 |
|
|
|
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Read this for more details:
http://www.us-cert.gov/cas/techalerts/TA04-217A.html
POV-Ray 3.6 uses libpng 1.2.5, a vulnerable version. This means a scene
file using a PNG image map could potentially contain a malicious
payload.
Given the vast number of applications that use libpng, this is scary...
-Ryan
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Ryan Lamansky wrote:
>
> This means a scene file using a PNG image map could potentially contain
a malicious payload.
You should use correct formulations, this is nonsense as you wrote it.
A broken PNG image can cause security problems when you use it in
POV-Ray as an image map.
The whole thing isn't new, there have been similar problems with other
support libraries before. I really don't understand why people make so
much fuzz about it. If you had asked me a week ago to bet $1000 on
libpng containing vulnerabilities or not the answer would have been
completely clear.
Christoph
--
POV-Ray tutorials, include files, Sim-POV,
HCR-Edit and more: http://www.tu-bs.de/~y0013390/
Last updated 06 Jul. 2004 _____./\/^>_*_<^\/\.______
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
This isn't a slam against POV-Ray, or anything like that. I'm just in
shock from the thought that an image file could hack me.
This vulnerability is relatively minor for POV-Ray, since so much user
involvement is needed. Things are a little different for web
browsers...
-Ryan
Post a reply to this message
|
|
| |
| |
|
|
From: Thorsten Froehlich
Subject: Re: libpng Security Vulnerabilities
Date: 5 Aug 2004 11:55:07
Message: <4112585b@news.povray.org>
|
|
|
| |
| |
|
|
In article <cetgc0$8po$1@chho.imagico.de> , Christoph Hormann
<chr### [at] gmx de> wrote:
> The whole thing isn't new, there have been similar problems with other
> support libraries before. I really don't understand why people make so
> much fuzz about it. If you had asked me a week ago to bet $1000 on
> libpng containing vulnerabilities or not the answer would have been
> completely clear.
It still is today. I would still bet $1000 that more will be found in the
future. I would actually hold that for absolutely every non-trivial
software out there.
Thorsten
____________________________________________________
Thorsten Froehlich, Duisburg, Germany
e-mail: tho### [at] trfde
Visit POV-Ray on the web: http://mac.povray.org
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Ryan Lamansky <Spa### [at] kardaxcom> wrote:
> I'm just in shock from the thought that an image file could hack me.
It's much easier to give you a trojan as an SDL script than with
a png.
--
plane{-x+y,-1pigment{bozo color_map{[0rgb x][1rgb x+y]}turbulence 1}}
sphere{0,2pigment{rgbt 1}interior{media{emission 1density{spherical
density_map{[0rgb 0][.5rgb<1,.5>][1rgb 1]}turbulence.9}}}scale
<1,1,3>hollow}text{ttf"timrom""Warp".1,0translate<-1,-.1,2>}// - Warp -
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
