Closed
Bug 1534564
Opened 5 years ago
Closed 5 years ago
Security-relevant update libjpeg-turbo to 2.0.2
Categories
(Core :: Graphics: ImageLib, defect)
Core
Graphics: ImageLib
Tracking
()
RESOLVED
DUPLICATE
of bug 1508198
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox65 | --- | wontfix |
| firefox66 | --- | wontfix |
| firefox67 | --- | wontfix |
People
(Reporter: cr, Unassigned)
References
Details
(Keywords: sec-audit, Whiteboard: [third-party-lib-audit])
Minor updates libjpeg-turbo version 2.0.1 and 2.0.2 contained important security fixes (out-of-bounds read, buffer underrun, and integer overflow leading to segfault). Exploitability in Firefox is unclear at this point, but updating is likely not a breaking change, so we should try to land this as soon as possible, perhaps even before release?
See https://github.com/libjpeg-turbo/libjpeg-turbo/releases for changelog.
|
Reporter | |
Comment 1•5 years ago
|
||
Ryan, you were assigned the last update, is this something you would take on this time as well?
Flags: needinfo?(ryanvm)
|
|
Reporter | |
Updated•5 years ago
|
|
||
Comment 2•5 years ago
|
||
Those fixes were in components we don't use, no? See also: bug 1508198.
Flags: needinfo?(ryanvm)
|
|
||
Updated•5 years ago
|
Flags: needinfo?(cr)
|
|
Reporter | |
Comment 3•5 years ago
•
|
||
If there's confidence that our code is not affected by those bugs, there's no need to update.
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(cr)
Resolution: --- → DUPLICATE
|
|
||
Updated•5 years ago
|
|
||
Updated•6 months ago
|
Group: mozilla-employee-confidential, core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•