POV-Ray : Newsgroups : povray.programming : libpng Security Vulnerabilities Server Time
22 Dec 2024 17:36:10 EST (-0500)
  libpng Security Vulnerabilities (Message 1 to 5 of 5)  
From: Ryan Lamansky
Subject: libpng Security Vulnerabilities
Date: 5 Aug 2004 09:32:30
Message: <411236ee$1@news.povray.org>
Read this for more details:

http://www.us-cert.gov/cas/techalerts/TA04-217A.html

POV-Ray 3.6 uses libpng 1.2.5, a vulnerable version.  This means a scene 
file using a PNG image map could potentially contain a malicious 
payload.

Given the vast number of applications that use libpng, this is scary...

-Ryan


Post a reply to this message

From: Christoph Hormann
Subject: Re: libpng Security Vulnerabilities
Date: 5 Aug 2004 10:35:02
Message: <cetgc0$8po$1@chho.imagico.de>
Ryan Lamansky wrote:
> 
> This means a scene file using a PNG image map could potentially contain 
a malicious payload.

You should use correct formulations, this is nonsense as you wrote it. 
A broken PNG image can cause security problems when you use it in 
POV-Ray as an image map.

The whole thing isn't new, there have been similar problems with other 
support libraries before.  I really don't understand why people make so 
much fuzz about it.  If you had asked me a week ago to bet $1000 on 
libpng containing vulnerabilities or not the answer would have been 
completely clear.

Christoph

-- 
POV-Ray tutorials, include files, Sim-POV,
HCR-Edit and more: http://www.tu-bs.de/~y0013390/
Last updated 06 Jul. 2004 _____./\/^>_*_<^\/\.______


Post a reply to this message

From: Ryan Lamansky
Subject: Re: libpng Security Vulnerabilities
Date: 5 Aug 2004 11:25:33
Message: <4112516d$1@news.povray.org>
This isn't a slam against POV-Ray, or anything like that.  I'm just in 
shock from the thought that an image file could hack me.

This vulnerability is relatively minor for POV-Ray, since so much user 
involvement is needed.  Things are a little different for web 
browsers...

-Ryan


Post a reply to this message

From: Thorsten Froehlich
Subject: Re: libpng Security Vulnerabilities
Date: 5 Aug 2004 11:55:07
Message: <4112585b@news.povray.org>
In article <cetgc0$8po$1@chho.imagico.de> , Christoph Hormann 
<chr### [at] gmxde>  wrote:

> The whole thing isn't new, there have been similar problems with other
> support libraries before.  I really don't understand why people make so
> much fuzz about it.  If you had asked me a week ago to bet $1000 on
> libpng containing vulnerabilities or not the answer would have been
> completely clear.

It still is today.  I would still bet $1000 that more will be found in the
future.  I would actually hold that for absolutely every non-trivial
software out there.

    Thorsten

____________________________________________________
Thorsten Froehlich, Duisburg, Germany
e-mail: tho### [at] trfde

Visit POV-Ray on the web: http://mac.povray.org


Post a reply to this message

From: Warp
Subject: Re: libpng Security Vulnerabilities
Date: 5 Aug 2004 12:44:31
Message: <411263ef@news.povray.org>
Ryan Lamansky <Spa### [at] kardaxcom> wrote:
> I'm just in shock from the thought that an image file could hack me.

  It's much easier to give you a trojan as an SDL script than with
a png.

-- 
plane{-x+y,-1pigment{bozo color_map{[0rgb x][1rgb x+y]}turbulence 1}}
sphere{0,2pigment{rgbt 1}interior{media{emission 1density{spherical
density_map{[0rgb 0][.5rgb<1,.5>][1rgb 1]}turbulence.9}}}scale
<1,1,3>hollow}text{ttf"timrom""Warp".1,0translate<-1,-.1,2>}//  - Warp -


Post a reply to this message

Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.