libpng executes injected malicious code
Security expert Tavis Ormandy of Google's security team and oCERT has discovered a security hole in the open source libpng library through which code can be executed when manipulated PNG files are being processed.
The security hole is caused by incorrect handling of unknown chunks with a length of 0. It can only be exploited if libpng was compiled with the PNG_READ_UNKNOWN_CHUNKS_SUPPORTED or PNG_READ_USER_CHUNKS_SUPPORTED option; the latter option is active by default. In addition, the application linked against libpng has to call png_set_read_user_chunk_fn() or png_set_keep_unknown_chunks(). According to libpng's developers, very few programs do so. Examples include pngtest, the demonstration program from the libpng package, pngcrush, and the widely used ImageMagick, versions 6.2.5 to 6.4.0-4. The current ImageMagick version as of April 11 is 6.4.0-6.
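To illustrate the chunk handling at issue, here is an added example that is not libpng's own code: a small PNG chunk walker that hands every chunk outside a minimal known set to a callback (the role a png_set_read_user_chunk_fn() callback plays in libpng) and treats a zero-length chunk as valid but data-less, so no pointer to a non-existent payload is ever formed. The type and function names, the sample bytes and the callback are constructed for this example; CRC verification is left out.

```c
#include <stdint.h>
#include <string.h>
/* Added illustration, not libpng code: a chunk walker that treats a zero-length
 * unknown chunk as valid but data-less and never forms a pointer to a payload
 * that does not exist. CRC verification is omitted to keep the example short. */
typedef struct { char type[5]; uint32_t length; const uint8_t *data; } chunk_view;
/* type is NUL-terminated; data is NULL when length == 0 */
static const uint8_t png_sig[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};
/* Walks the chunk stream and hands chunks outside a minimal known set to
 * unknown_cb, the role a png_set_read_user_chunk_fn callback plays in libpng.
 * Returns the number of chunks walked, or -1 if the stream is malformed. */
int png_walk_chunks(const uint8_t *buf, size_t len,
                    void (*unknown_cb)(const chunk_view *, void *), void *ctx)
{
    size_t off = 8;
    int n = 0;
    if (len < 8 || memcmp(buf, png_sig, 8) != 0) return -1;
    while (off < len) {
        chunk_view c;
        const uint8_t *p = buf + off;
        if (len - off < 12) return -1;            /* need length+type+CRC */
        c.length = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                   ((uint32_t)p[2] << 8) | (uint32_t)p[3];
        if (c.length > 0x7fffffffu) return -1;    /* PNG length limit */
        if (c.length > len - off - 12) return -1; /* payload runs past end */
        memcpy(c.type, p + 4, 4);
        c.type[4] = '\0';
        c.data = c.length ? p + 8 : NULL;         /* no pointer for 0 bytes */
        if (unknown_cb && strcmp(c.type, "IHDR") && strcmp(c.type, "IEND"))
            unknown_cb(&c, ctx);
        n++;
        if (strcmp(c.type, "IEND") == 0) break;
        off += 12 + c.length;
    }
    return n;
}
/* Example user-chunk callback: counts zero-length chunks without touching data. */
static void count_zero_len(const chunk_view *c, void *ctx)
{
    if (c->length == 0 && c->data == NULL) (*(int *)ctx)++;
}
/* Constructed sample: signature, IHDR (1x1 RGB), zero-length private chunk
 * "zeRo", IEND. CRC fields are zero placeholders; they are not verified here. */
static const uint8_t sample_png[] = {
    0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13, 'I', 'H', 'D', 'R',
    0, 0, 0, 1, 0, 0, 0, 1, 8, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 'z', 'e', 'R', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 'I', 'E', 'N', 'D', 0, 0, 0, 0};
```

Feeding a stream whose declared chunk length exceeds the remaining bytes makes the walker return -1 instead of reading past the buffer.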
The vulnerability affects all versions of libpng after 1.0.6. Versions 1.2.27 and 1.0.33 will no longer contain the error, but will not be released until the end of this month. Currently libpng 1.2.27beta01 is available and is not affected. Administrators running vulnerable installations ought to update to the beta version straight away.
See also:
- libpng zero-length chunks incorrect handling, oCERT security advisory
- Libpng-1.2.26 security advisory, libpng developers' security advisory
(mba)