Decades-old bug in the libpng open source graphics library patched
A low-severity vulnerability dating back to 1995 in libpng, the official reference library implementation for PNG, may have enabled remote DoS attacks.
The latest vulnerability in a widely used open source graphics library may be low in severity, but it's very high in age.
A bug was recently discovered in all versions of libpng, the official reference library for the Portable Network Graphics (PNG) specification, dating back to version 0.71, first released in June 1995. The vulnerability was patched at the end of December.
Libpng is platform-independent and included in many Linux distributions. The vulnerability can be used to execute a remote denial-of-service attack, but successful exploitation of the open source graphics library requires very specific conditions, as well as active user input.
"This release fixes an old NULL pointer dereference bug in png_set_text_2() discovered and patched by [open source developer] Patrick Keshishian. The potential 'NULL dereference' bug has existed in libpng since version 0.71 of June 26, 1995," the Slackware Linux security team wrote in its security advisory. "To be vulnerable, an application has to load a text chunk into the PNG structure, then delete all text, then add another text chunk to the same PNG structure, which seems to be an unlikely sequence, but it has happened."
While the sequence of text loading and deleting may seem unlikely, the vulnerability does not occur in applications capable only of viewing PNG images -- it is limited to PNG-editing applications. Furthermore, the libpng project noted there are no known PNG graphics editors susceptible to the vulnerability without interactive user input.
"Virtually all libpng versions through 1.6.26, 1.5.27, 1.4.19, 1.2.56 and 1.0.66, respectively, have a null-pointer-dereference bug in png_set_text_2() when an image-editing application adds, removes and readds text chunks to a PNG image," the libpng project wrote on its website. "This bug does not affect pure viewers, nor are there any known editors that could trigger it without interactive user input."
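The add, delete-all, re-add sequence described in the advisories, shown as an added C example that is not libpng source and not part of the original article. It is a simplified model in which the cleanup frees the text array but leaves its capacity counter stale, so the next add skips allocation; the struct, the function names and the stale-counter mechanism are assumptions of this model.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of a text-chunk array with use/capacity counters.
   Names are hypothetical; this is not libpng source. */
typedef struct { const char **text; int num_text, max_text; } info_model;
enum { ADD_OK, ADD_NOMEM, ADD_NULL_DEREF };

/* Append one entry, growing the array only when the counters say it is full. */
static int add_text(info_model *info, const char *entry)
{
    if (info->num_text >= info->max_text) {
        int new_max = info->num_text + 8;
        const char **grown = realloc(info->text, new_max * sizeof *grown);
        if (grown == NULL)
            return ADD_NOMEM;
        info->text = grown;
        info->max_text = new_max;
    }
    /* An unguarded store here is the NULL dereference; report it instead. */
    if (info->text == NULL)
        return ADD_NULL_DEREF;
    info->text[info->num_text++] = entry;
    return ADD_OK;
}

/* Delete all text. reset_capacity=0 models a cleanup that leaves max_text
   stale (assumed flaw); reset_capacity=1 models the corrected cleanup. */
static void free_all_text(info_model *info, int reset_capacity)
{
    free(info->text);
    info->text = NULL;
    info->num_text = 0;
    if (reset_capacity)
        info->max_text = 0;
}

/* Run add, delete-all, re-add; return the result of the re-add. */
int add_delete_readd(int reset_capacity)
{
    info_model info = { NULL, 0, 0 };
    if (add_text(&info, "Title") != ADD_OK)
        return ADD_NOMEM;
    free_all_text(&info, reset_capacity);
    int rc = add_text(&info, "Comment");
    free(info.text);
    return rc;
}

int main(void) { printf("stale: %d, reset: %d\n", add_delete_readd(0), add_delete_readd(1)); return 0; }
```

An application that only adds text, as a pure viewer loading a file does, never reaches the stale-counter state, which matches the project's statement that viewers are unaffected.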
The libpng open source graphics library project announced availability of the patches on Dec. 29, 2016, and the vulnerability is tracked as CVE-2016-10087. Linux distributions, including Red Hat, SUSE and Arch, assessed the vulnerability's severity as "low" in their advisories, while Debian rated the vulnerability severity as "important" in its advisory.