Libpng library gets fix for truly ancient bug
Where were you in June 1995? Coding image libraries? Let's have a chat
Slackware has raced out of the blocks in 2017, issuing one patch for the libpng image library on New Year's Day, and two Mozilla patches.
The libpng bug got its Common Vulnerabilities and Exposures number, CVE-2016-10087, on December 30. Slackware's announcement says the bug can't be exploited without active user input.
The “unlikely sequence” of events to exploit the NULL dereference bug is as follows: first, an application loads a text chunk into the png structure; second, it deletes all text; third, another text chunk gets added to the same png structure.
Unlikely, but, Slackware's security team says, “it has happened”.
Anyone else using libpng in a distribution or application will need to get the latest version of the library – because this bug has existed in png_set_text_2() since June 1995. It was discovered and patched by Patrick Keshishian.
The Moz fixes cover Slackware's Mozilla Thunderbird implementation and its Mozilla-based Seamonkey browser.
The Thunderbird vulnerability has also been fixed in user clients. It's a critical-rated use-after-free error when manipulating DOM events and audio elements, and was part of an eight-bug update issued on December 28.
The Seamonkey fix brings Slackware up to date with version 2.46. ®