Closed Bug 1542829 (CVE-2019-7317) Opened 5 years ago Closed 5 years ago

libpng use-after-free in png_image_free

Categories

(Core :: Graphics: ImageLib, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking

RESOLVED FIXED
mozilla68
Tracking Status (release, tracking flag, status)
  firefox-esr60   67+   fixed
  firefox66       ---   wontfix
  firefox67       +     fixed
  firefox68       +     fixed

People

(Reporter: RyanVM, Assigned: RyanVM)

Details

(Keywords: csectype-uaf, sec-high, Whiteboard: [adv-main67+][adv-esr60.7+])

Attachments

(1 file)

Comment on attachment 9056639 [details]
Bug 1542829 - Backport an upstream libpng patch. r=aosmond

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Unknown, but it's a publicly-disclosed bug so we should assume the worst.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: All
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: Patch applies cleanly to all affected branches.
  • How likely is this patch to cause regressions; how much testing does it need?: Patch is green on Try and passes upstream tests also.
    https://treeherder.mozilla.org/#/jobs?repo=try&revision=9485a09f1a16cce885371c6d99ca22aad02c21a0
Attachment #9056639 - Flags: sec-approval?

Comment on attachment 9056639 [details]
Bug 1542829 - Backport an upstream libpng patch. r=aosmond

Well, dang.

sec-approval+ on mozilla-central. We'll need it everywhere.

Attachment #9056639 - Flags: sec-approval? → sec-approval+
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Group: gfx-core-security → core-security-release

Comment on attachment 9056639 [details]
Bug 1542829 - Backport an upstream libpng patch. r=aosmond

Beta/Release Uplift Approval Request

  • Feature/Bug causing the regression: N/A
  • User impact if declined: Publicly-disclosed libpng security vulnerability.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is just a cherry-pick of a trivial fix landed upstream.
  • String changes made/needed: None
Attachment #9056639 - Flags: approval-mozilla-esr60?
Attachment #9056639 - Flags: approval-mozilla-beta?

Comment on attachment 9056639 [details]
Bug 1542829 - Backport an upstream libpng patch. r=aosmond

Uplift approved for 67 beta, thanks.

Attachment #9056639 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Setting qe-verify- flag based on comment 7.

Flags: qe-verify-

Comment on attachment 9056639 [details]
Bug 1542829 - Backport an upstream libpng patch. r=aosmond

Sec high issue, public disclosure. OK for ESR 60.7.0.

Attachment #9056639 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
Whiteboard: [adv-main67+][adv-esr60.7+]
Alias: CVE-2019-7317
Group: core-security-release