All times are UTC




Posted: Wed, 18-11-15, 17:52 GMT
Joined: Sun, 02-09-07, 23:16 GMT
Posts: 119
Location: Upstate NY, USA
Recently some buffer overflow bugs have been reported (and fixed) by the current maintainer of libpng.
See http://www.libpng.org/pub/png/libpng.html

It is not at all obvious to me if Celestia (or the .SCI variant) is vulnerable to the problem. A brief search hasn't located an example image file which would trigger the bug, although I suspect they'll be appearing soon.

_________________
Selden


Posted: Wed, 18-11-15, 19:35 GMT
Site Admin
Joined: Fri, 31-08-07, 7:01 GMT
Posts: 4495
Location: Hamburg, Germany
Selden wrote:
Recently some buffer overflow bugs have been reported (and fixed) by the current maintainer of libpng.
See http://www.libpng.org/pub/png/libpng.html

It is not at all obvious to me if Celestia (or the .SCI variant) is vulnerable to the problem. A brief search hasn't located an example image file which would trigger the bug, although I suspect they'll be appearing soon.


Thanks, Selden, for reminding us about this vulnerability.

In Windows I develop celestia.Sci with libpng-15, while under Linux I use libpng-16. For both libpng series, patched subversions are claimed to exist.

In any case we have never noted a problem with libpng under Linux and Windows. Perhaps Dawoon had a different experience with MAC_OS.

Fridger

Posted: Fri, 20-11-15, 13:45 GMT
Joined: Tue, 04-09-07, 2:32 GMT
Posts: 430
Location: South Korea
The vulnerable functions in libpng are listed as:
png_set_tIME()
png_convert_to_rfc1123()
png_get_PLTE()
png_set_PLTE()

Fortunately Celestia trunk code does not call any of these functions. I have not checked celestia.Sci yet.
BTW I still think it is a good idea to keep up with the latest version of libpng because of the many other security bug fixes listed near the bottom of the libpng website.
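
The source check described in the post above, written out as a script. This is an added example, not code from the thread or from the Celestia project: the names `scan_png_calls` and `count_png_calls` and the file-extension list are assumptions, and the match is a text heuristic that skips `//` comments but does not parse `/* */` blocks.

```shell
#!/bin/sh
# Added example (not from the thread): list call sites of the four libpng
# functions named in the post above in a C/C++ source tree.
# Heuristic: "//" comments are ignored, /* ... */ blocks are not parsed.

# scan_png_calls DIR -> prints "file:line: source text" for every call site
scan_png_calls() {
    find "$1" -type f \( -name '*.c' -o -name '*.cc' -o -name '*.cpp' \
            -o -name '*.h' -o -name '*.hpp' \) -exec awk '
        {
            line = " " $0              # pad so a name at column 1 has a left neighbour
            sub(/\/\/.*/, "", line)    # drop // comments
        }
        # function name not preceded by an identifier character, followed by "("
        line ~ /[^A-Za-z0-9_](png_set_tIME|png_convert_to_rfc1123|png_get_PLTE|png_set_PLTE)[ \t]*\(/ {
            print FILENAME ":" FNR ": " $0
        }' {} +
}

# count_png_calls DIR -> prints the number of call sites found
count_png_calls() {
    scan_png_calls "$1" | wc -l | tr -d ' '
}

# Usage: sh scan.sh path/to/source   (the path is whatever tree you want to audit)
if [ "$#" -gt 0 ]; then
    scan_png_calls "$1"
    echo "call sites found: $(count_png_calls "$1")"
fi
```

A count of 0 only covers direct calls in the scanned sources; bundled third-party code has to be inside the scanned directory to be included.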


Posted: Sun, 22-11-15, 21:39 GMT
Joined: Tue, 04-09-07, 21:55 GMT
Posts: 766
Location: N 42.38846 W 83.45456
The only png issues I have had have been with the need for legacy support on some things.
This ends up with libpng12,16 installed and having to specify WHAT libpng??.pc to use.

_________________
"I don't pitch Linux to my friends, I let Microsoft do that for me."
Using OpenSUSE 42.1 & Scientific Linux 6.7

