PNG processing vulnerability in KHTML

The developers of KDE have reported a security hole in the KHTML library which may cause the program to crash or allow injected malware to be executed when specially crafted PNG images are processed. A source code patch has been released.

When KDE 4.0 was released, the developers of the project integrated a new PNG loader into the desktop. A buffer overflow can be triggered in this loader by submitting specially crafted PNG images. This causes the program to crash, and KDE developers can't rule out that it may also be exploited to execute injected code.

A source code patch to fix the security hole is available on the KDE project's FTP servers. Linux distributors are expected to release updated packages shortly. Users are advised to install these as soon as they become available.

See also:

• KHTML PNG Loader Buffer Overflow, security advisory by the KDE developers
• Source code patch released by the KDE developers

(mba)