Vulnerable LibPNG in latest XnView

Bugs found in XnView Classic. Please report only one bug per topic!

Karl_S
Posts: 4
Joined: Tue Nov 10, 2015 1:14 pm

Vulnerable LibPNG in latest XnView

Post by Karl_S »

Hi,

From the changelog I can see that the latest XnView version (2.34) uses LibPNG 1.6.18.
As you can see at http://www.libpng.org/pub/png/libpng.html, that version has some vulnerabilities.
It would be great if it could be upgraded to 1.6.19, the latest version at this moment, which fixes these issues.
omniplex
Posts: 127
Joined: Thu Feb 10, 2011 1:52 pm
Location: Hamburg

Re: Vulnerable LibPNG in latest XnView

Post by omniplex »

Karl_S wrote: It would be great if it could be upgraded to 1.6.19, the latest version at this moment, which fixes these issues.
If openssl + libpng team up they could beat Adobe Flash or Oracle Java in a "fixed security bugs per hour" pissing contest. Meanwhile the libpng folks claim that 1.6.19 also isn't good, but 1.6.20 is great (on the page you linked).

I tried to find the PNG version string in the XnView binary, because WhatsNew.txt could be incorrect, but that failed near a promising "Application built with libpng-" string in XnView.exe. I can't tell if there is an XnView function actually using this string. Something like ffmpeg -buildconf would be nice: a list of all used external libraries together with their versions. E.g., I'd also be interested to know which dcraw version is used in XnView. Or which libjpeg. Or which libtiff.

While looking for PNG in the binary I stumbled over -i -i "%s" -y -ss 00:00:01 -vframes 1 -an -vcodec png -f rawvideo "%s"; apparently XnView contains FFmpeg command line options, and one -i instead of -i -i might be good enough. :P As an FFmpeg user I'd also be curious which FFmpeg version is used by XnView. The string could be related to animated APNG, but if XnView is linked with FFmpeg libraries it would not need FFmpeg command line options, so this string is rather mysterious.
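The check omniplex attempted by hand, scanning a binary for the version strings that bundled libraries embed and comparing them against a fixed version, is what a defender does when a changelog cannot be trusted. The following is an added example, not code from XnView or from anyone in this thread; the "Application built with libpng-" string comes from the post above, while the libtiff, zlib and FFmpeg patterns, the 1.6.20 minimum and the sample bytes are my own assumptions and constructed input.

```python
import re
import sys
from typing import Dict, Tuple

# Version-string formats the libraries themselves compile into a binary.
# Only the libpng "Application built with" form is quoted in the thread;
# the others are assumed from the libraries' own version functions.
LIBRARY_PATTERNS = {
    "libpng": [
        rb"Application built with libpng-(\d+\.\d+\.\d+)",
        rb"libpng version (\d+\.\d+\.\d+)",
    ],
    "libtiff": [rb"LIBTIFF, Version (\d+\.\d+\.\d+)"],
    "zlib": [rb"inflate (\d+\.\d+\.\d+) Copyright"],
    "ffmpeg": [rb"FFmpeg version (\d+\.\d+(?:\.\d+)?)"],
}

# Constructed stand-in for an executable: a few strings with binary padding.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00Application built with libpng-1.6.18\x00"
    b"\x00\x00LIBTIFF, Version 4.0.6\x00\xff\xfe"
    b"inflate 1.2.8 Copyright 1995-2013 Mark Adler\x00"
)

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.6.18' into (1, 6, 18) so versions compare numerically."""
    return tuple(int(p) for p in text.split("."))

def find_library_versions(data: bytes) -> Dict[str, str]:
    """Return {library: version} for every pattern that matches in the blob."""
    found = {}
    for name, patterns in LIBRARY_PATTERNS.items():
        for pattern in patterns:
            match = re.search(pattern, data)
            if match:
                found[name] = match.group(1).decode("ascii")
                break  # first matching form wins; do not overwrite
    return found

def check_minimum(found: Dict[str, str], minimums: Dict[str, str]) -> Dict[str, bool]:
    """True when the embedded version is at or above the required minimum."""
    return {name: parse_version(found[name]) >= parse_version(minimums[name])
            for name in minimums if name in found}

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    versions = find_library_versions(blob)
    # 1.6.20 is the version the libpng page is reported to recommend above.
    print(versions, check_minimum(versions, {"libpng": "1.6.20"}))
```

Run it with a path to the executable to scan a real file; a library that is statically linked but whose version string was stripped will simply not appear, so absence is not evidence of safety.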
omniplex
Posts: 127
Joined: Thu Feb 10, 2011 1:52 pm
Location: Hamburg

Re: Vulnerable LibPNG in latest XnView

Post by omniplex »

JFTR, libpng-1.6.21-README was not a security issue.