diff options
author | Dengke Du <dengke.du@windriver.com> | 2017-08-17 02:19:46 -0400 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-08-18 23:46:38 +0100 |
commit | 163d2a34c776bd3709b4622984cddd9582bf2678 (patch) | |
tree | 65d59284e17cb596b1d2c2799ccb6335619b67cd /meta/recipes-graphics | |
parent | 3577a8277e151b00e63825f9154f19e91496bbaf (diff) | |
download | poky-163d2a34c776bd3709b4622984cddd9582bf2678.tar.gz |
cairo: Fix CVE-2017-9814
Backport patch from the following link to fix CVE-2017-9814:
https://bugs.freedesktop.org/show_bug.cgi?id=101547
(From OE-Core rev: 4ff22f4bb10b83ea61218a01e12907a90edcd594)
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-graphics')
-rw-r--r-- | meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch | 45 | ||||
-rw-r--r-- | meta/recipes-graphics/cairo/cairo_1.14.10.bb | 1 |
2 files changed, 46 insertions, 0 deletions
diff --git a/meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch b/meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch new file mode 100644 index 0000000000..7d02ab9474 --- /dev/null +++ b/meta/recipes-graphics/cairo/cairo/0001-cairo-Fix-CVE-2017-9814.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | From 042421e9e3d266ad0bb7805132041ef51ad3234d Mon Sep 17 00:00:00 2001 | ||
2 | From: Adrian Johnson <ajohnson@redneon.com> | ||
3 | Date: Wed, 16 Aug 2017 22:52:35 -0400 | ||
4 | Subject: [PATCH] cairo: Fix CVE-2017-9814 | ||
5 | |||
6 | The bug happens because in some scenarios the variable size can | ||
7 | have a value of 0 at line 1288. And malloc(0) is not returning | ||
8 | NULL as some people could expect: | ||
9 | |||
10 | https://stackoverflow.com/questions/1073157/zero-size-malloc | ||
11 | |||
12 | malloc(0) returns the smallest chunk possible. So the line 1290 | ||
13 | with the return is not execute. And the execution continues with | ||
14 | an invalid map. | ||
15 | |||
16 | Since the size is 0 the variable map is not initialized correctly | ||
17 | at load_trutype_table. So, later when the variable map is accessed | ||
18 | previous values from a freed chunk are used. This could allows an | ||
19 | attacker to control the variable map. | ||
20 | |||
21 | This patch have not merge in upstream now. | ||
22 | |||
23 | Upstream-Status: Backport [https://bugs.freedesktop.org/show_bug.cgi?id=101547] | ||
24 | CVE: CVE-2017-9814 | ||
25 | Signed-off-by: Dengke Du <dengke.du@windriver.com> | ||
26 | --- | ||
27 | src/cairo-truetype-subset.c | 2 +- | ||
28 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
29 | |||
30 | diff --git a/src/cairo-truetype-subset.c b/src/cairo-truetype-subset.c | ||
31 | index e3449a0..f77d11c 100644 | ||
32 | --- a/src/cairo-truetype-subset.c | ||
33 | +++ b/src/cairo-truetype-subset.c | ||
34 | @@ -1285,7 +1285,7 @@ _cairo_truetype_reverse_cmap (cairo_scaled_font_t *scaled_font, | ||
35 | return CAIRO_INT_STATUS_UNSUPPORTED; | ||
36 | |||
37 | size = be16_to_cpu (map->length); | ||
38 | - map = malloc (size); | ||
39 | + map = _cairo_malloc (size); | ||
40 | if (unlikely (map == NULL)) | ||
41 | return _cairo_error (CAIRO_STATUS_NO_MEMORY); | ||
42 | |||
43 | -- | ||
44 | 2.8.1 | ||
45 | |||
diff --git a/meta/recipes-graphics/cairo/cairo_1.14.10.bb b/meta/recipes-graphics/cairo/cairo_1.14.10.bb index ba38c34f0a..fcdddc6d9e 100644 --- a/meta/recipes-graphics/cairo/cairo_1.14.10.bb +++ b/meta/recipes-graphics/cairo/cairo_1.14.10.bb | |||
@@ -4,6 +4,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e73e999e0c72b5ac9012424fa157ad77" | |||
4 | 4 | ||
5 | SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \ | 5 | SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \ |
6 | file://cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff \ | 6 | file://cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff \ |
7 | file://0001-cairo-Fix-CVE-2017-9814.patch \ | ||
7 | " | 8 | " |
8 | 9 | ||
9 | SRC_URI[md5sum] = "146f5f4d0b4439fc3792fd3452b7b12a" | 10 | SRC_URI[md5sum] = "146f5f4d0b4439fc3792fd3452b7b12a" |