Closed Bug 759891 Opened 7 years ago Closed 7 years ago

Update libjpeg-turbo to 1.2.x branch r831 (or later)

Categories

(Core :: ImageLib, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
mozilla16
Tracking Status
firefox13 --- unaffected
firefox14 --- fixed
firefox15 --- fixed
firefox16 --- fixed
firefox-esr10 --- unaffected

People

(Reporter: justin.lebar+bug, Assigned: justin.lebar+bug)

References

Details

(Keywords: sec-other, Whiteboard: [sg:dupe 759802][advisory-tracking+])

Attachments

(2 files)

libjpeg-turbo 1.2.x r831 fixes a potential security vulnerability.  We should update ASAP.

Ryan, are you interested in doing this again?
I'm traveling until the end of next week. I can do it if nobody else does first.
Summary: Update libjpeg to 1.2.x branch r831 (or later) → Update libjpeg-turbo to 1.2.x branch r831 (or later)
Assignee: nobody → justin.lebar+bug
Attachment #630079 - Flags: review?(jmuizelaar)
I'll probably fold these two csets together when I check them in, but I thought it would be easier to review separately.
Attachment #630080 - Flags: review?(jmuizelaar)
The process I used to generate part 2 was:

 * Update my svn clone to r831
 * diff -r -U8 media/libjpeg ~/my/libjpeg-turbo/clone > ~/patch
 * Clean up ~/patch (remove spurious differences, e.g. because libjpeg-turbo has a different Makefile.in)
Attachment #630079 - Flags: review?(jmuizelaar) → review+
Looks good on try; I'll land once I get r+ on the other patch.
Comment on attachment 630080 [details] [diff] [review]
Part 2: Update the code.

Review of attachment 630080 [details] [diff] [review]:
-----------------------------------------------------------------

Sure
Attachment #630080 - Flags: review?(jmuizelaar) → review+
Comment on attachment 630080 [details] [diff] [review]
Part 2: Update the code.

[Approval Request Comment]
Security fix.  No string changes.

If we wanted a smaller patch, we could probably cherry-pick the fix from libjpeg-turbo, instead of upgrading wholesale.  But I think landing what we're landing in nightly onto branches makes sense, because that's what we're testing.

Happy to let this bake on trunk for a day or two, but nom'ing now so it's on everyone's radar.
Attachment #630080 - Flags: approval-mozilla-esr10?
Attachment #630080 - Flags: approval-mozilla-beta?
Attachment #630080 - Flags: approval-mozilla-aurora?
I would much rather have a targeted patch.
(In reply to Joe Drew (:JOEDREW!) from comment #10)
> I would much rather have a targeted patch.

My concern is just that we're going to test the full r831 on Nightly, so we'd be introducing an effectively new version of the jpeg decoder just for branches.

Maybe DRC could verify for us that cherry-picking the fix is safe.  I'll post a patch.
> I'll post a patch.

...to bug 759802.
830->831 does not depend on any prior patches, so it should be safe to apply it without any of the other 1.2.1 patches.
https://hg.mozilla.org/mozilla-central/rev/d10a38139eb8
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Group: core-security
Despite the approval requests here, do we want the smaller patch in bug 759802 instead? Definitely for ESR we'd want the small one, for Aurora we could go with this one, and Beta is a toss-up in my mind.
Keywords: sec-other
Whiteboard: [sg:dupe 759802]
I think taking the smaller patch on Beta and ESR and the larger patch on Aurora would be fine, but I'd like the release drivers' input, since that effectively adds a second libjpeg upgrade, which adds some risk.
Comment on attachment 630080 [details] [diff] [review]
Part 2: Update the code.

Let's just take the patch in bug 759802 for all branches, and wait till FF16 to take the rest of the updates to libjpeg since there doesn't appear to be any significant user benefit at this time.
Attachment #630080 - Flags: approval-mozilla-esr10?
Attachment #630080 - Flags: approval-mozilla-esr10-
Attachment #630080 - Flags: approval-mozilla-beta?
Attachment #630080 - Flags: approval-mozilla-beta-
Attachment #630080 - Flags: approval-mozilla-aurora?
Attachment #630080 - Flags: approval-mozilla-aurora-
Whiteboard: [sg:dupe 759802] → [sg:dupe 759802][advisory-tracking+]
Group: core-security
You need to log in before you can comment on or make changes to this bug.