Context Navigation

← Previous Ticket
Next Ticket →

#544 closed task (fixed)

update libpng and libjpeg in binary builds

Reported by:	Antoine Martin	Owned by:	Smo
Priority:	major	Milestone:
Component:	platforms	Version:
Keywords:		Cc:

Description (last modified by Antoine Martin)

We don't use libpng or libjpeg all that much, most of the picture format parsing is done using Pillow, but there are still codepaths that rely on GTK for parsing (ie: window icons), and GTK uses those libraries. In some recent OSX builds, Pillow had gone missing because of packaging issues (see ticket:500#comment:16), which means that we ended up using the GTK fallback.

The problem is that there are many security issues in libpng (and probably also in libjpeg), just look at the libpng home page which is full of CVE entries... So all in all, it isn't too difficult for a hostile server to use PNG or JPEG to attack the client.

For OSX, it isn't too bad, we can probably bump the libpng version in the moduleset (see #533), but for win32... building (Py)GTK from source is very hard, and updating the libpng14-14.dll in place may not be possible.. Ouch! One way to solve this is #300 ("setup a proper build infrastructure for win32 builds")

libjpeg seems to very very slow at making new releases, so maybe we can switch to one of those instead (assuming that those are API compatible):

Change History (7)

comment:1 Changed 7 years ago by Antoine Martin

Description:	modified (diff)

I've bumped by OSX build to libpng-1.6.10 as part of testing for #533 and it seems to work fine, libjpeg can probably be bumped the same way. So OSX isn't too much of a problem.

win32 on the other hand...

comment:2 Changed 7 years ago by Antoine Martin

I've updated my OSX build environment with:

libjpeg-turbo-1.3.1
tiff-4.0.3
libpng-1.6.10

Then:

rebuild gdk-pixbuf:
```
jhbuild buildone -f gdk-pixbuf
```

rebuild Pillow (which does link against libjpeg):

rm -fr ~/gtk/inst/lib/python2.7/site-packages/Pillow* 
easy_install -U Pillow

And it seems OK now.

For reference, you can find the full list of .dylibs and .sos that use those libraries with command lines like:

cd;clear;reset;find gtk/inst/lib -name "*so" -ls -exec otool -L {} \; | egrep "^gtk/inst|jpeg"

Last edited 7 years ago by Antoine Martin (previous) (diff)

comment:3 Changed 7 years ago by Antoine Martin

Owner:	changed from Antoine Martin to Smo

Please update your build environment as per above, preferably by merging the new versions in the moduleset as per #533 - then close this ticket.

For win32, this will have to be done as part of #300 (updated and re-scheduled).

comment:4 Changed 7 years ago by Smo

I did merge these into the moduleset however I think by adding these to .jhbuildrc-custom might also work

branches["libjpeg"] = "http://softlayer-dal.dl.sourceforge.net/project/libjpeg-turbo/1.3.1/libjpeg-turbo-1.3.1.tar.gz"
branches["libpng"] = "http://softlayer-dal.dl.sourceforge.net/project/libpng/libpng16/1.6.10/libpng-1.6.10.tar.gz"
branches["libtiff"] = "http://download.osgeo.org/libtiff/tiff-4.0.3.tar.gz"

It seem to have compiled those versions on my system when building the rest of gtk so that might be an easier way for osx.

comment:5 Changed 7 years ago by Antoine Martin

Resolution:	→ fixed
Status:	new → closed

The versions in the binary win32 GTK3 builds (see #90) are reasonably up to date, and we should be able to update them more easily, if not build the whole thing from source. The OSX ones are updated as per above, will be tracked in #533.

So I think we can close this.