PNG image processing library libpng exposed vulnerability-a vulnerability warning-the black bar safety net

ID MYHACK58:62201569264
Type myhack58
Reporter 佚名
Modified 2015-11-22T00:00:00


! According to the report: image processing library libpng recently exposed vulnerabilities, currently has a preliminary fix vulnerabilities. Currently the main problem is the libpng the popularity of the range is too wide: operating systemthe browser any with generating a thumbnail associated image processing tasks are inseparable from the application. Vulnerability deep For now, the vulnerability caused by the impact can only cause a denial of service, but the subsequent effects can never be limited thereto. Because this vulnerability also allows a malicious attacker to cause the application to crash, and this is exactly what malicious attackers to achieve further invasion of the optimum choice of the starting point. Libpng security head Glenn Randers-Pehrson for the vulnerability declared a General vulnerability disclosure. In his report, he wrote: “I for all libpng versions among png_set_PLTE/png_get_PLTE function to the CVE security vulnerability reporting. These functions write or read the PNG file, not for bit_depth is less than 8 checks the object out of range color palette. Part of the application may be from the file header data block IHDR)which reads to this bit depth and for a set of 2^N color palette of the allocated memory, in this case, even if the bit depth is less than 8, The libpng will still return an highest provide 2 5 6-color palette.” Currently has a preliminary fix Randers-Pehrson also said: “You take advantage of these vulnerabilities will be easier to find a network attack starting point.” Currently libpng 1. 6. 1 9、1.5.24、1.4.17、1.2. 5 4 and 1. 0. 6 4 and other versions have been in today, 2 0 1 5 years 1 1 months 1 Number 2 get the latest fixes. Everyone can to libpng. sourceforge. net to understand the details. This vulnerability is CVE named 7. 5 points. Its easy to use, resulting in a network there is a potential risk, and as the United States National Institute of standards and technology National Institute of Standards and Technology, NIST points out, it“allows unauthorized disclosure of information, allows unauthorized modification and the resulting service interruption.”