update vulnerable libpng to fixed version?
Chuck Swiger
cswiger at mac.com
Thu Aug 5 08:16:12 PDT 2004
Andrey Chernov wrote:
> On Wed, Aug 04, 2004 at 04:38:02PM -0400, Charles Swiger wrote:
[ ... ]
>> Here's a diff which updates the png port to 1.2.6rc1:
>
> We can't make public what is intentionally non-public, from
> libpng-1.2.6rc1-README.txt:
>
> Libpng 1.2.6rc1 - August 4, 2004
>
> This is not intended to be a public release. It will be replaced
> within a few weeks by a public version or by another test version.

Certainly it is OK by me if you want to wait for a few weeks; I've already
updated my systems which are using libpng. What you've said about the README
is topical and I acknowledge the point you make.

However, having 1.2.6rc1 listed as the recommended upgrade path in a CERT
advisory probably makes 1.2.6rc1 more public than it would have been,
otherwise. Speaking of which, the CERT advisory reads:

    In the case of VU#388984, an attacker with the ability to introduce a
    malformed PNG image to a vulnerable application could cause the
    application to crash or could potentially execute arbitrary code with
    the privileges of the user running the affected application.

I believe this means that the severity of the bug is critical in terms of
security, and that the exploit is as easy as having someone browse past a
malicious website containing a PNG image and/or opening a mail message
containing one (for someone running Mozilla, KDE's Mailwhichamacallit, etc).

I don't know that any exploits exist today which try to take advantage of the
issue, and I would expect the bad guys to target Windows first, Linux second,
and other platforms third-- but please, let's fix this sooner rather than
later by finding out the hard way that I was wrong.

--
-Chuck