The latest vulnerability in a widely used open source graphics library may be low in severity, but it's very high...
A bug was recently discovered in all versions of libpng, the official reference library for the Portable Network Graphics (PNG) specification, dating back to version 0.71 first released in June 1995. The vulnerability was patched at the end of December.
Libpng is platform-independent and included in many Linux distributions. The vulnerability can be used to mount a remote denial-of-service attack, but successful exploitation of the open source graphics library requires very specific conditions as well as active user input.
"This release fixes an old NULL pointer dereference bug in png_set_text_2() discovered and patched by [open source developer] Patrick Keshishian. The potential 'NULL dereference' bug has existed in libpng since version 0.71 of June 26, 1995," the Slackware Linux security team wrote in its security advisory. "To be vulnerable, an application has to load a text chunk into the PNG structure, then delete all text, then add another text chunk to the same PNG structure, which seems to be an unlikely sequence, but it has happened."
While the sequence of text loading and deleting may seem unlikely, the vulnerability does not occur in applications capable only of viewing PNG images -- it is limited to PNG-editing applications. Furthermore, the libpng project noted there are no known PNG graphics editors susceptible to the vulnerability without interactive user input.
"Virtually all libpng versions through 1.6.26, 1.5.27, 1.4.19, 1.2.56 and 1.0.66, respectively, have a null-pointer-dereference bug in png_set_text_2() when an image-editing application adds, removes and readds text chunks to a PNG image," the libpng project wrote on its website. "This bug does not affect pure viewers, nor are there any known editors that could trigger it without interactive user input."
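The sequence the advisories describe (load a text chunk, delete all text, add another text chunk) is the classic shape of a NULL pointer dereference caused by bookkeeping that is only partly reset when a buffer is freed. The C program below is an added illustration written for this article, not libpng's code: it models an editor's in-memory text-chunk store as a count/capacity pair and assumes, purely for illustration, that the "delete all" step clears the pointer and the count but leaves the capacity stale, so the next add skips reallocation and writes through NULL. Whether that is the exact mechanism inside png_set_text_2() is not stated in the advisories and is an assumption here; every type and function name (text_store, text_store_add, run_sequence and so on) is invented. The text_store_consistent() check is the kind of invariant a defender would assert in a debug build to catch the broken state before the faulting write.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One text chunk as an editing application holds it in memory: a keyword
 * (e.g. "Comment") and its text. Constructed model, not libpng's png_text. */
struct text_chunk {
    char *key;
    char *text;
};

/* Growable array of text chunks: 'count' slots in use, 'capacity' allocated. */
struct text_store {
    struct text_chunk *entries;
    size_t count;
    size_t capacity;
};

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Invariant the add routine relies on: a NULL buffer means nothing is
 * allocated, so capacity and count must both be zero. */
int text_store_consistent(const struct text_store *s)
{
    if (s->entries == NULL)
        return s->capacity == 0 && s->count == 0;
    return s->count <= s->capacity;
}

/* Append a chunk, growing the buffer only when count has reached capacity.
 * If capacity is stale (non-zero) while entries is NULL, the growth branch
 * is skipped and the write below dereferences NULL. */
int text_store_add(struct text_store *s, const char *key, const char *text)
{
    if (s->count == s->capacity) {
        size_t new_cap = s->capacity ? s->capacity * 2 : 4;
        struct text_chunk *p = realloc(s->entries, new_cap * sizeof *p);
        if (p == NULL)
            return -1;
        s->entries = p;
        s->capacity = new_cap;
    }
    s->entries[s->count].key = dup_str(key);
    s->entries[s->count].text = dup_str(text);
    if (s->entries[s->count].key == NULL || s->entries[s->count].text == NULL) {
        free(s->entries[s->count].key);
        free(s->entries[s->count].text);
        return -1;
    }
    s->count++;
    return 0;
}

static void release_entries(struct text_store *s)
{
    size_t i;
    for (i = 0; i < s->count; i++) {
        free(s->entries[i].key);
        free(s->entries[i].text);
    }
    free(s->entries);
    s->entries = NULL;
    s->count = 0;
}

/* "Delete all text", buggy variant (assumed mechanism): frees the buffer and
 * resets count but leaves capacity untouched, so the store misreports its size. */
void text_store_delete_all_buggy(struct text_store *s)
{
    release_entries(s);
}

/* Fixed variant: every field describing the freed buffer is reset. */
void text_store_delete_all_fixed(struct text_store *s)
{
    release_entries(s);
    s->capacity = 0;
}

/* Runs the advisory's sequence: add text, delete all text, add text again.
 * Returns the number of chunks after the re-add, or -1 when the store is
 * inconsistent after the delete (the point where the re-add would fault). */
int run_sequence(int use_fix)
{
    struct text_store s = { NULL, 0, 0 };
    int result;

    if (text_store_add(&s, "Comment", "first chunk") != 0) {
        text_store_delete_all_fixed(&s);
        return -1;
    }
    if (use_fix)
        text_store_delete_all_fixed(&s);
    else
        text_store_delete_all_buggy(&s);

    if (!text_store_consistent(&s))
        return -1;                 /* stop before the NULL write */

    if (text_store_add(&s, "Comment", "second chunk") != 0)
        return -1;
    result = (int)s.count;
    text_store_delete_all_fixed(&s);
    return result;
}

int main(void)
{
    printf("buggy delete: %d\n", run_sequence(0));   /* -1: inconsistent store */
    printf("fixed delete: %d\n", run_sequence(1));   /*  1: one chunk re-added */
    return 0;
}
```

With the buggy delete, run_sequence() returns -1 because the invariant check refuses to continue; remove that check and the second text_store_add() writes to entries[0] through a NULL pointer, which is the crash the advisories classify as a denial of service. A pure viewer never calls the delete-and-re-add path, which matches the libpng project's statement that viewers are unaffected.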
The libpng open source graphics library project announced availability of the patches on Dec. 29, 2016, and the vulnerability is tracked as CVE-2016-10087. Linux distributions, including Red Hat, SUSE and Arch, assessed the vulnerability's severity as "low" in their advisories, while Debian rated the vulnerability severity as "important" in its advisory.