summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-02-05 06:03:48 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-02-07 22:55:24 +0000
commit21a816c73a09031ba7634f7a32f2c2e7dc3f0bc9 (patch)
treed72c4e2bff32775c91b5568f28985402b68dec39
parent6a0fbfaeb59f573afc970fd8cc481afddd832109 (diff)
downloadpoky-21a816c73a09031ba7634f7a32f2c2e7dc3f0bc9.tar.gz
libpng: Security fix CVE-2015-8126
libpng: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions (From OE-Core rev: d0a8313a03711ff881ad89b6cfc545f66a0bc018) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch91
-rw-r--r--meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch134
-rw-r--r--meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch79
-rw-r--r--meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_4.patch48
-rw-r--r--meta/recipes-multimedia/libpng/libpng_1.6.17.bb7
5 files changed, 359 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch
new file mode 100644
index 0000000000..25fe1364d3
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch
@@ -0,0 +1,91 @@
1From 81f44665cce4cb1373f049a76f3904e981b7a766 Mon Sep 17 00:00:00 2001
2From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
3Date: Thu, 29 Oct 2015 09:26:41 -0500
4Subject: [PATCH] [libpng16] Reject attempt to write over-length PLTE chunk
5
6Upstream-Status: Backport
7https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766
8
9CVE: CVE-2015-8126 patch #1
10
11Signed-off-by: Armin Kuster <akuster@mvista.com>
12
13---
14 libpng-manual.txt | 5 +++++
15 libpng.3 | 5 +++++
16 pngwrite.c | 4 ++--
17 pngwutil.c | 7 +++++--
18 4 files changed, 17 insertions(+), 4 deletions(-)
19
20Index: libpng-1.6.17/libpng-manual.txt
21===================================================================
22--- libpng-1.6.17.orig/libpng-manual.txt
23+++ libpng-1.6.17/libpng-manual.txt
24@@ -5109,6 +5109,11 @@ length, which resulted in PNG files that
25 chunk. This error was fixed in libpng-1.6.3, and a tool (called
26 contrib/tools/png-fix-itxt) has been added to the libpng distribution.
27
28+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
29+is an error. Previously this requirement of the PNG specification was not
30+enforced. Libpng continues to accept over-length PLTE chunks when reading,
31+but does not make any use of the extra entries.
32+
33 XIII. Detecting libpng
34
35 The png_get_io_ptr() function has been present since libpng-0.88, has never
36Index: libpng-1.6.17/libpng.3
37===================================================================
38--- libpng-1.6.17.orig/libpng.3
39+++ libpng-1.6.17/libpng.3
40@@ -5613,6 +5613,11 @@ length, which resulted in PNG files that
41 chunk. This error was fixed in libpng-1.6.3, and a tool (called
42 contrib/tools/png-fix-itxt) has been added to the libpng distribution.
43
44+Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
45+is an error. Previously this requirement of the PNG specification was not
46+enforced. Libpng continues to accept over-length PLTE chunks when reading,
47+but does not make any use of the extra entries.
