• tourist@lemmy.world · 6 up · 3 months ago

    2029 Headline: World's largest data breach caused by zero-day exploit in popular PNG 3.0 renderer

    the payload was reportedly embedded in an animated image of the attacker repeatedly flicking his left testicle

  • db2@lemmy.world · 5 up · 3 months ago

    But is it backwards compatible with an old version that can’t be updated?

    • Ghostalmedia@lemmy.world · 2 up · 3 months ago

      Speaking for animation, your browser probably already supports APNG. APNG is 21 years old and has decent adoption. But it’s officially part of the club.

      That said, APNGs are fat as fuck and they’re a pretty old solution to animated graphics with an alpha channel. Don’t expect to see everyone making APNGs all of the sudden. There is a reason why people have kept it at a distance.

    • otacon239@lemmy.world · 2 up, 1 down · 3 months ago

      Yeah, this was my first thought. How many slightly older, no-longer-being-updated pieces of software will fail to open the new version? Hopefully it’s built in a way that it just falls back to legacy and ignores the extra information so you can at least load the file.

      • Pennomi@lemmy.world · 3 up · 3 months ago

        Popular photo and video editing apps like Photoshop, DaVinci Resolve, and Avid Media Composer already support it, alongside Chrome, Safari, and Firefox. Apple’s iOS and macOS also work with the new file standard.

        This is all the article mentions. I hope you’re right about the backwards compatibility.

      • dual_sport_dork 🐧🗡️@lemmy.world · 2 up · 3 months ago

        I mean, that’s already how animated .gifs work. If somehow you manage to load one into a viewer that doesn’t support the animation functionality it will at least dutifully display the first frame.

        How the hell you would manage to do that in this day and age escapes me, but there were a fair few years in the early '90s where you might run into that sort of thing.

        • BurgerBaron@piefed.social · 0 up · 3 months ago

          One example is piefed unfortunately. Animated gifs as avatar or banner don’t animate currently as far as I can tell.

          • dual_sport_dork 🐧🗡️@lemmy.world · 1 up · 3 months ago

            Those are displayed in browser, right? The only reason that would be happening is if Piefed is recompressing images and their code is not smart enough to identify an animated .gif and act accordingly.

      • themurphy@lemmy.ml · 0 up · 3 months ago

        It makes sense, right? Is there a way around that when adding new features to a file format?

        The alternative is to make another file format for clarity, but it’s not really what you want to do.

        • sugar_in_your_tea@sh.itjust.works · 0 up · 3 months ago

          That depends. Something like HDR should be able to fall back to non-HDR since it largely just adds data, so if the format specifies that extra information is ignored, there’s a chance it works fine.

          • AnUnusualRelic@lemmy.world · 0 up · 3 months ago

            I’m not sure you can turn an HDR image into a regular one just by snipping it down to 8 bits per channel and discarding the rest.

            I mean it would work but I’m not certain you’ll get the best results.

            • sugar_in_your_tea@sh.itjust.works · 0 up · 3 months ago

              it would work

              And that’s probably enough. I don’t know enough about HDR to know if it would look anything like the artist imagined, but as long as it’s close enough, it’s fine if it’s not optimal. Having things completely break is far less than ideal.

    • Tetsuo@jlai.lu · 1 up, 2 down · 3 months ago

      I’m probably gonna be massively downvoted for saying the forbidden word but I asked AI to do a summary with references of the forward and backward compatibility of PNG’s new version:

      Based on recent search results, the new PNG specification (Third Edition) and its reference library (libpng) maintain strong backward compatibility while introducing modern features. Here’s a detailed compatibility analysis:

      🔄 1. Backward Compatibility (Viewing Old PNGs with New Lib)

      • Full Support: The new libpng (1.6.49+) and PNG Third Edition fully support legacy PNG files. Existing PNGs (conforming to the 2003/2004 spec) will render correctly without changes.
      • Implementation Stability: Libpng’s API evolution (e.g., hiding png_struct/png_info internals since 1.5.0) ensures older apps using png_get_*/png_set_* functions remain compatible. Direct struct access, deprecated since 1.4.x, may break in libpng 2.0.x (C99-only).
      • Security Enhancements: Critical vulnerabilities (e.g., CVE-2019-7317 in png_image_free()) were patched in libpng 1.6.37+, making the new lib safer for decoding old files.

      ⚠️ 2. Forward Compatibility (Viewing New PNGs with Old Lib)

      • Basic Support: Older libpng versions (pre-1.6.37) can decode new PNGs if they avoid new features. Core chunks like IHDR or IDAT remain unchanged.
      • New Feature Limitations:
        • HDR Imagery: Requires libpng 1.6.45+ and apps supporting the mDCv chunk. Older libs ignore HDR data, falling back to SDR, which may cause color inaccuracies.
        • APNG Animation: Officially standardized in PNG Third Edition. Older libs (e.g., <1.6) treat APNG as static images, showing only the first frame.
        • EXIF Metadata: New eXIf chunks are ignored by legacy decoders, losing metadata like GPS or copyright info.
      • Security Risks: Older libs (e.g., ≤1.6.36) contain unpatched vulnerabilities (e.g., CVE-2015-8126). Parsing malicious new PNGs could exploit these flaws.

      📊 Compatibility Summary

      Scenario          | Compatibility  | Key Considerations
      Old PNG → New Lib | ✅ Excellent   | Legacy files work flawlessly; security improved.
      New PNG → Old Lib | ⚠️ Partial     | Basic rendering works, but HDR/APNG/EXIF ignored. Security risks in unpatched versions.
      New Features      | 🔧 Conditional | Requires updated apps (e.g., Photoshop, browsers) and OS support.

      🔧 3. Implementation and Industry Adoption

      • Broad Support: Major browsers (Chrome, Safari, Firefox), OSs (iOS, macOS), and tools (Photoshop, DaVinci Resolve) already support the new spec.
      • Progressive Enhancement: New features like HDR use optional chunks, ensuring graceful degradation in older software.
      • Future-Proofing: Work on PNG Fourth Edition (HDR/SDR interoperability) and Fifth Edition (better compression) is underway.

      💎 Conclusion

      • Upgrade Recommended: New libpng (1.6.49+) ensures security and full compatibility with legacy files.
      • Test Workflows: Verify critical tools handle new features (e.g., APNG animation in browsers).
      • Fallbacks for Old Systems: For environments stuck with outdated libs, convert new PNGs to legacy format (e.g., strip HDR/APNG).

      For developers: Use png_get_valid(png_ptr, info_ptr, PNG_INFO_mDCv) to check HDR support and provide fallbacks.
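      Both sugar_in_your_tea's point above (extra data the decoder does not recognise gets ignored) and the summary's "optional chunks" line rest on one PNG rule: the case of a chunk type's first letter tells a decoder whether it may skip the chunk. As an added example, not code from the thread, from libpng or from the W3C, this Python builds a small constructed APNG and walks it the way a pre-Third-Edition decoder would: skipping the ancillary acTL/fcTL/fdAT chunks, refusing an unknown critical chunk, and checking every declared length and CRC before touching the data.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KNOWN_CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}  # what every old decoder knows

def chunk_is_ancillary(ctype: bytes) -> bool:
    """Bit 5 of the first type byte (lowercase ASCII) marks an ancillary chunk."""
    return bool(ctype[0] & 0x20)

def make_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF  # CRC covers type + data, not length
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def decode_legacy(png: bytes, max_chunk: int = 1 << 20) -> dict:
    """Walk the chunk stream like a pre-Third-Edition decoder would: unknown ancillary
    chunks (acTL, fcTL, fdAT, mDCV, eXIf, ...) are skipped, so only the first frame's
    IDAT is used; an unknown critical chunk is a hard error."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG signature")
    pos, used, skipped, idat = 8, [], [], b""
    while pos < len(png):
        length = int.from_bytes(png[pos:pos + 4], "big")
        ctype = png[pos + 4:pos + 8]
        if length > max_chunk or pos + 12 + length > len(png):  # never trust the header
            raise ValueError(f"bad length {length} in chunk {ctype!r}")
        data = png[pos + 8:pos + 8 + length]
        crc = int.from_bytes(png[pos + 8 + length:pos + 12 + length], "big")
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError(f"CRC mismatch in chunk {ctype!r}")
        if ctype in KNOWN_CRITICAL:
            used.append(ctype.decode())
            if ctype == b"IDAT":
                idat += data
        elif chunk_is_ancillary(ctype):
            skipped.append(ctype.decode())  # the spec says: ignore and move on
        else:
            raise ValueError(f"unknown critical chunk {ctype!r}")
        pos += 12 + length
    return {"used": used, "skipped": skipped, "scanlines": zlib.decompress(idat)}

def build_sample_apng() -> bytes:
    """Constructed sample: 1x1 8-bit greyscale image with two APNG frames (grey, white)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    actl = struct.pack(">II", 2, 0)  # num_frames=2, num_plays=0 (loop forever)
    fctl = [struct.pack(">IIIIIHHBB", seq, 1, 1, 0, 0, 1, 10, 0, 0) for seq in (0, 1)]
    fdat = struct.pack(">I", 2) + zlib.compress(b"\x00\xff")  # seq 2, filter 0 + pixel
    return (PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"acTL", actl)
            + make_chunk(b"fcTL", fctl[0]) + make_chunk(b"IDAT", zlib.compress(b"\x00\x80"))
            + make_chunk(b"fcTL", fctl[1]) + make_chunk(b"fdAT", fdat) + make_chunk(b"IEND", b""))
```

      A legacy walk over the sample uses only IHDR/IDAT/IEND and reports the four APNG chunks as skipped, which is exactly the "first frame only" behaviour the summary describes.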

        • hardware26@discuss.tchncs.de · 1 up · 3 months ago (edited)

          I don’t know. If the poster couldn’t be bothered to fact-check, why would I? It is just safer to assume that it can be misinformation.

          • Tetsuo@jlai.lu · 0 up, 1 down · 3 months ago

            If you prefer to know nothing about PNG compatibility rather than something that might be true about PNG, that’s fine, but it’s definitely not my approach.

            Also, as I said to another commenter, critical thinking is not some tool you decide to use on some comments and not others. An AI answer on some topics is actually more likely to be correct than an answer by a human being. And it’s not some stuff I was told by an AI guru; it’s what researchers are evaluating in many universities. Ask a human to complete various tasks, then ask the AI model and scientifically compare the data. And it turns out there are tasks where the AI outperforms the human pretty much all the time.

            YET on this particular task the assumption is that it’s bullshit and it’s just downvoted. Now, had I posted the same data myself, for some reason I would not see a single downvote. The same data represented differently completely changes the likelihood of it being accurate. Even though at the end of the day you shouldn’t blindly trust either a comment from a human or an AI output.

            Honestly, I’m saddened to see people already completely rejecting the technology instead of trying to understand what it’s good at and what it’s bad at and, most importantly, experiencing it themselves.

            I wanted to know what generative AI was worth, so I read about it and tried it locally with open source software. Now I know how to spot images that are AI generated, I know what’s difficult for this tech and what is not. I think that’s a much healthier attitude than blindly rejecting any and all AI outputs.

            • AstaKask@lemmy.cafe · 2 up · 3 months ago

              You put way too much trust in AI. AI is seldom right. It is however very good at sounding like it knows what it’s talking about. It’s like a conservative podcaster.

        • Tetsuo@jlai.lu · 1 up, 1 down · 3 months ago

          As you can see it’s irrelevant apparently. If it’s AI generated it will be downvoted.

          • null@slrpnk.net · 2 up · 3 months ago (edited)

            It’s not irrelevant, it’s that you don’t actually know if it’s true or not, so it’s not a valuable contribution.

            If you started your comment by saying “This is something I completely made up and may or may not be correct” and then posted the same thing, you should expect the same result.

            • Tetsuo@jlai.lu · 0 up · 3 months ago (edited)

              I did check some of the references.

              What I don’t understand is why you would perceive this content as more trustworthy if I didn’t say it’s AI.

              Nobody should blindly trust some anonymous comment on a forum. I have to check what the AI blurbs out, but you can just gobble up the comment of some stranger without exercising some critical thinking yourself?

              As long as I’m transparent on the source and especially since I did check some of it to be sure it’s not some kind of hallucination…

              There shouldn’t be any difference of trust between some random comment on a social network and what some AI model thinks on a subject.

              Also it’s not like this is some important topic with societal implications. It’s just a technical question that I had (and still have) that doesn’t mandate researching. None of my work depends on that lib. So before my comment there was no information on compatibility. Now there is, but you have to look at it critically and decide if you want to verify or trust it.

              That’s why I regret this kind of stubborn downvoting where people just assume the worst instead of checking the actual data.

              Sometimes I really wonder if I’m the only one supposed to check my data. Isn’t everybody here capable of verifying the AI output if they think it’s worth the time and effort?

              Basically, downvoting here is choosing “no information” rather than “information I have to verify because it’s AI generated”.

              Edit: Also I could have just summarized the AI output myself and not mentioned AI. What then? Would you have checked the accuracy of that data? Critical thinking is not something you use “sometimes” or just “on some comments”.

              • ɯᴉuoʇuɐ@lemmy.dbzer0.com · 1 up · 3 months ago

                Also it’s not like this is some important topic with societal implications. It’s just a technical question that I had (and still have) that doesn’t mandate researching.

                So why “research” it with AI in the first place, if you don’t care about the results and don’t even think it’s worth researching? This is legitimately absurd to read.

              • pticrix@lemmy.ca · 0 up · 3 months ago (edited)

                You realize that if we wanted to see an AI LLM response, we’d ask an AI LLM ourselves. What you’re doing is akin to:

                Hey guys, I’ve asked Google if the new PNG is backward compatible, and here are the first links it gave me, hope this helps: [list 200 links]

                • Tetsuo@jlai.lu · 0 up · 3 months ago

                  I understand that. It’s the downvoting of the clearly marked AI LLM response. Is it detrimental to the conversation here to have that? Is it better to share nothing rather than this LLM output?

                  Was this thread better without it?

                  Is complete ignorance of the PNG compatibility preferable to reading this AI output and pondering how true it is?

                  [list 200 links]

                  Now I think this conversation is just getting rude for no reason. I think the AI output was definitely not the “I’m feeling lucky” result of a Google search, and the fact that you chose that metaphor is in bad faith.

  • apfelwoiSchoppen@lemmy.world · 4 up · 3 months ago (edited)

    I could have sworn animated pngs were a thing in the Macromedia Fireworks days. Really dating myself with that ref.

    • nyan@lemmy.cafe · 1 up · 3 months ago

      There were two different animated PNG extensions, MNG and APNG. Neither of them ever really caught on. I guess they’re hoping to do better by baking it into the core spec.

    • Tony Bark@pawb.social (OP) · 1 up · 3 months ago

      Sigh, I miss Macromedia. Anyway, I do remember that being a thing as well. Guess it was never officially part of the spec.

    • AdrianTheFrog@lemmy.world · 2 up · 3 months ago

      JXL is badly supported, but it does offer lossless encoding in a more flexible and much more efficient way than PNG does.

      Basically JXL could theoretically replace PNG, JPG, and also EXR.