Bug 461935: Update libpng to 1.2.34
Status: VERIFIED FIXED (Opened 16 years ago, Closed 16 years ago)
Categories: Core :: Graphics: ImageLib, defect, P3
People: Reporter: masa141421356, Assigned: glennrp+bmo
Details: 6 keywords, Whiteboard: [sg:nse] libpr0n not vulnerable
Attachments: 1 file, 2 obsolete files
208.26 KB patch (joe: review+, joe: superreview+, beltzner: approval1.9.1+)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-KS; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Build Identifier:

libpng 1.0.32 or older has DoS vulnerability.
http://sourceforge.net/project/shownotes.php?release_id=635463&group_id=5624
http://secunia.com/advisories/32418/

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Comment 1•16 years ago (Reporter)
According to the Secunia advisory, this can be exploited to potentially exhaust all available memory via a specially crafted PNG image.
Keywords: hang
Updated•16 years ago
Flags: wanted1.9.0.x?
Flags: blocking1.9.1?
Flags: blocking1.9.0.5?
Updated•16 years ago
Whiteboard: [sg:low dos]
Comment 2•16 years ago (Reporter)
(In reply to comment #0)
> libpng 1.0.32 or older has DoS vulnerability.

Sorry. It's 1.2.32 or older.
Comment 3•16 years ago
Glenn: is this an update mozilla clients should take?
Summary: Update libpng to 1.0.33rc2 or later → Update libpng to 1.2.33rc2 or later
Comment 4•16 years ago (Assignee)
Anything that uses the PNG decoder in libpr0n is not vulnerable, whether it uses the embedded libpng or the system libpng, since it ignores the tEXt chunk. Firefox and Seamonkey are not vulnerable.

This is the crucial statement, which appears in libpr0n/decoders/png/nsPNGDecoder.cpp:

    png_set_keep_unknown_chunks(mPNG, 1, unused_chunks, (int)sizeof(unused_chunks)/5);

If there are any clients that omit that statement then they would be vulnerable.

Glenn
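The filtering idea in comment 4, as an added example that is not part of the original comment and is not libpng or Mozilla code: a stand-alone chunk walker that applies an ignore list laid out as 5-byte entries (4-character chunk name plus NUL), which is why the call divides `sizeof(unused_chunks)` by 5. The list contents, the sample bytes and the function names are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Ignore list in libpng's layout: 5 bytes per entry (4-char name + NUL).
 * The entries are an assumption, not copied from nsPNGDecoder.cpp. */
static const unsigned char unused_chunks[] = {
    't','E','X','t','\0', 'z','T','X','t','\0', 'i','T','X','t','\0' };

/* Constructed stream (signature omitted, CRCs zeroed): IHDR, tEXt, IEND. */
static const unsigned char sample[] = {
    0,0,0,13, 'I','H','D','R', 0,0,0,1, 0,0,0,1, 8,0,0,0,0, 0,0,0,0,
    0,0,0,5,  't','E','X','t', 'k',0,'a','b','c',           0,0,0,0,
    0,0,0,0,  'I','E','N','D',                              0,0,0,0 };

static int is_ignored(const unsigned char *type)
{
    for (size_t i = 0; i < sizeof(unused_chunks) / 5; i++)
        if (memcmp(type, unused_chunks + 5 * i, 4) == 0)
            return 1;
    return 0;
}

/* Returns chunks skipped via the ignore list, or -1 on a bad length. */
static int walk_chunks(const unsigned char *p, size_t len, int *handled)
{
    int skipped = 0;
    *handled = 0;
    while (len >= 12) {                  /* length + type + CRC */
        uint32_t clen = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                        ((uint32_t)p[2] << 8) | (uint32_t)p[3];
        if (clen > len - 12)
            return -1;                   /* truncated or oversized length */
        if (is_ignored(p + 4))
            skipped++;                   /* payload stepped over, never stored */
        else
            (*handled)++;
        p += 12 + (size_t)clen;
        len -= 12 + (size_t)clen;
    }
    return len == 0 ? skipped : -1;
}

int main(void)
{
    int handled, skipped = walk_chunks(sample, sizeof(sample), &handled);
    printf("handled=%d skipped=%d\n", handled, skipped);
    return 0;
}
```

In libpng itself the second argument `1` is `PNG_HANDLE_CHUNK_NEVER`, so listed chunks are discarded rather than stored.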
Comment 5•16 years ago (Assignee)
This vulnerability has been mentioned publicly in the libpng-1.2.33 release which came out today and in libpng-1.2.33rc02 which came out last week, so the security flag can be cleared on this bug.
Updated•16 years ago
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:low dos] → [sg:nse] libpr0n not vulnerable
Not blocking, given that libpr0n isn't vulnerable, but we should stay up to date anyway.
Assignee: nobody → joe
Flags: wanted1.9.1+
Flags: blocking1.9.1?
Flags: blocking1.9.1-
Priority: -- → P3
Comment 7•16 years ago (Assignee)
Updated•16 years ago
Flags: wanted1.9.0.x?
Flags: blocking1.9.0.5?
Updated•16 years ago (Assignee)
Summary: Update libpng to 1.2.33rc2 or later → Update libpng to 1.2.33
Version: unspecified → Trunk
Updated•16 years ago (Assignee)
Attachment #345941 -
Flags: review?(vladimir)
Comment 8•16 years ago (Assignee)
Since libpng-1.2.34 will be out in a few days, at this point we may as well skip 1.2.33. Changing summary.
Summary: Update libpng to 1.2.33 → Update libpng to 1.2.34
Updated•16 years ago (Assignee)
Attachment #345941 -
Flags: review?(vladimir)
Comment 9•16 years ago (Assignee)
This is a preview of libpng-1.2.34 which is due out about December 12th.
Attachment #345941 -
Attachment is obsolete: true
Comment 10•16 years ago (Assignee)
Upgrading to libpng-1.2.34 will take care of the "changes to libpng" referred to in bug #460520, comment 53.
Comment 11•16 years ago (Assignee)
Libpng beta is now at version 1.2.34beta05. There are no differences between beta04 and beta05 that are relevant to mozilla, so there is no need to update the "preview" patch at this time. I mis-stated the "due out" date. Libpng-1.2.34 should be out on December 18th.
Comment 12•16 years ago (Assignee)
Libpng-1.2.34 has been released. This fixes some potential double-free situations but those do not affect libpr0n. There are some new checks for bogus cHRM chunk data (in addition to the ones that lcms was recently modified to reject).
Attachment #351200 -
Attachment is obsolete: true
Updated•16 years ago
Attachment #353675 -
Flags: superreview?(joe)
Attachment #353675 -
Flags: review?(joe)
Updated•16 years ago
Attachment #353675 -
Flags: superreview?(joe)
Attachment #353675 -
Flags: superreview+
Attachment #353675 -
Flags: review?(joe)
Attachment #353675 -
Flags: review+
Comment 13•16 years ago
Pushed in http://hg.mozilla.org/mozilla-central/rev/10272628f541

Glenn/Ryan, if you want this for 1.9.1/Firefox 3.1, you'll have to ask for approval1.9.1 on attachment 353675.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 14•15 years ago
Comment on attachment 353675: Update trunk to libpng-1.2.34

Requesting 1.9.1 approval based on the updated version fixing issues with bogus cHRM chunks, which can cause issues with color management enabled.
Attachment #353675 -
Flags: approval1.9.1?
Updated•15 years ago
Attachment #353675 -
Flags: approval1.9.1? → approval1.9.1+
Comment 15•15 years ago
Comment on attachment 353675: Update trunk to libpng-1.2.34

a191=beltzner
Updated•15 years ago
Keywords: checkin-needed
Comment 16•15 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/6dd7e1c8340c
Assignee: joe → glennrp
Keywords: checkin-needed → fixed1.9.1
Updated•15 years ago
Flags: wanted1.9.0.x-
Comment 17•15 years ago (Assignee)
This bug was fixed1.8.1.21, fixed1.9.0.7, fixed1.9.0.8, fixed1.9.1 in the process of upgrading libpng to version 1.2.35 (bug #478901).
Comment 18•15 years ago
Verified for 1.9.0.9 via bug 478901.
Keywords: fixed1.9.0.9 → verified1.9.0.9