Libpng 1.6.51: Four buffer overflow vulnerabilities fixed

Libpng 1.6.51: Four buffer overflow vulnerabilities fixed(openwall.com)

45 points by ledoge 177 days ago | 9 comments

ziotom78 177 days ago |

It’s fantastic they were able to find these issues!

That four new CVEs (two high-severity!) were found in a mature and well-tested library like png reminds me how non-trivial and unforgiving software engineering can be.

Security flaws are often just waiting behind the corner: this should be humbling lesson for all of us.

kevincox 177 days ago |

> All vulnerabilities require user interaction (processing a malicious PNG file)

What world is the author living in where PNGs aren't very frequently read and written with no user interaction. The web obviously displays PNGs with no prompt, sites can generate PNGs with canvas trivially and with no explicit permission. PNGs are also often displayed in notifications and may come from untrustworthy sources.

This feels like an irresponsible downplay of the severity.

lol768 177 days ago | |

I thought this initially too, but there's a comment on https://bugzilla.mozilla.org/show_bug.cgi?id=2001758#c5 that suggests a belief it doesn't affect Firefox at all. So I don't know if the surface for these is particularly obscure such that browsers are insulated?

applied_heat 177 days ago |

Affects back to version 1.6.0 released Feb 14, 2013

lousken 177 days ago |

rust rewrite when?

pornel 177 days ago | |

Chrome is already in the process of removing libpng.

zamadatix 177 days ago | | |

For those curious on what to instead, it seems like they made an in house Skia module (using Rust) named SkPngRustDecoder (and Encoder).

pajko 174 days ago | |

https://www.cve.org/CVERecord/SearchResults?query=rust