Twenty-one-year-old text editing flaw in libpng finally gets fixed

News by Rene Millman

Slackware has fixed a well-known, 21-year-old vulnerability in libpng that could have allowed hackers to mount a denial-of-service attack with a trivial exploit.

Slackware has issued a patch for a 21-year-old bug that could allow a remote unauthenticated attacker to mount a DoS attack on a vulnerable system using the null-pointer dereference flaw.

The flaw (CVE-2016-10087) affects virtually all libpng versions through 1.6.26, 1.5.27, 1.4.19, 1.2.56 and 1.0.66, which have a null-pointer-dereference bug in png_set_text_2() when an image-editing application adds, removes and re-adds text chunks to a PNG image, according to the libpng web page.

According to a notice, to be vulnerable an application has to load a text chunk into the png structure, then delete all text, then add another text chunk to the same png structure. The announcement said this “seems to be an unlikely sequence, but it has happened”.
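The add, delete-all, re-add sequence above is easy to reason about with a small model, so here is an added illustration that is not libpng's own source and is not code from the article. The struct carries only the three fields that matter for this bug class: the text-chunk array, the count in use and the allocated capacity. The field names, the growth policy and the mechanism itself (that "delete all" freed the array and zeroed the count but left the capacity stale, so the next add skipped reallocation and wrote through a NULL pointer) are my reading of the fix and should be treated as assumptions about libpng internals. The add routine here reports the broken invariant as an error code instead of crashing, which is the check a defender would want in any container that tracks capacity separately from its storage.

```c
/*
 * Added illustration (not libpng's code): a minimal model of the
 * "add, delete all, re-add" text-chunk sequence.  The buggy free path
 * resets the count but not the capacity; the fixed path resets both.
 * Field names and the growth policy are assumptions, not libpng's.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *key;
    char *text;
} text_chunk;

typedef struct {
    text_chunk *text;   /* array of text chunks, or NULL when none */
    int num_text;       /* chunks in use */
    int max_text;       /* allocated capacity of the array */
} info_struct;

/* Portable strdup replacement so the model builds under strict C99. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy != NULL)
        memcpy(copy, s, n);
    return copy;
}

/* Release every text chunk.  reset_capacity selects the buggy (0) or
 * fixed (1) behaviour: the fix resets max_text along with num_text. */
void free_all_text(info_struct *info, int reset_capacity)
{
    int i;
    for (i = 0; i < info->num_text; i++) {
        free(info->text[i].key);
        free(info->text[i].text);
    }
    free(info->text);
    info->text = NULL;
    info->num_text = 0;
    if (reset_capacity)
        info->max_text = 0;   /* the one line the buggy path lacks */
}

/* Append one text chunk.  Returns 0 on success, -1 on allocation failure,
 * and -2 when the struct is inconsistent (NULL array with non-zero
 * capacity), which is the state a stale max_text leaves behind. */
int add_text(info_struct *info, const char *key, const char *value)
{
    text_chunk *slot;
    if (info->num_text + 1 > info->max_text) {
        int new_max = info->max_text ? info->max_text * 2 : 4;
        text_chunk *grown = realloc(info->text, (size_t)new_max * sizeof *grown);
        if (grown == NULL)
            return -1;
        info->text = grown;
        info->max_text = new_max;
    }
    /* Invariant check: with a stale capacity the realloc above is skipped
     * and the write below would dereference NULL.  Report instead. */
    if (info->text == NULL)
        return -2;
    slot = &info->text[info->num_text];
    slot->key = dup_string(key);
    slot->text = dup_string(value);
    if (slot->key == NULL || slot->text == NULL) {
        free(slot->key);
        free(slot->text);
        return -1;
    }
    info->num_text++;
    return 0;
}

/* Run the sequence from the notice: add a chunk, delete all text, add
 * again.  fixed selects which free path the delete step uses. */
int run_sequence(int fixed)
{
    info_struct info = { NULL, 0, 0 };
    int rc = add_text(&info, "Comment", "first");
    if (rc != 0)
        return rc;
    free_all_text(&info, fixed);
    rc = add_text(&info, "Comment", "second");
    free_all_text(&info, 1);   /* clean up regardless of outcome */
    return rc;
}

int main(void)
{
    printf("buggy free then re-add: %d\n", run_sequence(0));   /* -2 */
    printf("fixed free then re-add: %d\n", run_sequence(1));   /* 0 */
    return 0;
}
```

The point to take from the model is that a count and a capacity are two separate invariants: freeing storage must reset both, and an add path that trusts capacity alone will happily index a NULL array. A cheap assertion tying `text == NULL` to `max_text == 0` turns a crash into a diagnosable error.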

The bug was discovered and patched by Patrick Keshishian.

Libpng is the official PNG reference library. It supports almost all PNG features, is extensible and has been extensively tested for over 20 years, according to its developers. However, the notice on the website said that the issue “should not come as a particular surprise to anyone who has added libpng support to an application this millennium; the manual has warned of it since at least July 2000.”

The library is used in Ubuntu, Debian and Red Hat, as well as Chrome and Firefox.

The developers of libpng said that those whose apps depend on the older API “need not panic, however” – libpng 1.2.x continues to get security fixes, as has 1.0.x for well over a decade, it said.

Developers have been urged to download and use the latest version of the library, which can be found here.

Pascal Geenens, Radware's EMEA security evangelist, told SC Media UK that it is important to note that there is no way that an attacker could craft a special PNG image that would trigger this vulnerability; it can only be triggered interactively or through tools that can queue commands in workflows.

“As far as DoS goes, the vulnerability could cause a crash of an interactive image editing program that runs in the confined memory space of the user when he subsequently adds, deletes and re-adds metadata to the same image without closing it. But this could easily be worked around by saving and closing the image after deleting metadata and reopening it to add the new metadata. Nothing on the system will be compromised,” he said.

“From a web service point of view, a bot could exploit this to cause extra load on the servers by continuously making the service fail, but the exploit needs to be customised for the specific web application it is targeting. I believe there are more efficient and less complex, less target specific ways to create disruptions.”

Stephen Gates, chief research intelligence analyst at NSFOCUS, told SC that when most people think of a DoS attack, they envision bots all over the world launching an attack that consumes all available bandwidth.

“However, that's not always the case. ‘Denial of Service’ (DoS) vulnerabilities exist in a host of operating systems and applications that can allow a single hacker to take systems offline. These types of assaults are called ‘specially crafted packet’ attacks, and can be just as effective at taking systems offline. Routers, firewalls, IPS, operating systems, and applications have been known to be vulnerable to various DoS attacks for years,” he said.
