Two memory corruption vulnerabilities in the PNG reference library, libpng, have been patched, but the scope of software affected by the bugs isn't as wide as initially reported.
The vulnerabilities, addressed in libpng 1.0.64, 1.2.54, 1.4.17, 1.5.24, and 1.6.19, allow an attacker to write beyond the bounds of a palette buffer, leading to an application crash or hijacking of the application. However, libpng custodian Glenn Randers-Pehrson told Threatpost that normal libpng applications that allow libpng to allocate their palette are not vulnerable.
“To be vulnerable, an application would have to compute the memory required for the palette from the IHDR ‘bit_depth’, not from the palette_length returned by png_get_PLTE(), and then use the palette_length from png_get_PLTE() to copy libpng’s palette into their own palette,” Randers-Pehrson said. “I said as much in my request for CVE, but reporting on the CVE has interpreted that to mean ‘all libpng applications are vulnerable.’ I am not aware of any software that does that, although it would be permitted by the PNG specification.”
Randers-Pehrson said exploits would be relatively easy to craft.
“Just write a PNG file with a bit depth of 1, 2, or 4, and a palette length of 256,” he said. “But you have to find a vulnerable application to attack.”
An attacker would need to trick a user into opening a malicious PNG file with a vulnerable application, or find a vulnerable application exposed online and send it a crafted PNG.
“This would cause an out-of-bounds write to memory, with up to around 750 bytes of content controlled by the attacker,” Randers-Pehrson said. “And I’m told that exploiters know how to use that to cause mischief, denial of service, privilege escalation, or hostile takeover of the machine.”
The bug was found in OptiPNG, a PNG file optimizer that compresses files to a smaller size. Randers-Pehrson said Firefox and other applications such as pngcrush and ImageMagick are not vulnerable.
“Any software that depends upon the length of the palette being less than or equal to 2^bit_depth for allocating a block of memory for the palette, but then uses the length of the palette returned from libpng to determine how many bytes to copy from the libpng-allocated palette into their own palette [would be vulnerable],” he said. “I am not aware of any application that does this.”
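The sizing mismatch Randers-Pehrson describes in the two quotes above, as an added example that is not part of the article and not libpng code: a minimal PNG chunk walker in C pulls the bit depth from IHDR and the entry count from PLTE (standing in for what png_get_IHDR() and png_get_PLTE() return), then contrasts the vulnerable pattern (allocate 2^bit_depth entries, copy palette_length of them) with a copy clamped to the allocated size. The sample file is constructed in memory with a bit depth of 2 and a 256-entry palette, his own recipe; its chunk CRCs are left at zero and not verified, and every function name here is the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_ENTRIES 256                  /* a PLTE chunk carries at most 256 RGB entries */

typedef struct {
    uint8_t bit_depth, color_type;       /* from IHDR */
    const uint8_t *plte; int palette_length;  /* PLTE payload and entry count (cf. png_get_PLTE()) */
} png_info;

static uint32_t read_be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void write_be32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* Minimal chunk walker (example code, not libpng); CRCs are not verified.
 * Returns 0 once IEND is reached, -1 on malformed input. */
int parse_png(const uint8_t *buf, size_t len, png_info *info) {
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
    if (len < 8 || memcmp(buf, sig, 8) != 0) return -1;
    memset(info, 0, sizeof *info);
    for (size_t pos = 8; pos + 12 <= len; ) {
        uint32_t clen = read_be32(buf + pos);
        const uint8_t *type = buf + pos + 4, *data = buf + pos + 8;
        if (clen > len - pos - 12) return -1;                    /* chunk overruns the buffer */
        if (memcmp(type, "IHDR", 4) == 0 && clen == 13) {
            uint8_t bd = data[8];
            info->bit_depth = bd; info->color_type = data[9];
            /* indexed colour (type 3) permits only bit depths 1, 2, 4 and 8 */
            if (info->color_type == 3 && (bd == 0 || bd > 8 || (bd & (bd - 1)))) return -1;
        } else if (memcmp(type, "PLTE", 4) == 0) {
            if (clen % 3 != 0 || clen / 3 > MAX_ENTRIES) return -1;
            info->plte = data; info->palette_length = (int)(clen / 3);
        } else if (memcmp(type, "IEND", 4) == 0) {
            return 0;
        }
        pos += 12 + clen;
    }
    return -1;
}

/* The pattern the article calls vulnerable: allocate 2^bit_depth entries from IHDR, then
 * copy palette_length entries. Rather than perform the write, report how far it would overrun. */
size_t palette_overflow_bytes(const png_info *info) {
    size_t allocated = (size_t)1 << info->bit_depth, copied = (size_t)info->palette_length;
    return copied > allocated ? (copied - allocated) * 3 : 0;  /* 3 bytes per RGB entry */
}

/* Hardened copy: the destination may still hold 2^bit_depth entries, but the copy is
 * clamped to dst_entries. Returns entries copied; *truncated reports whether clamping occurred. */
int copy_palette_safe(const png_info *info, uint8_t *dst, size_t dst_entries, int *truncated) {
    size_t n = (size_t)info->palette_length;
    if ((*truncated = n > dst_entries)) n = dst_entries;
    if (n) memcpy(dst, info->plte, n * 3);
    return (int)n;
}

/* Constructed sample, not a real image: 1x1 IHDR (colour type 3, given bit depth), a PLTE of
 * `entries` RGB triples, IEND. No IDAT; CRCs left zero. Returns bytes written, 0 if cap too small. */
size_t build_sample_png(uint8_t *out, size_t cap, uint8_t bit_depth, int entries) {
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'};
    size_t plen = 3 * (size_t)entries;
    if (entries < 0 || cap < 8 + 25 + 12 + plen + 12) return 0;
    uint8_t *p = out;
    memcpy(p, sig, 8); p += 8;
    write_be32(p, 13); memcpy(p + 4, "IHDR", 4);
    write_be32(p + 8, 1); write_be32(p + 12, 1);                 /* width, height */
    p[16] = bit_depth; p[17] = 3; p[18] = p[19] = p[20] = 0;     /* depth, type, compression, filter, interlace */
    write_be32(p + 21, 0); p += 25;
    write_be32(p, (uint32_t)plen); memcpy(p + 4, "PLTE", 4);
    for (int i = 0; i < entries; i++) { p[8 + 3 * i] = 0x41; p[9 + 3 * i] = 0x41; p[10 + 3 * i] = (uint8_t)i; }
    write_be32(p + 8 + plen, 0); p += 12 + plen;
    write_be32(p, 0); memcpy(p + 4, "IEND", 4); write_be32(p + 8, 0); p += 12;
    return (size_t)(p - out);
}

/* Builds and parses a sample; returns the overrun a bit-depth-sized palette would suffer,
 * or (size_t)-1 if the parser rejects the sample. */
size_t overflow_for_sample(uint8_t bit_depth, int entries) {
    uint8_t file[8 + 25 + 12 + 3 * MAX_ENTRIES + 12];
    png_info info;
    size_t len = build_sample_png(file, sizeof file, bit_depth, entries);
    if (len == 0 || parse_png(file, len, &info) != 0) return (size_t)-1;
    return palette_overflow_bytes(&info);
}

/* Same sample through the clamped copy; returns entries copied, or -1 if rejected. */
int safe_entries_for_sample(uint8_t bit_depth, int entries) {
    uint8_t file[8 + 25 + 12 + 3 * MAX_ENTRIES + 12], palette[3 * MAX_ENTRIES];
    png_info info; int truncated;
    size_t len = build_sample_png(file, sizeof file, bit_depth, entries);
    if (len == 0 || parse_png(file, len, &info) != 0) return -1;
    return copy_palette_safe(&info, palette, (size_t)1 << info.bit_depth, &truncated);
}

int main(void) {   /* Randers-Pehrson's recipe: bit depth 2 with a 256-entry palette */
    printf("bit-depth-sized palette overflows by %zu bytes\n", overflow_for_sample(2, 256));
    printf("clamped copy keeps %d entries\n", safe_entries_for_sample(2, 256));
    return 0;
}
```

With a bit depth of 2 the bit-depth-sized buffer holds 4 entries (12 bytes) while the file carries 256, so the vulnerable pattern would write 252 extra entries, 756 attacker-controlled bytes, past the end; a bit depth of 1 gives 762, matching the "up to around 750 bytes" figure quoted above. The clamped copy keeps only the 4 entries that fit. Two checks the parser makes are worth carrying into real code: an indexed-colour IHDR with a bit depth outside 1, 2, 4 and 8 is rejected before `1 << bit_depth` is ever computed, and a PLTE longer than 256 entries (or not a multiple of 3 bytes) is rejected rather than trusted.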
The OptiPNG issue was disclosed in July, but Randers-Pehrson said the libpng developers were not aware of it at the time. Cosmin Truta, an OptiPNG developer, reported it to libpng on Oct. 29. Randers-Pehrson said he revised Truta's patch and ran it through libpng's customary two-week release cycle.
“The patched software safely and quietly reads input PNG files that have an oversized palette, and truncates the palette and issues a warning if a user attempts to write an oversized one,” he said.