Bug 669863 - Update libpng to version 1.4.8
Summary: Update libpng to version 1.4.8
Status: RESOLVED FIXED
Alias:
Product: Core
Classification: Components
Component: ImageLib
Version: unspecified
Platform: All All
Importance: -- major
Target Milestone: mozilla8
Assigned To: Glenn Randers-Pehrson
QA Contact:
Mentors:
Depends on: 624133
Blocks: 648690

Reported: 2011-07-07 06:07 PDT by Glenn Randers-Pehrson
Modified: 2011-10-31 11:26 PDT
CC: 14 users
bzbarsky: in-testsuite-
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
wontfix

Attachments
v00 Upgrade mozilla-central to libpng-1.4.8 (29.17 KB, patch)
2011-07-20 04:43 PDT, Glenn Randers-Pehrson
no flags
v01 Upgrade mozilla-central to libpng-1.4.8 (53.52 KB, patch)
2011-07-20 05:14 PDT, Glenn Randers-Pehrson
joe: review+

Description Glenn Randers-Pehrson 2011-07-07 06:07:20 PDT
Libpng-1.4.8 was released on July 7, 2011.  It fixes several security problems including CVE-2011-2501.  It is not clear whether any of these affect libimg.
Comment 1 Glenn Randers-Pehrson 2011-07-07 06:22:07 PDT
Here is a summary of the vulnerabilities fixed in libpng-1.4.8.
The CERT VRF numbers refer to my submissions that haven't been
published yet:

No CVE
(CERT VRF#GPMVAJZJ)
PDG RESPONSE: Prior to libpng-1.2.45 the error function received a NULL pointer,
expressed erroneously as '\0', instead of the empty string "".  This error was
introduced in libpng-1.2.20, and png_default_error() will crash in this
case.  This will be fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45,
and libpng-1.0.55.

No CVE
(CERT VRF#GPMUDNZZ)
PDG RESPONSE: libpng reads uninitialized memory when it encounters a
sCAL chunk that is empty, and improperly handles a sCAL chunk that lacks
the terminating zero between the two strings that it conveys.
This will be fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45,
and libpng-1.0.55.

CVE-2011-2501
libpng "png_format_buffer()" Denial of Service Vulnerability
PDG RESPONSE: This regression of CVE-2004-0421 occurred in libpng-1.2.20.
This will be fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45,
and libpng-1.0.55.
Comment 2 Glenn Randers-Pehrson 2011-07-07 06:26:35 PDT
I inadvertently omitted this one.  We don't use png_rgb_to_gray() so this
does not affect us.  We also explicitly ignore the sCAL chunk so that one
doesn't affect us either.

No CVE
(CERT VRF#GPMUN5G0)
PDG RESPONSE: libpng overwrites unallocated memory when promoting a
paletted image with transparency (one channel) to gray-alpha (two channels),
only if the application calls png_rgb_to_gray() but fails to call
png_set_expand() (we do not know of any such applications).  This bug exists
in all released versions of libpng (1.0, 1.2, 1.4 and 1.5).  The data
overwritten is entirely controlled by the image data in the PNG file and it
is possible to cause any string of data to be written by fabricating an
appropriate PNG file.  The amount of overwrite is equal to the row length
of the original image. This will be fixed in libpng-1.5.4, libpng-1.4.8,
libpng-1.2.45, and libpng-1.0.55.
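The sCAL and error-string items summarised in Comment 1 are both input-handling defects: reading past a zero-length chunk body or a missing NUL separator, and handing a null pointer (the integer constant '\0') to an error routine that expects a string. As an added example that is not libpng's or Mozilla's code, the C below shows a bounds-checked reader for the body of a sCAL chunk together with an error-message sink that tolerates a NULL message. The chunk layout (unit byte, ASCII width, NUL, ASCII height) follows the PNG extensions specification; the status enum, function names and the constructed sample chunks are assumptions made for illustration.

```c
/* Added example, not libpng's or Mozilla's code: a bounds-checked reader for
 * the body of a PNG sCAL chunk, plus a NULL-tolerant error-message sink.
 * sCAL layout per the PNG extensions spec: one unit byte (1 = metre,
 * 2 = radian), an ASCII floating-point width, a NUL separator, and an ASCII
 * floating-point height with no trailing NUL. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCAL_FIELD_MAX 32   /* assumed output buffer size for each field */

enum scal_status {
    SCAL_OK = 0,
    SCAL_EMPTY,        /* zero-length chunk: there is nothing to read */
    SCAL_BAD_UNIT,     /* unit byte is not 1 or 2 */
    SCAL_NO_SEPARATOR, /* no NUL between width and height inside the chunk */
    SCAL_EMPTY_FIELD,  /* width or height has zero length */
    SCAL_TOO_LONG,     /* a field would not fit the fixed output buffer */
    SCAL_BAD_NUMBER    /* a field contains bytes other than an ASCII number */
};

struct scal_fields {
    int unit;
    char width[SCAL_FIELD_MAX];
    char height[SCAL_FIELD_MAX];
};

/* Accept digits with at most one '.'; simplified (no sign or exponent).
 * Rejects NUL, so an embedded NUL in the height field is caught as well. */
static int is_ascii_number(const uint8_t *p, size_t n)
{
    int dots = 0, digits = 0;
    for (size_t i = 0; i < n; i++) {
        if (p[i] >= '0' && p[i] <= '9') digits++;
        else if (p[i] == '.') { if (dots++) return 0; }
        else return 0;
    }
    return digits > 0;
}

/* Every access is bounded by len; out may be NULL when only validation is wanted. */
enum scal_status parse_scal(const uint8_t *data, size_t len, struct scal_fields *out)
{
    if (len == 0)
        return SCAL_EMPTY;               /* never touch data[0] of an empty chunk */
    if (data[0] != 1 && data[0] != 2)
        return SCAL_BAD_UNIT;
    /* memchr is limited to len - 1 bytes, so the search cannot leave the chunk */
    const uint8_t *sep = memchr(data + 1, '\0', len - 1);
    if (sep == NULL)
        return SCAL_NO_SEPARATOR;
    size_t wlen = (size_t)(sep - (data + 1));
    size_t hlen = len - (wlen + 2);      /* bytes after the separator */
    if (wlen == 0 || hlen == 0)
        return SCAL_EMPTY_FIELD;
    if (wlen >= SCAL_FIELD_MAX || hlen >= SCAL_FIELD_MAX)
        return SCAL_TOO_LONG;
    if (!is_ascii_number(data + 1, wlen) || !is_ascii_number(sep + 1, hlen))
        return SCAL_BAD_NUMBER;
    if (out != NULL) {
        out->unit = data[0];
        memcpy(out->width, data + 1, wlen);  out->width[wlen] = '\0';
        memcpy(out->height, sep + 1, hlen);  out->height[hlen] = '\0';
    }
    return SCAL_OK;
}

/* The '\0' bug: an int constant 0 converts silently to a null char pointer, so a
 * caller meaning "" hands the error routine NULL. A sink that substitutes ""
 * never dereferences it. */
const char *error_message_text(const char *msg)
{
    return msg != NULL ? msg : "";
}

/* Convenience for checking: 1 when the chunk parses and matches the expected fields. */
int scal_matches(const uint8_t *data, size_t len, int unit, const char *w, const char *h)
{
    struct scal_fields f;
    if (parse_scal(data, len, &f) != SCAL_OK) return 0;
    return f.unit == unit && strcmp(f.width, w) == 0 && strcmp(f.height, h) == 0;
}

/* Constructed sample chunk bodies (not taken from any real file). */
static const uint8_t SCAL_VALID[]  = {1, '1', '.', '5', 0, '2', '0'};
static const uint8_t SCAL_NO_NUL[] = {1, '1', '2', '3'};        /* separator missing */
static const uint8_t SCAL_NO_H[]   = {1, '1', 0};               /* height is empty */
static const uint8_t SCAL_JUNK[]   = {1, 'a', 0, '1'};          /* non-numeric width */

int main(void)
{
    struct scal_fields f;
    printf("empty chunk -> status %d\n", parse_scal(SCAL_VALID, 0, NULL));
    if (parse_scal(SCAL_VALID, sizeof SCAL_VALID, &f) == SCAL_OK)
        printf("unit %d width %s height %s\n", f.unit, f.width, f.height);
    printf("no separator -> status %d\n", parse_scal(SCAL_NO_NUL, sizeof SCAL_NO_NUL, NULL));
    printf("error text for NULL: \"%s\"\n", error_message_text(NULL));
    return 0;
}
```

The reader refuses the chunk before any read that the chunk length does not cover, which is the property the Comment 1 summary says the 1.4.8 fix restores; the error sink shows the cheap guard a logging callback can apply regardless of what its callers pass.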
Comment 3 Glenn Randers-Pehrson 2011-07-07 06:58:53 PDT
I believe that only DEBUG builds (when PR_LOG() actually does something) are vulnerable to the two error-processing vulnerabilities.
Comment 4 Glenn Randers-Pehrson 2011-07-07 15:13:11 PDT
Also, builds that use the system libpng instead of our embedded one may be vulnerable to the png_error problems.  They also are immune to the png_rgb_to_gray bug and the sCAL bug.  Incidentally, our nsPNGDecoder.cpp also sends a '\0' to the error logger instead of a pointer to an empty string.  I'll open a bug for that.
Comment 5 Glenn Randers-Pehrson 2011-07-20 04:43:06 PDT
Created attachment 547032
v00 Upgrade mozilla-central to libpng-1.4.8

Someone please run this through the Try-server.
Comment 6 Glenn Randers-Pehrson 2011-07-20 05:14:28 PDT
Created attachment 547043
v01 Upgrade mozilla-central to libpng-1.4.8

The v01 patch also updates CHANGES, LICENSE, README, libpng.txt to 1.4.8
Comment 7 Ryan VanderMeulen [:RyanVM] 2011-07-20 15:02:20 PDT
I'll push it to try.
Comment 8 Mozilla RelEng Bot 2011-07-20 22:21:05 PDT
Try run for e0263e9bd992 is complete.
Detailed breakdown of the results available here:
    http://tbpl.mozilla.org/?tree=Try&rev=e0263e9bd992
Results:
    success: 9
    warnings: 1
Total buildrequests: 10
Comment 9 Glenn Randers-Pehrson 2011-07-24 04:35:45 PDT
Was the one warning of any consequence?
Comment 10 Ryan VanderMeulen [:RyanVM] 2011-07-24 05:58:45 PDT
No
Comment 11 Dão Gottwald [:dao] 2011-07-25 03:14:16 PDT
Can this land without review? What should the commit message say?
Comment 12 Glenn Randers-Pehrson 2011-07-25 03:41:56 PDT
No, I'm requesting a review now.
Comment 13 Glenn Randers-Pehrson 2011-07-25 03:47:33 PDT
Comment on attachment 547043
v01 Upgrade mozilla-central to libpng-1.4.8

Review of attachment 547043:
-----------------------------------------------------------------
Comment 14 Max Stepin 2011-07-27 03:55:19 PDT
Glenn, could you please make sure this fix for png_handle_fcTL() is included:

https://bugzilla.mozilla.org/attachment.cgi?id=525794&action=diff
Comment 15 Glenn Randers-Pehrson 2011-07-27 04:54:45 PDT
@ryan, please "try" with the bug #624133 patch v07 on top of this v01 patch.  That v07 patch was reviewed but apparently never checked in.  It shouldn't matter in which order they are applied.
Comment 16 Joe Drew (not getting mail) 2011-07-28 11:21:44 PDT
Comment on attachment 547043
v01 Upgrade mozilla-central to libpng-1.4.8

Review of attachment 547043:
-----------------------------------------------------------------

I haven't reviewed this, but I looked at CHANGES and nothing looked objectionable in any way. Consider this rs=joe
Comment 17 Glenn Randers-Pehrson 2011-07-28 11:51:04 PDT
checkin-needed.
Comment 18 Boris Zbarsky [:bz] (TPAC) 2011-07-29 11:31:34 PDT
For what it's worth, it would be nice to include patch metadata in attachments with checkin-needed...

In any case, pushed to mozilla-inbound: http://hg.mozilla.org/integration/mozilla-inbound/rev/e11c69bb7f5f
Comment 19 Marco Bonardo [::mak] 2011-08-01 07:50:32 PDT
http://hg.mozilla.org/mozilla-central/rev/e11c69bb7f5f