It’s fantastic they were able to find these issues!
That four new CVEs (two high-severity!) were found in a mature and well-tested library like png reminds me how non-trivial and unforgiving software engineering can be.
Security flaws are often just waiting behind the corner: this should be a humbling lesson for all of us.
Affects back to version 1.6.0 released Feb 14, 2013
rust rewrite when?
Chrome is already in the process of removing libpng.
For those curious on what to use instead, it seems like they made an in-house Skia module (using Rust) named SkPngRustDecoder (and Encoder).