mark :: blog

10 Aug 2004: PNG Critical Security Flaw

Last week we published fixes for flaws in libPNG found by a UK researcher. Since these flaws didn't get much press attention I wanted to take this opportunity to fill in a few of the details. If you don't want the details just goto https://rhn.redhat.com/cve/CAN-2004-0597.html and update your systems right now.

Chris Evans discovered a stack buffer overflow in the libPNG library. This means that an attacker could create a malicious PNG image file to take advantage of the flaw. If you were to view that malicious image on your system then it could execute arbitrary code as you. Since most applications that display PNG files are linked to libPNG or contain libPNG code, that increases the risk of this flaw.

Whilst researching affected applications we found that most browsers were affected - so an attacker would simply have to put a malicious image onto a web site that you visit. You'd still need to be forced to visit that web site though. Or maybe the attacker can act as a man-in-the-middle and inject the malicious image file (as was reported recently at DefCon where wireless surfers had all their images replaced). More worrying are perhaps email applications that might load images by default, which could allow propegation of a worm. This isn't an issue that only affects Linux; just sending malicious images in attachments to someone using AppleMail on MAC OSX is enough to trigger the flaw.

Although i've not yet seen an exploit containing shellcode for this issue we believe it is triviallly exploitable. This is a "Critical" update.

Red Hat Enterprise Linux users need to update their libpng and Mozilla (which contained it's own copy of libpng) packages. Updating libpng is sufficient to protect all the applications that use that library to decode images (although you'll need to restart any applications you've already got running to pick up the change, it's probably easiest just to restart your system if you're unsure).

Fedora Core users should be protected against possible exploits of this issue by exec-shield, but should still upgrade (as a malicious PNG file would still crash an application).

https://rhn.redhat.com/cve/CAN-2004-0597.html

Because libpng is under a BSD-style license, anyone is basically free to use or include libpng even in closed-source products. So expect to see a whole raft of advisories over the coming weeks as other vendors come to discover that they're vulnerable to this issue.

Created: 10 Aug 2004
Tagged as: , ,

Hi! I'm Mark Cox. This blog gives my thoughts on security work, open source, home automation, and other topics.

popular tags: [all], apache, cve, cvss, fedora, ha, metrics, microsoft, redhat, security

Subscribe to RSS feed