started work.  Readers are encouraged to check for the availability of updates on their system and to apply them as soon as possible.  Comments appearing as news of the vulnerability spread indicate the seriousness of the problem.  User “jimrandomh” at Hacker News noted that since libpng is used in so many programs it is now always obvious how many are vulnerable.  

Rate this Article