Bug 763990 - Branch 13 bundles vulnerable libpng
Status: RESOLVED WORKSFORME
Product: Core
Component: ImageLib
Version: 13 Branch
Hardware/OS: x86 Linux
Priority/Severity: -- critical
Assigned To: Nobody; OK to take it and work on it
Reported: 2012-06-12 09:14 PDT by andrew
Modified: 2012-06-12 17:18 PDT
Description andrew 2012-06-12 09:14:03 PDT
Libpng 1.5.9, bundled in branch 13.0, is vulnerable to CVE-2011-3048 (see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3048 & http://www.libpng.org/pub/png/src/libpng-1.5.10-README.txt).

The bundled version should be updated to version 1.5.10 across the board (firefox, thunderbird, etc.).
Comment 1 Al Billings [:abillings] 2012-06-12 11:35:16 PDT
libpng was updated to 1.5.10 on April 25 for Mozilla Central. This means it is fixed in Firefox 15 and 16 now.

See bug 745178 and https://hg.mozilla.org/mozilla-central/rev/f22a06ee6a6e

Adding flags for affected versions (Firefox 14 and ESR).
Comment 2 Al Billings [:abillings] 2012-06-12 11:38:16 PDT
Andrew, do you know of a testcase to check to see if we're vulnerable? We're not always susceptible to some of the png issues.
Comment 3 Daniel Veditz [:dveditz] 2012-06-12 11:39:49 PDT
See bug 745178 comment from one of the libpng maintainers -- that CVE does not affect Firefox because it's in a feature we don't use.
Comment 4 Daniel Veditz [:dveditz] 2012-06-12 11:41:23 PDT
Repeating bug 745178 comment 0 for the convenience of linkability:

"The main reason for the release was to fix CVE-2011-3048, but we aren't vulnerable to that."
Comment 5 Daniel Veditz [:dveditz] 2012-06-12 11:44:47 PDT
See also bug 737502
Comment 6 andrew 2012-06-12 16:05:17 PDT
I didn't drill down to see if png_set_text2 (where the problem lies) is used by Mozilla either directly or indirectly. Figured I'd report it just in case.

Good to know it isn't used - makes for an easy fix.
Comment 7 Glenn Randers-Pehrson 2012-06-12 17:18:36 PDT
Not only is it not used, it is totally ignored via the png_set_keep_unknown_chunks() call in the PNG decoder. Therefore even mozilla builds that use the "system" libpng instead of the bundled libpng are safe.