Date: Thu, 29 Dec 2016 12:17:16 -0500 From: Glenn Randers-Pehrson <glennrp@...il.com> To: oss-security@...ts.openwall.com Subject: libpng NULL pointer dereference bugfix libpng-1.6.27 has been released to fix an old NULL pointer dereference bug in png_set_text_2() discovered and patched by Patrick Keshishian. New releases of legacy branches (1.0.67, 1.2.57, 1.4.20, and 1.5.28) have also been released. Other versions can be patched by adding a single line info_ptr->max_text = 0; at the appropriate spot in png.c. The potential "NULL dereference" bug that has existed in libpng since version 0.71 of June 26, 1995. To be vulnerable, an application has to load a text chunk into the png structure, then delete all text, then add another text chunk to the same png structure, which seems to be an unlikely sequence, but it has happened. Applications that I have looked at (firefox, imagemagick, graphicsmagick, pngcrush) do not appear to be vulnerable. I reported the bug using CERT's online reporting system several days ago but have not received any response. Glenn Randers-Pehrson libpng custodian
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