Closed
Bug 669863
Opened 13 years ago
Closed 13 years ago
Update libpng to version 1.4.8
Categories: Core :: Graphics: ImageLib, defect
Tracking: RESOLVED FIXED, mozilla8

Flag | Tracking | Status
---|---|---
status1.9.2 | --- | wontfix

People: Reporter: glennrp+bmo, Assigned: glennrp+bmo
Attachments (1 file, 1 obsolete file): 53.52 KB, patch, joe: review+
Libpng-1.4.8 was released on July 7, 2011. It fixes several security problems including CVE-2011-2501. It is not clear whether any of these affect libimg.
Comment 1 • 13 years ago (Assignee)
Here is a summary of the vulnerabilities fixed in libpng-1.4.8. The CERT VRF numbers refer to my submissions that haven't been published yet:

No CVE (CERT VRF#GPMVAJZJ)
PDG RESPONSE: Prior to libpng-1.2.45 the error function received a NULL pointer, expressed erroneously as '\0', instead of the empty string "". This error was introduced in libpng-1.2.20, and png_default_error() will crash in this case. This will be fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45, and libpng-1.0.55.

No CVE (CERT VRF#GPMUDNZZ)
PDG RESPONSE: libpng reads uninitialized memory when it encounters a sCAL chunk that is empty, and improperly handles a sCAL chunk that lacks the terminating zero between the two strings that it conveys. This will be fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45, and libpng-1.0.55.

CVE-2011-2501 libpng "png_format_buffer()" Denial of Service Vulnerability
PDG RESPONSE: This regression of CVE-2004-0421 occurred in libpng-1.2.20. This will be fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45, and libpng-1.0.55.
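The first two items above describe two common C pitfalls: an error callback handed `'\0'` (an integer constant 0, which C silently treats as a null pointer) instead of `""`, and a chunk parser that trusts a chunk to contain a NUL separator it may not have. The following is an added example, not libpng's code or the patch in this bug. It shows a message sink that tolerates a NULL string, and a strict parser for the sCAL chunk layout (unit byte, width string, NUL, height string) that rejects an empty chunk or a missing separator instead of reading past the end of the data. The function names, the fixed-size `scal_t` buffers and the sample chunk bytes are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Error sink that never dereferences a NULL message. A caller that writes
 * report_error('\0', ...) passes a null pointer, not an empty string; the
 * defensive substitution below keeps that from crashing in the formatter. */
size_t report_error(const char *msg, char *out, size_t outlen)
{
    const char *safe = (msg != NULL) ? msg : "";
    return (size_t)snprintf(out, outlen, "libpng error: %s", safe);
}

/* Parsed sCAL contents (hypothetical struct, sized for this example). */
typedef struct {
    int  unit;        /* 1 = meter, 2 = radian (PNG sCAL unit specifier) */
    char width[64];   /* ASCII floating-point, NUL-terminated */
    char height[64];  /* ASCII floating-point, NUL-terminated */
} scal_t;

/* sCAL values may only use ASCII floating-point notation. */
static int is_png_float(const char *s)
{
    if (*s == '\0') return 0;
    for (; *s != '\0'; s++)
        if (strchr("0123456789.eE+-", *s) == NULL) return 0;
    return 1;
}

/* Parse an sCAL chunk body of exactly `len` bytes. Returns 0 on success and a
 * distinct nonzero code for each malformation; never reads beyond data[len-1].
 * Layout: data[0] = unit, data[1..] = width string, NUL, height string to end. */
int parse_scal(const unsigned char *data, size_t len, scal_t *out)
{
    if (data == NULL || out == NULL) return 1;
    /* Smallest valid chunk: unit byte, 1-char width, NUL, 1-char height. */
    if (len < 4) return 1;                         /* empty or truncated chunk */
    if (data[0] != 1 && data[0] != 2) return 2;    /* unknown unit specifier */

    /* Locate the separator inside the chunk bounds only. */
    const unsigned char *sep = memchr(data + 1, 0, len - 1);
    if (sep == NULL) return 3;                      /* no terminating zero */

    size_t wlen = (size_t)(sep - (data + 1));
    size_t hlen = len - (size_t)((sep + 1) - data);
    if (wlen == 0 || hlen == 0) return 4;          /* an empty string */
    if (wlen >= sizeof out->width || hlen >= sizeof out->height) return 5;
    if (memchr(sep + 1, 0, hlen) != NULL) return 6; /* stray NUL in height */

    memcpy(out->width, data + 1, wlen);
    out->width[wlen] = '\0';
    memcpy(out->height, sep + 1, hlen);
    out->height[hlen] = '\0';
    if (!is_png_float(out->width) || !is_png_float(out->height)) return 7;

    out->unit = data[0];
    return 0;
}

int main(void)
{
    /* Constructed sample chunk bodies (not from any real file). */
    const unsigned char good[]  = {1, '0', '.', '0', '1', '2', 0, '0', '.', '5'};
    const unsigned char nosep[] = {1, '1', '2', '3', '4'};
    scal_t s;
    char buf[64];

    printf("good  -> %d\n", parse_scal(good, sizeof good, &s));   /* 0 */
    printf("nosep -> %d\n", parse_scal(nosep, sizeof nosep, &s)); /* 3 */
    printf("empty -> %d\n", parse_scal(good, 0, &s));             /* 1 */
    report_error('\0', buf, sizeof buf);                          /* would be NULL */
    printf("%s|\n", buf);
    return 0;
}
```

The length check before `memchr` is the whole point: a parser that assumes the separator exists will walk off the end of an empty or unterminated chunk, which is the uninitialized read described in the comment above.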
Comment 2 • 13 years ago (Assignee)
I inadvertently omitted this one. We don't use png_rgb_to_gray() so this does not affect us. We also explicitly ignore the sCAL chunk so that one doesn't affect us either.

No CVE (CERT VRF#GPMUN5G0)
PDG RESPONSE: libpng overwrites unallocated memory when promoting a paletted image with transparency (one channel) to gray-alpha (two channels), only if the application calls png_rgb_to_gray() but fails to call png_set_expand() (we do not know of any such applications). This bug exists in all released versions of libpng (1.0, 1.2, 1.4 and 1.5). The data overwritten is entirely controlled by the image data in the PNG file and it is possible to cause any string of data to be written by fabricating an appropriate PNG file. The amount of overwrite is equal to the row length of the original image. This will be fixed in libpng-1.5.4, libpng-1.4.8, libpng-1.2.45, and libpng-1.0.55.
Comment 3 • 13 years ago (Assignee)
I believe that only DEBUG builds (when PR_LOG() actually does something) are vulnerable to the two error-processing vulnerabilities.
Comment 4 • 13 years ago (Assignee)
Also, builds that use the system libpng instead of our embedded one may be vulnerable to the png_error problems. They also are immune to the png_rgb_to_gray bug and the sCAL bug.

Incidentally, our nsPNGDecoder.cpp also sends a '\0' to the error logger instead of a pointer to an empty string. I'll open a bug for that.
Comment 5 • 13 years ago (Assignee)
Someone please run this through the Try-server.
Comment 6 • 13 years ago (Assignee)
The v01 patch also updates CHANGES, LICENSE, README, libpng.txt to 1.4.8.

Attachment #547032 - Attachment is obsolete: true
Comment 7 • 13 years ago
I'll push it to try.
Comment 8 • 13 years ago
Try run for e0263e9bd992 is complete. Detailed breakdown of the results available here: http://tbpl.mozilla.org/?tree=Try&rev=e0263e9bd992

Results: success: 9, warnings: 1. Total buildrequests: 10
Comment 10 • 13 years ago
No
Updated • 13 years ago (Assignee)
Keywords: checkin-needed
Comment 11 • 13 years ago
Can this land without review? What should the commit message say?
Comment 13 • 13 years ago (Assignee)
Comment on attachment 547043 [details] [diff] [review]
v01 Upgrade mozilla-central to libpng-1.4.8

Review of attachment 547043 [details] [diff] [review]:
-----------------------------------------------------------------

Attachment #547043 - Flags: review?(joe)
Comment 14 • 13 years ago
Glenn, could you please make sure this fix for png_handle_fcTL() is included: https://bugzilla.mozilla.org/attachment.cgi?id=525794&action=diff
Comment 15 • 13 years ago (Assignee)
@ryan, please "try" with the bug #624133 patch v07 on top of this v01 patch. That v07 patch was reviewed but apparently never checked in. It shouldn't matter in which order they are applied.
Comment 16 • 13 years ago
Comment on attachment 547043 [details] [diff] [review]
v01 Upgrade mozilla-central to libpng-1.4.8

Review of attachment 547043 [details] [diff] [review]:
-----------------------------------------------------------------

I haven't reviewed this, but I looked at CHANGES and nothing looked objectionable in any way. Consider this rs=joe

Attachment #547043 - Flags: review?(joe) → review+
Comment 18 • 13 years ago
For what it's worth, it would be nice to include patch metadata in attachments with checkin-needed...

In any case, pushed to mozilla-inbound: http://hg.mozilla.org/integration/mozilla-inbound/rev/e11c69bb7f5f
Flags: in-testsuite-
Keywords: checkin-needed
Comment 19 • 13 years ago
http://hg.mozilla.org/mozilla-central/rev/e11c69bb7f5f
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
Updated • 13 years ago
blocking1.9.2: --- → ?
Updated • 13 years ago
blocking1.9.2: ? → ---
status1.9.2: --- → wontfix