PNG image-processing library libpng discloses vulnerability; initial fix released
The image-processing library libpng has disclosed a vulnerability that needs to be patched as soon as possible. The biggest problem is how widespread libpng is: browsers and their image-processing code, file viewers, music players and other applications that every operating system depends on all use it.
A specially crafted image can crash an application or even a server process.
First of all, this is not good news: the image-processing library libpng has disclosed a vulnerability and needs to be patched as soon as possible. The biggest problem is how widespread libpng is: browsers and their image-processing code, file viewers, music players and other applications that every operating system depends on all use it.
For now the confirmed impact of this vulnerability is only a denial of service, but its follow-on impact may not stop there. The vulnerability lets an attacker crash an application, which is a convenient starting point for an intruder to push further into the system.
libpng's security lead, Glenn Randers-Pehrson, has requested a Common Vulnerabilities and Exposures (CVE) identifier for the vulnerability. He also wrote:
"I submitted a security vulnerability report to CVE for the png_set_PLTE/png_get_PLTE functions in all libpng versions. When writing or reading PNG files, these functions do not check for an out-of-range palette when the bit_depth is less than 8. Some applications read the bit depth from the image header chunk (IHDR) and allocate memory for a 2^N-entry palette; in that case, even though the bit depth is lower than 8, libpng can return a palette of up to 256 colours.
"The latest libpng versions, 1.6.19, 1.5.24, 1.4.17, 1.2.54 and 1.0.64, were released with the fix today (July 22, November 12, 2015). See libpng.sourceforge.net for details."
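The quoted advisory describes the application-side pattern that gets hurt: the program sizes its colour table from the IHDR bit depth (2^N entries) and then trusts whatever palette count it is handed, which can be up to 256. The check below is an added illustration written for this article, not code from libpng or from the advisory; it bounds a PLTE chunk's entry count by 2^bit_depth before anything is copied into a table of that size. The function names, the `rgb_t` type and the two constructed chunk byte arrays are assumptions for the example, and the chunk CRC is deliberately not verified here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint8_t r, g, b; } rgb_t;

/* Maximum number of PLTE entries an indexed-colour PNG with this IHDR
   bit_depth may carry: 2^bit_depth, never more than 256. Bit depths other
   than 1, 2, 4 and 8 are invalid for a palette image, so return 0. */
size_t max_palette_entries(uint8_t bit_depth) {
    switch (bit_depth) {
        case 1: case 2: case 4: case 8: return (size_t)1 << bit_depth;
        default: return 0;
    }
}

/* A PLTE payload holds 3 bytes (RGB) per entry. Returns the entry count if
   the payload fits a 2^bit_depth-entry table, or -1 if it must be rejected
   (bad bit depth, empty, length not a multiple of 3, or too many entries). */
int checked_palette_entries(uint8_t bit_depth, uint32_t plte_length) {
    size_t limit = max_palette_entries(bit_depth);
    if (limit == 0 || plte_length == 0 || plte_length % 3 != 0) return -1;
    uint32_t entries = plte_length / 3;
    if (entries > limit) return -1;   /* would overrun the caller's table */
    return (int)entries;
}

/* Big-endian 32-bit chunk length, as stored in every PNG chunk header. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse one raw PNG chunk (4-byte length, 4-byte type, payload, 4-byte CRC)
   and copy its palette into `table`, which the caller sized as
   max_palette_entries(bit_depth). The CRC is not verified in this example;
   a real decoder checks it before trusting the payload. Returns the number
   of entries copied, or -1 and leaves the table untouched on rejection. */
int load_plte_chunk(uint8_t bit_depth, const uint8_t *chunk, size_t chunk_len,
                    rgb_t *table, size_t table_entries) {
    if (chunk_len < 12) return -1;                        /* header + CRC */
    uint32_t len = be32(chunk);
    if (memcmp(chunk + 4, "PLTE", 4) != 0) return -1;
    if (len > chunk_len - 12) return -1;                  /* truncated chunk */
    int n = checked_palette_entries(bit_depth, len);
    if (n < 0 || (size_t)n > table_entries) return -1;    /* defence in depth */
    const uint8_t *p = chunk + 8;
    for (int i = 0; i < n; i++) {
        table[i].r = p[3 * i];
        table[i].g = p[3 * i + 1];
        table[i].b = p[3 * i + 2];
    }
    return n;
}

/* Constructed sample: a PLTE chunk for a 4-bit image that claims 18 entries
   (54 bytes). An application that allocated 16 entries from bit_depth and
   copied 18 would write past its table. Payload and CRC bytes are left
   zero because the colour values do not matter for the check. */
static const uint8_t oversized_plte[8 + 54 + 4] = {
    0x00, 0x00, 0x00, 0x36, 'P', 'L', 'T', 'E',
};

/* Constructed sample: a well-formed 4-bit palette with 16 entries (48 bytes). */
static const uint8_t valid_plte[8 + 48 + 4] = {
    0x00, 0x00, 0x00, 0x30, 'P', 'L', 'T', 'E',
};

/* Run both samples against a table sized from bit_depth = 4, as the
   advisory describes. Returns 1 when the oversized chunk is rejected and
   the valid one yields exactly 16 entries. */
int demo(void) {
    rgb_t table[16];
    int bad  = load_plte_chunk(4, oversized_plte, sizeof oversized_plte, table, 16);
    int good = load_plte_chunk(4, valid_plte, sizeof valid_plte, table, 16);
    printf("oversized palette: %d, valid palette: %d\n", bad, good);
    return bad == -1 && good == 16;
}

int main(void) { return demo() ? 0 : 1; }
```

The point of the example is the bound, not the copy loop: whatever the image library returns, the consumer compares the palette count against 2^bit_depth (and against the size of the buffer it actually allocated) before touching memory, so a palette that is larger than the bit depth allows is rejected rather than overrunning the table.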
(Note: when we visited the SourceForge page, it was already swamped by worried software developers.)
This vulnerability was rated 7.5 in the CVE database. Its ease of exploitation poses a risk to networked systems and, as NIST notes, it "allows unauthorized disclosure of information, unauthorized modification, and disruption of service".