News and History of the PNG Development Group from 2002

Herein lie news items and historical stuff primarily of interest to the Portable Network Graphics Development Group itself. Feel free to poke around even if you're not a member, though. Note that some of the links, particularly the older ones, are broken; in some cases this is explained by later entries. Other links (CompuServe, tcg.arl.mil) have fallen prey to reorganizations or upgrades; should they ever reappear, the entries below will be updated as needed.

Keep in mind that this is history here...

• current - see here

• 11 December 2002 - eEye Digital Security reports a heap-corruption vulnerability in the PNG decoder used by Microsoft's Internet Explorer and other software. Specifically, a bug in zlib 1.0.4, which is used in the pngfilt.dll component, can lead to execution of arbitrary code when a specially crafted (corrupted) PNG image is viewed by Internet Explorer or Microsoft Outlook. (Many other Microsoft products, including Office, Visual Studio, and all versions of Windows since Windows 95 OSR 2.5, also ship with the bad DLL. It may be possible to be attacked in other ways, such as via a Microsoft Word document containing an embedded image.) This bug was actually fixed in zlib 1.0.5 five years ago, but Microsoft didn't update Internet Explorer until version 6.1, apparently in response to the more recent zlib vulnerability (see the 11 March 2002 entry below). Note that this is not a libpng bug. It does, however, potentially affect any software that still uses zlib 1.0.4 or earlier, including libpng-based software.

• 11 November 2002 - Sun releases version 2.0 of the Java2 Micro Edition Mobile Information Device Profile (J2ME MIDP), a Java profile for cell phones and similar devices. As with the original version (see the 19 September 2000 entry), it requires PNG support, but this time it also requires binary transparency support--and full alpha support if the hardware supports that. Spiffy! See also David Fox's Your First Micro Java Game and John Muchow's older article, Java 2ME and MIDP Development.

• 3 October 2002 - libpng 1.2.5 and 1.0.15 are released. These versions fine-tune many of the makefiles and the libpng-config script, fix a minor interlacing bug, prevent unnecessary aborts when the image has more compressed data than it should, and replace the toucan.png test image with an uncorrupted copy.

• 8 July 2002 - libpng 1.2.4 and 1.0.14 are released. These versions plug some memory leaks and eliminate a buffer-overflow vulnerability that could be triggered by too-large zlib streams. (This is completely unrelated to the zlib-specific vulnerability described in the 11 March 2002 entry below.)

• 22 May 2002 - libpng 1.2.3 is released. The code itself is essentially unchanged, but the Unix makefiles have been modified to restore the header files to their original location (via symlinks), the libpng-config script is now installed, and a new "VB" target has been added to the MSVC project.

• 16 April 2002 - libpng 1.2.2 and 1.0.13 are released. These versions add some new error-checking and fix a register-preservation bug in the MMX-specific code. The makefiles have also been modified to install the PNG header files in (e.g.) /usr/include/libpng instead of directly in /usr/include; in other words, applications (or their makefiles) must be modified to look for png.h in a slightly different location than before.

• 11 March 2002 - zlib 1.1.4 is released. This version fixes a security vulnerability (CERT note, Red Hat advisory) wherein specially crafted, invalid deflate streams can trigger zlib to free a memory buffer twice, leading to potential denial-of-service attacks (and perhaps worse). This bug additionally depends on the version of malloc/free in the platform's C library not checking for such cases; AIX and almost all Linux systems (glibc-based) are vulnerable, but Windows, Mac OS, FreeBSD, NetBSD, OpenBSD, and HP-UX reportedly are not.

• 5 January 2002 - Webster's New World Computer Dictionary, 9th edition, has entries for PNG and Portable Network Graphics, reports Glenn. Both the PNG and the GIF entries discuss the LZW patent, and the latter entry has a pointer to the former. How about that?

• 1 January 2002 - E-Soft publishes a "Technology Penetration Report," based on a survey of half a million web sites, that shows PNG is used on 2.27% of sites (not exclusively, of course). Not particularly breathtaking, but a useful data point nonetheless . . .

Here are some related PNG pages at this site:

• Current News of the PNG Development Group
• Historical PNG news:
  • 2013 · 2012 · 2011 · 2010 · 2009 · 2008 · 2007 · 2006 · 2005 · 2004 · 2003 · 2002 · 2001 · 2000 · 1999 · 1998 · 1997 · 1996 · 1995
• History of PNG
• Current Status of PNG

• PNG Home Page
• Complete PNG Site Map

Copyright © 1995-2013 Greg Roelofs.