Opened 9 years ago

Closed 9 years ago

Last modified 3 years ago

#5144 closed defect (fixed)

Another libpng security hole

Reported by: rransom
Owned by: erinn
Priority: Immediate
Milestone:
Component: Applications/Tor bundles/installation
Version:
Severity: Normal
Keywords:
Cc: Sebastian
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


libpng (1.2.44-1+squeeze2) stable-security; urgency=high

  * Fix integer overflow (chromium #112822)

 -- Moritz Muehlenhoff <jmm@pisco>  Wed, 15 Feb 2012 18:07:34 +0000

We ship libpng in TBB for Linux. Do we ship a copy anywhere else?

Change History (7)

comment:1 Changed 9 years ago by erinn

No, we only use libpng on Linux, and we only began using it there for Arch Linux users, if I'm remembering correctly.

I'll begin making the new bundles.

comment:2 Changed 9 years ago by rransom

Does Firefox's source tarball contain a copy of libpng to be used on Windows? If so, we will need to update that or delete it as well.

comment:3 Changed 9 years ago by Sebastian

Firefox ships a copy too old to be vulnerable here.

comment:4 Changed 9 years ago by Sebastian

And just as I say that, maybe the information about the affected libpng versions is wrong. Firefox just updated to 10.0.2.

comment:5 Changed 9 years ago by erinn

I've updated Windows and OSX (Windows will be uploaded soon), but I just realized I have to rebuild Qt for the Linux bundles, so they'll be a bit longer...

comment:6 Changed 9 years ago by rransom

Resolution: fixed
Status: new → closed

We think this is fixed in TBB 2.2.35-7 for MacOS i386, TBB 2.2.35-7.1 for MacOS AMD64 and Windows, and TBB 2.2.35-7.2 for Linux.

comment:7 Changed 3 years ago by teor

Severity: Normal

Set all tickets without a severity to "Normal"