Vulnerable LibPNG in latest XnView

[Karl_S]

Hi,

from the changelog I can see that the latest XnView version (2.34) uses LibPNG 1.6.18.
As you can see at http://www.libpng.org/pub/png/libpng.html that version has some vulnerabilities.
It would be great if it could be upgraded to 1.6.19, the latest version at this moment, which fixes these issues.

[omniplex]

It would be great if it could be upgraded to 1.6.19, the latest version at this moment, which fixes these issues.

If openssl + libpng team up they could beat Adobe Flash or Oracle Java in a "fixed security bugs per hour" pissing contest. Meanwhile the libpng folks claim that 1.6.19 also isn't good, but 1.6.20 is great (on the page you linked.)

I tried to find the PNG version string in the XnView binary, because WhatsNew.txt could be incorrect, but that failed near a promising "Application built with libpng-" string in XnView.exe. I can't tell if there is an XnView function actually using this string. Something like ffmpeg -buildconf would be nice, a list of all used external libraries together with their versions. E.g., I'd be also interested to know which dcraw version is used in XnView. Or which libjpeg. Or which libtiff.

While looking for PNG in the binary I stumbled over -i -i "%s" -y -ss 00:00:01 -vframes 1 -an -vcodec png -f rawvideo "%s", apparently XnView contains FFmpeg command line options, and one -i instead of -i -i might be good enough. As FFmpeg user I'd be also curious which FFmpeg version is used by XnView. The string could be related to animated APNG, but if XnView is linked with FFmpeg libraries it would not need FFmpeg command line options, so this string is rather mysterious.

[omniplex]

JFTR, libpng-1.6.21-README was not a security issue.