summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2016-03-15 06:17:13 (GMT)
committerPaul Vaduva <Paul.Vaduva@enea.com>2016-03-17 12:27:37 (GMT)
commite556bbcee03a7ffab00b3748f3370be7f915c772 (patch)
tree24289fc33e88e2e2c7bfffd5a7c953568cb84ae0
parent0b13cc2376a5bf69fcbf809ddad8a4bf928970be (diff)
downloadpoky-e556bbcee03a7ffab00b3748f3370be7f915c772.tar.gz
libpng: CVE-2015-8126
Fixes buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8126 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8126 Upstream patches: https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766 https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978 https://github.com/glennrp/libpng/commit/83f4c735c88e7f451541c1528d8043c31ba3b466 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Paul Vaduva <Paul.Vaduva@enea.com>
-rw-r--r--meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch69
-rw-r--r--meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch88
-rw-r--r--meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch79
-rw-r--r--meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_4.patch48
-rw-r--r--meta/recipes-multimedia/libpng/libpng_1.6.13.bb6
5 files changed, 290 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch
new file mode 100644
index 0000000..7d4c3fe
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch
@@ -0,0 +1,69 @@
1From 81f44665cce4cb1373f049a76f3904e981b7a766 Mon Sep 17 00:00:00 2001
2From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
3Date: Thu, 29 Oct 2015 09:26:41 -0500
4Subject: [PATCH] [libpng16] Reject attempt to write over-length PLTE chunk
5
6Upstream-Status: Backport
7https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766
8
9CVE: CVE-2015-8126 patch #1
10
11Signed-off-by: Armin Kuster <akuster@mvista.com>
12Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
13
14diff -ruN a/libpng.3 b/libpng.3
15--- a/libpng.3 2014-08-21 12:53:36.000000000 +0200
16+++ b/libpng.3 2016-03-14 12:32:29.071935164 +0100
17@@ -5611,6 +5611,11 @@
18 chunk. This error was fixed in libpng-1.6.3, and a tool (called
19 contrib/tools/png-fix-itxt) has been added to the libpng distribution.
20
21+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
22+is an error. Previously this requirement of the PNG specification was not
23+enforced. Libpng continues to accept over-length PLTE chunks when reading,
24+but does not make any use of the extra entries.
25+
26 .SH XIII. Detecting libpng
27
28 The png_get_io_ptr() function has been present since libpng-0.88, has never
29diff -ruN a/libpng-manual.txt b/libpng-manual.txt
30--- a/libpng-manual.txt 2014-08-21 12:53:36.000000000 +0200
31+++ b/libpng-manual.txt 2016-03-14 12:32:29.067935336 +0100
32@@ -5107,6 +5107,11 @@
33 chunk. This error was fixed in libpng-1.6.3, and a tool (called
34 contrib/tools/png-fix-itxt) has been added to the libpng distribution.
35
36+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
37+is an error. Previously this requirement of the PNG specification was not
38+enforced. Libpng continues to accept over-length PLTE chunks when reading,
39+but does not make any use of the extra entries.
40+
41 XIII. Detecting libpng
42
43 The png_get_io_ptr() function has been present since libpng-0.88, has never
44diff -ruN a/pngwutil.c b/pngwutil.c
45--- a/pngwutil.c 2014-08-21 12:53:37.000000000 +0200
46+++ b/pngwutil.c 2016-03-14 12:35:00.001454124 +0100
47@@ -919,17 +919,20 @@
48 png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
49 png_uint_32 num_pal)
50 {
51- png_uint_32 i;
52+ png_uint_32 max_num_pal, i;
53 png_const_colorp pal_ptr;
54 png_byte buf[3];
55
56 png_debug(1, "in png_write_PLTE");
57
58+ max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
59+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
60+
61 if ((
62 #ifdef PNG_MNG_FEATURES_SUPPORTED
63 !(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) &&
64 #endif
65- num_pal == 0) || num_pal > 256)
66+ num_pal == 0) || num_pal > max_num_pal)
67 {
68 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
69 {
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch
new file mode 100644
index 0000000..69cb565
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch
@@ -0,0 +1,88 @@
1From a901eb3ce6087e0afeef988247f1a1aa208cb54d Mon Sep 17 00:00:00 2001
2From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
3Date: Fri, 30 Oct 2015 07:57:49 -0500
4Subject: [PATCH] [libpng16] Prevent reading over-length PLTE chunk (Cosmin
5 Truta).
6
7Upstream-Status: Backport
8https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d
9
10Many changes involved date and version updates with don't apply in this case.
