Update libjpeg-turbo to 2.1.1
Categories
(Core :: ImageLib, defect)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox94 | --- | fixed |
People
(Reporter: ionnv, Assigned: aosmond)
Attachments
(2 files)
Comment 1•1 year ago
My understanding is that this may not be as straightforward as some previous updates and I don't have cycles to look into that.
For 2.1.0 see also Bug 1705806.
The libjpeg-turbo 2.0.4 used in geckoview-90.0.20210705185941.aar (and earlier versions) has a CVSS v3 8.1 security vulnerability.
https://nvd.nist.gov/vuln/detail/CVE-2020-13790
This is being picked up by the Black Duck Binary Analysis scanner.
Could this be used as justification to get libjpeg-turbo updated to 2.1.0?
Comment 4•11 months ago
1.) We're on version 2.0.6 as of 85+, not 2.0.4. The fix for CVE-2020-13790 was included in version 2.0.5. See bug 1678395.
2.) That vulnerability is in a component which Firefox neither uses nor ships. The relevant source file doesn't even exist in our repo.
https://hg.mozilla.org/mozilla-central/file/default/media/libjpeg/
Hi Ryan, thank you for the speedy information!
This does make me wonder why Black Duck thinks that version 2.0.4 is in use. I will chase that up with our security people.
Hi Ryan, the issue is being picked up in libxul.so - when you upgraded to 2.0.6 you are referring to a version of libjpeg-turbo that you are directly using, rather than a version that could be embedded in libxul.so?
Comment 7•11 months ago
The version in libxul is compiled in directly from the directory linked in comment 4. Like I said before, we don't even ship the file in question, so clearly there's a bug in the scanner somewhere.
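The triage described in comments 4 and 7 (read the version that is actually vendored, then check whether the affected file is compiled in at all) can be scripted. This is an added example, not part of the bug thread or Mozilla's tooling. It assumes the tree's `jconfig.h` defines `LIBJPEG_TURBO_VERSION`; `AFFECTED_FILE.c` is a placeholder because the thread does not name the file, and the sample trees are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: jconfig.h in the vendored tree defines LIBJPEG_TURBO_VERSION.
VERSION_RE = re.compile(r"#define\s+LIBJPEG_TURBO_VERSION\s+(\d+(?:\.\d+)*)")

def vendored_version(tree):
    """Return the vendored version as an int tuple, or None if it cannot be read."""
    cfg = Path(tree) / "jconfig.h"
    if not cfg.is_file():
        return None
    m = VERSION_RE.search(cfg.read_text(errors="replace"))
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(tree, fixed_in, affected_file):
    """Classify a scanner finding against the source that is actually compiled in."""
    version = vendored_version(tree)
    shipped = any(p.is_file() and p.name == affected_file
                  for p in Path(tree).rglob("*"))
    if not shipped:
        return "not-shipped", version    # vulnerable code is never built
    if version is None:
        return "needs-review", version   # file present, version unreadable
    return ("fixed" if version >= fixed_in else "affected"), version

def make_tree(root, version, files):
    """Write a constructed stand-in for a vendored tree (sample data, not real source)."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    (root / "jconfig.h").write_text(f"#define LIBJPEG_TURBO_VERSION  {version}\n")
    for name in files:
        (root / name).write_text("/* placeholder */\n")
    return root

def demo():
    """Run three cases on constructed trees; the first mirrors comment 4."""
    fixed_in = (2, 0, 5)                 # fix version stated in comment 4
    target = "AFFECTED_FILE.c"           # placeholder: the page does not name the file
    with tempfile.TemporaryDirectory() as tmp:
        as_vendored = make_tree(Path(tmp, "a"), "2.0.6", ["jdhuff.c"])
        as_scanner = make_tree(Path(tmp, "b"), "2.0.4", ["jdhuff.c", target])
        full_tree = make_tree(Path(tmp, "c"), "2.0.6", ["jdhuff.c", target])
        return [triage(t, fixed_in, target)
                for t in (as_vendored, as_scanner, full_tree)]

if __name__ == "__main__":
    for verdict, version in demo():
        print(verdict, version)
```

A `not-shipped` verdict alongside a version that differs from the scanner's claim points at the scanner's signature matching rather than at the binary.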
Comment 8•9 months ago
Significant changes relative to 2.1.0
- Fixed a regression introduced in 2.1.0 that caused build failures with non-GCC-compatible compilers for Un*x/Arm platforms.
- Fixed a regression introduced by 2.1 beta1[13] that prevented the Arm 32-bit (AArch32) Neon SIMD extensions from building unless the C compiler flags included -mfloat-abi=softfp or -mfloat-abi=hard.
- Fixed an issue in the AArch32 Neon SIMD Huffman encoder whereby reliance on undefined C compiler behavior led to crashes ("SIGBUS: illegal alignment") on Android systems when running AArch32/Thumb builds of libjpeg-turbo built with recent versions of Clang.
- Added a command-line argument (-copy icc) to jpegtran that causes it to copy only the ICC profile markers from the source file and discard any other metadata.
- libjpeg-turbo should now build and run on CHERI-enabled architectures, which use capability pointers that are larger than the size of size_t.
- Fixed a regression introduced by 2.1 beta1[5] that caused a segfault in the 64-bit SSE2 Huffman encoder when attempting to losslessly transform a specially-crafted malformed JPEG image.
Comment 9•8 months ago
media/libjpeg/1050342.diff is no longer necessary and a correction
appears to have been made in the library. Chromium no longer uses this
patch either.
media/libjpeg/assembly-tables.diff and media/libjpeg/externalize-table.diff
require significant changes in order to apply. This may be done in a
future followup patch, but is deemed less important than updating
libjpeg-turbo.
With these patches, an update to libjpeg-turbo 2.1.1 should apply
cleanly and build.
Comment 10•8 months ago
Comment 11•8 months ago
Pushed by aosmond@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/da5b090edd2b
Part 1. Prepare scripts and patches for libjpeg-turbo update. r=jrmuizel,tnikkel
https://hg.mozilla.org/integration/autoland/rev/f7c00794d53f
Part 2. Update libjpeg-turbo to 2.1.1. r=tnikkel
Comment 12•8 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/da5b090edd2b
https://hg.mozilla.org/mozilla-central/rev/f7c00794d53f