Closed Bug 669863 Opened 8 years ago Closed 8 years ago

Update libpng to version 1.4.8

Product/Component: Core :: ImageLib (defect, severity major)
Status: RESOLVED FIXED, target milestone mozilla8
Tracking status: 1.9.2 wontfix
Reporter: glennrp+bmo; Assigned: glennrp+bmo
Attachments: 1 file, 1 obsolete file

Libpng-1.4.8 was released on July 7, 2011.  It fixes several security problems including CVE-2011-2501.  It is not clear whether any of these affect libimg.
Assignee: nobody → glennrp+bmo
Severity: normal → major
Depends on: 624133
Here is a summary of the vulnerabilities fixed in libpng-1.4.8.
The CERT VRF numbers refer to my submissions that haven't been
published yet:

No CVE
(CERT VRF#GPMVAJZJ)
PDG RESPONSE: Prior to libpng-1.2.45 the error function received a NULL pointer,
expressed erroneously as '\0', instead of the empty string "".  This error was
introduced in libpng-1.2.20, and png_default_error() will crash in this
case.  This will be fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45,
and libpng-1.0.55.

No CVE
(CERT VRF#GPMUDNZZ)
PDG RESPONSE: libpng reads uninitialized memory when it encounters a
sCAL chunk that is empty, and improperly handles a sCAL chunk that lacks
the terminating zero between the two strings that it conveys.
This will be fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45,
and libpng-1.0.55.

CVE-2011-2501
libpng "png_format_buffer()" Denial of Service Vulnerability
PDG RESPONSE: This regression of CVE-2004-0421 occurred in libpng-1.2.20.
This will be fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45,
and libpng-1.0.55.
I inadvertently omitted this one.  We don't use png_rgb_to_gray() so this
does not affect us.  We also explicitly ignore the sCAL chunk so that one
doesn't affect us either.

No CVE
(CERT VRF#GPMUN5G0)
PDG RESPONSE: libpng overwrites unallocated memory when promoting a
paletted image with transparency (one channel) to gray-alpha (two channels),
only if the application calls png_rgb_to_gray() but fails to call
png_set_expand() (we do not know of any such applications).  This bug exists
in all released versions of libpng (1.0, 1.2, 1.4 and 1.5).  The data
overwritten is entirely controlled by the image data in the PNG file and it
is possible to cause any string of data to be written by fabricating an
appropriate PNG file.  The amount of overwrite is equal to the row length
of the original image. This will be fixed in libpng-1.5.4, libpng-1.4.8,
libpng-1.2.45, and libpng-1.0.55.
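The two sCAL failure modes listed above (an empty chunk, and a chunk with no zero byte between its two strings) come down to reading the chunk body without accounting for its length. The parser below is an added example written for this page; it is not libpng's png_handle_sCAL() and not Mozilla's nsPNGDecoder code. It follows the PNG specification's sCAL layout (one unit byte, an ASCII floating-point width, a NUL separator, an ASCII floating-point height) and treats every deviation as a hard error rather than scanning past the buffer. The chunk payloads in run_demo() are constructed here, not taken from any real file.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decoded sCAL chunk: unit specifier (1 = metre, 2 = radian) and the
 * pixel width and height, which the chunk carries as ASCII strings. */
typedef struct {
    int unit;
    double width;
    double height;
} scal_t;

/* Strict ASCII float over exactly n bytes: only [0-9.eE+-], fully
 * consumed by strtod(), in range and positive. This rejects "inf",
 * "nan", hex floats and embedded whitespace, all of which a bare
 * strtod() would happily accept. Returns 0 on success, -1 otherwise. */
static int parse_ascii_float(const unsigned char *s, size_t n, double *out)
{
    char buf[64];
    char *end;
    if (n == 0 || n >= sizeof buf)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\0' || !(isdigit(s[i]) || strchr(".eE+-", s[i]) != NULL))
            return -1;
    memcpy(buf, s, n);
    buf[n] = '\0';
    errno = 0;
    double v = strtod(buf, &end);
    if (end != buf + n || errno == ERANGE || v <= 0.0)
        return -1;
    *out = v;
    return 0;
}

/* Parse an sCAL chunk body of len bytes. Returns 0 and fills *out on
 * success, -1 if the chunk is malformed. Every access is bounded by len:
 * an empty chunk is rejected before data[0] is touched, and a missing
 * separator is an error instead of a search into adjacent memory. */
int parse_scal(const unsigned char *data, size_t len, scal_t *out)
{
    /* Minimum: unit byte, one width char, NUL separator, one height char. */
    if (data == NULL || out == NULL || len < 4)
        return -1;
    if (data[0] != 1 && data[0] != 2)
        return -1;

    const unsigned char *width = data + 1;
    const unsigned char *sep = memchr(width, '\0', len - 1);
    if (sep == NULL)                /* no terminating zero between the strings */
        return -1;
    size_t wlen = (size_t)(sep - width);
    const unsigned char *height = sep + 1;
    size_t hlen = (size_t)((data + len) - height);
    /* Both strings must be non-empty; a second NUL (embedded or trailing)
     * is not part of the chunk grammar and is rejected as well. */
    if (wlen == 0 || hlen == 0 || memchr(height, '\0', hlen) != NULL)
        return -1;

    scal_t tmp;
    tmp.unit = data[0];
    if (parse_ascii_float(width, wlen, &tmp.width) != 0 ||
        parse_ascii_float(height, hlen, &tmp.height) != 0)
        return -1;
    *out = tmp;
    return 0;
}

static int near(double a, double b)
{
    double d = a - b;
    return d < 1e-12 && d > -1e-12;
}

/* Constructed chunk bodies (not from any real PNG) covering the shapes the
 * bug report describes plus a few more rejections. Returns the number of
 * cases whose outcome differed from expectation, so 0 means every check
 * behaved as intended. */
int run_demo(void)
{
    static const unsigned char good[]    = { 1, '0','.','0','2','5','4', 0, '0','.','0','2','5','4' };
    static const unsigned char nosep[]   = { 1, '1','.','0', '1','.','0' };   /* no NUL at all */
    static const unsigned char nohgt[]   = { 1, '1','.','0', 0 };              /* nothing after NUL */
    static const unsigned char badunit[] = { 3, '1', 0, '1' };
    static const unsigned char inf[]     = { 1, 'i','n','f', 0, '1' };
    scal_t s;
    int bad = 0;

    bad += !(parse_scal(good, sizeof good, &s) == 0 && s.unit == 1 &&
             near(s.width, 0.0254) && near(s.height, 0.0254));
    bad += parse_scal(good, 0, &s) != -1;        /* empty chunk */
    bad += parse_scal(nosep, sizeof nosep, &s) != -1;
    bad += parse_scal(nohgt, sizeof nohgt, &s) != -1;
    bad += parse_scal(badunit, sizeof badunit, &s) != -1;
    bad += parse_scal(inf, sizeof inf, &s) != -1;
    return bad;
}

int main(void)
{
    int bad = run_demo();
    printf("%d sCAL cases misbehaved\n", bad);
    return bad != 0;
}
```

The design point is that the chunk length is the only trustworthy bound: the separator is located with memchr() limited to len - 1 bytes, and the height string's length is derived from the end of the buffer, so a chunk that is empty, too short, or missing its NUL never causes a read outside the bytes the caller actually supplied.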
I believe that only DEBUG builds (when PR_LOG() actually does something) are vulnerable to the two error-processing vulnerabilities.
Also, builds that use the system libpng instead of our embedded one may be vulnerable to the png_error problems.  They also are immune to the png_rgb_to_gray bug and the sCAL bug.  Incidentally, our nsPNGDecoder.cpp also sends a '\0' to the error logger instead of a pointer to an empty string.  I'll open a bug for that.
Someone please run this through the Try-server.
The v01 patch also updates CHANGES, LICENSE, README, libpng.txt to 1.4.8
Attachment #547032 - Attachment is obsolete: true
I'll push it to try.
Try run for e0263e9bd992 is complete.
Detailed breakdown of the results available here:
    http://tbpl.mozilla.org/?tree=Try&rev=e0263e9bd992
Results:
    success: 9
    warnings: 1
Total buildrequests: 10
Was the one warning of any consequence?
Status: NEW → ASSIGNED
Keywords: checkin-needed
No longer depends on: 624133
Can this land without review? What should the commit message say?
No, I'm requesting a review now.
Keywords: checkin-needed
Comment on attachment 547043 [details] [diff] [review]
v01 Upgrade mozilla-central to libpng-1.4.8

Review of attachment 547043 [details] [diff] [review]:
-----------------------------------------------------------------
Attachment #547043 - Flags: review?(joe)
Depends on: 624133
Blocks: 648960
Blocks: 648690
No longer blocks: 648960
Glenn, could you please make sure this fix for png_handle_fcTL() is included:

https://bugzilla.mozilla.org/attachment.cgi?id=525794&action=diff
@ryan, please "try" with the bug #624133 patch v07 on top of this v01 patch.  That v07 patch was reviewed but apparently never checked in.  It shouldn't matter in which order they are applied.
Comment on attachment 547043 [details] [diff] [review]
v01 Upgrade mozilla-central to libpng-1.4.8

Review of attachment 547043 [details] [diff] [review]:
-----------------------------------------------------------------

I haven't reviewed this, but I looked at CHANGES and nothing looked objectionable in any way. Consider this rs=joe
Attachment #547043 - Flags: review?(joe) → review+
checkin-needed.
Keywords: checkin-needed
For what it's worth, it would be nice to include patch metadata in attachments with checkin-needed...

In any case, pushed to mozilla-inbound: http://hg.mozilla.org/integration/mozilla-inbound/rev/e11c69bb7f5f
Flags: in-testsuite-
Keywords: checkin-needed
http://hg.mozilla.org/mozilla-central/rev/e11c69bb7f5f
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
blocking1.9.2: --- → ?
blocking1.9.2: ? → ---