libpng: Remote execution of arbitrary code

A null pointer dereference in libpng might allow remote attackers to execute arbitrary code.

Affected Packages
Package media-libs/libpng on all architectures

Affected versions: < 1.6.27
Unaffected versions: >= 1.6.27, >= 1.5.28, >= 1.4.20, >= 1.2.57, >= 1.0.67

Background
libpng is a standard library used to process PNG (Portable Network Graphics) images. It is used by several programs, including web browsers and potentially server processes.

Description
A null pointer dereference was discovered in libpng in the png_push_save_buffer function. In order to be vulnerable, an application has to load a text chunk into the PNG structure, then delete all text, then add another text chunk to the same PNG structure, which seems to be an unlikely sequence, but it is possible.

Impact
A remote attacker, by enticing a user to process a specially crafted PNG file, could execute arbitrary code with the privileges of the process.

libpng-1.6.27 has been released to fix an old NULL pointer dereference
bug in png_set_text_2() discovered and patched by Patrick Keshishian.

New releases of legacy branches (1.0.67, 1.2.57, 1.4.20, and 1.5.28) have
also been released. Other versions can be patched by adding a single
line

  info_ptr->max_text = 0;

at the appropriate spot in png.c.

The potential “NULL dereference” bug has existed in libpng
since version 0.71 of June 26, 1995. To be vulnerable, an application
has to load a text chunk into the png structure, then delete all text, then
add another text chunk to the same png structure, which seems to be
an unlikely sequence, but it has happened.

Applications that I have looked at (firefox, imagemagick, graphicsmagick,
pngcrush) do not appear to be vulnerable.

https://security.gentoo.org/glsa/201701-74
http://www.openwall.com/lists/oss-security/2016/12/29/2
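
The sequence described above (add text, delete all text, add text again), as an added C example that is not libpng source and not code from either advisory. It is a simplified model, assumed from the description and the one-line fix, in which deleting text frees the array but leaves max_text stale; `struct info_model`, `model_free_text`, `model_set_text` and `run_sequence` are hypothetical names, and the model returns -2 at the point where a NULL pointer would otherwise be written through.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified model of the text bookkeeping; NOT libpng source. */
struct info_model {
    char **text;     /* array of stored text entries */
    int num_text;    /* entries in use */
    int max_text;    /* entries allocated */
};

/* Delete all text. 'patched' selects whether the capacity is reset too. */
static void model_free_text(struct info_model *info, int patched)
{
    for (int i = 0; i < info->num_text; i++)
        free(info->text[i]);
    free(info->text);
    info->text = NULL;
    info->num_text = 0;
    if (patched) info->max_text = 0;   /* the one-line fix quoted above */
}

/* Add one entry: 0 on success, -1 on allocation failure,
   -2 when stale state would have led to a write through NULL. */
static int model_set_text(struct info_model *info, const char *s)
{
    if (info->num_text + 1 > info->max_text) {   /* grow only when "full" */
        char **p = realloc(info->text, (info->max_text + 8) * sizeof *p);
        if (p == NULL) return -1;
        info->text = p;
        info->max_text += 8;
    }
    if (info->text == NULL) return -2;   /* max_text > 0 but array is gone */
    char *copy = malloc(strlen(s) + 1);
    if (copy == NULL) return -1;
    strcpy(copy, s);
    info->text[info->num_text++] = copy;
    return 0;
}

/* Run the sequence from the advisory: add, delete all, add again. */
int run_sequence(int patched)
{
    struct info_model info = {NULL, 0, 0};
    if (model_set_text(&info, "Title") != 0) return -1;
    model_free_text(&info, patched);
    int rc = model_set_text(&info, "Author");
    model_free_text(&info, 1);   /* clean up whatever was allocated */
    return rc;
}

int main(void) { return (run_sequence(0) == -2 && run_sequence(1) == 0) ? 0 : 1; }
```

The same three-step sequence, written against the real library, makes a useful regression test for an application that reuses one info structure across text updates.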