48+
49 .SH XIII. Detecting libpng
50
51 The png_get_io_ptr() function has been present since libpng-0.88, has never
52Index: libpng-1.6.17/pngwrite.c
53===================================================================
54--- libpng-1.6.17.orig/pngwrite.c
55+++ libpng-1.6.17/pngwrite.c
56@@ -205,7 +205,7 @@ png_write_info(png_structrp png_ptr, png
57 png_write_PLTE(png_ptr, info_ptr->palette,
58 (png_uint_32)info_ptr->num_palette);
59
60- else if ((info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) !=0)
61+ else if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
62 png_error(png_ptr, "Valid palette required for paletted images");
63
64 #ifdef PNG_WRITE_tRNS_SUPPORTED
65Index: libpng-1.6.17/pngwutil.c
66===================================================================
67--- libpng-1.6.17.orig/pngwutil.c
68+++ libpng-1.6.17/pngwutil.c
69@@ -922,17 +922,20 @@ void /* PRIVATE */
70 png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
71 png_uint_32 num_pal)
72 {
73- png_uint_32 i;
74+ png_uint_32 max_num_pal, i;
75 png_const_colorp pal_ptr;
76 png_byte buf[3];
77
78 png_debug(1, "in png_write_PLTE");
79
80+ max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
81+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
82+
83 if ((
84 #ifdef PNG_MNG_FEATURES_SUPPORTED
85 (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
86 #endif
87- num_pal == 0) || num_pal > 256)
88+ num_pal == 0) || num_pal > max_num_pal)
89 {
90 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
91 {
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch
new file mode 100644
index 0000000000..4aa917084a
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch
@@ -0,0 +1,134 @@
1From a901eb3ce6087e0afeef988247f1a1aa208cb54d Mon Sep 17 00:00:00 2001
2From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
3Date: Fri, 30 Oct 2015 07:57:49 -0500
4Subject: [PATCH] [libpng16] Prevent reading over-length PLTE chunk (Cosmin
5 Truta).
6
7Upstream-Status: Backport
8https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d
9
10Many changes involved date and version updates with don't apply in this case.
11
12CVE: CVE-2015-8126 patch #2
13Signed-off-by: Armin Kuster <akuster@mvista.com>
14
15---
16 ANNOUNCE | 6 +++---
17 CHANGES | 4 ++--
18 libpng-manual.txt | 11 +++++------
19 libpng.3 | 19 +++++++++----------
20 pngrutil.c | 3 +++
21 pngset.c | 13 +++++++++----
22 pngwutil.c | 6 +++---
23 7 files changed, 34 insertions(+), 28 deletions(-)
24
25Index: libpng-1.6.17/libpng-manual.txt
26===================================================================
27--- libpng-1.6.17.orig/libpng-manual.txt
28+++ libpng-1.6.17/libpng-manual.txt
29@@ -5109,10 +5109,9 @@ length, which resulted in PNG files that
30 chunk. This error was fixed in libpng-1.6.3, and a tool (called
31 contrib/tools/png-fix-itxt) has been added to the libpng distribution.
32
33-Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
34+Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk
35 is an error. Previously this requirement of the PNG specification was not
36-enforced. Libpng continues to accept over-length PLTE chunks when reading,
37-but does not make any use of the extra entries.
38+enforced, and the palette was always limited to 256 entries.
39
40 XIII. Detecting libpng
41
42Index: libpng-1.6.17/libpng.3
43===================================================================
44--- libpng-1.6.17.orig/libpng.3
45+++ libpng-1.6.17/libpng.3
46@@ -5613,10 +5613,9 @@ length, which resulted in PNG files that
47 chunk. This error was fixed in libpng-1.6.3, and a tool (called
48 contrib/tools/png-fix-itxt) has been added to the libpng distribution.
49
50-Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk
51+Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk
52 is an error. Previously this requirement of the PNG specification was not
53-enforced. Libpng continues to accept over-length PLTE chunks when reading,
54-but does not make any use of the extra entries.
55+enforced, and the palette was always limited to 256 entries.
56
57 .SH XIII. Detecting libpng
58
59Index: libpng-1.6.17/pngrutil.c
60===================================================================
61--- libpng-1.6.17.orig/pngrutil.c
62+++ libpng-1.6.17/pngrutil.c
63@@ -997,6 +997,9 @@ png_handle_PLTE(png_structrp png_ptr, pn
64 * confusing.
65 *
66 * Fix this by not sharing the palette in this way.
67+ *
68+ * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
69+ * it attempts to set a palette length that is too large for the bit depth.
