PNG pongs: critical bug patched in ubiquitous libpng
Crafted image crashes apps, server processes
This will not be fun: the graphics processing library libpng has a vulnerability and needs to be patched.
The problem is that libpng is everywhere – in browsers, in anything that processes photos to produce thumbnails, in file browsers, music players, and applications on every operating system.
The bug is a simple denial-of-service at this stage, but that won't be where it ends, since bugs that let attackers crash applications are a favourite starting point for more effective nastiness.
Libpng's custodian Glenn Randers-Pehrson asked for the CVE for the bug here. He writes:
“I request a CVE for a vulnerability in libpng, all versions, in the png_set_PLTE/png_get_PLTE functions. These functions failed to check for an out-of-range palette when reading or writing PNG files with a bit_depth less than 8. Some applications might read the bit depth from the IHDR chunk and allocate memory for a 2^N entry palette, while libpng can return a palette with up to 256 entries even when the bit depth is less than 8.
“libpng versions 1.6.19, 1.5.24, 1.4.17, 1.2.54, and 1.0.64 were released today (12 November 2015) to fix this vulnerability. See libpng.sourceforge.net”.
(Note: when The Register tried to check the Sourceforge page, it had been hosed by worried software developers.)
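The mismatch Randers-Pehrson describes is between the palette size an application derives from the IHDR bit depth (2^N entries) and the up-to-256-entry palette the library can hand back. The check below is an added example of how an application should guard that copy; it is not libpng's code or its patch, and the `rgb_entry` type, the helper names and the sample palette are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for a palette entry (constructed; libpng's own type is png_color). */
typedef struct { uint8_t red, green, blue; } rgb_entry;

/* A PNG palette image has bit depth 1, 2, 4 or 8 and a palette of at most
 * 2^bit_depth entries (never more than 256). Returns that limit, or 0 when the
 * bit depth is not valid for a palette image. */
size_t max_palette_entries(int bit_depth)
{
    if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 && bit_depth != 8)
        return 0;
    return (size_t)1u << bit_depth;
}

/* Copy a decoder-supplied palette into a buffer the caller sized from the IHDR
 * bit depth. Returns the number of entries copied, or -1 if the palette does
 * not fit: the out-of-range case the advisory says libpng did not reject. */
int copy_palette_checked(int bit_depth,
                         const rgb_entry *src, size_t num_palette,
                         rgb_entry *dst, size_t dst_entries)
{
    size_t limit = max_palette_entries(bit_depth);
    if (limit == 0 || num_palette > limit)   /* bad IHDR depth, or > 2^N entries */
        return -1;
    if (num_palette > dst_entries)           /* caller's buffer is smaller still */
        return -1;
    memcpy(dst, src, num_palette * sizeof *src);
    return (int)num_palette;
}

/* Simulates the pattern in the advisory: the application "allocates"
 * 2^bit_depth entries, then copies whatever palette length the decoder
 * reports. Returns entries copied, or -1 when the checked copy refuses. */
int simulate_app_copy(int bit_depth, size_t num_palette)
{
    static const rgb_entry plte[256];   /* constructed decoder output, all zero */
    rgb_entry app_buf[256];             /* backing store; only 2^N entries "allocated" */
    size_t allocated = max_palette_entries(bit_depth);
    if (num_palette > sizeof plte / sizeof plte[0])
        return -1;
    return copy_palette_checked(bit_depth, plte, num_palette, app_buf, allocated);
}
```

A 256-entry PLTE arriving for a 4-bit image is refused instead of overrunning the 16-entry buffer, while palettes within 2^N entries copy normally.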
The bug has a CVSS base score of 7.5. It's easy to exploit, network exploitable, and as NIST notes, it “allows unauthorised disclosure of information; allows unauthorised modification; allows disruption of service”.
Hacker News has a long discussion of possible impacts here. ®