
Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Dec 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security




Security: security vulnerabilities in libpng (CVE-2015-7981, CVE-2015-8126)

Reported by joerg.bo...@gmail.com, Nov 23 2015

Issue description

VULNERABILITY DETAILS
The libpng copy that's bundled in chromium is currently at version 1.2.52. This version is vulnerable to out-of-bounds reads and writes as described on the libpng home page.
See CVE-2015-8126, http://www.libpng.org/pub/png/libpng.html

libpng should be updated to 1.2.54.
 
Cc: noel@chromium.org mdempsky@chromium.org infe...@chromium.org
Owner: mdempsky@chromium.org
Status: Started
;_;

Comment 3 by wfh@chromium.org, Nov 23 2015

Labels: Security_Severity-High Security_Impact-Stable Pri-1

Comment 4 by ClusterFuzz, Nov 23 2015

Labels: M-47

Comment 5 by wfh@chromium.org, Nov 24 2015

Labels: Cr-Internals
Issue 561979 has been merged into this issue.
Summary: Security: security vulnerabilities in libpng (CVE-2015-7981, CVE-2015-8126) (was: Security: security vulnerabilities in libpng)
For the record, updating to 1.2.54 will address CVE-2015-7981 too.

Comment 8 by noel@chromium.org, Nov 29 2015

Can't find or access issue 561979 for some reason.
It's Restrict-View-SecurityTeam.  I've CC'd you.

Comment 10 by noel@chromium.org, Dec 1 2015

Cc: scroggo@chromium.org msarett@chromium.org
Thanks, adding Matt and Leon.  You guys may need to update Skia similarly, if you don't already have the fixed libpng there ...

Comment 11 by noel@chromium.org, Dec 1 2015

... the Chromium fix is https://codereview.chromium.org/1467263003 for reference.

Comment 12 by bugdroid1@chromium.org, Dec 1 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7f3d85b096f66870a15b37c2f40b219b2e292693

commit 7f3d85b096f66870a15b37c2f40b219b2e292693
Author: mdempsky <mdempsky@chromium.org>
Date: Tue Dec 01 00:48:53 2015

third_party/libpng: update to 1.2.54

TBR=darin@chromium.org
BUG=560291

Review URL: https://codereview.chromium.org/1467263003

Cr-Commit-Position: refs/heads/master@{#362298}

[modify] http://crrev.com/7f3d85b096f66870a15b37c2f40b219b2e292693/third_party/libpng/LICENSE
[modify] http://crrev.com/7f3d85b096f66870a15b37c2f40b219b2e292693/third_party/libpng/README
[modify] http://crrev.com/7f3d85b096f66870a15b37c2f40b219b2e292693/third_party/libpng/README.chromium
[modify] http://crrev.com/7f3d85b096f66870a15b37c2f40b219b2e292693/third_party/libpng/png.c
[modify] http://crrev.com/7f3d85b096f66870a15b37c2f40b219b2e292693/third_party/libpng/png.h
[modify] http://crrev.com/7f3d85b096f66870a15b37c2f40b219b2e292693/third_party/libpng/pngconf.h
[modify] http://crrev.com/7f3d85b096f66870a15b37c2f40b219b2e292693/third_party/libpng/pngget.c
[modify] http://crrev.com/7f3d85b096f66870a15b37c2f40b219b2e292693/third_party/libpng/pngpread.c
[modify] http://crrev.com/7f3d85b096f66870a15b37c2f40b219b2e292693/third_party/libpng/pngread.c
[modify] http://crrev.com/7f3d85b096f66870a15b37c2f40b219b2e292693/third_party/libpng/pngrtran.c
[modify] http://crrev.com/7f3d85b096f66870a15b37c2f40b219b2e292693/third_party/libpng/pngrutil.c
[modify] http://crrev.com/7f3d85b096f66870a15b37c2f40b219b2e292693/third_party/libpng/pngset.c
[modify] http://crrev.com/7f3d85b096f66870a15b37c2f40b219b2e292693/third_party/libpng/pngwrite.c
[modify] http://crrev.com/7f3d85b096f66870a15b37c2f40b219b2e292693/third_party/libpng/pngwutil.c

Status: Fixed
Updated to 1.2.54.  We'll still want to update to 1.2.55, but since that's not security relevant, I'm tracking it separately in issue 563803.

Comment 14 by ClusterFuzz, Dec 1 2015

Labels: -Restrict-View-SecurityTeam Merge-Triage M-48 Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz
Labels: -M-47 -Merge-Triage -M-48 merge-NA Release-0-M49 M-49
Spoke to mdempsky - we're going to let this roll in with M49 and not merge to M48.

Comment 16 by noel@chromium.org, Jan 9 2016

SGTM.

Comment 17 by noel@chromium.org, Jan 9 2016

mdempsky@  Not sure if the original report had any example images that tickled these sec-bugs?  A stretch goal would be to get some examples and add them to our blink layout tests and also to ClusterFuzz.

Comment 18 by noel@chromium.org, Jan 9 2016

CVE-2015-7981 - Glen tested libpng on http://sourceforge.net/p/libpng/bugs/241/#b234 and made the following note:

 "Note that only applications that call png_convert_to_rfc1123() are vulnerable."

Grepping our updated libpng code, there are no callers of that function, so CVE-2015-7981 was benign in Chrome.
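The two checks this thread turns on, the bundled libpng version (the original report, 1.2.52 vs. the fixed 1.2.54) and whether the application actually calls the affected API (comment 18's grep for png_convert_to_rfc1123), are the routine audit for a vendored library. The script below is an added example, not code from the Chromium bug, the codereview or libpng: it builds a throwaway tree whose png.h and decode.c are constructed stand-ins (real libpng headers are far larger), reads PNG_LIBPNG_VER_STRING out of png.h, compares it against the fixed release, and counts call sites of a named function outside the library's own directory. The directory layout (third_party/libpng), the comment-stripping heuristic and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Chromium bug or from libpng): audit a source tree
# for the bundled libpng version and for application callers of a libpng API.
set -eu

# Build a constructed tree so the script runs offline. File contents are made
# up and only mimic the shape of a vendored libpng plus one application file.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/third_party/libpng" "$d/app"
    # Stand-in for third_party/libpng/png.h: version macro plus a declaration,
    # which a naive grep would otherwise count as a "caller".
    printf '#define PNG_LIBPNG_VER_STRING "1.2.52"\nextern png_charp png_convert_to_rfc1123(png_structp, png_timep);\n' \
        > "$d/third_party/libpng/png.h"
    # Stand-in application source: one live call and one commented-out call.
    printf 'void f(void) {\n  png_convert_to_rfc1123(p, t);\n  // png_convert_to_rfc1123(p, t);\n}\n' \
        > "$d/app/decode.c"
    echo "$d"
}

# Print the PNG_LIBPNG_VER_STRING value from the first png.h found under $1.
libpng_version() {
    hdr=$(find "$1" -name png.h | head -n 1)
    [ -n "$hdr" ] || { echo "png.h not found under $1" >&2; return 1; }
    sed -n 's/^#define PNG_LIBPNG_VER_STRING[[:space:]]*"\([^"]*\)".*/\1/p' "$hdr" | head -n 1
}

# Exit 0 if dotted version $1 is older than $2 (1.2.52 < 1.2.54), else 1.
# Pure awk so it does not depend on GNU sort -V.
version_older_than() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Count call sites of function $2 under tree $1, excluding the vendored libpng
# directory (its declaration and internals are not application callers) and
# lines that begin as comments. This is a first-pass heuristic: calls reached
# through macros or function pointers are not found, and calls inside strings
# or block comments that do not start the line are still counted.
count_callers() {
    grep -rIn --include='*.c' --include='*.cc' --include='*.cpp' --include='*.h' \
        "$2[[:space:]]*(" "$1" 2>/dev/null \
        | grep -v '/third_party/libpng/' \
        | grep -vE '^[^:]*:[0-9]+:[[:space:]]*(//|\*|/\*)' \
        | wc -l | tr -d ' '
}

# Report both findings for tree $1 against fixed version $2 and API $3.
audit_libpng() {
    tree=$1; fixed=$2; api=$3
    ver=$(libpng_version "$tree")
    if version_older_than "$ver" "$fixed"; then
        echo "bundled libpng $ver is older than $fixed: update"
    else
        echo "bundled libpng $ver is at or past $fixed"
    fi
    n=$(count_callers "$tree" "$api")
    echo "$api call sites outside libpng: $n"
}

tree=$(make_sample_tree)
audit_libpng "$tree" 1.2.54 png_convert_to_rfc1123
rm -rf "$tree"
```

On the constructed tree this reports the 1.2.52 copy as needing the update and finds exactly one live png_convert_to_rfc1123 call site, since the declaration in png.h and the commented-out line are filtered. A zero count is the situation comment 18 describes; it argues the CVE is unreachable, but only as strongly as the grep heuristic, so for a real tree confirm with the linker (an unreferenced symbol is dropped) or a compile-time check before marking a CVE as not applicable.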

Labels: -merge-NA reward-topanel merge-na
Adding reward-topanel label so that we can consider this report under the Chrome Reward program. Full details here: https://www.google.com/about/appsecurity/chrome-rewards/
Cc: timwillis@chromium.org
Labels: -reward-topanel reward-unpaid Reward-500
Hi Joerg, just letting you know that our reward panel decided to award you $500 for bringing this issue to our attention. Congratulations!

We'll thank you in our Chrome 49 release notes as "joerg.bornemann". If you'd like to update the release notes to a different credit name, please let me know. I'll use CVE-2015-8126 to refer to this issue, as based on #18 it seems that CVE-2015-7981 didn't apply. 

Someone from our finance team will follow-up within 7 days to collect payment details. If this doesn't happen, please either update this bug or email me at timwillis@

Thanks for your report and helping keep Chrome libraries up to date!
Cool, thanks!

Comment 22 by ClusterFuzz, Mar 8 2016

Labels: -Restrict-View-SecurityNotify
This security bug has been closed for more than 14 weeks. Removing view restrictions.

- Your friendly Sheriffbot
Labels: -reward-unpaid reward-inprocess

Comment 24 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 25 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
