
Issue 677930


Issue metadata

Status: WontFix
Owner:
Last visit > 30 days ago
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug

Chrome/ChromeOS uses vulnerable version of libpng

Reported by steffz...@gmail.com, Jan 3 2017

Issue description

UserAgent: Mozilla/5.0 (X11; CrOS x86_64 9000.29.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.28 Safari/537.36
Platform: 9000.29.0 (Official Build) beta-channel edgar

Steps to reproduce the problem:
1. visit chrome://os-credits/ and note libpng version 1.6.25
2. read vulnerability report https://www.cert-bund.de/advisoryshort/CB-K17-0003
3. notice that versions prior to 1.6.27 are vulnerable

What is the expected behavior?
Chrome should use software without known and corrected vulnerabilities.

What went wrong?
See https://www.cert-bund.de/advisoryshort/CB-K17-0003

Did this work before? N/A 

Chrome version: 56.0.2924.28  Channel: beta
OS Version: 9000.29.0
Flash Version:
 
Components: Internals>Images>Codecs
The cited vulnerability doesn't sound terribly interesting, but perhaps there are other fixes since the shipping version. https://cs.chromium.org/chromium/src/third_party/libpng/png.h?q=libpng&sq=package:chromium&l=4 seems to be version 1.6.22

https://sourceforge.net/p/png-mng/mailman/message/35575076/
These all fix a potential "NULL dereference" bug that has existed in libpng
since version 0.71 of June 26, 1995.  To be vulnerable, an application
has to load a text chunk into the png structure, then delete all text, then
add another text chunk to the same png structure, which seems to be
an unlikely sequence, but it has happened.
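A practitioner's first question on reading this is whether a given build ships an affected libpng. The check below is an added example, not code from the issue or from Chromium: it reads PNG_LIBPNG_VER_STRING from a png.h header (the constructed sample mirrors the 1.6.22 value linked above) and compares it against the 1.6.27 threshold the advisory states, treating beta/rc tags as earlier than the final release.

```python
import re

# Threshold taken from the advisory cited in the issue: releases before 1.6.27 are affected.
FIXED_VERSION = (1, 6, 27, True)

# Constructed png.h fragment; the real header defines this macro in the same form.
SAMPLE_PNG_H = '''\
/* png.h - header file for PNG reference library */
#define PNG_LIBPNG_VER_STRING "1.6.22"
#define PNG_LIBPNG_VER 10622
'''

VER_DEFINE_RE = re.compile(r'#define\s+PNG_LIBPNG_VER_STRING\s+"([^"]+)"')
VER_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:(beta|rc)(\d+))?')


def version_from_header(header_text: str) -> str:
    """Return the version string declared by PNG_LIBPNG_VER_STRING."""
    m = VER_DEFINE_RE.search(header_text)
    if m is None:
        raise ValueError("PNG_LIBPNG_VER_STRING not found in header")
    return m.group(1)


def parse_libpng_version(ver: str) -> tuple:
    """Map '1.6.22' or '1.6.27beta01' to a sortable tuple.

    The fourth element is True for a final release and False for a
    beta/rc, so a pre-release sorts before the final release it precedes.
    """
    m = VER_RE.fullmatch(ver)
    if m is None:
        raise ValueError(f"unrecognised libpng version string: {ver!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, m.group(4) is None)


def is_fixed(ver: str) -> bool:
    """True if this version is at or past the release that carries the fix."""
    return parse_libpng_version(ver) >= FIXED_VERSION


if __name__ == "__main__":
    shipped = version_from_header(SAMPLE_PNG_H)
    state = "fixed" if is_fixed(shipped) else "affected, update libpng"
    print(f"libpng {shipped}: {state}")
```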
Cc: scroggo@chromium.org
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Owner: msarett@chromium.org
Status: Assigned (was: Unconfirmed)
We don't consider NULL dereferences to be a security bug because they are not exploitable (see http://dev.chromium.org/Home/chromium-security/reporting-security-bugs, "Signs A Crash Is Not A Security Bug").

That said, what elawrence@ writes at #1 is relevant and we should probably update libpng.
Status: WontFix (was: Assigned)
Sure, we should absolutely keep our copy of libpng up to date.

However, I can verify that we do not do the sequence of operations described in #1, so we are not vulnerable.

Closing this bug.
