
From the mailing list announcement:
These all fix a potential "NULL dereference" bug that has existed in libpng since version 0.71 of June 26, 1995. To be vulnerable, an application has to load a text chunk into the png structure, then delete all text, then add another text chunk to the same png structure, which seems to be an unlikely sequence, but it has happened.
Great to see that bug being discovered and fixed after 21 years. There are also a few other minor updates to find with libpng 1.6.27.
Here's to hoping for more open-source/Linux security and bug-fixing improvements in 2017!
29 Comments