The issue affected hundreds of open source software packages

Nov 19, 2015 02:00 GMT

A libpng update has been released by the Debian Project for the long-term supported Debian GNU/Linux 6 "Squeeze" LTS series, fixing three security issues in the open-source PNG reference library: two reported in the past few days and one dating back to 2012.

We reported a couple of days ago that multiple buffer overflows had been discovered in the png_set_PLTE and png_get_PLTE functions of the libpng library. Every maintained branch is affected: versions before 1.0.64, 1.1.x and 1.2.x before 1.2.54, 1.3.x and 1.4.x before 1.4.17, 1.5.x before 1.5.24, and 1.6.x before 1.6.19.

A PNG image whose IHDR (image header) chunk declares a small bit depth can make the affected functions overrun a buffer, so a remote attacker who gets such an image opened can crash the application that uses libpng (a denial of service) or possibly cause other, unspecified damage. The underlying weakness is a palette (PLTE chunk) with more entries than the declared bit depth can actually index (2^bit_depth entries), which the affected versions did not reject. More details can be found in CVE-2015-8126.
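To make the bit-depth/palette mismatch concrete, here is an added example (written for this article, not code from libpng or the Debian package) of the consistency check the fixed versions perform: it walks the chunk stream of a PNG, reads the bit depth and colour type from IHDR, and rejects a PLTE chunk whose entry count exceeds 2^bit_depth for an indexed-colour image, or 256 for any image, which is the rule the PNG specification states. The function names, the error enumeration and the constructed 1x1 sample image are assumptions of this example; CRC fields in the sample are zero-filled because the checker does not verify CRCs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PNG_MAX_PALETTE_LENGTH 256  /* hard cap from the PNG specification */
#define PNG_COLOR_TYPE_PALETTE 3    /* indexed-colour image */

enum plte_result {
    PLTE_OK = 0,
    PLTE_ERR_SIGNATURE,      /* not a PNG stream */
    PLTE_ERR_TRUNCATED,      /* chunk runs past the buffer, or no PLTE found */
    PLTE_ERR_IHDR,           /* IHDR missing, not first, or malformed */
    PLTE_ERR_BIT_DEPTH,      /* bit depth not 1,2,4,8,16 (1,2,4,8 for indexed) */
    PLTE_ERR_PLTE_LENGTH,    /* PLTE length zero or not a multiple of 3 */
    PLTE_ERR_PLTE_TOO_LARGE  /* more entries than the bit depth can index */
};

static const uint8_t png_sig[8] = { 0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Walk the chunks up to the first PLTE and check its entry count against the
 * IHDR bit depth. On PLTE_OK, *num_palette receives the accepted entry count. */
enum plte_result check_plte_against_ihdr(const uint8_t *buf, size_t len, int *num_palette)
{
    size_t pos = 8;
    int have_ihdr = 0, bit_depth = 0, color_type = 0;

    if (len < sizeof png_sig || memcmp(buf, png_sig, sizeof png_sig) != 0)
        return PLTE_ERR_SIGNATURE;

    while (len - pos >= 12) {                 /* 4 length + 4 type + 4 CRC */
        uint32_t clen = be32(buf + pos);
        const uint8_t *type = buf + pos + 4;
        const uint8_t *data = buf + pos + 8;

        if (clen > len - pos - 12)            /* body plus CRC must fit in the buffer */
            return PLTE_ERR_TRUNCATED;

        if (memcmp(type, "IHDR", 4) == 0) {
            if (pos != 8 || clen != 13)       /* IHDR must be first and exactly 13 bytes */
                return PLTE_ERR_IHDR;
            bit_depth = data[8];
            color_type = data[9];
            if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
                bit_depth != 8 && bit_depth != 16)
                return PLTE_ERR_BIT_DEPTH;
            if (color_type == PNG_COLOR_TYPE_PALETTE && bit_depth == 16)
                return PLTE_ERR_BIT_DEPTH;
            have_ihdr = 1;
        } else if (memcmp(type, "PLTE", 4) == 0) {
            uint32_t entries, max_entries;
            if (!have_ihdr)
                return PLTE_ERR_IHDR;
            if (clen == 0 || clen % 3 != 0)
                return PLTE_ERR_PLTE_LENGTH;
            entries = clen / 3;
            /* An indexed image can address only 2^bit_depth colours; a longer
             * palette is the shape CVE-2015-8126 describes. Other colour types may
             * carry a suggested palette of up to the spec maximum. */
            max_entries = (color_type == PNG_COLOR_TYPE_PALETTE)
                              ? (1u << bit_depth) : PNG_MAX_PALETTE_LENGTH;
            if (entries > max_entries)
                return PLTE_ERR_PLTE_TOO_LARGE;
            *num_palette = (int)entries;
            return PLTE_OK;
        }
        pos += 12 + clen;
    }
    return PLTE_ERR_TRUNCATED;                /* ran out of data before any PLTE */
}

/* Constructed sample (not a real file): a 1x1 indexed image with the given bit
 * depth and a PLTE of `entries` colours. CRC fields are zero-filled. Returns bytes written. */
static size_t build_sample(uint8_t *out, size_t cap, uint8_t bit_depth, uint32_t entries)
{
    size_t n = 0, body = 3 * (size_t)entries;
    if (cap < 45 + body) return 0;
    memcpy(out, png_sig, 8); n = 8;
    put32(out + n, 13); memcpy(out + n + 4, "IHDR", 4); n += 8;
    put32(out + n, 1); put32(out + n + 4, 1);          /* width = height = 1 */
    out[n + 8] = bit_depth; out[n + 9] = PNG_COLOR_TYPE_PALETTE;
    out[n + 10] = 0; out[n + 11] = 0; out[n + 12] = 0; /* compression, filter, interlace */
    n += 13; memset(out + n, 0, 4); n += 4;            /* CRC placeholder */
    put32(out + n, (uint32_t)body); memcpy(out + n + 4, "PLTE", 4); n += 8;
    memset(out + n, 0x7f, body); n += body;
    memset(out + n, 0, 4); n += 4;                     /* CRC placeholder */
    return n;
}

/* Build a sample with the given shape and run the checker over it. */
enum plte_result probe(uint8_t bit_depth, uint32_t entries, int *num_palette)
{
    uint8_t buf[1024];
    size_t n = build_sample(buf, sizeof buf, bit_depth, entries);
    return check_plte_against_ihdr(buf, n, num_palette);
}

int main(void)
{
    int n = 0;
    printf("2-bit, 4 entries:   %d\n", probe(2, 4, &n));    /* PLTE_OK */
    printf("2-bit, 256 entries: %d\n", probe(2, 256, &n));  /* PLTE_ERR_PLTE_TOO_LARGE */
    return 0;
}
```

The second probe is the CVE-2015-8126 shape: a header that declares 2 bits per pixel (4 addressable colours) paired with a full 256-entry palette. A checker that only enforces the 256-entry cap accepts it; one that derives the cap from the bit depth does not.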

The update also adds a safety check to the png_set_tIME() function, for a bug reported by Qixue Xiao. The third issue, CVE-2012-3425, lies in the png_push_read_zTXt function used by the progressive reader: a large avail_in value while decompressing a zTXt chunk in a PNG image lets a remote attacker trigger an out-of-bounds read and crash the application (denial of service).

Libpng 1.2.44-1+squeeze5 now available in Debian 6 LTS

The Debian LTS team was quick to patch the libpng packages for Debian GNU/Linux 6 "Squeeze". The libpng 1.2.44-1+squeeze5 package is now available in Debian's squeeze-lts repository, which means that users can update immediately.

Other GNU/Linux distributions are shipping updated libpng packages as well, so check for and apply updates promptly: since the bugs are reachable through a crafted PNG file, an attacker only needs to get such an image opened by an application that links against the vulnerable library.