Libpng Bug Affects Thousands of Software Applications

Exterminator
Community Manager, Staff Member, Thread author
Oct 23, 2012
Multiple buffer overflows in libpng, a very common C library
It seems that every month there's a major security bug that affects a large number of applications or a large number of users.

We've seen this with Stagefright over the summer and with the recent (de)serialization issue in Java's Commons Collections library. Now it's time for libpng, a C library used in much desktop and Web software to provide PNG support.

The bugs in question are, as described by the libpng team, "Virtually all libpng versions through 1.6.18, 1.5.23, 1.4.16, 1.2.53, and 1.0.63, respectively, have a potential out-of-bounds read in png_set_tIME()/png_convert_to_rfc1123() [CVE-2015-7981] and an out-of-bounds write in png_get_PLTE()/png_set_PLTE() [CVE-2015-8126]."

Both cause a silly DoS (Denial of Service) state, but since the code is written in C, a DoS exposes the underlying system to more widespread abuse.

Thousands of applications and technologies are indirectly affected
Any application that is capable of reading, writing, or displaying PNG images can be abused via this issue. This includes Web browsers, image editing software, MMS features on Androids, instant messaging applications, video games, music players (if album art is displayed), servers manipulating PNG images, entire operating systems, and about anywhere a PNG file preview or avatar is displayed.

Basically "everything" is affected, hence the term "monthly global computer security meltdown" as coined by one of the software engineers debating the bug on Hacker News.

The fact that the vulnerabilities could be exploited via a specially-crafted PNG image both locally and from afar helped the bug receive a CVSS score of 7.5 out of 10, which means it's quite a critical issue.

libpng versions 1.6.19, 1.5.24, 1.4.17, 1.2.54, and 1.0.64 were released a few days ago to fix both bugs.

Fixes are available, but it will take years to spread to all affected software
Despite the new versions, don't expect the problems to be solved right away. The vulnerable versions of this library are buried in layers of software that many developers might not be interested in or willing to put the work into updating.

The vulnerability has also sparked lots of debate over a general rethinking of the software application model, with many people criticizing the "bundling" approach to dependencies.

Of course, very few take into account that when C and libpng were created, the concept of package (module, component, library) management/installers as seen today in APT, Symfony, npm, Bower, and the rest, was only a theory.

For now, expect a wave of security updates from all the software programs you use daily. If you don't see such an update from your software maker, get in touch and ask for details. Exploitation of these bugs can lead to serious issues like remote code execution, just to name one of a hacker's favorite entry methods for taking over systems.
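As an added illustration of the two bug classes named in the post (this is not libpng's own code, and the chunk bytes are constructed test data), here is a defensive reader for the PLTE and tIME chunks: it refuses a palette with more entries than the 256-entry buffer or the image's bit depth allows, and range-checks every tIME field before any of them could be used as a table index.

```c
/* Added example, not libpng code: input validation that keeps a PLTE chunk
 * from driving an out-of-bounds palette write and a tIME chunk from driving
 * an out-of-bounds read of a month-name table. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PALETTE 256           /* PNG allows at most 256 palette entries */

typedef struct { uint8_t r, g, b; } rgb_t;

/* Copy a PLTE chunk body into a fixed-size palette. Returns the number of
 * entries stored, or -1 if the chunk is malformed or too large for the
 * image's bit depth: each entry is 3 bytes, and a palette image with bit
 * depth d can reference at most 2^d colours (assumed limits from the PNG spec). */
int read_plte(const uint8_t *chunk, size_t len, int bit_depth,
              rgb_t palette[MAX_PALETTE])
{
    if (len == 0 || len % 3 != 0)              /* must be whole RGB triples */
        return -1;
    if (bit_depth < 1 || bit_depth > 8)        /* valid palette bit depths */
        return -1;
    size_t n = len / 3;
    if (n > MAX_PALETTE || n > (1u << bit_depth))   /* bound the write */
        return -1;
    memset(palette, 0, sizeof(rgb_t) * MAX_PALETTE);
    for (size_t i = 0; i < n; i++) {           /* i < n <= MAX_PALETTE here */
        palette[i].r = chunk[3 * i];
        palette[i].g = chunk[3 * i + 1];
        palette[i].b = chunk[3 * i + 2];
    }
    return (int)n;
}

/* Validate the 7-byte tIME chunk (year:2, month, day, hour, minute, second)
 * before any field is used to index a lookup table such as month names.
 * Returns 1 if every field is in range, 0 otherwise. */
int time_chunk_ok(const uint8_t *chunk, size_t len)
{
    if (len != 7)
        return 0;
    uint8_t month = chunk[2], day = chunk[3], hour = chunk[4];
    uint8_t minute = chunk[5], second = chunk[6];
    return month >= 1 && month <= 12 && day >= 1 && day <= 31 &&
           hour <= 23 && minute <= 59 && second <= 60; /* 60: leap second */
}
```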

LabZero

This article reminds me of the famous bug in OpenSSL.
It has existed since 2004 and was never noticed by anyone, because no one, including the person who wrote that code, had ever compiled OpenSSL with the DES weak-key check enabled.

When the problem was reported, the OpenSSL team, rather than removing an unused and useless check on an obsolete algorithm, preferred to fix the error and leave code that had not been checked by anyone in at least 11 years.

This, together with Heartbleed, is one of many examples of how OpenSSL has become vulnerable code.