Closed Bug 1709303 Opened 1 year ago Closed 8 months ago

Update libjpeg-turbo to 2.1.1

Categories

(Core :: ImageLib, defect)

RESOLVED FIXED
94 Branch
Tracking Status
firefox94 --- fixed

People

(Reporter: ionnv, Assigned: aosmond)

References

Attachments

(2 files)

Depends on: 1678395

My understanding is that this may not be as straightforward as some previous updates and I don't have cycles to look into that.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Severity: -- → S4

For 2.1.0 see also Bug 1705806.

See Also: → 1705806

The libjpeg-turbo 2.0.4 used in geckoview-90.0.20210705185941.aar (and earlier versions) has a CVSS v3 8.1 security vulnerability.
https://nvd.nist.gov/vuln/detail/CVE-2020-13790

This is being picked up by the Black Duck Binary Analysis scanner.

Could this be used as justification to get libjpeg-turbo updated to 2.1.0?

1.) We're on version 2.0.6 as of 85+, not 2.0.4. The fix for CVE-2020-13790 was included in version 2.0.5. See bug 1678395.
2.) That vulnerability is in a component which Firefox neither uses nor ships. The relevant source file doesn't even exist in our repo.
https://hg.mozilla.org/mozilla-central/file/default/media/libjpeg/

Hi Ryan, thank you for the speedy information!
This does make me wonder why Black Duck thinks that version 2.0.4 is in use. I will chase that up with our security people.

Hi Ryan, the issue is being picked up in libxul.so - when you upgraded to 2.0.6 you are referring to a version of libjpeg-turbo that you are directly using, rather than a version that could be embedded in libxul.so?

The version in libxul is compiled in directly from the directory linked in comment 4. Like I said before, we don't even ship the file in question, so clearly there's a bug in the scanner somewhere.

Significant changes relative to 2.1.0

  • Fixed a regression introduced in 2.1.0 that caused build failures with non-GCC-compatible compilers for Un*x/Arm platforms.
  • Fixed a regression introduced by 2.1 beta1[13] that prevented the Arm 32-bit (AArch32) Neon SIMD extensions from building unless the C compiler flags included -mfloat-abi=softfp or -mfloat-abi=hard.
  • Fixed an issue in the AArch32 Neon SIMD Huffman encoder whereby reliance on undefined C compiler behavior led to crashes ("SIGBUS: illegal alignment") on Android systems when running AArch32/Thumb builds of libjpeg-turbo built with recent versions of Clang.
  • Added a command-line argument (-copy icc) to jpegtran that causes it to copy only the ICC profile markers from the source file and discard any other metadata.
  • libjpeg-turbo should now build and run on CHERI-enabled architectures, which use capability pointers that are larger than the size of size_t.
  • Fixed a regression introduced by 2.1 beta1[5] that caused a segfault in the 64-bit SSE2 Huffman encoder when attempting to losslessly transform a specially-crafted malformed JPEG image.
Summary: Update libjpeg-turbo to 2.1.0 → Update libjpeg-turbo to 2.1.1
Assignee: nobody → aosmond

media/libjpeg/1050342.diff is no longer necessary and a correction
appears to have been made in the library. Chromium no longer uses this
patch either.

media/libjpeg/assembly-tables.diff and media/libjpeg/externalize-table.diff
require significant changes in order to apply. This may be done in a
future followup patch, but is deemed less important than updating
libjpeg-turbo.

With these patches, an update to libjpeg-turbo 2.1.1 should apply
cleanly and build.

Pushed by aosmond@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/da5b090edd2b
Part 1. Prepare scripts and patches for libjpeg-turbo update. r=jrmuizel,tnikkel
https://hg.mozilla.org/integration/autoland/rev/f7c00794d53f
Part 2. Update libjpeg-turbo to 2.1.1. r=tnikkel
Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → 94 Branch
Regressions: 1730812