News and History of the PNG Development Group from 2004
Herein lie news items and historical stuff primarily of interest to the
Portable Network Graphics Development Group itself. Feel free to poke
around even if you're not a member, though. Note that some of the links,
particularly the older ones, are broken; in some cases this is explained by
later entries. Other links (CompuServe, tcg.arl.mil) have fallen prey to
reorganizations or upgrades; should they ever reappear, the entries below
will be updated as needed.
Keep in mind that this is history here...
- current - see here
- 3 December 2004 - libpng 1.2.8 and
1.0.18 are released. These versions fix a crash bug introduced in
versions 1.2.6 and 1.0.16 that affects applications that strip the
alpha channel. The release also adds a pair of new build-related files.
- 15 October 2004 - Kerry Watson donates a couple of nice PNG
images that didn't fit into his PNG site
(formerly http://www.webcolors.freeserve.co.uk/png/). Anyone
is allowed to link directly to them, as Greg has done here (but you may
wish to save your own copies in case they go away at some point):
- 4 October 2004 - zlib 1.2.2 is released. This version
eliminates a potential security vulnerability when decoding
invalid compressed data, fixes a bug when decompressing dynamic blocks
with no distance codes, and modifies gzread() not to return an error on
empty files. Also note that zlib.org is not currently maintained; use zlib.net instead.
- 26 September 2004 - Larry Seltzer writes an article for the
5 October 2004 issue of PC Magazine entitled, PNG
Transparency in Internet Explorer. In it he discusses the
well-known alpha-transparency bug in MSIE for Windows and describes
Bob Osola's not-so-new
twist on the DirectX hack, which requires only (ahem) a three-line
kludge to your web pages--plus an extra JavaScript file, of course, and
the DirectX code it invokes. No word yet whether it breaks the Mac
version.
- 11 September 2004 - libpng 1.2.7 and 1.0.17 are released. These
versions fix the PNG-writing bug noted below (26 August
entry).
- 26 August 2004 - A (non-security-related) patch against
libpng 1.2.6 and 1.0.16 is released. It fixes a
file-corruption bug in which the two
zlib header bytes can be set incorrectly when writing PNGs.
The result is that some applications, including Microsoft Word
2002 (and other MS Office apps) and Microsoft's Fax and Picture
Viewer, may display the images as garbled. The good news is that
the images are not fatally corrupted; they can be fixed simply by
resetting the two bytes--for example, using pngcrush. See the libpng page for the patch.
- 15 August 2004 - libpng 1.2.6 and 1.0.16 are released. These
versions correct some security flaws, at
least one of which is serious; see the 4 August 2004 item
for details and the libpng page for downloads.
- 12 August 2004 - Kevin A. Freitas writes One PNG, two
browsers, no hacks, which describes how to use Fireworks
to create PNGs with alpha transparency that still look reasonable in
Internet Explorer--no nasty DirectX hacks required. Of course, the method is of limited
usefulness outside the realm of web graphics (i.e., sharp-edged buttons
and similar images, with only a little alpha to soften the edges and
maybe add a drop-shadow), but at least it's fully standards-compliant.
- 4 August 2004 - A significantly more serious libpng
vulnerability
involving invalid palette and transparency chunks is announced, together
with a pair of libpng release candidates containing the fix. See the
libpng page for links, or go directly to
the SourceForge download page for the latest 1.0.16 and 1.2.6
release candidates and for the jumbo patches against libpng 1.2.5 and
earlier.
CNET,
ZDNet, Slashdot and others have commentary.
- 24 June 2004 - LWN.net picks
the libpng 16-bps buffer-overrun vulnerability (see the 16 May
item below) as its poster child for Long-lived security holes.
Despite fixes in many Linux distributions nearly 18 months
ago--including Red Hat--the patch managed to
be omitted from later Red Hat distros, apparently through a simple
oversight. Thus "Red Hat users were vulnerable to attackers wielding
evil PNG images for over two years." Of course, that's a little
unfair in that the problem wasn't even discovered until a year and a
half ago, but otherwise it's a valid point in the context of the rest
of the article--which immediately points out that "as far as anybody
can tell, not a single Red Hat user suffered any sort of compromise as
a result of this unfixed bug" and goes on to discuss rating systems for
the severity of different vulnerabilities.
- 16 May 2004 - Two libpng security
patches have been added to the libpng
page; they address the vulnerabilities described in CAN-2002-1363 and CAN-2004-0421. There are no known exploits for either bug, but
carefully crafted PNG images could in principle cause denial of service
(crashes) in both cases and, in the former case, execution of untrusted
code via buffer overrun.
- 3 March 2004 - Oops...apparently the ISO/IEC version of
the PNG spec wasn't actually published last November like we
were told; it
officially reached stage 60.60
only today, in fact (four months later!), as noted on the ISO/IEC
PNG status page. (The official title is the rather unwieldy
ISO/IEC 15948:2004 -- Information technology -- Computer graphics
and image processing -- Portable Network Graphics (PNG): Functional
specification, and it weighs in at 80 pages.) It can be
ordered either on CD-ROM or in downloadable PDF format for 172
Swiss francs. (Or you can just use the identical W3C version.)
- 16 February 2004 - Gregory Wild-Smith writes an update to his original PNG article
(see the 15 September 2003 entry) entitled, PNG's Just Got Smaller. It notes improvements in
Photoshop CS's PNG support, as well as in the Web Image
Guru and PNGOUT optimizers. (Note that the former apparently
is using a lossy approach now.)
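The 26 August and 4 August 2004 entries above both come down to chunk contents that a reader should check before trusting them: the two zlib header bytes at the start of the first IDAT, and palette/transparency chunks whose lengths do not agree. The following is an added example, written for this page and not code from the page, from libpng or from pngcrush. It is a small Python chunk walker that verifies each chunk's CRC, the PLTE size limits from the PNG spec, that a tRNS chunk for a palette image has no more entries than the palette (one spec constraint an invalid transparency chunk can violate; the exact condition behind the 4 August advisory is not stated on the page and is not reproduced here), and the RFC 1950 validity of the IDAT zlib header, plus a repair that resets those two bytes and recomputes the chunk CRC, which is what the 26 August entry describes. The sample image, the bad header value (0x78 0x9D, an FCHECK mismatch) and all function names are constructed for the example; the real libpng 1.2.6 bug is not recreated, only a header that is invalid in the same place.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed sample data (not from the page): a 2x2, 8-bit palette image,
# one filter byte followed by two palette indices per row, and a two-entry palette.
RAW = b"\x00\x00\x01\x00\x01\x00"
PALETTE = b"\xff\x00\x00\x00\xff\x00"


def chunk(ctype, data):
    """Serialise one chunk: 4-byte length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width, height, color_type, bit_depth, palette=None, trns=None, raw=b""):
    """Build a minimal PNG: IHDR, optional PLTE/tRNS, one IDAT holding zlib(raw), IEND."""
    ihdr = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, 0)
    png = PNG_SIG + chunk(b"IHDR", ihdr)
    if palette is not None:
        png += chunk(b"PLTE", palette)
    if trns is not None:
        png += chunk(b"tRNS", trns)
    return png + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def iter_chunks(png):
    """Yield (data_offset, type, data, stored_crc) per chunk; raise on a truncated file."""
    if not png.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    while pos < len(png):
        if pos + 12 > len(png):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk %r" % ctype)
        data = png[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", png[pos + 8 + length:end])[0]
        yield pos + 8, ctype, data, crc
        pos = end


def check_png(png):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    color_type = bit_depth = plte_entries = None
    idat_seen = False
    for _, ctype, data, crc in iter_chunks(png):
        if (zlib.crc32(ctype + data) & 0xFFFFFFFF) != crc:
            problems.append("bad CRC in %s" % ctype.decode("latin-1"))
        if ctype == b"IHDR":
            bit_depth, color_type = struct.unpack(">BB", data[8:10])
        elif ctype == b"PLTE":
            if len(data) == 0 or len(data) % 3:
                problems.append("PLTE length %d not a positive multiple of 3" % len(data))
            plte_entries = len(data) // 3
            # Palette images may not have more entries than 2^bitdepth; others at most 256.
            limit = (1 << bit_depth) if color_type == 3 else 256
            if plte_entries > limit:
                problems.append("PLTE has %d entries, limit is %d" % (plte_entries, limit))
        elif ctype == b"tRNS" and color_type == 3:
            if plte_entries is None:
                problems.append("tRNS before PLTE")
            elif len(data) > plte_entries:
                problems.append("tRNS has %d entries but PLTE has %d" % (len(data), plte_entries))
        elif ctype == b"IDAT" and not idat_seen:
            idat_seen = True
            if len(data) < 2:
                problems.append("first IDAT too short for a zlib header")
            else:
                cmf, flg = data[0], data[1]
                # RFC 1950: CM must be 8, CINFO <= 7, no preset dictionary (PNG forbids it),
                # and CMF*256+FLG must be a multiple of 31 (the FCHECK bits).
                if (cmf & 0x0F) != 8 or (cmf >> 4) > 7 or (flg & 0x20) or (cmf * 256 + flg) % 31:
                    problems.append("invalid zlib header %02x %02x in first IDAT" % (cmf, flg))
    return problems


def set_first_idat_header(png, cmf, flg):
    """Overwrite the two zlib header bytes of the first IDAT and recompute that chunk's CRC."""
    out = bytearray(png)
    for off, ctype, data, _ in iter_chunks(png):
        if ctype == b"IDAT":
            out[off], out[off + 1] = cmf, flg
            crc = zlib.crc32(ctype + bytes(out[off:off + len(data)])) & 0xFFFFFFFF
            struct.pack_into(">I", out, off + len(data), crc)
            return bytes(out)
    raise ValueError("no IDAT chunk")


def fix_zlib_header(png):
    """Reset the header to CM=8, 32K window, default level with FCHECK recomputed (0x78 0x9C).
    A 32K window is the largest allowed, so any PNG deflate stream inflates under this header."""
    cmf, flg = 0x78, 0x80
    flg |= (31 - (cmf * 256 + flg) % 31) % 31
    return set_first_idat_header(png, cmf, flg)


def inflates(png):
    """True if the concatenated IDAT data inflates cleanly; zlib rejects a bad header outright."""
    idat = b"".join(data for _, ctype, data, _ in iter_chunks(png) if ctype == b"IDAT")
    try:
        zlib.decompress(idat)
        return True
    except zlib.error:
        return False


if __name__ == "__main__":
    good = build_png(2, 2, 3, 8, PALETTE, b"\x80", RAW)
    bad = set_first_idat_header(good, 0x78, 0x9D)  # constructed: FCHECK no longer matches
    print(check_png(bad), inflates(bad))
    fixed = fix_zlib_header(bad)
    print(check_png(fixed), inflates(fixed))
```

Note that the repair only rewrites the two header bytes and the chunk CRC, exactly as the 26 August entry says pngcrush can; the deflate data and Adler-32 trailer are untouched, so the image decodes as it did before the bad bytes were written. The tRNS and PLTE checks are ordinary spec bounds that a reader should enforce before indexing into a palette, which is the general lesson of the 4 August advisory.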
Last modified 4 January 2015.
Copyright © 1995-2015 Greg Roelofs.