70 */
71 png_set_PLTE(png_ptr, info_ptr, palette, num);
72
73Index: libpng-1.6.17/pngset.c
74===================================================================
75--- libpng-1.6.17.orig/pngset.c
76+++ libpng-1.6.17/pngset.c
77@@ -513,12 +513,17 @@ png_set_PLTE(png_structrp png_ptr, png_i
78 png_const_colorp palette, int num_palette)
79 {
80
81+ png_uint_32 max_palette_length;
82+
83 png_debug1(1, "in %s storage function", "PLTE");
84
85 if (png_ptr == NULL || info_ptr == NULL)
86 return;
87
88- if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)
89+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
90+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
91+
92+ if (num_palette < 0 || num_palette > max_palette_length)
93 {
94 if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
95 png_error(png_ptr, "Invalid palette length");
96@@ -551,8 +556,8 @@ png_set_PLTE(png_structrp png_ptr, png_i
97 png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
98
99 /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
100- * of num_palette entries, in case of an invalid PNG file that has
101- * too-large sample values.
102+ * of num_palette entries, in case of an invalid PNG file or incorrect
103+ * call to png_set_PLTE() with too-large sample values.
104 */
105 png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
106 PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
107Index: libpng-1.6.17/pngwutil.c
108===================================================================
109--- libpng-1.6.17.orig/pngwutil.c
110+++ libpng-1.6.17/pngwutil.c
111@@ -922,20 +922,20 @@ void /* PRIVATE */
112 png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
113 png_uint_32 num_pal)
114 {
115- png_uint_32 max_num_pal, i;
116+ png_uint_32 max_palette_length, i;
117 png_const_colorp pal_ptr;
118 png_byte buf[3];
119
120 png_debug(1, "in png_write_PLTE");
121
122- max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
123+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
124 (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
125
126 if ((
127 #ifdef PNG_MNG_FEATURES_SUPPORTED
128 (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
129 #endif
130- num_pal == 0) || num_pal > max_num_pal)
131+ num_pal == 0) || num_pal > max_palette_length)
132 {
133 if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
134 {
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch
new file mode 100644
index 0000000000..0e0ad23200
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch
@@ -0,0 +1,79 @@
1From 1bef8e97995c33123665582e57d3ed40b57d5978 Mon Sep 17 00:00:00 2001
2From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
3Date: Fri, 30 Oct 2015 11:34:37 -0500
4Subject: [PATCH] [libpng16] Silently truncate over-length PLTE chunk while
5 reading.
6
7Upstream-Status: Backport
8https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978
9
10Normal Issues is date and version conflicts not applied.
11
12CVE: CVE-2015-8i26 patch #3
13
14Signed-off-by: Armin Kuster <akuster@mvista.com>
15
16
17---
18 ANNOUNCE | 3 ++-
19 CHANGES | 3 ++-
20 pngrutil.c | 15 +++++++++++----
21 pngset.c | 2 +-
22 4 files changed, 16 insertions(+), 7 deletions(-)
23
24Index: libpng-1.6.17/pngrutil.c
25===================================================================
26--- libpng-1.6.17.orig/pngrutil.c
27+++ libpng-1.6.17/pngrutil.c
28@@ -867,7 +867,7 @@ void /* PRIVATE */
29 png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
30 {
31 png_color palette[PNG_MAX_PALETTE_LENGTH];
32- int num, i;
33+ int max_palette_length, num, i;
34 #ifdef PNG_POINTER_INDEXING_SUPPORTED
35 png_colorp pal_ptr;
36 #endif
37@@ -925,9 +925,19 @@ png_handle_PLTE(png_structrp png_ptr, pn
38 return;
39 }
40
41+ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
42+ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
43+
44 /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
45 num = (int)length / 3;
46
47+ /* If the palette has 256 or fewer entries but is too large for the bit depth,
48+ * we don't issue an error, to preserve the behavior of previous libpng versions.
49+ * We silently truncate the unused extra palette entries here.
50+ */
51+ if (num > max_palette_length)
52+ num = max_palette_length;
53+
54 #ifdef PNG_POINTER_INDEXING_SUPPORTED
55 for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
56 {
57@@ -997,9 +1007,6 @@ png_handle_PLTE(png_structrp png_ptr, pn
58 * confusing.
59 *
60 * Fix this by not sharing the palette in this way.
