Date: Thu, 05 Aug 2004 11:16:06 -0400
From: Chuck Swiger <cswiger@mac.com>
To: Andrey Chernov <ache@nagual.pp.ru>
Cc: FreeBSD Ports <ports@FreeBSD.ORG>
Subject: Re: update vulnerable libpng to fixed version?
Message-ID: <41124F36.6080506@mac.com>
In-Reply-To: <20040805015904.GA27667@nagual.pp.ru>
References: <20040804190855.GA69872@iib.unsam.edu.ar> <2E7293C8-E656-11D8-91D1-003065ABFD92@mac.com> <20040805015904.GA27667@nagual.pp.ru>

Andrey Chernov wrote:
> On Wed, Aug 04, 2004 at 04:38:02PM -0400, Charles Swiger wrote:
[ ... ]
>> Here's a diff which updates the png port to 1.2.6rc1:
>
> We can't make public what is intentionally non-public, from
> libpng-1.2.6rc1-README.txt:
>
> Libpng 1.2.6rc1 - August 4, 2004
>
> This is not intended to be a public release. It will be replaced
> within a few weeks by a public version or by another test version.

Certainly it is OK by me if you want to wait for a few weeks; I've already
updated my systems which are using libpng. What you've said about the README
is topical and I acknowledge the point you make.

However, having 1.2.6rc1 listed as the recommended upgrade path in a CERT
advisory probably makes 1.2.6rc1 more public than it would have been,
otherwise. Speaking of which, the CERT advisory reads:

    In the case of VU#388984, an attacker with the ability to introduce a
    malformed PNG image to a vulnerable application could cause the
    application to crash or could potentially execute arbitrary code with
    the privileges of the user running the affected application.

I believe this means that the severity of the bug is critical in terms of
security, and that the exploit is as easy as having someone browse past a
malicious website containing a PNG image and/or opening a mail message
containing one (for someone running Mozilla, KDE's Mailwhichamacallit, etc).

I don't know that any exploits exist today which try to take advantage of the
issue, and I would expect the bad guys to target Windows first, Linux second,
and other platforms third-- but please, let's fix this sooner rather than
later by finding out the hard way that I was wrong.

-- 
-Chuck