Closed
Bug 759891
Opened 12 years ago
Closed 12 years ago
Update libjpeg-turbo to 1.2.x branch r831 (or later)
Categories
(Core :: Graphics: ImageLib, defect)
RESOLVED
FIXED
mozilla16
Release | Tracking | Status |
---|---|---|
firefox13 | --- | unaffected |
firefox14 | --- | fixed |
firefox15 | --- | fixed |
firefox16 | --- | fixed |
firefox-esr10 | --- | unaffected |
People
(Reporter: justin.lebar+bug, Assigned: justin.lebar+bug)
References
Details
(Keywords: sec-other, Whiteboard: [sg:dupe 759802][advisory-tracking+])
Attachments
(2 files)
967 bytes, patch | jrmuizel: review+
26.51 KB, patch | jrmuizel: review+, akeybl: approval-mozilla-aurora-, akeybl: approval-mozilla-beta-, akeybl: approval-mozilla-esr10-
libjpeg-turbo 1.2.x r831 fixes a potential security vulnerability. We should update ASAP. Ryan, are you interested in doing this again?
Updated•12 years ago (Assignee)
Blocks: CVE-2012-2806
Comment 1•12 years ago
I'm traveling until the end of next week. I can do it if nobody else does first.
Updated•12 years ago (Assignee)
Summary: Update libjpeg to 1.2.x branch r831 (or later) → Update libjpeg-turbo to 1.2.x branch r831 (or later)
Updated•12 years ago (Assignee)
Assignee: nobody → justin.lebar+bug
Comment 2•12 years ago (Assignee)
Attachment #630079 - Flags: review?(jmuizelaar)
Comment 3•12 years ago (Assignee)
I'll probably fold these two csets together when I check them in, but I thought it would be easier to review separately.
Attachment #630080 - Flags: review?(jmuizelaar)
Comment 4•12 years ago (Assignee)
The process I used to generate part 2 was:
* Update my svn clone to r831
* diff -r -U8 media/libjpeg ~/my/libjpeg-turbo/clone > ~/patch
* Clean up ~/patch (remove spurious differences, e.g. because libjpeg-turbo has a different Makefile.in)
Comment 5•12 years ago (Assignee)
https://tbpl.mozilla.org/?tree=Try&rev=26474b1d7fee
Updated•12 years ago
Attachment #630079 - Flags: review?(jmuizelaar) → review+
Comment 6•12 years ago (Assignee)
Looks good on try; I'll land once I get r+ on the other patch.
Comment 7•12 years ago
Comment on attachment 630080
Part 2: Update the code.
Review of attachment 630080:
-----------------------------------------------------------------
Sure
Attachment #630080 - Flags: review?(jmuizelaar) → review+
Comment 8•12 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/d10a38139eb8
Target Milestone: --- → mozilla16
Comment 9•12 years ago (Assignee)
Comment on attachment 630080
Part 2: Update the code.
[Approval Request Comment]
Security fix. No string changes.
If we wanted a smaller patch, we could probably cherry-pick the fix from libjpeg-turbo, instead of upgrading wholesale. But I think landing what we're landing in nightly onto branches makes sense, because that's what we're testing.
Happy to let this bake on trunk for a day or two, but nom'ing now so it's on everyone's radar.
Attachment #630080 - Flags: approval-mozilla-esr10?
Attachment #630080 - Flags: approval-mozilla-beta?
Attachment #630080 - Flags: approval-mozilla-aurora?
Updated•12 years ago (Assignee)
status-firefox-esr10: --- → affected
status-firefox12: --- → affected
status-firefox13: --- → affected
status-firefox14: --- → affected
status-firefox15: --- → affected
status-firefox16: --- → affected
Comment 10•12 years ago
I would much rather have a targeted patch.
Comment 11•12 years ago (Assignee)
(In reply to Joe Drew (:JOEDREW!) from comment #10)
> I would much rather have a targeted patch.
My concern is just that we're going to test the full r831 on Nightly, so we'd be introducing an effectively new version of the jpeg decoder just for branches. Maybe DRC could verify for us that cherry-picking the fix is safe. I'll post a patch.
Comment 12•12 years ago (Assignee)
> I'll post a patch.
...to bug 759802.
Comment 13•12 years ago
830->831 does not depend on any prior patches, so it should be safe to apply it without any of the other 1.2.1 patches.
Comment 14•12 years ago
https://hg.mozilla.org/mozilla-central/rev/d10a38139eb8
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
Group: core-security
Comment 15•12 years ago
Despite the approval requests here, do we want the smaller patch in bug 759802 instead? Definitely for ESR we'd want the small one, for Aurora we could go with this one, and Beta is a toss-up in my mind.
Keywords: sec-other
Whiteboard: [sg:dupe 759802]
Comment 16•12 years ago (Assignee)
I think taking the smaller patch on Beta and ESR and the larger patch on Aurora would be fine, but I'd like the release drivers' input, since that effectively adds a second libjpeg upgrade, which adds some risk.
Comment 17•12 years ago
Comment on attachment 630080
Part 2: Update the code.
Let's just take the patch in bug 759802 for all branches, and wait till FF16 to take the rest of the updates to libjpeg since there doesn't appear to be any significant user benefit at this time.
Attachment #630080 - Flags: approval-mozilla-esr10?
Attachment #630080 - Flags: approval-mozilla-esr10-
Attachment #630080 - Flags: approval-mozilla-beta?
Attachment #630080 - Flags: approval-mozilla-beta-
Attachment #630080 - Flags: approval-mozilla-aurora?
Attachment #630080 - Flags: approval-mozilla-aurora-
Updated•12 years ago
Updated•12 years ago
Whiteboard: [sg:dupe 759802] → [sg:dupe 759802][advisory-tracking+]
Updated•12 years ago
Group: core-security