News and History of the PNG Development Group from 2002
Herein lie news items and historical stuff primarily of interest to the
Portable Network Graphics Development Group itself. Feel free to poke
around even if you're not a member, though. Note that some of the links,
particularly the older ones, are broken; in some cases this is explained by
later entries. Other links (CompuServe, tcg.arl.mil) have fallen prey to
reorganizations or upgrades; should they ever reappear, the entries below
will be updated as needed.
Keep in mind that this is history here...
- 11 December 2002 - eEye Digital Security reports a heap-corruption vulnerability in the PNG decoder used by Microsoft's
Internet Explorer and other software. Specifically, a bug in
zlib 1.0.4, which is used in the pngfilt.dll component,
can lead to execution of arbitrary code when a specially crafted
(corrupted) PNG image is viewed by Internet Explorer or Microsoft
Outlook. (Many other Microsoft products, including Office,
Visual Studio, and all versions of Windows since Windows
95 OSR 2.5, also ship with the bad DLL. It may be possible to be
attacked in other ways, such as via a Microsoft Word document
containing an embedded image.) This bug was actually fixed in zlib
1.0.5 five years ago, but
Microsoft didn't update Internet Explorer until version 6.1, apparently
in response to the more recent zlib vulnerability (see the
11 March 2002 entry below). Note that this is not
a libpng bug. It does, however, potentially affect any software that
still uses zlib 1.0.4 or earlier, including libpng-based software.
- 11 November 2002 - Sun releases version 2.0 of the Java2
Micro Edition Mobile Information Device Profile (J2ME MIDP), a Java
profile for cell phones and similar devices. As with the original
version (see the 19 September 2000 entry), it requires PNG
support, but this time it also requires binary transparency support--and
full alpha support if the hardware supports that. Spiffy! See also
David Fox's "Your First Micro Java Game" and John Muchow's older
article, "Java 2ME and MIDP".
- 3 October 2002 - libpng 1.2.5 and 1.0.15 are released. These
versions fine-tune many of the makefiles and the libpng-config script,
fix a minor interlacing bug, prevent unnecessary aborts when the image
has more compressed data than it should, and replace the toucan.png test
image with an uncorrupted copy.
- 8 July 2002 - libpng 1.2.4 and 1.0.14 are released. These
versions plug some memory leaks and eliminate a buffer-overflow
vulnerability that could be triggered by too-large zlib streams.
(This is completely unrelated to the zlib-specific vulnerability
described in the 11 March 2002 entry below.)
- 22 May 2002 - libpng 1.2.3 is released. The code itself is
essentially unchanged, but the Unix makefiles have been modified to
restore the header files to their original location (via symlinks),
the libpng-config script is now installed, and a new "VB" target
has been added to the MSVC project.
- 16 April 2002 - libpng 1.2.2 and 1.0.13 are released. These
versions add some new error-checking and fix a register-preservation
bug in the MMX-specific code. The makefiles have also been modified
to install the PNG header files in (e.g.) /usr/include/libpng instead
of directly in /usr/include; in other words, applications (or their
makefiles) must be modified to look for png.h in a slightly
different location than before.
- 11 March 2002 - zlib 1.1.4 is released. This version fixes
a security vulnerability (CERT note, Red Hat advisory) wherein specially crafted, invalid deflate
streams can trigger zlib to free a memory buffer twice, leading to
potential denial-of-service attacks (and perhaps worse). This bug
additionally depends on the version of malloc/free in the platform's C
library not checking for such cases; AIX and almost all Linux
systems (glibc-based) are vulnerable, but Windows, Mac OS, FreeBSD,
NetBSD, OpenBSD, and HP-UX reportedly are not.
- 5 January 2002 - Webster's New World Computer Dictionary, 9th
edition, has entries for PNG and Portable Network Graphics,
reports Glenn. Both the PNG and the GIF entries discuss the LZW patent,
and the latter entry has a pointer to the former. How about that?
- 1 January 2002 - E-Soft
publishes a "Technology Penetration Report," based on a survey of half
a million web sites, that shows PNG is used on 2.27% of sites (not
exclusively, of course). Not particularly breathtaking, but a useful
data point nonetheless . . .
Last modified 27 January 2012.
Copyright © 1995-2013 Greg Roelofs.