Update libpng to version 1.4.8

RESOLVED FIXED in mozilla8

Status: RESOLVED FIXED
Product: Core
Component: ImageLib
Version: unspecified
Severity: major
Reporter: Glenn Randers-Pehrson
Assignee: Glenn Randers-Pehrson
Target Milestone: mozilla8
Bug Flags: in-testsuite -
Firefox Tracking Flags: status1.9.2 wontfix
Attachments: 1 attachment, 1 obsolete attachment

(Assignee)

Description

6 years ago
Libpng-1.4.8 was released on July 7, 2011.  It fixes several security problems including CVE-2011-2501.  It is not clear whether any of these affect libimg.
(Assignee)

Updated

6 years ago
Assignee: nobody → glennrp+bmo
Severity: normal → major
Depends on: 624133
(Assignee)

Comment 1

6 years ago
Here is a summary of the vulnerabilities fixed in libpng-1.4.8.
The CERT VRF numbers refer to my submissions that haven't been
published yet:

No CVE
(CERT VRF#GPMVAJZJ)
PDG RESPONSE: Prior to libpng-1.2.45 the error function received a NULL pointer,
expressed erroneously as '\0', instead of the empty string "".  This error was
introduced in libpng-1.2.20, and png_default_error() will crash in this
case.  This will be fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45,
and libpng-1.0.55.

No CVE
(CERT VRF#GPMUDNZZ)
PDG RESPONSE: libpng reads uninitialized memory when it encounters a
sCAL chunk that is empty, and improperly handles a sCAL chunk that lacks
the terminating zero between the two strings that it conveys.
This will be fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45,
and libpng-1.0.55.

CVE-2011-2501
libpng "png_format_buffer()" Denial of Service Vulnerability
PDG RESPONSE: This regression of CVE-2004-0421 occurred in libpng-1.2.20.
This will be fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45,
and libpng-1.0.55.
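As an added example (not libpng's code and not part of this bug), a bounds-checked parser for the sCAL chunk layout the second item above concerns: one unit byte, then two ASCII floating-point strings separated by a single NUL. It rejects an empty chunk and a chunk without the separator instead of reading past the data; the `scal_t` holder, its field sizes and the function names are assumptions.

```c
#include <string.h>

/* Hypothetical holder for a decoded sCAL chunk (not libpng's struct). */
typedef struct {
    unsigned char unit;   /* 1 = meter, 2 = radian */
    char width[32];       /* ASCII floating-point, NUL-terminated */
    char height[32];
} scal_t;

/* sCAL strings may only contain ASCII floating-point characters. */
static int ascii_float_ok(const unsigned char *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char c = s[i];
        if (!((c >= '0' && c <= '9') || c == '.' || c == '+' ||
              c == '-' || c == 'e' || c == 'E'))
            return 0;
    }
    return 1;
}

/* Parse `length` bytes of chunk data.  Returns 0 on success, -1 on any
 * malformed input.  Every read is bounded by `length`, so an empty chunk
 * or one lacking the NUL between the strings is rejected, not read past. */
int parse_scal(const unsigned char *data, size_t length, scal_t *out)
{
    if (data == NULL || out == NULL)
        return -1;
    if (length < 4)                 /* unit + 1 char + NUL + 1 char */
        return -1;
    if (data[0] != 1 && data[0] != 2)
        return -1;
    /* Look for the separator inside the chunk only, never beyond it. */
    const unsigned char *sep = memchr(data + 1, '\0', length - 1);
    if (sep == NULL)
        return -1;                  /* missing terminating zero */
    size_t wlen = (size_t)(sep - (data + 1));
    size_t hlen = length - 2 - wlen;
    if (wlen == 0 || hlen == 0)
        return -1;
    if (wlen >= sizeof out->width || hlen >= sizeof out->height)
        return -1;
    if (!ascii_float_ok(data + 1, wlen) || !ascii_float_ok(sep + 1, hlen))
        return -1;                  /* also catches a stray second NUL */
    out->unit = data[0];
    memcpy(out->width, data + 1, wlen);  out->width[wlen] = '\0';
    memcpy(out->height, sep + 1, hlen);  out->height[hlen] = '\0';
    return 0;
}
```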
(Assignee)

Comment 2

6 years ago
I inadvertently omitted this one.  We don't use png_rgb_to_gray() so this
does not affect us.  We also explicitly ignore the sCAL chunk so that one
doesn't affect us either.

No CVE
(CERT VRF#GPMUN5G0)
PDG RESPONSE: libpng overwrites unallocated memory when promoting a
paletted image with transparency (one channel) to gray-alpha (two channels),
only if the application calls png_rgb_to_gray() but fails to call
png_set_expand() (we do not know of any such applications).  This bug exists
in all released versions of libpng (1.0, 1.2, 1.4 and 1.5).  The data
overwritten is entirely controlled by the image data in the PNG file and it
is possible to cause any string of data to be written by fabricating an
appropriate PNG file.  The amount of overwrite is equal to the row length
of the original image. This will be fixed in libpng-1.5.4, libpng-1.4.8,
libpng-1.2.45, and libpng-1.0.55.
(Assignee)

Comment 3

6 years ago
I believe that only DEBUG builds (when PR_LOG() actually does something) are vulnerable to the two error-processing vulnerabilities.
(Assignee)

Comment 4

6 years ago
Also, builds that use the system libpng instead of our embedded one may be vulnerable to the png_error problems.  They also are immune to the png_rgb_to_gray bug and the sCAL bug.  Incidentally, our nsPNGDecoder.cpp also sends a '\0' to the error logger instead of a pointer to an empty string.  I'll open a bug for that.
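The '\0' versus "" mix-up mentioned in Comment 1 and again here, as an added illustration (not code from libpng or nsPNGDecoder.cpp): in C the character constant '\0' is an integer constant expression with value zero, so where a `const char *` is expected it becomes a null pointer, not a pointer to an empty string. The hardened formatter below treats a NULL message as ""; the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Shows why the mistake is silent: '\0' is a null pointer constant,
 * so this initialisation compiles and yields NULL, not "". */
int char_zero_is_null_pointer(void)
{
    const char *msg = '\0';   /* what the buggy callers effectively pass */
    const char *empty = "";   /* what they meant */
    return msg == NULL && empty != NULL && empty[0] == '\0';
}

/* Error-message formatter as a libpng-style error callback might have it.
 * Unsafe: strlen(NULL) crashes, the png_default_error() failure the
 * comments describe.  Returns the message length. */
size_t format_error_unsafe(const char *msg, char *out, size_t n)
{
    size_t len = strlen(msg);           /* crashes when msg is NULL */
    snprintf(out, n, "libpng error: %s", msg);
    return len;
}

/* Hardened form: a NULL message is treated as the empty string the
 * caller intended, so the callback never dereferences NULL.
 * Returns the length of the formatted text. */
size_t format_error(const char *msg, char *out, size_t n)
{
    if (msg == NULL)
        msg = "";
    snprintf(out, n, "libpng error: %s", msg);
    return strlen(out);
}
```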
(Assignee)

Comment 5

6 years ago
Created attachment 547032 [details] [diff] [review]
v00 Upgrade mozilla-central to libpng-1.4.8

Someone please run this through the Try-server.
(Assignee)

Comment 6

6 years ago
Created attachment 547043 [details] [diff] [review]
v01 Upgrade mozilla-central to libpng-1.4.8

The v01 patch also updates CHANGES, LICENSE, README, libpng.txt to 1.4.8
Attachment #547032 - Attachment is obsolete: true

Comment 7

I'll push it to try.

Comment 8

6 years ago
Try run for e0263e9bd992 is complete.
Detailed breakdown of the results available here:
    http://tbpl.mozilla.org/?tree=Try&rev=e0263e9bd992
Results:
    success: 9
    warnings: 1
Total buildrequests: 10
(Assignee)

Comment 9

6 years ago
Was the one warning of any consequence?
Status: NEW → ASSIGNED

Comment 10

No
(Assignee)

Updated

6 years ago
Keywords: checkin-needed
(Assignee)

Updated

6 years ago
No longer depends on: 624133

Comment 11

Can this land without review? What should the commit message say?
(Assignee)

Comment 12

6 years ago
No, I'm requesting a review now.
Keywords: checkin-needed
(Assignee)

Comment 13

6 years ago
Comment on attachment 547043 [details] [diff] [review]
v01 Upgrade mozilla-central to libpng-1.4.8

Review of attachment 547043 [details] [diff] [review]:
-----------------------------------------------------------------
Attachment #547043 - Flags: review?(joe)
(Assignee)

Updated

6 years ago
Depends on: 624133
(Assignee)

Updated

6 years ago
Blocks: 648960
(Assignee)

Updated

6 years ago
Blocks: 648690
No longer blocks: 648960

Comment 14

6 years ago
Glenn, could you please make sure this fix for png_handle_fcTL() is included:

https://bugzilla.mozilla.org/attachment.cgi?id=525794&action=diff
(Assignee)

Comment 15

6 years ago
@ryan, please "try" with the bug #624133 patch v07 on top of this v01 patch.  That v07 patch was reviewed but apparently never checked in.  It shouldn't matter in which order they are applied.

Comment 16

Comment on attachment 547043 [details] [diff] [review]
v01 Upgrade mozilla-central to libpng-1.4.8

Review of attachment 547043 [details] [diff] [review]:
-----------------------------------------------------------------

I haven't reviewed this, but I looked at CHANGES and nothing looked objectionable in any way. Consider this rs=joe
Attachment #547043 - Flags: review?(joe) → review+
(Assignee)

Comment 17

6 years ago
checkin-needed.
Keywords: checkin-needed

Comment 18

For what it's worth, it would be nice to include patch metadata in attachments with checkin-needed...

In any case, pushed to mozilla-inbound: http://hg.mozilla.org/integration/mozilla-inbound/rev/e11c69bb7f5f
Flags: in-testsuite-
Keywords: checkin-needed

Comment 19

http://hg.mozilla.org/mozilla-central/rev/e11c69bb7f5f
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
blocking1.9.2: --- → ?

Updated

6 years ago
blocking1.9.2: ? → ---
status1.9.2: --- → wontfix