US-CERT: Critical Flaws in libpng

The U.S. government’s Computer Emergency Readiness Team (US-CERT) has issued an alert for multiple vulnerabilities in libpng, the popular reference library that supports the Portable Network Graphics (PNG) image format.

The most serious of the vulnerabilities could allow a remote attacker to execute arbitrary code on an affected system, CERT warned.

Application developers who use the libpng library are urged to apply the appropriate vendor patches immediately. For individuals who rely on the original source of libpng, the flaws have been corrected in libpng version 1.2.6rc1 (release candidate 1), which is available for download here.

Research firm Secunia rates the security risk as “highly critical” and warned that a malicious website serving a specially crafted PNG file could compromise the browsers of visitors.

Attackers could also send a malicious PNG via e-mail and compromise the e-mail viewer of the recipient. For systems with user-providable images for “face browsers, a local system compromise could be possible via a malicious PNG, the outfit warned.

PNG is a bit-mapped graphics format approved as a standard by the World Wide Web consortium (W3C) to provide a patent and license-free alternative to the GIF format.
In its advisory, US-CERT said a buffer overflow was detected in the way that libpng processes PNG images. A separate null pointer vulnerability could allow a PNG image with particular characteristics to crash applications.

An integer overflow error exists in the handling of PNG image height, US-CERT said. As a result, a PNG image with excessive height may cause an integer overflow during a memory allocation operation, which could cause the affected application.