Issue metadata

Status: Fixed
Closed: Dec 2015
Pri: 1
Type: Bug-Security


Security: security vulnerabilities in libpng (CVE-2015-7981, CVE-2015-8126)

Reported by, Nov 23 2015

Issue description

The libpng copy that's bundled in Chromium is currently at version 1.2.52. This version is vulnerable to out-of-bounds reads and writes, as described on the libpng home page.
See CVE-2015-8126.

libpng should be updated to 1.2.54.
Status: Started

Comment 3 by, Nov 23 2015

Labels: Security_Severity-High Security_Impact-Stable Pri-1

Comment 4 by ClusterFuzz, Nov 23 2015

Labels: M-47

Comment 5 by, Nov 24 2015

Labels: Cr-Internals
Issue 561979 has been merged into this issue.
Summary: Security: security vulnerabilities in libpng (CVE-2015-7981, CVE-2015-8126) (was: Security: security vulnerabilities in libpng)
For the record, updating to 1.2.54 will address CVE-2015-7981 too.

Comment 8 by, Nov 29 2015

Can't find or access issue 561979 for some reason.
It's Restrict-View-SecurityTeam. I've CC'd you.

Comment 10 by, Dec 1 2015

Thanks, adding Matt and Leon. You guys may need to update Skia similarly, if you don't already have the fixed libpng there ...

Comment 11 by, Dec 1 2015

... the Chromium fix is for reference.

Comment 12 by, Dec 1 2015

The following revision refers to this bug:

commit 7f3d85b096f66870a15b37c2f40b219b2e292693
Author: mdempsky <>
Date: Tue Dec 01 00:48:53 2015

third_party/libpng: update to 1.2.54
BUG=560291

Review URL:

Cr-Commit-Position: refs/heads/master@{#362298}


Status: Fixed
Updated to 1.2.54. We'll still want to update to 1.2.55, but since that's not security relevant, I'm tracking it separately in issue 563803.

Comment 14 by ClusterFuzz, Dec 1 2015

Labels: -Restrict-View-SecurityTeam Merge-Triage M-48 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on

- Your friendly ClusterFuzz
Labels: -M-47 -Merge-Triage -M-48 merge-NA Release-0-M49 M-49
Spoke to mdempsky - we're going to let this roll in with M49 and not merge to M48.

Comment 16 by, Jan 9 2016


Comment 17 by, Jan 9 2016

mdempsky@  Not sure if the original report had any example images that tickled these sec-bugs? A stretch goal would be to get some examples and add them to our blink layout tests and also to ClusterFuzz.

Comment 18 by, Jan 9 2016

CVE-2015-7981 - Glen tested libpng on and made the following note:

"Note that only applications that call png_convert_to_rfc1123() are vulnerable."

Grepping our updated libpng code, there are no callers of that function, so CVE-2015-7981 was benign in Chrome.

Labels: -merge-NA reward-topanel merge-na
Adding reward-topanel label so that we can consider this report under the Chrome Reward program. Full details here:
Labels: -reward-topanel reward-unpaid Reward-500
Hi Joerg, just letting you know that our reward panel decided to award you $500 for bringing this issue to our attention. Congratulations!

We'll thank you in our Chrome 49 release notes as "joerg.bornemann". If you'd like to update the release notes to a different credit name, please let me know. I'll use CVE-2015-8126 to refer to this issue, as based on #18 it seems that CVE-2015-7981 didn't apply. 

Someone from our finance team will follow up within 7 days to collect payment details. If this doesn't happen, please either update this bug or email me at timwillis@

Thanks for your report and helping keep Chrome libraries up to date!
Cool, thanks!

Comment 22 by ClusterFuzz, Mar 8 2016

Labels: -Restrict-View-SecurityNotify
This security bug has been closed for more than 14 weeks. Removing view restrictions.

- Your friendly Sheriffbot
Labels: -reward-unpaid reward-inprocess

Comment 24 by, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot

Comment 25 by, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
