Quote
Doon
If I were to post a security alert in the forum today, to force public awareness, I would post the following: (btw, the securelist and bugzilla links are worth reading)
February 16, 2012 - "The libpng graphics library, used by Firefox and Thunderbird as well as many other software packages, contains an exploitable integer overflow bug. An attacker could craft malicious images which exploit this bug, and deliver them to users through websites or email messages. This bug is remotely exploitable and can lead to arbitrary code execution. Firefox, Thunderbird and Seamonkey users could be attacked simply by displaying a maliciously crafted image."
Advisories:
http://blog.mozilla.com/security/2012/02/17/mozilla-releases-to-address-cve-2011-3026/
http://www.securelist.com/en/advisories/48026
Technical details:
https://bugzilla.mozilla.org/show_bug.cgi?id=727401
http://www.libpng.org/pub/png/libpng.html
Quote
_Doon
Thank you for researching,
Quote
JohnHell
1.6b2.4 (JamesD) under Windows 2000, first contact, no problem.
Quote
_Doon
Thanks again for your efforts, guenter.
To momentarily drift off-topic regarding your replies above: I used the word "research" to briefly refer to the preliminary technical work and code discovery necessary for you to compile and provide the security fix, and I apologise for the errant capitalization of your nickname; first-letter capitalization is a habit. Lastly, I deliberately abandoned my forum profile in 2010, and thus my habit for the forum at the time. As a Win98 user with obsolete hardware I no longer consider myself relevant to KM or the computing world at large, but after reading about the potential seriousness of this widespread libpng vulnerability I decided to make contact. End of topic. Cheers.
Quote
Fred
Thanks for the fix. It works OK for me.
By the way: in my variation based on Firefox 3.6.28 the file replacement is not necessary, because the updated imglib2.dll is already included in the big xul.dll from Firefox, and not anymore in the folder components.
In Linux I also had to update (in some distros replace manually) the file libpng12.so.0 (libpng12.so.0.44.0) and the symbolic links to it.
Fred
Quote
guenter
The problem files were patched BTW replaced with code files from Firefox 3.6.27/3.6.28.
Unpacked code Tarball: C:/Mozilla-1.9.2/modules/libimg/png/...
The resulting compiled files were tested by Doon, JamesD... Win98, Win7/32bit, XPSP3.
This fix is not official! You can however download the fixed files from:
http://dhost.info/kmeleonskins/imglib2_1.5.4/imglib2.dll That file is for GRE 1.8.x = K-Meleon 1.5.4!
http://dhost.info/kmeleonskins/imglib2_1.6/imglib2.dll That file is for GRE 1.9.1.x = K-Meleon 1.6.betas!
The files are provided without any warranties that they are fit for use or anything else under K-Meleon's customary GNU license & under the following additional conditions.