In association with heise online

14 April 2008, 17:14

libpng executes injected malicious code


Security expert Tavis Ormandy of Google's security team and oCERT has discovered a security hole in the open source libpng library through which code can be executed when manipulated PNG files are being processed.

The security hole is caused by incorrect handling of unknown chunks with a length of 0. It can only be exploited if libpng was compiled with the PNG_READ_UNKNOWN_CHUNKS_SUPPORTED or PNG_READ_USER_CHUNKS_SUPPORTED option – the latter option is active by default.

Also, the application linked to libpng has to use png_set_read_user_chunk_fn() or png_set_keep_unknown_chunks(). According to libpng's developers, very few programs do. Examples include pngtest, the demonstration program from the libpng package, pngcrush, and the widely used ImageMagick, versions 6.2.5 to 6.4.0-4. The current ImageMagick version as of April 11 is 6.4.0-6.
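As an added illustration (not code from the article, libpng or oCERT), a small Python scanner that walks a PNG's chunk list and flags the condition described above, unknown chunks with a declared length of 0, so that files meeting it can be spotted at ingestion before they reach an application built on a vulnerable libpng. The list of chunk types libpng handles itself is assumed from the PNG specification, and the sample image is constructed here.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types libpng processes itself; anything else is "unknown" to it.
# Assumption: the standard/registered chunk list, not taken from the article.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"bKGD", b"cHRM", b"gAMA", b"hIST",
    b"iCCP", b"iTXt", b"oFFs", b"pCAL", b"pHYs", b"sBIT", b"sCAL", b"sPLT",
    b"sRGB", b"tEXt", b"tIME", b"tRNS", b"zTXt",
}


def iter_chunks(data):
    """Yield (type, payload, crc_ok) for every chunk in a PNG byte string."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc_bytes) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        # PNG CRC-32 covers the type field and the payload, not the length.
        expected = struct.unpack(">I", crc_bytes)[0]
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == expected
        yield ctype, payload, crc_ok
        pos += 12 + length
        if ctype == b"IEND":
            break


def zero_length_unknown_chunks(data):
    """Return the types of unknown chunks whose declared length is 0,
    i.e. the case the article says libpng mishandles."""
    return [ctype for ctype, payload, _ in iter_chunks(data)
            if ctype not in KNOWN_CHUNKS and len(payload) == 0]


def _chunk(ctype, payload=b""):
    """Build one chunk: length, type, payload, CRC over type + payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed sample: a 1x1 greyscale image carrying an empty private chunk "prVt".
SAMPLE_PNG = (PNG_SIGNATURE
              + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"prVt")
              + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + _chunk(b"IEND"))

if __name__ == "__main__":
    print(zero_length_unknown_chunks(SAMPLE_PNG))  # [b'prVt']
```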

The vulnerability affects all versions of libpng after 1.0.6. Versions 1.2.27 and 1.0.33 will no longer contain the error, but will not be released until the end of this month. Currently libpng 1.2.27beta01 is available and is not affected. Administrators running vulnerable installations ought to update to the beta version straight away.
