Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 29 Dec 2016 12:17:16 -0500
From: Glenn Randers-Pehrson <>
Subject: libpng NULL pointer dereference bugfix

libpng-1.6.27 has been released to fix an old NULL pointer dereference
bug in png_set_text_2() discovered and patched by Patrick  Keshishian.

New releases of legacy branches (1.0.67, 1.2.57, 1.4.20, and 1.5.28) have
also been released.  Other versions can be patched by adding a single

      info_ptr->max_text = 0;

at the appropriate spot in png.c.

The potential "NULL dereference" bug that has existed in libpng
since version 0.71 of June 26, 1995.  To be vulnerable, an application
has to load a text chunk into the png structure, then delete all text, then
add another text chunk to the same png structure, which seems to be
an unlikely sequence, but it has happened.

Applications that I have looked at (firefox, imagemagick, graphicsmagick,
pngcrush) do not appear to be vulnerable.

I reported the bug using CERT's online reporting system several days
ago but have not received any response.

Glenn Randers-Pehrson
libpng custodian

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.