Industry News

Image Library Bug Ran Unpatched for More Than Two Decades

The libpng image library that’s part of the Slackware Linux distribution has been updated with a fix for a vulnerability dating back to June 1995. While the sequence of events leading to exploitation of the bug is said to require active user input, researchers believe the vulnerability has been exploited in the wild.

Discovered and patched by Patrick Keshishian, any application using the unpatched libpng library is vulnerable. The CVE-2016-10087 is now available for Slackware 13.0, 13.1, 13.37, 14.0, and 14.1.

“This release fixes an old NULL pointer dereference bug in png_set_text_2() discovered and patched by Patrick Keshishian,” reads the advisory. “The potential ‘NULL dereference’ bug has existed in libpng since version 0.71 of June 26, 1995. To be vulnerable, an application has to load a text chunk into the png structure, then delete all text, then add another text chunk to the same png structure, which seems to be an unlikely sequence, but it has happened.”

While the vulnerability has been given a low severity rating, it is described as a denial of service type of vulnerability that’s remotely exploitable. One factor that makes libpng the official PNG reference library is that it supports a wide range of PNG features. Steady testing for 22 years also helps increase its reliability.

The official libpng also contains a portability note regarding the libpng API, stating that applications relying on the older API don’t have to panic yet, as libpng 1.2.x and 1.0.x are still being updated with security fixes. However, developers should still update to their latest version.

“The libpng 1.5.x and 1.6.x series continue the evolution of the libpng API, finally hiding the contents of the venerable and hoary png_struct and png_info data structures inside private (i.e., non-installed) header files,” reads the libpng homepage. “Those whose apps depend on the older API need not panic, however (for now); libpng 1.2.x continues to get security fixes, as has 1.0.x for well over a decade”

Upgrading the package is a matter of a running a single command as root – upgradepkg libpng-1.6.27-i586-1_slack14.2.txz – effectively installing the new library package with the fix. The new version of the library was released on December 30th and everyone is strongly encouraged to perform the update.

About the author


Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in geek universe.