763990 - Branch 13 bundles vulnerable libpng

Status: RESOLVED WORKSFORME

(Core :: Graphics: ImageLib, defect)

Description

[andrew]

Libpng 1.5.9, bundled in branch 13.0, is vulnerable to CVE-2011-3048 (see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3048 & http://www.libpng.org/pub/png/src/libpng-1.5.10-README.txt).

The bundled version should be updated to version 1.5.10 across the board (firefox, thunderbird, etc.).

Comment 1

[Al Billings [:abillings - ex-MoCo]]

libpng was updated to 1.5.10 on April 25 for Mozilla Central. This means it is fixed in Firefox 15 and 16 now.

See bug 745178 and https://hg.mozilla.org/mozilla-central/rev/f22a06ee6a6e

Adding flags for affected versions (Firefox 14 and ESR).

Comment 2

[Al Billings [:abillings - ex-MoCo]]

Andrew, do you know of a testcase to check to see if we're vulnerable? We're not always susceptible to some of the png issues.

Comment 3

[Daniel Veditz [:dveditz]]

see bug 745178 comment from one of the libpng maintainers -- that CVE does not affect Firefox because it's in a feature we don't use.

Comment 4

[Daniel Veditz [:dveditz]]

repeating bug 745178 comment 0 for the convenience of linkability

"The main reason for the release was to fix CVE-2011-3048, but we aren't vulnerable to that."

Comment 5

[Daniel Veditz [:dveditz]]

See also bug 737502

Comment 6

[andrew]

I didn't drill down to see if png_set_text2 (where the problem lies) is used by Mozilla either directly or indirectly. Figured I'd report it just in case.

Good to know it isn't used - makes for an easy fix.

Comment 7

[Glenn Randers-Pehrson]

Not only is it not used, it is totally ignored via the png_set_keep_unknown_chunks() call in the PNG decoder.  Therefore even mozilla builds that use the "system" libpng instead of the bundled libpng are safe.