Update libjpeg-turbo to 1.2.x branch r831 (or later)

RESOLVED FIXED in Firefox 14

Status

Core
ImageLib

People

(Reporter: Justin Lebar (not reading bugmail), Assigned: Justin Lebar (not reading bugmail))

Tracking

({sec-other})

Trunk
mozilla16
sec-other

Firefox Tracking Flags

(firefox13 unaffected, firefox14 fixed, firefox15 fixed, firefox16 fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [sg:dupe 759802][advisory-tracking+])

Attachments

(2 attachments)

(Assignee)

Description

5 years ago
libjpeg-turbo 1.2.x r831 fixes a potential security vulnerability.  We should update ASAP.

Ryan, are you interested in doing this again?
(Assignee)

Updated

5 years ago
Blocks: 759802
I'm traveling until the end of next week. I can do it if nobody else does first.
(Assignee)

Updated

5 years ago
Summary: Update libjpeg to 1.2.x branch r831 (or later) → Update libjpeg-turbo to 1.2.x branch r831 (or later)
(Assignee)

Updated

5 years ago
Assignee: nobody → justin.lebar+bug
(Assignee)

Comment 2

5 years ago
Created attachment 630079 [details] [diff] [review]
Part 1: Update MOZCHANGES file.
Attachment #630079 - Flags: review?(jmuizelaar)
(Assignee)

Comment 3

5 years ago
Created attachment 630080 [details] [diff] [review]
Part 2: Update the code.

I'll probably fold these two csets together when I check them in, but I thought it would be easier to review separately.
Attachment #630080 - Flags: review?(jmuizelaar)
(Assignee)

Comment 4

5 years ago
The process I used to generate part 2 was:

 * Update my svn clone to r831
 * diff -r -U8 media/libjpeg ~/my/libjpeg-turbo/clone > ~/patch
 * Clean up ~/patch (remove spurious differences, e.g. because libjpeg-turbo has a different Makefile.in)
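
Added example (not part of this bug's comments and not Mozilla's tooling): one way to script the diff-and-clean-up workflow described in comment 4, run on constructed directory trees standing in for media/libjpeg and the upstream clone. The file names decoder.c, common.c and extra_tool.c and all function names are assumptions made for the demo, and `-x` assumes GNU or BSD diff.

```shell
#!/bin/sh
# Added example: names below (decoder.c, common.c, extra_tool.c) are constructed.

# Build two small trees standing in for media/libjpeg and the upstream clone.
make_demo_trees() {
    root=$(mktemp -d)
    mkdir -p "$root/vendored" "$root/upstream"
    printf 'int decode(void) { return 1; }\n' > "$root/vendored/decoder.c"
    printf 'int decode(void) { return 2; }\n' > "$root/upstream/decoder.c"
    printf 'shared\n' > "$root/vendored/common.c"
    printf 'shared\n' > "$root/upstream/common.c"
    printf 'in-tree build rules\n' > "$root/vendored/Makefile.in"
    printf 'upstream build rules\n' > "$root/upstream/Makefile.in"
    printf 'local notes\n' > "$root/vendored/MOZCHANGES"
    printf 'never imported\n' > "$root/upstream/extra_tool.c"
    echo "$root"
}

# vendor_diff VENDORED UPSTREAM: the diff from comment 4, minus spurious parts.
vendor_diff() {
    # -x skips files that legitimately differ in-tree. diff exits 1 when the
    # trees differ, so only a status of 2 or more is treated as failure.
    raw=$(diff -r -U8 -x Makefile.in -x MOZCHANGES "$1" "$2") \
        || [ $? -eq 1 ] || return 2
    [ -n "$raw" ] || return 0
    # Drop "Only in UPSTREAM..." lines (files never imported); keep any
    # "Only in VENDORED..." lines, since those are local additions to review.
    printf '%s\n' "$raw" | awk -v p="Only in $2" 'index($0, p) != 1'
}

# changed_files VENDORED UPSTREAM: relative paths the update would modify.
# Reads the per-file "diff -r ..." header lines; assumes no spaces in paths.
changed_files() {
    vendor_diff "$1" "$2" \
        | awk -v p="$2/" '/^diff /{ print substr($NF, length(p) + 1) }'
}

demo_root=$(make_demo_trees)
changed_files "$demo_root/vendored" "$demo_root/upstream"   # prints decoder.c
rm -rf "$demo_root"
```

Listing the changed files before reading the hunks gives a reviewer a quick check that a security-motivated library update touches only the files they expect.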
(Assignee)

Comment 5

5 years ago
https://tbpl.mozilla.org/?tree=Try&rev=26474b1d7fee
Attachment #630079 - Flags: review?(jmuizelaar) → review+
(Assignee)

Comment 6

5 years ago
Looks good on try; I'll land once I get r+ on the other patch.
Comment on attachment 630080 [details] [diff] [review]
Part 2: Update the code.

Review of attachment 630080 [details] [diff] [review]:
-----------------------------------------------------------------

Sure
Attachment #630080 - Flags: review?(jmuizelaar) → review+
(Assignee)

Comment 8

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/d10a38139eb8
Target Milestone: --- → mozilla16
(Assignee)

Comment 9

5 years ago
Comment on attachment 630080 [details] [diff] [review]
Part 2: Update the code.

[Approval Request Comment]
Security fix.  No string changes.

If we wanted a smaller patch, we could probably cherry-pick the fix from libjpeg-turbo, instead of upgrading wholesale.  But I think landing what we're landing in nightly onto branches makes sense, because that's what we're testing.

Happy to let this bake on trunk for a day or two, but nom'ing now so it's on everyone's radar.
Attachment #630080 - Flags: approval-mozilla-esr10?
Attachment #630080 - Flags: approval-mozilla-beta?
Attachment #630080 - Flags: approval-mozilla-aurora?
(Assignee)

Updated

5 years ago
status-firefox-esr10: --- → affected
status-firefox12: --- → affected
status-firefox13: --- → affected
status-firefox14: --- → affected
status-firefox15: --- → affected
status-firefox16: --- → affected
I would much rather have a targeted patch.
(Assignee)

Comment 11

5 years ago
(In reply to Joe Drew (:JOEDREW!) from comment #10)
> I would much rather have a targeted patch.

My concern is just that we're going to test the full r831 on Nightly, so we'd be introducing an effectively new version of the jpeg decoder just for branches.

Maybe DRC could verify for us that cherry-picking the fix is safe.  I'll post a patch.
(Assignee)

Comment 12

5 years ago
> I'll post a patch.

...to bug 759802.

Comment 13

5 years ago
830->831 does not depend on any prior patches, so it should be safe to apply it without any of the other 1.2.1 patches.
https://hg.mozilla.org/mozilla-central/rev/d10a38139eb8
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Group: core-security
Despite the approval requests here, do we want the smaller patch in bug 759802 instead? Definitely for ESR we'd want the small one, for Aurora we could go with this one, and Beta is a toss-up in my mind.
Keywords: sec-other
Whiteboard: [sg:dupe 759802]
(Assignee)

Comment 16

5 years ago
I think taking the smaller patch on Beta and ESR and the larger patch on Aurora would be fine, but I'd like the release drivers' input, since that effectively adds a second libjpeg upgrade, which adds some risk.
Comment on attachment 630080 [details] [diff] [review]
Part 2: Update the code.

Let's just take the patch in bug 759802 for all branches, and wait till FF16 to take the rest of the updates to libjpeg since there doesn't appear to be any significant user benefit at this time.
Attachment #630080 - Flags: approval-mozilla-esr10?
Attachment #630080 - Flags: approval-mozilla-esr10-
Attachment #630080 - Flags: approval-mozilla-beta?
Attachment #630080 - Flags: approval-mozilla-beta-
Attachment #630080 - Flags: approval-mozilla-aurora?
Attachment #630080 - Flags: approval-mozilla-aurora-
status-firefox-esr10: affected → unaffected
status-firefox12: affected → ---
status-firefox13: affected → unaffected
status-firefox14: affected → fixed
status-firefox15: affected → fixed
status-firefox16: affected → fixed
Whiteboard: [sg:dupe 759802] → [sg:dupe 759802][advisory-tracking+]
Group: core-security