Bugs: K-Meleon Forum
libpng integer overflow
Posted by: guenter
Date: March 18, 2012 03:27AM

On Friday, March 16, 2012 5:12 AM Doon wrote to undisclosed recipients.

Quote
Doon
If I were to post a security alert in the forum today, to force public awareness, I would post the following: (btw, the securelist and bugzilla links are worth reading)


February 16, 2012 - "The libpng graphics library, used by Firefox and Thunderbird as well as many other software packages, contains an exploitable integer overflow bug. An attacker could craft malicious images which exploit this bug, and deliver them to users through websites or email messages. This bug is remotely exploitable and can lead to arbitrary code execution. Firefox, Thunderbird and Seamonkey users could be attacked simply by displaying a maliciously crafted image."

Advisories:
http://blog.mozilla.com/security/2012/02/17/mozilla-releases-to-address-cve-2011-3026/
http://www.securelist.com/en/advisories/48026

Technical details:
https://bugzilla.mozilla.org/show_bug.cgi?id=727401
http://www.libpng.org/pub/png/libpng.html


Some days before that, Tuesday, March 13, 2012 10:02 AM, Doon had submitted a detailed bug description which pointed to a way for a fix.


The problem files were patched BTW replaced with code files from Firefox 3.6.27/3.6.28.
Unpacked code Tarball: C:/Mozilla-1.9.2/modules/libimg/png/...

The resulting compiled files were tested by Doon, JamesD... on Win98, Win7/32bit, XPSP3.

This fix is not official! You can however download the fixed files from:

http://dhost.info/kmeleonskins/imglib2_1.5.4/imglib2.dll That file is for GRE 1.8.x = K-Meleon 1.5.4!

http://dhost.info/kmeleonskins/imglib2_1.6/imglib2.dll That file is for GRE 1.9.1.x = K-Meleon 1.6.betas!

The files are provided without any warranties that they are fit for use or anything else under K-Meleon's customary GNU license & under the following additional conditions.

Before use, You must back up Your ./components/imglib2.dll in case the downloaded one is not compatible. After download, You must virus-scan the downloaded file with Your own updated anti-virus software.

Before first use, You must delete Your ./components/compreg.dat and xpti.dat.
In rare cases, keeping the old files has caused a crash. K-Meleon will write these 2 files anew with updated info every time they are deleted.



Edited 2 time(s). Last edit at 03/19/2012 09:08PM by guenter.
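The bug class behind the advisory quoted above, as an added illustration that is not libpng's code and was not posted in this thread: an image decoder computes a buffer size from attacker-controlled header fields in 32-bit arithmetic, the product wraps around, and the decoder allocates far less than it later writes. The hardened version rejects out-of-range fields first and then checks every arithmetic step, returning failure instead of a wrapped size. The field names, the `mul_checked`/`add_checked` helpers and the `MAX_DIMENSION`/`MAX_IMAGE_BYTES` caps are assumptions made for this example, not libpng's API.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not libpng's code): an illustrative decoder size computation.
 * Header field names and limits are assumptions for the example only. */

/* Naive size computation: every operand is 32-bit, so the products silently
 * wrap modulo 2^32 and a huge image can yield a tiny (even 1-byte) size. */
size_t naive_image_bytes(uint32_t width, uint32_t height, uint32_t bytes_per_pixel)
{
    uint32_t row = width * bytes_per_pixel;   /* may wrap */
    uint32_t total = (row + 1) * height;      /* +1 for the per-row filter byte; may wrap */
    return (size_t)total;
}

/* Portable overflow-checked multiply: false on overflow, *out untouched. */
bool mul_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Portable overflow-checked add: false on overflow, *out untouched. */
bool add_checked(size_t a, size_t b, size_t *out)
{
    if (b > SIZE_MAX - a)
        return false;
    *out = a + b;
    return true;
}

/* Assumed decoder caps. A real decoder exposes such limits as configurable
 * values so an image cannot force allocations far beyond what the host expects. */
#define MAX_DIMENSION   (1u << 20)    /* assumed cap: 1,048,576 pixels per side */
#define MAX_IMAGE_BYTES (256u << 20)  /* assumed cap: 256 MiB of pixel data */

/* Hardened size computation: validate the header fields, then check each step.
 * Returns false (and leaves *out untouched) on overflow or over-limit sizes. */
bool checked_image_bytes(uint32_t width, uint32_t height, uint32_t bytes_per_pixel, size_t *out)
{
    if (width == 0 || height == 0 || bytes_per_pixel == 0 || bytes_per_pixel > 8)
        return false;
    if (width > MAX_DIMENSION || height > MAX_DIMENSION)
        return false;

    size_t row, row_plus_filter, total;
    if (!mul_checked(width, bytes_per_pixel, &row))
        return false;
    if (!add_checked(row, 1, &row_plus_filter))
        return false;
    if (!mul_checked(row_plus_filter, height, &total))
        return false;
    if (total > MAX_IMAGE_BYTES)
        return false;

    *out = total;
    return true;
}

int main(void)
{
    /* Constructed header values: 2^30 pixels wide, 4 bytes per pixel, one row.
     * width * bytes_per_pixel == 2^32, which wraps to 0 in 32-bit arithmetic. */
    uint32_t w = 1u << 30, h = 1, bpp = 4;
    printf("naive size for %" PRIu32 " x %" PRIu32 " x %" PRIu32 ": %zu byte(s)\n",
           w, h, bpp, naive_image_bytes(w, h, bpp));

    size_t n;
    if (checked_image_bytes(w, h, bpp, &n))
        printf("checked size: %zu bytes\n", n);
    else
        printf("checked: header rejected (overflow or over limit)\n");
    return 0;
}
```

The naive path reports 1 byte for a row that is actually 4 GiB wide, which is exactly the shape of "crafted image, undersized buffer, memory corruption"; the checked path refuses the header before any allocation happens.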

Re: libpng integer overflow
Posted by: _Doon
Date: March 18, 2012 04:25AM

Thank you for researching, compiling
and providing the fix, Guenter!

I can confirm the new DLL for Gecko 1.8.x
works flawlessly in K-Meleon 1.5.3 and 1.5.4.

Re: libpng integer overflow
Posted by: JohnHell
Date: March 18, 2012 04:58AM

1.6b2.4 (JamesD) under Windows 2000, first contact, no problem.

Re: libpng integer overflow
Posted by: guenter
Date: March 18, 2012 05:04AM

Quote
_Doon
Thank you for researching,

I did not research.


What is wrong with Your forum profile? You chose a new aka.


Quote
JohnHell
1.6b2.4 (JamesD) under Windows 2000, first contact, no problem.

Thx for trying and testing under Win2000.



BTW My chosen nick is guenter. All lower case.



Edited 1 time(s). Last edit at 03/18/2012 05:08AM by guenter.

Re: libpng integer overflow
Posted by: _Doon
Date: March 18, 2012 06:49AM

Thanks again for your efforts, guenter.

To momentarily drift off-topic regarding your replies above: I used the word "research" to briefly refer to the preliminary technical work and code discovery necessary for you to compile and provide the security fix, and I apologise for the errant capitalization of your nickname; first-letter capitalization is a habit. Lastly, I deliberately abandoned my forum profile in 2010, and thus my habit for the forum at the time. As a Win98 user with obsolete hardware I no longer consider myself relevant to KM or the computing world at large, but after reading about the potential seriousness of this widespread libpng vulnerability I decided to make contact. End of topic. ;) Cheers.

Re: libpng integer overflow
Posted by: guenter
Date: March 18, 2012 03:06PM

Quote
_Doon
Thanks again for your efforts, guenter.

To momentarily drift off-topic regarding your replies above: I used the word "research" to briefly refer to the preliminary technical work and code discovery necessary for you to compile and provide the security fix, and I apologise for the errant capitalization of your nickname; first-letter capitalization is a habit. Lastly, I deliberately abandoned my forum profile in 2010, and thus my habit for the forum at the time. As a Win98 user with obsolete hardware I no longer consider myself relevant to KM or the computing world at large, but after reading about the potential seriousness of this widespread libpng vulnerability I decided to make contact. End of topic. ;) Cheers.

The info provided by Your research led to finding the relevant fixes.

No apology about writing nicks needed, I just wanted to mention it.

Your contributions could still be relevant and valuable, especially to other users with Win98 hardware.

siria is not here any more - so nobody can counsel on Win98.



Edited 1 time(s). Last edit at 03/19/2012 09:06PM by guenter.

Re: libpng integer overflow
Posted by: km2
Date: March 19, 2012 08:24PM

Thanks, guys!

Re: libpng integer overflow
Posted by: Fred
Date: March 21, 2012 09:27PM

Thanks for the fix. It works OK for me.
By the way: in my variation based on Firefox 3.6.28
the file replacement is not necessary, because the
updated imglib2.dll is already included in the big xul.dll
from Firefox, and not anymore in the folder components.
In Linux I also had to update (in some distros replace
manually) the file libpng12.so.0 (libpng12.so.0.44.0)
and the symbolic links to it.

Fred

Re: libpng integer overflow
Posted by: guenter
Date: March 22, 2012 01:02AM

Quote
Fred
Thanks for the fix. It works OK for me.
By the way: in my variation based on Firefox 3.6.28
the file replacement is not necessary, because the
updated imglib2.dll is already included in the big xul.dll
from Firefox, and not anymore in the folder components.

In Linux I also had to update (in some distros replace
manually) the file libpng12.so.0 (libpng12.so.0.44.0)
and the symbolic links to it.

Fred

1.) Good if it works.

2.) The updated files are for GRE 1.8.x and GRE 1.9.1.x respectively.

Based on Firefox 3.6.28 means that it is based on GRE 1.9.2.28.
Folks that use 1.7 would have to update to the GRE You used in Your update.


If anyone is interested in an imglib2.dll for GRE 1.9.2.x compiled with the options

ac_add_options --disable-static
ac_add_options --disable-libxul
ac_add_options --enable-shared

- that are the original 1.7.alpha GREs with no big XUL.dll - imglib2.dll can be created.

3.) Thx for the Linux info.



Edited 1 time(s). Last edit at 03/22/2012 02:22AM by guenter.
