Closed Bug 461935 Opened 13 years ago Closed 13 years ago
Update libpng to 1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-KS; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Build Identifier:

libpng 1.0.32 or older has DoS vulnerability.
http://sourceforge.net/project/shownotes.php?release_id=635463&group_id=5624
http://secunia.com/advisories/32418/

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
According to the Secunia advisory, this can be exploited to potentially exhaust all available memory via a specially crafted PNG image.
(In reply to comment #0)
> libpng 1.0.32 or older has DoS vulnerability.

Sorry. It's 1.2.32 or older.
Glenn: is this an update mozilla clients should take?
Summary: Update libpng to 1.0.33rc2 or later → Update libpng to 1.2.33rc2 or later
Anything that uses the PNG decoder in libpr0n is not vulnerable, whether it uses the embedded libpng or the system libpng, since it ignores the tEXt chunk. Firefox and Seamonkey are not vulnerable.

This is the crucial statement, which appears in libpr0n/decoders/png/nsPNGDecoder.cpp:

    png_set_keep_unknown_chunks(mPNG, 1, unused_chunks, (int)sizeof(unused_chunks)/5);

If there are any clients that omit that statement then they would be vulnerable.

Glenn
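As an added illustration (not Mozilla's nsPNGDecoder code and not libpng itself), the Python below walks a PNG's chunk list and applies the policy the comment above describes: chunk types on a skip list are never buffered, so a file padded with large tEXt chunks cannot drive up the decoder's memory use, while any ancillary data that is kept is held to a byte budget. The bug only says libpr0n skips tEXt; the zTXt/iTXt entries in the skip set, the 64 KiB budget, and the sample file are assumptions constructed here.

```python
"""Walk a PNG's chunks with a libpr0n-style 'never keep text chunks' policy.

Constructed illustration, not Mozilla or libpng code. It mimics the effect of
png_set_keep_unknown_chunks(..., 1 /* PNG_HANDLE_CHUNK_NEVER */, list, n):
chunk bodies on the skip list are never retained.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# tEXt is skipped per the bug; zTXt and iTXt are assumed additions.
SKIP_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}

# Assumed cap on ancillary data a pixels-only decoder is willing to retain.
MAX_RETAINED_ANCILLARY = 64 * 1024


def make_chunk(ctype, data):
    """Serialize one chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(blob):
    """Yield (type, body_offset, length) for each chunk, verifying each CRC."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        body_off = pos + 8
        crc_off = body_off + length
        if crc_off + 4 > len(blob):
            raise ValueError("truncated chunk %r" % ctype)
        expected = struct.unpack(">I", blob[crc_off:crc_off + 4])[0]
        if (zlib.crc32(blob[pos + 4:crc_off]) & 0xFFFFFFFF) != expected:
            raise ValueError("bad CRC on %r" % ctype)
        yield ctype, body_off, length
        pos = crc_off + 4
        if ctype == b"IEND":
            return
    raise ValueError("missing IEND")


def decode_policy(blob):
    """Summarize what a pixels-only decoder would retain from this file.

    Skipped chunk bodies are counted but never copied; retained ancillary
    data is bounded by MAX_RETAINED_ANCILLARY.
    """
    retained = {}   # chunk type -> bytes kept
    skipped = {}    # chunk type -> bytes discarded without buffering
    idat_bytes = 0
    for ctype, _off, length in iter_chunks(blob):
        if ctype in SKIP_CHUNKS:
            skipped[ctype] = skipped.get(ctype, 0) + length
            continue
        if ctype == b"IDAT":
            idat_bytes += length
            continue
        if ctype in (b"IHDR", b"IEND"):
            continue
        retained[ctype] = retained.get(ctype, 0) + length
        if sum(retained.values()) > MAX_RETAINED_ANCILLARY:
            raise ValueError("ancillary data exceeds budget at %r" % ctype)
    return {"retained": retained, "skipped": skipped, "idat_bytes": idat_bytes}


def is_well_formed(blob):
    """True if the file parses and stays within the retention budget."""
    try:
        decode_policy(blob)
        return True
    except ValueError:
        return False


def build_sample_png(extra_chunks):
    """Constructed 1x1 grayscale PNG with extra (type, data) chunks after IHDR."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one 8-bit pixel
    body = make_chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        body += make_chunk(ctype, data)
    body += make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")
    return PNG_SIGNATURE + body


if __name__ == "__main__":
    # Constructed sample: a 1x1 image padded with 8 MiB of tEXt data.
    padded = build_sample_png([(b"tEXt", b"Comment\x00" + b"A" * (1 << 20))] * 8)
    print(decode_policy(padded))
```

Run stand-alone it reports every padded tEXt chunk under `skipped` and nothing under `retained`; a chunk type that is not on the skip list and exceeds the budget is rejected instead, which is the check a client that omits the `png_set_keep_unknown_chunks` call would be missing.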
This vulnerability has been mentioned publicly in the libpng-1.2.33 release which came out today and in libpng-1.2.33rc02 which came out last week, so the security flag can be cleared on this bug.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:low dos] → [sg:nse] libpr0n not vulnerable
Not blocking, given that libpr0n isn't vulnerable, but we should stay up to date anyway.
Assignee: nobody → joe
Priority: -- → P3
Summary: Update libpng to 1.2.33rc2 or later → Update libpng to 1.2.33
Version: unspecified → Trunk
Since libpng-1.2.34 will be out in a few days, at this point we may as well skip 1.2.33. Changing summary.
Summary: Update libpng to 1.2.33 → Update libpng to 1.2.34
This is a preview of libpng-1.2.34 which is due out about December 12th.
Attachment #345941 - Attachment is obsolete: true
Upgrading to libpng-1.2.34 will take care of the "changes to libpng" referred to in bug #460520, comment 53.
Libpng beta is now at version 1.2.34beta05. There are no differences between beta04 and beta05 that are relevant to mozilla, so there is no need to update the "preview" patch at this time. I mis-stated the "due out" date. Libpng-1.2.34 should be out on December 18th.
Libpng-1.2.34 has been released. This fixes some potential double-free situations but those do not affect libpr0n. There are some new checks for bogus cHRM chunk data (in addition to the ones that lcms was recently modified to reject).
Attachment #351200 - Attachment is obsolete: true
Pushed in http://hg.mozilla.org/mozilla-central/rev/10272628f541

Glenn/Ryan, if you want this for 1.9.1/Firefox 3.1, you'll have to ask for approval1.9.1 on attachment 353675 [details] [diff] [review].
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 353675 [details] [diff] [review]
Update trunk to libpng-1.2.34

Requesting 1.9.1 approval based on the updated version fixing issues with bogus cHRM chunks, which can cause issues with color management enabled.
Attachment #353675 - Flags: approval1.9.1?
Attachment #353675 - Flags: approval1.9.1? → approval1.9.1+
This bug was fixed220.127.116.11, fixed18.104.22.168, fixed22.214.171.124, fixed1.9.1 in the process of upgrading libpng to version 1.2.35 (bug #478901).
Status: RESOLVED → VERIFIED