Closed Bug 461935 Opened 13 years ago Closed 13 years ago

Update libpng to 1.2.34

Categories

(Core :: ImageLib, defect, P3)

Tracking

VERIFIED FIXED

People

(Reporter: masa141421356, Assigned: glennrp+bmo)

References

Details

(6 keywords, Whiteboard: [sg:nse] libpr0n not vulnerable)

Attachments

(1 file, 2 obsolete files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-KS; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Build Identifier: 

libpng 1.0.32 or older has DoS vulnerability.

http://sourceforge.net/project/shownotes.php?release_id=635463&group_id=5624
http://secunia.com/advisories/32418/

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Keywords: mlk
According to the Secunia advisory, this can be exploited to potentially exhaust all available memory via a specially crafted PNG image.
Keywords: hang
Flags: wanted1.9.0.x?
Flags: blocking1.9.1?
Flags: blocking1.9.0.5?
Whiteboard: [sg:low dos]
(In reply to comment #0)
> 
> libpng 1.0.32 or older has DoS vulnerability.
> 
Sorry. It's 1.2.32 or older.
Glenn: is this an update mozilla clients should take?
Summary: Update libpng to 1.0.33rc2 or later → Update libpng to 1.2.33rc2 or later
Anything that uses the PNG decoder in libpr0n is not vulnerable, whether it uses the embedded libpng or the system libpng, since it ignores the tEXt chunk.  Firefox and Seamonkey are not vulnerable.

This is the crucial statement, which appears in libpr0n/decoders/png/nsPNGDecoder.cpp:

  png_set_keep_unknown_chunks(mPNG, 1, unused_chunks,
     (int)sizeof(unused_chunks)/5);

If there are any clients that omit that statement then they would be vulnerable.

Glenn
This vulnerability has been mentioned publicly in the libpng-1.2.33 release which came out today and in libpng-1.2.33rc02 which came out last week, so the security flag can be cleared on this bug.
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:low dos] → [sg:nse] libpr0n not vulnerable
Not blocking, given that libpr0n isn't vulnerable, but we should stay up to date anyway.
Assignee: nobody → joe
Flags: wanted1.9.1+
Flags: blocking1.9.1?
Flags: blocking1.9.1-
Priority: -- → P3
Attached patch Update trunk to libpng-1.2.33 (obsolete) — Splinter Review
Flags: wanted1.9.0.x?
Flags: blocking1.9.0.5?
Summary: Update libpng to 1.2.33rc2 or later → Update libpng to 1.2.33
Version: unspecified → Trunk
Attachment #345941 - Flags: review?(vladimir)
Since libpng-1.2.34 will be out in a few days, at this point we may as well skip 1.2.33.  Changing summary.
Summary: Update libpng to 1.2.33 → Update libpng to 1.2.34
Attachment #345941 - Flags: review?(vladimir)
This is a preview of libpng-1.2.34 which is due out about December 12th.
Attachment #345941 - Attachment is obsolete: true
Upgrading to libpng-1.2.34 will take care of the "changes to libpng" referred to in bug #460520, comment 53.
Libpng beta is now at version 1.2.34beta05.  There are no differences between beta04 and beta05 that are relevant to mozilla, so there is no need to update the "preview" patch at this time.  I mis-stated the "due out" date.  Libpng-1.2.34 should be out on December 18th.
Libpng-1.2.34 has been released.  This fixes some potential double-free situations but those do not affect libpr0n.  There are some new checks for bogus cHRM chunk data (in addition to the ones that lcms was recently modified to reject).
Attachment #351200 - Attachment is obsolete: true
Attachment #353675 - Flags: superreview?(joe)
Attachment #353675 - Flags: review?(joe)
Attachment #353675 - Flags: superreview?(joe)
Attachment #353675 - Flags: superreview+
Attachment #353675 - Flags: review?(joe)
Attachment #353675 - Flags: review+
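Added example, not code from libpng, libpr0n or any attachment on this bug: a minimal C chunk walker that shows the two defensive ideas raised in the comments above. It steps over tEXt/zTXt/iTXt chunks without ever copying their payload (the same effect Glenn describes for libpr0n ignoring the tEXt chunk via png_set_keep_unknown_chunks), and it sanity-checks cHRM data before use, in the spirit of the "bogus cHRM chunk" checks mentioned for libpng-1.2.34. The specific cHRM rules, the function names and the sample PNG bytes are my own constructions for illustration; CRCs are not verified.

```c
/* Added example (not libpng or nsPNGDecoder code): a minimal PNG chunk walker.
 * Text chunks are stepped over without buffering, so a crafted file cannot
 * grow decoder memory through them; cHRM data is sanity-checked before use.
 * The cHRM rules are illustrative, not libpng-1.2.34's exact checks. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const unsigned char PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};

typedef struct {
    size_t text_chunks_skipped; /* tEXt/zTXt/iTXt chunks seen and ignored */
    size_t text_bytes_skipped;  /* their total payload, never allocated */
    int chrm_ok;                /* 1 = valid, 0 = absent, -1 = rejected */
} png_scan_t;

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* cHRM carries eight 4-byte values, each a chromaticity coordinate times
 * 100000. Reject a wrong length, any coordinate above 1.0, or a zero
 * white point (illustrative rules, constructed for this example). */
static int chrm_valid(const unsigned char *d, uint32_t len) {
    if (len != 32) return 0;
    for (int i = 0; i < 8; i++)
        if (be32(d + 4 * i) > 100000) return 0;
    if (be32(d) == 0 || be32(d + 4) == 0) return 0;
    return 1;
}

/* Walk all chunks. Returns 0 on a well-formed file, -1 if malformed. */
int scan_png(const unsigned char *buf, size_t n, png_scan_t *out) {
    memset(out, 0, sizeof *out);
    if (n < 8 || memcmp(buf, PNG_SIG, 8) != 0) return -1;
    size_t pos = 8;
    while (pos + 12 <= n) {                 /* length + type + CRC */
        uint32_t len = be32(buf + pos);
        const unsigned char *type = buf + pos + 4;
        const unsigned char *data = buf + pos + 8;
        if (len > 0x7fffffffu) return -1;   /* PNG spec limit on length */
        if (len > n - pos - 12) return -1;  /* truncated chunk */
        if (!memcmp(type, "tEXt", 4) || !memcmp(type, "zTXt", 4) ||
            !memcmp(type, "iTXt", 4)) {
            out->text_chunks_skipped++;     /* skipped, never copied */
            out->text_bytes_skipped += len;
        } else if (!memcmp(type, "cHRM", 4)) {
            out->chrm_ok = chrm_valid(data, len) ? 1 : -1;
        } else if (!memcmp(type, "IEND", 4)) {
            return 0;
        }
        pos += 12 + (size_t)len;
    }
    return -1;                              /* ran out before IEND */
}

/* Helper to build a constructed sample file (CRC fields left zero). */
static size_t put_chunk(unsigned char *dst, const char *type,
                        const unsigned char *data, uint32_t len) {
    put32(dst, len);
    memcpy(dst + 4, type, 4);
    if (len) memcpy(dst + 8, data, len);
    memset(dst + 8 + len, 0, 4);
    return 12 + len;
}

/* Constructed sample: signature, 1x1 IHDR, cHRM (sRGB primaries, or a zero
 * white point when bogus_chrm is set), one 5-byte tEXt, IEND. Returns size. */
size_t build_sample(unsigned char *buf, int bogus_chrm) {
    unsigned char ihdr[13] = {0, 0, 0, 1, 0, 0, 0, 1, 8, 2, 0, 0, 0};
    unsigned char chrm[32];
    uint32_t v[8] = {31270, 32900, 64000, 33000, 30000, 60000, 15000, 6000};
    if (bogus_chrm) v[0] = 0;
    for (int i = 0; i < 8; i++) put32(chrm + 4 * i, v[i]);
    size_t p = 0;
    memcpy(buf, PNG_SIG, 8); p += 8;
    p += put_chunk(buf + p, "IHDR", ihdr, 13);
    p += put_chunk(buf + p, "cHRM", chrm, 32);
    p += put_chunk(buf + p, "tEXt", (const unsigned char *)"k\0abc", 5);
    p += put_chunk(buf + p, "IEND", NULL, 0);
    return p;
}

int main(void) {
    unsigned char buf[256];
    png_scan_t r;
    size_t n = build_sample(buf, 0);
    int rc = scan_png(buf, n, &r);
    printf("scan=%d text_chunks=%zu text_bytes=%zu chrm=%d\n",
           rc, r.text_chunks_skipped, r.text_bytes_skipped, r.chrm_ok);
    return 0;
}
```

The walker advances by the declared length and never allocates for text chunks, which is the property that makes a decoder indifferent to how much text a crafted file carries; the truncation check (`len > n - pos - 12`) is what keeps a large declared length from reading past the buffer.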
Pushed in http://hg.mozilla.org/mozilla-central/rev/10272628f541

Glenn/Ryan, if you want this for 1.9.1/Firefox 3.1, you'll have to ask for approval1.9.1 on attachment 353675 [details] [diff] [review].
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 353675 [details] [diff] [review]
Update trunk to libpng-1.2.34

Requesting 1.9.1 approval based on the updated version fixing issues with bogus cHRM chunks, which can cause issues with color management enabled.
Attachment #353675 - Flags: approval1.9.1?
Attachment #353675 - Flags: approval1.9.1? → approval1.9.1+
Comment on attachment 353675 [details] [diff] [review]
Update trunk to libpng-1.2.34

a191=beltzner
Flags: wanted1.9.0.x-
This bug was fixed in the process of upgrading libpng to version 1.2.35 (bug #478901).
Keywords: fixed1.8.1.21, fixed1.9.0.7, fixed1.9.0.8, fixed1.9.1
Keywords: 4xp
Verified for 1.9.0.9 via bug 478901.
->Verified
Status: RESOLVED → VERIFIED