News and History of the PNG Development Group from 2004
Herein lie news items and historical stuff primarily of interest to the
Portable Network Graphics Development Group itself. Feel free to poke
around even if you're not a member, though. Note that some of the links,
particularly the older ones, are broken; in some cases this is explained by
later entries. Other links (CompuServe, tcg.arl.mil) have fallen prey to
reorganizations or upgrades; should they ever reappear, the entries below
will be updated as needed.
Keep in mind that this is history here...
- current - see here
- 3 December 2004 - libpng 1.2.8 and
1.0.18 are released. These versions fix a crash bug introduced in
versions 1.2.6 and 1.0.16 that affects applications that strip the
alpha channel. The release also adds a pair of new build-related files.
- 15 October 2004 - Kerry Watson donates a couple of nice PNG
images that didn't fit into his PNG site
(formerly http://www.webcolors.freeserve.co.uk/png/). Anyone
is allowed to link directly to them, as Greg as done here (but you may
wish to save your own copies in case they go away at some point):
- 4 October 2004 - zlib 1.2.2 is released. This version
eliminates a potential security vulnerability when decoding
invalid compressed data, fixes a bug when decompressing dynamic blocks
with no distance codes, and modifies gzread() not to return an error on
empty files. Also note that zlib.org is not currently maintained; use zlib.net instead.
- 26 September 2004 - Larry Seltzer writes an article for the
5 October 2004 issue of PC Magazine entitled, PNG
Transparency in Internet Explorer. In it he discusses the
well-known alpha-transparency bug in MSIE for Windows and describes
Bob Osola's not-so-new
twist on the DirectX hack, which requires only (ahem) a three-line
the DirectX code it invokes. No word yet whether it breaks the Mac
- 11 September 2004 - libpng 1.2.7 and 1.0.17 are released. These
versions fix the PNG-writing bug noted below (26 August
- 26 August 2004 - A (non-security-related) patch against
libpng 1.2.6 and 1.0.16 is released. It fixes a
file-corruption bug in which two
zlib header-bytes can be set incorrectly when writing PNGs.
The result is that some applications, including Microsoft Word
2002 (and other MS Office apps) and Microsoft's Fax and Picture
Viewer, may display the images as garbled. The good news is that
the images are not fatally corrupted; they can be fixed simply by
resetting the two bytes--for example, using pngcrush. See the libpng page for the patch.
- 15 August 2004 - libpng 1.2.6 and 1.0.16 are released. These
versions correct some security flaws, at
least one of which is serious; see the 4 August 2004 item
for details and the libpng page for downloads.
- 12 August 2004 - Kevin A. Freitas writes One PNG, two
browsers, no hacks, which describes how to use Fireworks
to create PNGs with alpha transparency that still look reasonable in
Internet Explorer--no nasty DirectX hacks required. Of course, the method is of limited
usefulness outside the realm of web graphics (i.e., sharp-edged buttons
and similar images, with only a little alpha to soften the edges and
maybe add a drop-shadow), but at least it's fully standards-compliant.
- 4 August 2004 - A significantly more serious libpng
involving invalid palette and transparency chunks is announced, together
with a pair of libpng release candidates containing the fix. See the
libpng page for links, or go directly to
the SourceForge download page for the latest 1.0.16 and 1.2.6
release candidates and for the jumbo patches against libpng 1.2.5 and
ZDNet, Slashdot and others have commentary.
- 24 June 2004 - LWN.net picks
the libpng 16-bps buffer-overrun vulnerability (see the 16 May
item below) as its poster child for Long-lived security holes.
Despite fixes in many Linux distributions nearly 18 months
ago--including Red Hat--the patch managed to
be omitted from later Red Hat distros, apparently through a simple
oversight. Thus "Red Hat users were vulnerable to attackers wielding
evil PNG images for over two years." Of course, that's a little
unfair in that the problem wasn't even discovered until a year and a
half ago, but otherwise it's a valid point in the context of the rest
of the article--which immediately points out that "as far as anybody
can tell, not a single Red Hat user suffered any sort of compromise as
a result of this unfixed bug" and goes on to discuss rating systems for
the severity of different vulnerabilities.
- 16 May 2004 - Two libpng security
patches have been added to the libpng
page; they address the vulnerabilities described in CAN-2002-1363 and CAN-2004-0421. There are no known exploits for either bug, but
carefully crafted PNG images could in principle cause denial of service
(crashes) in both cases and, in the former case, execution of untrusted
code via buffer overrun.
- 3 March 2004 - Oops...apparently the ISO/IEC version of
the PNG spec wasn't actually published last November like we
were told; it
officially reached stage 60.60
only today, in fact (four months later!), as noted on the ISO/IEC
PNG status page. (The official title is the rather unwieldy
ISO/IEC 15948:2004 -- Information technology -- Computer graphics
and image processing -- Portable Network Graphics (PNG): Functional
specification, and it weighs in at 80 pages.) It can be
ordered either on CD-ROM or in downloadable PDF format for 172
Swiss francs. (Or you can just use the identical W3C version.)
- 16 February 2004 - Gregory Wild-Smith writes an update to his original PNG article
(see the 15 September 2003 entry) entitled, PNG's Just Got Smaller. It notes improvements in
Photoshop CS's PNG support, as well as in the Web Image
Guru and PNGOUT optimizers. (Note that the former apparently
is using a lossy approach now.)
Here are some related PNG pages at this site:
Last modified 27 January 2013.
Copyright © 1995-2013 Greg Roelofs.