Libpng library gets fix for truly ancient bug

Where were you in June 1995? Coding image libraries? Let's have a chat

Got Tips? 9 Reg comments

Slackware has raced out of the blocks in 2017, issuing one patch for the libpng image library on New Year's Day, and two Mozilla patches.

The libpng bug got its Common Vulnerabilities and Exposures number, CVE-2016-10087, on December 30. Slackware's announcement says the bug can't be exploited without active user input.

The “unlikely sequence” of events to exploit the NULL dereference bug is as follows: first, an application load a text chunk into the png structure; second, it deletes all text; third, another text chunk gets added to the same png structure.

Unlikely, but, Slackware's security team says, “it has happened”.

Anyone else using libpng in a distribution or application will need to get the latest version of the library – because this bug has existed in png_set_text_2() since June 1995. It was discovered and patched by Patrick Keshishian.

The Moz fixes cover Slackware's Mozilla Thunderbird implementation and its Mozilla-based Seamonkey browser.

The Thunderbird vulnerability has also been fixed in user clients. It's a critical-rated use-after-free error when manipulating DOM events and audio elements, and was part of an eight-bug update issued on December 28.

The Seamonkey fix brings Slackware up to date with version 2.46. ®

Sponsored: Webcast: Simplify data protection on AWS


Keep Reading

 Bugs in software as an illustration

Open-source bug bonanza: Vulnerabilities up almost 50 per cent thanks to people actually looking for them

Can't fix flaws if you don't look for them

US-CERT lists the 10 most-exploited security bugs and, yeah, it's mostly Microsoft holes people forgot to patch

Update, update, update. Plus: Flash, Struts, Drupal also make appearances

What do you not want right now? A bunch of Cisco SD-WAN, Webex vulnerabilities? Here are a bunch of them

Switchzilla says remote networking gear has a grab-bag of holes
A bug in the code

GitHub gobbles biz used by NASA, Google, etc to search code for bugs and security holes in Mars rovers, apps...

Semmle's flaw-finding queries can be shared and used on multiple projects
Image composite: Microsoft and StudioLondon

Sadly, 111 in this story isn't binary. It's decimal. It's the number of security fixes emitted by Microsoft this week

Patch Tuesday Nothing too scary. Plus updates from SAP, Adobe, VMware
Windows 10 by Anton Watman, image via Shutterstock

Stuck at home? Need something to keep busy with? Microsoft has 115 ideas – including an awful SMBv3 security hole to worry about

Updated Hefty Patch Tuesday covers critical Word, Dynamics bugs, and more
Google's Play Store is the only official source for Android applications

Too bad, so sad, exploit devs: Google patches possibly several million dollars' worth of security flaws in Android

Except one – a 'your phone is now my phone' bug reported months ago and still not fixed
Man browses his tablet and ignores the beach. Photo by shutterstock

It is with a heavy heart that we must report that your software has bugs and needs patching: Microsoft, Adobe, SAP, Intel emit security fixes

Patch Tuesday And Google drops a zero-day on Windows after deadline miss

Biting the hand that feeds IT © 1998–2020