update vulnerable libpng to fixed version?

Chuck Swiger cswiger at mac.com
Thu Aug 5 08:16:12 PDT 2004

Andrey Chernov wrote:
> On Wed, Aug 04, 2004 at 04:38:02PM -0400, Charles Swiger wrote:
[ ... ]
>> Here's a diff which updates the png port to 1.2.6rc1:
> We can't make public what is intentionally non-public, from 
> libpng-1.2.6rc1-README.txt:
> Libpng 1.2.6rc1 - August 4, 2004
> This is not intended to be a public release.  It will be replaced
> within a few weeks by a public version or by another test version.

Certainly it is OK by me if you want to wait for a few weeks; I've already 
updated my systems which are using libpng.  What you've said about the README 
is topical and I acknowledge the point you make.

However, having 1.2.6rc1 listed as the recommended upgrade path in a CERT 
advisory probably makes 1.2.6rc1 more public than it would have been, 
otherwise.  Speaking of which, the CERT advisory reads:

    In the case of VU#388984, an attacker with the ability to introduce a
    malformed PNG image to a vulnerable application could cause the
    application to crash or could potentially execute arbitrary code with
    the privileges of the user running the affected application.

I believe this means that the severity of the bug is critical in terms of 
security, and that the exploit is as easy as having someone browse past a 
malicious website containing a PNG image and/or opening a mail message 
containing one (for someone running Mozilla, KDE's Mailwhichamacallit, etc).

I don't know that any exploits exist today which try to take advantage of the 
issue, and I would expect the bad guys to target Windows first, Linux second, 
and other platforms third-- but please, let's fix this sooner rather than 
later by finding out the hard way that I was wrong.


More information about the freebsd-ports mailing list