Libpng library gets fix for truly ancient bug

Slackware has raced out of the blocks in 2017, issuing one patch for the libpng image library on New Year's Day, and two Mozilla patches. The libpng bug got its Common Vulnerabilities and Exposures number, CVE-2016-10087, on December 30. Slackware's announcement says the bug can't be exploited without active user input. The “ …

  1. jake Silver badge

    Gotta love Slackware :-)

    In the last week of the year there were also updates for Python, Samba, expat, and openssh ... I eyeball the changelogs pretty much daily, takes no time. See:

    1. LDS Silver badge

      Re: Gotta love Slackware :-)

      Yes, very nerdy to release patches when lots of people are on holidays... oh well, my Drupal site warned me of a new patch on January 1st. Some people can't really stay away from a computer a few days.

  2. Doctor Syntax Silver badge

    From the Mozilla bug list

    "CVE-2016-9904: Cross-origin information leak in shared atoms"

    Quantum processing in Thunderbird!

    Mine's the one that got entangled.

    1. jake Silver badge

      Slackware will entangle you ... if you let it ;-)

      jake --entangled for some 23 years now ...

  3. Version 1.0 Silver badge

    And today's lesson is ...

    It doesn't matter how long you've been using the library without any problems, the potential is still there for a hack. Kudos to Slackware for fixing it, but how many more bugs are out there just waiting discovery? Or are currently known and exploited by the State?

    Moving on, I think we need to reexamine the way software gets written and tested - because our current methods aren't working. Today's #1 defense is to "run it in a sandbox" ... so of course the #1 hack is to break out of the sandbox - duh, we didn't see that coming?

    1. Lee D Silver badge

      Re: And today's lesson is ...

      I'd say the longer you've been running a particular software, the more likely a bug like this actually is.

      People don't get that the software attack surface might be static, but the attacks used against it are constantly evolving. No matter whether you update every day, every month, or not at all, it makes little difference (some, but little) as almost every new attack is just that - new.

      And leaving software alone because "it just works" is missing the point. It still needs to be isolated and protected from any form of input, usually by devices and interfaces that ARE updated regularly and religiously.

      The amount of embedded device code on a network is scary nowadays, which is why you have to make sure that your frontline and your users are behaving themselves and kept up-to-date against all these kinds of things. You have to come in at a zero-trust angle in order to stand any chance.

      Just because something's worked fine for 10 years does NOT mean that it's safe. It means it's got ten years worth of attacks against it that it was never designed to combat.

  4. The Count

    As a matter of fact

    I was coding image processing software in 1995 for the first digital cameras from Apple, Logitec, and Fujitsu.

    I didn't write libpng though, so don't blame me.

  5. Robert Helpmann?? Silver badge

    “it has happened”

    Of course it has happened! The internet is populated by monkeys busily pounding away at keyboards. If a damnfool thing can be done, it must be done and the sooner, the better. What did you expect? Shakespeare?

  6. nathanmacinnes

    I read El Reg mainly for the article subheadings.
