#31 Current PNG and MNG tools pose security risks

None
closed
None
5
2013-01-15
2008-03-11
Anonymous
No

The PNG and MNG tools posted on this site have not been updated to use the latest libpng (in fact, even the most recently released tool, pngcrush, only uses libpng version 1.2.11beta4). There have been multiple critial vulnerability issued for since the release of last pngcrush, which affect ALL PNG and MNG tools posted in this site. To minimize unpredictable errors and vulnerabilities, all PNG and MNG tools should be recompiled using the latest version of libpng (which is 1.2.25 at the time of posting).

Discussion

  • Glenn Randers-Pehrson

    Logged In: YES
    user_id=7859
    Originator: NO

    pngcrush-1.6.5 is built with libpng version 1.2.29 and has no known vulnerabilities.

     
  • Nobody/Anonymous

    Logged In: NO

    I notice there is also a 1.6.6 build too, but the fixed binaries are not available yet, so it still leaves the security hold open for end users.

     
  • Nobody/Anonymous

    The binary is now updated to 1.6.10, which has an outstanding libpng vulnerability that is fixed in the 1.6.11 source. This raises the question of why the site isn't enforcing the policy of hosting identical revisions of pngcrush source and binary.

     
  • Glenn Randers-Pehrson

    When a volunteer provides an updated binary I'll post it. Sometimes that does not happen immediately.

     
  • quanta

    quanta - 2010-07-22

    Current version of pngcrush (1.7.11) is using a version of libpng that has critical vulnerability, which needs updating.

     
  • Glenn Randers-Pehrson

    pngcrush is not vulnerable to either of the recently published vulnerabilities.

     
  • Glenn Randers-Pehrson

    • status: open --> closed
    • milestone: -->
     

Log in to post a comment.