libpng security advisory

For discussions about security.
Monsie
Posts: 631
Joined: Thu 01 Dec 2011, 07:37
Location: Kamloops BC Canada

#1 Post by Monsie »

Hi all,

This flaw in libpng was reported on February 15th. It involves an integer overflow which can be exploited through the browser if a hacker uses malformed images on a website, and such images can also be sent through e-mail.

It appears there are a couple of approaches to fixing this problem. Mozilla has already issued a fix for Firefox 10, as announced in this article: http://www.internetnews.com/blog/skerne ... -flaw.html whereas Debian has issued an update for libpng (http://www.debian.org/security/2012/dsa-2410), which in my thinking gets at the root of the problem, because it did not issue an update for its IceWeasel (Firefox) browser.

So, I am wondering to what extent this affects Puppy and whether Debian's libpng fix could be ported to Puppy.

Here is a screenshot from my Wary desktop which shows that libpng is used in a lot of places.

Monsie
Attachment: libpngsearch.jpg (168.51 KiB)
My username is pronounced: "mun-see". Derived from my surname, it was my nickname throughout high school.

Terryphi
Posts: 761
Joined: Wed 02 Jul 2008, 09:32
Location: West Wales, Britain.

#2 Post by Terryphi »

Yes, /usr/lib/libpng12.so.0.44.0 needs replacing with the later version. Some versions may use libpng12.so.0.42.0 which also needs updating.

If you visit a malicious website which serves a specially crafted .png file (or open such a file in an email attachment) it will crash your system. That seems to be all there is to it.
Classic Opera 12.16 browser SFS package for Precise, Slacko, Racy, Wary, Lucid, etc. available here: http://terryphillips.org.uk/operasfs.htm :)

Monsie
Posts: 631
Joined: Thu 01 Dec 2011, 07:37
Location: Kamloops BC Canada

#3 Post by Monsie »

Thanks Terryphi for the additional information. This prompted me to do some more research, and I found the latest details at: http://www.libpng.org/pub/png/libpng.html as well as links for downloading the source code regarding the newest patch which, if I understand the number system correctly, would be libpng.1.2.47. This version was just released yesterday (Feb. 18th).

That said, I'm wondering about protocol. For releases such as Wary and Racy, is it up to Barry to compile the source code and release it, or can someone in the Puppy Community do so and submit it for Barry's approval?

Monsie
My username is pronounced: "mun-see". Derived from my surname, it was my nickname throughout high school.
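
An added example, not part of the original thread: a shell check that lists the libpng12 shared objects in a library directory and flags any whose file name indicates a release older than the 1.2.47 mentioned in post #3. It assumes the usual naming in which libpng12.so.0.N.0 is libpng 1.2.N; the function names are hypothetical, and a flagged file only needs review, because a distribution can ship a patched library under an unchanged version number.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumption: libpng12.so.0.N.0 corresponds to libpng release 1.2.N.
# Usage after sourcing this file: scan_libpng12 /usr/lib
FIXED_MINOR=47   # 1.2.47, the release named in post #3

# Print N for a file named libpng12.so.0.N.0; return 1 for any other name.
libpng12_release() {
    name=$(basename "$1")
    case "$name" in
        libpng12.so.0.*.0) ;;
        *) return 1 ;;
    esac
    n=${name#libpng12.so.0.}
    n=${n%.0}
    case "$n" in
        ''|*[!0-9]*) return 1 ;;   # reject empty or non-numeric N
    esac
    printf '%s\n' "$n"
}

# Print "<status> <path> (libpng 1.2.N)" for one file.
# "review" means the name is older than the fixed release; it is not proof of
# a vulnerable build, since a backported fix keeps the old file name.
classify_libpng12() {
    if n=$(libpng12_release "$1"); then
        if [ "$n" -lt "$FIXED_MINOR" ]; then
            echo "review $1 (libpng 1.2.$n)"
        else
            echo "ok $1 (libpng 1.2.$n)"
        fi
    else
        echo "skip $1"
    fi
}

# Classify every real libpng12 library file in a directory (default /usr/lib).
# Symlinks such as libpng12.so.0 are ignored so each library is listed once.
scan_libpng12() {
    dir=${1:-/usr/lib}
    for f in "$dir"/libpng12.so.*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        classify_libpng12 "$f"
    done
}
```

For a file marked "review", the package changelog or the distribution's security tracker is what confirms whether the fix is present.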

01micko
Posts: 8741
Joined: Sat 11 Oct 2008, 13:39
Location: qld

#4 Post by 01micko »

The latest Slacko RC2 has both seamonkey-2.7.2 with the fix compiled against libpng-14.
Puppy Linux Blog - contact me for access

pemasu
Posts: 5474
Joined: Wed 08 Jul 2009, 12:26
Location: Finland

#5 Post by pemasu »

I just picked the security updated libpng from squeeze security-update page. It had the same libpng version number as the one I had. So... there won't be any conflicts with other libs.
The build is Dpup Exprimo.

Semme
Posts: 8399
Joined: Sun 07 Aug 2011, 20:07
Location: World_Hub

#6 Post by Semme »

More from Linux Security and H-Online..
