Critical security flaw discovered in PNG graphics library

Posted on Monday, November 16 2015 @ 13:24 CET by Thomas De Maesschalck
Security researchers have discovered a critical security bug in the graphics processing library libpng. The bug enables attackers to trigger a buffer overflow via a manipulated PNG image file, and potentially allows all kinds of nasty stuff to happen. Various implementations of the libpng library are used across many platforms and are used by many applications including browsers, file browsers, music players, app stores, etc. Patches for the libpng library are available but it will likely take some time for software developers have updated every vulnerable application.
Libpng's custodian Glenn Randers-Pehrson asked for the CVE for the bug here. He writes:

“I request a CVE for a vulnerability in libpng, all versions, in the png_set_PLTE/png_get_PLTE functions. These functions failed to check for an out-of-range palette when reading or writing PNG files with a bit_depth less than 8. Some applications might read the bit depth from the IHDR chunk and allocate memory for a 2^N entry palette, while libpng can return a palette with up to 256 entries even when the bit depth is less than 8.

“libpng versions 1.6.19, 1.5.24, 1.4.17, 1.2.54, and 1.0.64 were released today (12 November 2015) to fix this vulnerability. See”.
Via: The Register

About the Author

Thomas De Maesschalck

Thomas has been messing with computer since early childhood and firmly believes the Internet is the best thing since sliced bread. Enjoys playing with new tech, is fascinated by science, and passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.

Loading Comments