Closed Bug 669863 Opened 8 years ago Closed 8 years ago
Update libpng to version 1
Libpng-1.4.8 was released on July 7, 2011. It fixes several security problems including CVE-2011-2501. It is not clear whether any of these affect libimg.
Assignee: nobody → glennrp+bmo
Severity: normal → major
Here is a summary of the vulnerabilities fixed in libpng-1.4.8. The CERT VRF numbers refer to my submissions that haven't been published yet:

No CVE (CERT VRF#GPMVAJZJ)
PDG RESPONSE: Prior to libpng-1.2.45 the error function received a NULL pointer, expressed erroneously as '\0', instead of the empty string "". This error was introduced in libpng-1.2.20, and png_default_error() will crash in this case. This will be fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45, and libpng-1.0.55.

No CVE (CERT VRF#GPMUDNZZ)
PDG RESPONSE: libpng reads uninitialized memory when it encounters a sCAL chunk that is empty, and improperly handles a sCAL chunk that lacks the terminating zero between the two strings that it conveys. This will be fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45, and libpng-1.0.55.

CVE-2011-2501 libpng "png_format_buffer()" Denial of Service Vulnerability
PDG RESPONSE: This regression of CVE-2004-0421 occurred in libpng-1.2.20. This will be fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45, and libpng-1.0.55.
I inadvertently omitted this one. We don't use png_rgb_to_gray() so this does not affect us. We also explicitly ignore the sCAL chunk so that one doesn't affect us either.

No CVE (CERT VRF#GPMUN5G0)
PDG RESPONSE: libpng overwrites unallocated memory when promoting a paletted image with transparency (one channel) to gray-alpha (two channels), only if the application calls png_rgb_to_gray() but fails to call png_set_expand() (we do not know of any such applications). This bug exists in all released versions of libpng (1.0, 1.2, 1.4 and 1.5). The data overwritten is entirely controlled by the image data in the PNG file and it is possible to cause any string of data to be written by fabricating an appropriate PNG file. The amount of overwrite is equal to the row length of the original image. This will be fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45, and libpng-1.0.55.
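The sCAL defect described in the second VRF above (an empty chunk, or one with no NUL between its two strings) is the kind of malformed input a chunk reader has to reject before it reads anything. The bounds-checked parser below is an added example written for this page, not libpng's own code; the sample payloads and the names parse_scal and scal_demo are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decoded fields of a PNG sCAL chunk: one unit byte, then two ASCII
   floating-point strings (pixel width, pixel height) separated by a NUL.
   The string pointers refer into the caller's chunk buffer and are not
   NUL-terminated, so their lengths are carried alongside them. */
typedef struct {
    int unit;                 /* 1 = metre, 2 = radian */
    const char *width;  size_t width_len;
    const char *height; size_t height_len;
} scal_info;

/* Bounds-checked sCAL parse. Returns 0 on success or a negative code.
   Every read is limited to 'len'; nothing assumes a terminating zero. */
int parse_scal(const uint8_t *data, size_t len, scal_info *out)
{
    if (data == NULL || out == NULL) return -1;
    if (len < 4) return -2;                       /* empty/short chunk: read nothing */
    if (data[0] != 1 && data[0] != 2) return -3;  /* unknown unit byte */
    /* memchr is bounded by len, unlike strlen, so a missing separator
       cannot make the scan run past the end of the chunk. */
    const uint8_t *sep = memchr(data + 1, '\0', len - 1);
    if (sep == NULL) return -4;                   /* no NUL between the two strings */
    size_t wlen = (size_t)(sep - (data + 1));
    size_t hlen = len - 2 - wlen;                 /* bytes after the separator */
    if (wlen == 0 || hlen == 0) return -5;        /* a string is missing */
    if (memchr(sep + 1, '\0', hlen) != NULL) return -6;  /* stray NUL in height */
    out->unit = data[0];
    out->width = (const char *)(data + 1);  out->width_len = wlen;
    out->height = (const char *)(sep + 1);  out->height_len = hlen;
    return 0;
}

/* Constructed sample chunk payloads (not taken from any real file). */
static const uint8_t SCAL_OK[]     = { 1, '0', '.', '5', 0, '2', '.', '2', '5' };
static const uint8_t SCAL_NO_NUL[] = { 1, '0', '.', '5', '2', '.', '2', '5' };

/* Runs the parser over one sample case and returns its status code. */
int scal_demo(int which)
{
    scal_info info;
    switch (which) {
    case 0:  return parse_scal(SCAL_OK, sizeof SCAL_OK, &info);          /* well-formed */
    case 1:  return parse_scal(SCAL_OK, 0, &info);                       /* empty chunk */
    case 2:  return parse_scal(SCAL_NO_NUL, sizeof SCAL_NO_NUL, &info);  /* no separator */
    default: return -1;
    }
}

/* Confirms the fields decoded from the well-formed sample. */
int scal_demo_fields_ok(void)
{
    scal_info info;
    if (parse_scal(SCAL_OK, sizeof SCAL_OK, &info) != 0) return 0;
    return info.unit == 1 && info.width_len == 3 && memcmp(info.width, "0.5", 3) == 0
        && info.height_len == 4 && memcmp(info.height, "2.25", 4) == 0;
}
```

Converting the two strings to numbers is left to the caller; the point here is that the chunk length, not a terminator, bounds every read.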
I believe that only DEBUG builds (when PR_LOG() actually does something) are vulnerable to the two error-processing vulnerabilities.
Also, builds that use the system libpng instead of our embedded one may be vulnerable to the png_error problems. They also are immune to the png_rgb_to_gray bug and the sCAL bug. Incidentally, our nsPNGDecoder.cpp also sends a '\0' to the error logger instead of a pointer to an empty string. I'll open a bug for that.
Someone please run this through the Try-server.
The v01 patch also updates CHANGES, LICENSE, README, libpng.txt to 1.4.8
Attachment #547032 - Attachment is obsolete: true
I'll push it to try.
Try run for e0263e9bd992 is complete. Detailed breakdown of the results available here: http://tbpl.mozilla.org/?tree=Try&rev=e0263e9bd992
Results: success: 9, warnings: 1
Total buildrequests: 10
Was the one warning of any consequence?
Status: NEW → ASSIGNED
Can this land without review? What should the commit message say?
No, I'm requesting a review now.
Comment on attachment 547043 [details] [diff] [review] v01 Upgrade mozilla-central to libpng-1.4.8
Review of attachment 547043 [details] [diff] [review]:
Attachment #547043 - Flags: review?(joe)
Glenn, could you please make sure this fix for png_handle_fcTL() is included: https://bugzilla.mozilla.org/attachment.cgi?id=525794&action=diff
@ryan, please "try" with the bug #624133 patch v07 on top of this v01 patch. That v07 patch was reviewed but apparently never checked in. It shouldn't matter in which order they are applied.
Comment on attachment 547043 [details] [diff] [review] v01 Upgrade mozilla-central to libpng-1.4.8
Review of attachment 547043 [details] [diff] [review]:
I haven't reviewed this, but I looked at CHANGES and nothing looked objectionable in any way. Consider this rs=joe
Attachment #547043 - Flags: review?(joe) → review+
For what it's worth, it would be nice to include patch metadata in attachments with checkin-needed... In any case, pushed to mozilla-inbound: http://hg.mozilla.org/integration/mozilla-inbound/rev/e11c69bb7f5f
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8