From: <jb...@ac...> - 2012-02-21 21:24:30

From: Tom Lane [mailto:tg...@ss...]
> I have intentionally not installed any such default limits in the RHEL versions of libpng, and will not. There are very many programs that are not particularly security-exposed, and limiting them (read: breaking them in corner cases) because there are others that are exposed isn't going to fly.

Ok; what I suggest doesn't impact that; you already have to disable the arbitrary 1 million pixel width and height limits (IMO an app is far more likely to be impacted by these anyway). In 1.6 you will need to set the other limits; the way I've written the code, if you set both the old (pre-1.6) limits to '0', the old default, then this will force a maximum determined by the maximum of size_t.

I guess the main point I'm making is that the operating system maintainers can, and do, make careful decisions about things like this so long as they know they need to do it; Tom was part of all the original discussions but other OS maintainers were not. The limits are configurable at build time, though it is necessary to fix or work round the bug in the 1.2 #ifdef check.

> We do need to communicate better with authors of security-exposed applications to ensure that they apply reasonable application-specific restrictions to the set of PNGs they'll try to read.

Yes, that's a solution. We could easily change the libpng build so that the relevant #defines must be set *manually* by whoever builds libpng. Since we will have communicated with everyone that these settings need to be set, and since we can trivially document this in the installation notes, dealing with this will be a minor issue. (Certainly it will be minor compared to the differences in the build process introduced in 1.5.)

> Installing a universal default limitation is not the correct means to that end.

Well, that's what we have at present (it's a universal default to limit width and height combined with a universal default not to limit memory allocations).

So am I correct in understanding your feeling: that there should be no "universal default", therefore it should be necessary for the builder of libpng to manually (so to speak) select a particular default? (This could be as simple as -DPNG_UNIVERSAL_DEFAULT_SUPPORTED, defaulting to 'off', i.e. -DPNG_NO_UNIVERSAL_DEFAULT.) Implementing this in all existing versions is trivial; it just involves changing the four lines that currently set the universal defaults so that the build errors out if they are not set (in CPPFLAGS). We could even add a configure option, and cmake naturally supports such configuration.

John Bowler <jb...@ac...>
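The thread above turns on two points: that a width/height limit is not a memory limit (a "universal default" on dimensions still lets a file demand an enormous allocation), and that a limit of 0 should mean "bounded only by what size_t can address". The following is an added, self-contained C example, not libpng code and not John Bowler's or Tom Lane's, showing what an application-side check of those limits looks like: it parses only the PNG signature and IHDR chunk, computes the decoded image size with overflow checks, and applies width, height and total-bytes limits where 0 means "no explicit limit". The struct and function names (`png_limits`, `check_ihdr`, `make_ihdr`) are this example's own; the CRC is not verified here, and the sample IHDRs are constructed in the test helper.

```c
/* Added example, not part of libpng: an application-side IHDR sanity check
 * that applies explicit dimension and memory limits before any allocation.
 * A limit of 0 means "no explicit limit", i.e. bounded only by SIZE_MAX. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical application limits (names are this example's, not libpng's). */
struct png_limits {
    uint32_t width_max;   /* 0 => no limit beyond what size_t can address */
    uint32_t height_max;  /* 0 => same */
    size_t   bytes_max;   /* cap on the whole decoded image; 0 => SIZE_MAX */
};

static const unsigned char png_sig[8] = {137, 80, 78, 71, 13, 10, 26, 10};

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Bits per pixel for a colour type / bit depth pair per the PNG spec; 0 if invalid. */
static unsigned bits_per_pixel(unsigned color_type, unsigned bit_depth) {
    unsigned channels;
    switch (color_type) {
        case 0: channels = 1; break; /* greyscale */
        case 2: channels = 3; break; /* RGB */
        case 3: channels = 1; break; /* palette index */
        case 4: channels = 2; break; /* grey + alpha */
        case 6: channels = 4; break; /* RGB + alpha */
        default: return 0;
    }
    switch (bit_depth) {
        case 1: case 2: case 4:
            if (color_type != 0 && color_type != 3) return 0;
            break;
        case 8: break;
        case 16:
            if (color_type == 3) return 0;
            break;
        default: return 0;
    }
    return channels * bit_depth;
}

/* Returns 0 if the IHDR is acceptable under 'lim', otherwise a non-zero reason code:
 * 1 short input, 2 bad signature, 3 IHDR not first, 4 dimension outside spec range,
 * 5 bad depth/colour type, 6 width over limit, 7 height over limit,
 * 8 size does not fit in size_t, 9 decoded size over bytes_max.
 * On success *out_bytes receives rows * rowbytes (rowbytes includes the filter byte). */
int check_ihdr(const unsigned char *png, size_t len,
               const struct png_limits *lim, size_t *out_bytes) {
    if (len < 8 + 8 + 13) return 1;                 /* signature + chunk header + IHDR body */
    if (memcmp(png, png_sig, 8) != 0) return 2;
    if (be32(png + 8) != 13 || memcmp(png + 12, "IHDR", 4) != 0) return 3;
    const unsigned char *ihdr = png + 16;
    uint32_t width = be32(ihdr), height = be32(ihdr + 4);
    unsigned bpp = bits_per_pixel(ihdr[9], ihdr[8]);
    if (width == 0 || height == 0 || width > 0x7fffffffU || height > 0x7fffffffU) return 4;
    if (bpp == 0) return 5;
    /* 0 means "unlimited": the effective bound is then only SIZE_MAX. */
    size_t wmax = lim->width_max  ? (size_t)lim->width_max  : SIZE_MAX;
    size_t hmax = lim->height_max ? (size_t)lim->height_max : SIZE_MAX;
    size_t bmax = lim->bytes_max  ? lim->bytes_max          : SIZE_MAX;
    if ((size_t)width  > wmax) return 6;
    if ((size_t)height > hmax) return 7;
    /* rowbytes = ceil(width * bpp / 8) + 1 filter byte, guarding each multiply. */
    if ((size_t)width > (SIZE_MAX - 7) / bpp) return 8;
    size_t rowbytes = ((size_t)width * bpp + 7) / 8 + 1;
    if (rowbytes > SIZE_MAX / (size_t)height) return 8;
    size_t total = rowbytes * (size_t)height;
    if (total > bmax) return 9;
    if (out_bytes) *out_bytes = total;
    return 0;
}

/* Constructed test input: signature + IHDR chunk with a zeroed CRC (not checked above).
 * Writes 33 bytes into buf and returns that length. */
size_t make_ihdr(unsigned char *buf, uint32_t w, uint32_t h, unsigned depth, unsigned ctype) {
    memcpy(buf, png_sig, 8);
    buf[8] = 0; buf[9] = 0; buf[10] = 0; buf[11] = 13;
    memcpy(buf + 12, "IHDR", 4);
    unsigned char *p = buf + 16;
    p[0] = (unsigned char)(w >> 24); p[1] = (unsigned char)(w >> 16);
    p[2] = (unsigned char)(w >> 8);  p[3] = (unsigned char)w;
    p[4] = (unsigned char)(h >> 24); p[5] = (unsigned char)(h >> 16);
    p[6] = (unsigned char)(h >> 8);  p[7] = (unsigned char)h;
    p[8] = (unsigned char)depth; p[9] = (unsigned char)ctype;
    p[10] = 0; p[11] = 0; p[12] = 0;                 /* compression, filter, interlace */
    memset(buf + 29, 0, 4);                          /* CRC placeholder */
    return 33;
}

int main(void) {
    unsigned char buf[33];
    struct png_limits lim = {1000000, 1000000, 16u * 1024 * 1024};
    size_t bytes = 0;
    size_t n = make_ihdr(buf, 640, 480, 8, 6);
    printf("640x480 RGBA: rc=%d bytes=%zu\n", check_ihdr(buf, n, &lim, &bytes), bytes);
    n = make_ihdr(buf, 0x7fffffffU, 0x7fffffffU, 16, 6);
    printf("max spec dims: rc=%d\n", check_ihdr(buf, n, &lim, &bytes));
    return 0;
}
```

The point the check makes concrete is that the dimension limits and the memory limit are independent knobs: with `width_max` and `height_max` at 0 an image of 2,000,000 x 1 pixels passes the dimension checks, and only `bytes_max` (or, failing that, the size_t overflow guard) stops it.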