61- *
62- * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when
63- * it attempts to set a palette length that is too large for the bit depth.
64 */
65 png_set_PLTE(png_ptr, info_ptr, palette, num);
66
67Index: libpng-1.6.17/pngset.c
68===================================================================
69--- libpng-1.6.17.orig/pngset.c
70+++ libpng-1.6.17/pngset.c
71@@ -523,7 +523,7 @@ png_set_PLTE(png_structrp png_ptr, png_i
72 max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
73 (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
74
75- if (num_palette < 0 || num_palette > max_palette_length)
76+ if (num_palette < 0 || num_palette > (int) max_palette_length)
77 {
78 if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
79 png_error(png_ptr, "Invalid palette length");
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_4.patch b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_4.patch
new file mode 100644
index 0000000000..2622630d10
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_4.patch
@@ -0,0 +1,48 @@
1From 83f4c735c88e7f451541c1528d8043c31ba3b466 Mon Sep 17 00:00:00 2001
2From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
3Date: Thu, 5 Nov 2015 11:18:44 -0600
4Subject: [PATCH] [libpng16] Clean up coding style in png_handle_PLTE()
5
6Upstream-Status: Backport
7https://github.com/glennrp/libpng/commit/83f4c735c88e7f451541c1528d8043c31ba3b466
8
9CVE: CVE-2015-8126 patch #4
10Signed-off-by: Armin Kuster <akuster@mvista.com>
11
12---
13 pngrutil.c | 17 ++++++++++-------
14 1 file changed, 10 insertions(+), 7 deletions(-)
15
16Index: libpng-1.6.17/pngrutil.c
17===================================================================
18--- libpng-1.6.17.orig/pngrutil.c
19+++ libpng-1.6.17/pngrutil.c
20@@ -925,18 +925,21 @@ png_handle_PLTE(png_structrp png_ptr, pn
21 return;
22 }
23
24- max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
25- (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
26-
27 /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
28 num = (int)length / 3;
29
30- /* If the palette has 256 or fewer entries but is too large for the bit depth,
31- * we don't issue an error, to preserve the behavior of previous libpng versions.
32- * We silently truncate the unused extra palette entries here.
33+ /* If the palette has 256 or fewer entries but is too large for the bit
34+ * depth, we don't issue an error, to preserve the behavior of previous
35+ * libpng versions. We silently truncate the unused extra palette entries
36+ * here.
37 */
38+ if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
39+ max_palette_length = (1 << png_ptr->bit_depth);
40+ else
41+ max_palette_length = PNG_MAX_PALETTE_LENGTH;
42+
43 if (num > max_palette_length)
44- num = max_palette_length;
45+ num = max_palette_length;
46
47 #ifdef PNG_POINTER_INDEXING_SUPPORTED
48 for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.17.bb b/meta/recipes-multimedia/libpng/libpng_1.6.17.bb
index 2d9835cf8c..110c43daf1 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.17.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.17.bb
@@ -10,6 +10,13 @@ LIBV = "16"
10 10
11SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/older-releases/${PV}/libpng-${PV}.tar.xz \ 11SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/older-releases/${PV}/libpng-${PV}.tar.xz \
12 " 12 "
13SRC_URI += "\
14 file://CVE-2015-8126_1.patch \
15 file://CVE-2015-8126_2.patch \
16 file://CVE-2015-8126_3.patch \
17 file://CVE-2015-8126_4.patch \
18 "
19
13SRC_URI[md5sum] = "430a9b76b78533235cd4b9b26ce75c7e" 20SRC_URI[md5sum] = "430a9b76b78533235cd4b9b26ce75c7e"
14SRC_URI[sha256sum] = "98507b55fbe5cd43c51981f2924e4671fd81fe35d52dc53357e20f2c77fa5dfd" 21SRC_URI[sha256sum] = "98507b55fbe5cd43c51981f2924e4671fd81fe35d52dc53357e20f2c77fa5dfd"
15 22