libpng executes injected malicious code
Security expert Tavis Ormandy of Google's security team and oCERT has discovered a security hole in the open source libpng library through which code can be executed when manipulated PNG files are being processed.
The security hole is caused by incorrect handling of unknown chunks with a length of 0. It can only be exploited if libpng was compiled with the PNG_READ_USER_CHUNKS_SUPPORTED option, which is active by default. In addition, the application linked against libpng has to call png_set_keep_unknown_chunks(). According to libpng's developers, very few programs do so. Examples include pngtest, the demonstration program from the libpng package, pngcrush, and the widely used ImageMagick, versions 6.2.5 to 6.4.0-4. The current ImageMagick version as of April 11 is 6.4.0-6.
The vulnerability affects all versions of libpng after 1.0.6. Versions 1.2.27 and 1.0.33 will no longer contain the error, but will not be released until the end of this month. Currently libpng 1.2.27beta01 is available and is not affected. Administrators running vulnerable installations ought to update to the beta version straight away.
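As an added illustration (not code from the article, oCERT or the libpng project), the following check walks a PNG's chunk list and reports the chunk shape the advisory describes: a chunk libpng does not decode itself that carries no data. The set of chunk types listed as "known" is an assumption about the 1.2 series, the sample image is constructed inline, and "ruNd" is a made-up private chunk type.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types libpng decodes itself (assumed list for the 1.2 series); anything
# else reaches the unknown-chunk path that png_set_keep_unknown_chunks() controls.
LIBPNG_KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"bKGD", b"cHRM", b"gAMA", b"hIST",
    b"iCCP", b"iTXt", b"oFFs", b"pCAL", b"pHYs", b"sBIT", b"sCAL", b"sPLT",
    b"sRGB", b"tEXt", b"tIME", b"tRNS", b"zTXt",
}

def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk, rejecting a malformed stream early."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos < len(png):
        if pos + 8 > len(png):
            raise ValueError("truncated chunk header")
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        end = pos + 8 + length
        if end + 4 > len(png):
            raise ValueError(f"truncated chunk {ctype!r}")
        data = png[pos + 8:end]
        (crc,) = struct.unpack(">I", png[end:end + 4])
        if crc != zlib.crc32(ctype + data):
            raise ValueError(f"bad CRC on chunk {ctype!r}")
        yield ctype, data
        pos = end + 4

def zero_length_unknown_chunks(png: bytes) -> list:
    """Types of chunks libpng would treat as unknown and that carry no data."""
    return [ctype for ctype, data in iter_chunks(png)
            if ctype not in LIBPNG_KNOWN_CHUNKS and len(data) == 0]

def make_chunk(ctype: bytes, data: bytes = b"") -> bytes:
    # One chunk: 4-byte big-endian length, type, data, CRC-32 over type+data.
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data)))

# Constructed 1x1 greyscale PNG: valid IHDR/IDAT/IEND plus one zero-length
# private ancillary chunk ("ruNd" is a made-up type, not a registered one).
SAMPLE_PNG = (PNG_SIGNATURE
              + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + make_chunk(b"ruNd")
              + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + make_chunk(b"IEND"))
```

Running `zero_length_unknown_chunks(SAMPLE_PNG)` returns `[b'ruNd']`; the zero-length IEND chunk is not reported because libpng handles it itself.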
- libpng zero-length chunks incorrect handling, oCERT security advisory
- Libpng-1.2.26 security advisory, libpng developers' security advisory