11
12CVE: CVE-2015-8126 patch #2
13Signed-off-by: Armin Kuster <akuster@mvista.com>
14Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
15
16diff -ruN a/pngrutil.c b/pngrutil.c
17--- a/pngrutil.c 2014-08-21 12:53:36.000000000 +0200
18+++ b/pngrutil.c 2016-03-14 13:05:12.419581068 +0100
19@@ -997,6 +997,9 @@
20 * confusing.
21 *
22 * Fix this by not sharing the palette in this way.
23+ *
24+ * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
25+ * it attempts to set a palette length that is too large for the bit depth.
26 */
27 png_set_PLTE(png_ptr, info_ptr, palette, num);
28
29diff -ruN a/pngset.c b/pngset.c
30--- a/pngset.c 2014-08-21 12:53:36.000000000 +0200
31+++ b/pngset.c 2016-03-14 13:05:12.439580208 +0100
32@@ -503,12 +503,17 @@
33 png_const_colorp palette, int num_palette)
34 {
35
36+ png_uint_32 max_palette_length;
37+
38 png_debug1(1, "in %s storage function", "PLTE");
39
40 if (png_ptr == NULL || info_ptr == NULL)
41 return;
42
43- if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)
44+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
45+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
46+
47+ if (num_palette < 0 || num_palette > max_palette_length)
48 {
49 if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
50 png_error(png_ptr, "Invalid palette length");
51@@ -541,8 +546,8 @@
52 png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
53
54 /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
55- * of num_palette entries, in case of an invalid PNG file that has
56- * too-large sample values.
57+ * of num_palette entries, in case of an invalid PNG file or incorrect
58+ * call to png_set_PLTE() with too-large sample values.
59 */
60 png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
61 PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
62diff -ruN a/pngwutil.c b/pngwutil.c
63--- a/pngwutil.c 2016-03-14 13:01:23.433428517 +0100
64+++ b/pngwutil.c 2016-03-14 13:07:42.933108329 +0100
65@@ -919,20 +919,20 @@
66 png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
67 png_uint_32 num_pal)
68 {
69- png_uint_32 max_num_pal, i;
70+ png_uint_32 max_palette_length, i;
71 png_const_colorp pal_ptr;
72 png_byte buf[3];
73
74 png_debug(1, "in png_write_PLTE");
75
76- max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
77+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
78 (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
79
80 if ((
81 #ifdef PNG_MNG_FEATURES_SUPPORTED
82 !(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) &&
83 #endif
84- num_pal == 0) || num_pal > max_num_pal)
85+ num_pal == 0) || num_pal > max_palette_length)
86 {
87 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
88 {
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch
new file mode 100644
index 0000000..0e0ad23
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch
@@ -0,0 +1,79 @@
1From 1bef8e97995c33123665582e57d3ed40b57d5978 Mon Sep 17 00:00:00 2001
2From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
3Date: Fri, 30 Oct 2015 11:34:37 -0500
4Subject: [PATCH] [libpng16] Silently truncate over-length PLTE chunk while
5 reading.
6
7Upstream-Status: Backport
8https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978
9
10Normal Issues is date and version conflicts not applied.
11
12CVE: CVE-2015-8i26 patch #3
13
14Signed-off-by: Armin Kuster <akuster@mvista.com>
15
16
17---
18 ANNOUNCE | 3 ++-
19 CHANGES | 3 ++-
20 pngrutil.c | 15 +++++++++++----
21 pngset.c | 2 +-
22 4 files changed, 16 insertions(+), 7 deletions(-)
23
24Index: libpng-1.6.17/pngrutil.c
25===================================================================
26--- libpng-1.6.17.orig/pngrutil.c
27+++ libpng-1.6.17/pngrutil.c
28@@ -867,7 +867,7 @@ void /* PRIVATE */
29 png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
30 {
31 png_color palette[PNG_MAX_PALETTE_LENGTH];
32- int num, i;
33+ int max_palette_length, num, i;
34 #ifdef PNG_POINTER_INDEXING_SUPPORTED
35 png_colorp pal_ptr;
36 #endif
37@@ -925,9 +925,19 @@ png_handle_PLTE(png_structrp png_ptr, pn
38 return;
39 }
40
41+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
42+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
43+
44 /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
45 num = (int)length / 3;
46
47+ /* If the palette has 256 or fewer entries but is too large for the bit depth,
48+ * we don't issue an error, to preserve the behavior of previous libpng versions.
