Image Library Bug Ran Unpatched for More Than Two Decades

The libpng image library that”s part of the Slackware Linux distribution has been updated with a fix for a vulnerability dating back to June 1995. While the sequence of events leading to exploitation of the bug is said to require active user input, researchers believe the vulnerability has been exploited in the wild.

Discovered and patched by Patrick Keshishian, any application using the unpatched libpng library is vulnerable. The CVE-2016-10087 is now available for Slackware 13.0, 13.1, 13.37, 14.0, and 14.1.

“This release fixes an old NULL pointer dereference bug in png_set_text_2() discovered and patched by Patrick Keshishian,” reads the advisory. “The potential “NULL dereference’ bug has existed in libpng since version 0.71 of June 26, 1995. To be vulnerable, an application has to load a text chunk into the png structure, then delete all text, then add another text chunk to the same png structure, which seems to be an unlikely sequence, but it has happened.”

While the vulnerability has been given a low severity rating, it is described as a denial of service type of vulnerability that”s remotely exploitable. One factor that makes libpng the official PNG reference library is that it supports a wide range of PNG features. Steady testing for 22 years also helps increase its reliability.

The official libpng also contains a portability note regarding the libpng API, stating that applications relying on the older API don”t have to panic yet, as libpng 1.2.x and 1.0.x are still being updated with security fixes. However, developers should still update to their latest version.

“The libpng 1.5.x and 1.6.x series continue the evolution of the libpng API, finally hiding the contents of the venerable and hoary png_struct and png_info data structures inside private (i.e., non-installed) header files,” reads the libpng homepage. “Those whose apps depend on the older API need not panic, however (for now); libpng 1.2.x continues to get security fixes, as has 1.0.x for well over a decade”

Upgrading the package is a matter of a running a single command as root – upgradepkg libpng-1.6.27-i586-1_slack14.2.txz – effectively installing the new library package with the fix. The new version of the library was released on December 30^th and everyone is strongly encouraged to perform the update.