Commonly used libpng library is vulnerable due to bug – update

A vulnerability has been identified in the libpng library. The first patch is available for a number of versions. However, the library is in many applications and it will not be easy to fix the vulnerability everywhere.

Libpng custodian Glenn Randers-Pehrson has requested a resume for the vulnerability under number CVE-2015-8126. It would be a buffer overflow that allows attackers with manipulated PNG images to crash applications and execute malicious code. When png files with a bit depth less than 8 are read or written, a check for valid values ​​is missing, which can cause a crash. The vulnerability has a cvss score of 7.5 out of 10 and is network executable.

It’s a problematic bug because libpng is present in virtually every application that handles PNG images, including browsers, music players, and games. Another factor is the fact that there is no central version of libpng that can be modified in one go. Many programs use their own version of the library. It will therefore take some time until the vulnerability is removed in all systems. A patch has been released for versions 1.6.19, 1.5.24, 1.4.17, 1.2.54, and 1.0.64 of libpng.

The term CVE stands for ‘common vulnerabilities and exposures’. This is a database in which vulnerabilities in systems and networks are tracked and assigned a number.

Update: It appears that a number of applications are not affected by this vulnerability. This concerns PHP and Google products such as Android, Chrome OS and Chrome. The last three use the Skia library. The same goes for Firefox and Firefox OS.