49+ * We silently truncate the unused extra palette entries here.
50+ */
51+ if (num > max_palette_length)
52+ num = max_palette_length;
53+
54 #ifdef PNG_POINTER_INDEXING_SUPPORTED
55 for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
56 {
57@@ -997,9 +1007,6 @@ png_handle_PLTE(png_structrp png_ptr, pn
58 * confusing.
59 *
60 * Fix this by not sharing the palette in this way.
61- *
62- * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
63- * it attempts to set a palette length that is too large for the bit depth.
64 */
65 png_set_PLTE(png_ptr, info_ptr, palette, num);
66
67Index: libpng-1.6.17/pngset.c
68===================================================================
69--- libpng-1.6.17.orig/pngset.c
70+++ libpng-1.6.17/pngset.c
71@@ -523,7 +523,7 @@ png_set_PLTE(png_structrp png_ptr, png_i
72 max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
73 (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
74
75- if (num_palette < 0 || num_palette > max_palette_length)
76+ if (num_palette < 0 || num_palette > (int) max_palette_length)
77 {
78 if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
79 png_error(png_ptr, "Invalid palette length");
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_4.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_4.patch
new file mode 100644
index 0000000..2622630
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_4.patch
@@ -0,0 +1,48 @@
1From 83f4c735c88e7f451541c1528d8043c31ba3b466 Mon Sep 17 00:00:00 2001
2From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
3Date: Thu, 5 Nov 2015 11:18:44 -0600
4Subject: [PATCH] [libpng16] Clean up coding style in png_handle_PLTE()
5
6Upstream-Status: Backport
7https://github.com/glennrp/libpng/commit/83f4c735c88e7f451541c1528d8043c31ba3b466
8
9CVE: CVE-2015-8126 patch #4
10Signed-off-by: Armin Kuster <akuster@mvista.com>
11
12---
13 pngrutil.c | 17 ++++++++++-------
14 1 file changed, 10 insertions(+), 7 deletions(-)
15
16Index: libpng-1.6.17/pngrutil.c
17===================================================================
18--- libpng-1.6.17.orig/pngrutil.c
19+++ libpng-1.6.17/pngrutil.c
20@@ -925,18 +925,21 @@ png_handle_PLTE(png_structrp png_ptr, pn
21 return;
22 }
23
24- max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
25- (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
26-
27 /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
28 num = (int)length / 3;
29
30- /* If the palette has 256 or fewer entries but is too large for the bit depth,
31- * we don't issue an error, to preserve the behavior of previous libpng versions.
32- * We silently truncate the unused extra palette entries here.
33+ /* If the palette has 256 or fewer entries but is too large for the bit
34+ * depth, we don't issue an error, to preserve the behavior of previous
35+ * libpng versions. We silently truncate the unused extra palette entries
36+ * here.
37 */
38+ if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
39+ max_palette_length = (1 << png_ptr->bit_depth);
40+ else
41+ max_palette_length = PNG_MAX_PALETTE_LENGTH;
42+
43 if (num > max_palette_length)
44- num = max_palette_length;
45+ num = max_palette_length;
46
47 #ifdef PNG_POINTER_INDEXING_SUPPORTED
48 for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.13.bb b/meta/recipes-multimedia/libpng/libpng_1.6.13.bb
index 3d32bfe..80dcc0a 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.13.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.13.bb
@@ -10,6 +10,12 @@ LIBV = "16"
10 10
11SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/${PV}/libpng-${PV}.tar.xz \ 11SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/${PV}/libpng-${PV}.tar.xz \
12 " 12 "
13SRC_URI += "\
14 file://CVE-2015-8126_1.patch \
15 file://CVE-2015-8126_2.patch \
16 file://CVE-2015-8126_3.patch \
17 file://CVE-2015-8126_4.patch \
18 "
13 19
14SRC_URI[md5sum] = "9822c25466f060142359f80ed142c9e5" 20SRC_URI[md5sum] = "9822c25466f060142359f80ed142c9e5"
15SRC_URI[sha256sum] = "d9c8ce54a5fc8052ed794ca65b553384a74c0608b09ae163cbbb07176018e625" 21SRC_URI[sha256sum] = "d9c8ce54a5fc8052ed794ca65b553384a74c0608b09ae163cbbb07176018e625"