Closed Bug 1709303 Opened 1 year ago Closed 8 months ago

Update libjpeg-turbo to 2.1.1

(Core :: ImageLib, defect)

94 Branch
Tracking Status
firefox94 --- fixed

(Reporter: ionnv, Assigned: aosmond)

(2 files)

Depends on: 1678395

My understanding is that this may not be as straightforward as some previous updates and I don't have cycles to look into that.

Ever confirmed: true
Severity: -- → S4

For 2.1.0 see also Bug 1705806.

See Also: → 1705806

The libjpeg-turbo 2.0.4 used in geckoview-90.0.20210705185941.aar (and earlier versions) has a CVSS v3 8.1 security vulnerability.

This is being picked up by the Black Duck Binary Analysis scanner.

Could this be used as justification to get libjpeg-turbo updated to 2.1.0?

1.) We're on version 2.0.6 as of 85+, not 2.0.4. The fix for CVE-2020-13790 was included in version 2.0.5. See bug 1678395.
2.) That vulnerability is in a component which Firefox neither uses nor ships. The relevant source file doesn't even exist in our repo.

Hi Ryan, thank you for the speedy information!
This does make me wonder why Black Duck thinks that version 2.0.4 is in use. I will chase that up with our security people.

Hi Ryan, the issue is being picked up in - when you upgraded to 2.0.6 you are referring to a version of libjpeg-turbo that you are directly using, rather than a version that could be embedded in

The version in libxul is compiled in directly from the directory linked in comment 4. Like I said before, we don't even ship the file in question, so clearly there's a bug in the scanner somewhere.
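
The two checks made in the replies above (which version is actually vendored, and whether the affected file is in the tree at all) can be scripted when triaging a scanner finding. This is an added example, not part of the bug thread or of Mozilla's tooling. It assumes the vendored directory carries a `jconfig.h` that defines `LIBJPEG_TURBO_VERSION`; the function names, the sample tree and `AFFECTED_FILE.c` are hypothetical placeholders.

```python
import re
import tempfile
from pathlib import Path

# Matches "#define LIBJPEG_TURBO_VERSION 2.0.6" but not ..._VERSION_NUMBER.
VERSION_RE = re.compile(
    r"^\s*#\s*define\s+LIBJPEG_TURBO_VERSION\s+(\d+(?:\.\d+)*)\s*$", re.M)


def parse_version(text):
    """Turn '2.0.6' into (2, 0, 6) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def vendored_version(src_dir):
    """Read LIBJPEG_TURBO_VERSION from jconfig.h in the vendored tree."""
    header = Path(src_dir) / "jconfig.h"
    m = VERSION_RE.search(header.read_text(encoding="utf-8", errors="replace"))
    if m is None:
        raise ValueError(f"no LIBJPEG_TURBO_VERSION in {header}")
    return m.group(1)


def triage(src_dir, scanner_version, fixed_in, affected_file):
    """Compare a scanner finding with what the source tree actually contains."""
    actual = vendored_version(src_dir)
    patched = parse_version(actual) >= parse_version(fixed_in)
    shipped = any(Path(src_dir).rglob(affected_file))
    return {
        "scanner_version": scanner_version,
        "vendored_version": actual,
        "version_mismatch": scanner_version != actual,
        "fix_present": patched,
        "affected_file_shipped": shipped,
        "verdict": "affected" if (shipped and not patched) else "not affected",
    }


def demo():
    # Constructed tree standing in for the vendored directory (sample data).
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "jconfig.h").write_text("#define LIBJPEG_TURBO_VERSION  2.0.6\n")
        (root / "jdhuff.c").write_text("/* constructed stand-in source */\n")
        # AFFECTED_FILE.c is a placeholder: the thread does not name the file.
        return triage(root, "2.0.4", "2.0.5", "AFFECTED_FILE.c")


if __name__ == "__main__":
    print(demo())
```

A `version_mismatch` of `True` with a `not affected` verdict is the situation described in this thread: the scanner's fingerprint is what needs investigating, not the library.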

Significant changes relative to 2.1.0

  • Fixed a regression introduced in 2.1.0 that caused build failures with non-GCC-compatible compilers for Un*x/Arm platforms.
  • Fixed a regression introduced by 2.1 beta1[13] that prevented the Arm 32-bit (AArch32) Neon SIMD extensions from building unless the C compiler flags included -mfloat-abi=softfp or -mfloat-abi=hard.
  • Fixed an issue in the AArch32 Neon SIMD Huffman encoder whereby reliance on undefined C compiler behavior led to crashes ("SIGBUS: illegal alignment") on Android systems when running AArch32/Thumb builds of libjpeg-turbo built with recent versions of Clang.
  • Added a command-line argument (-copy icc) to jpegtran that causes it to copy only the ICC profile markers from the source file and discard any other metadata.
  • libjpeg-turbo should now build and run on CHERI-enabled architectures, which use capability pointers that are larger than the size of size_t.
  • Fixed a regression introduced by 2.1 beta1[5] that caused a segfault in the 64-bit SSE2 Huffman encoder when attempting to losslessly transform a specially-crafted malformed JPEG image.

Summary: Update libjpeg-turbo to 2.1.0 → Update libjpeg-turbo to 2.1.1
Assignee: nobody → aosmond

media/libjpeg/1050342.diff is no longer necessary and a correction
appears to have been made in the library. Chromium no longer uses this
patch either.

media/libjpeg/assembly-tables.diff and media/libjpeg/externalize-table.diff
require significant changes in order to apply. This may be done in a
future followup patch, but is deemed less important than updating

With these patches, an update to libjpeg-turbo 2.1.1 should apply
cleanly and build.

Pushed by
Part 1. Prepare scripts and patches for libjpeg-turbo update. r=jrmuizel,tnikkel
Part 2. Update libjpeg-turbo to 2.1.1. r=tnikkel
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → 94 Branch
Regressions: 1730812