libpng: backport security fixes

This patch includes various security fixes from upstream (though the patches were taken from Debian's packaging) to address the following CVE issues: libpng CVE-2011-2690 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2690 libpng CVE-2011-2692 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2692 libpng CVE-2011-2501 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2501 Signed-off-by: Joshua Lock <josh@linux.intel.com>
author: Joshua Lock <josh@linux.intel.com> 2011-10-13 11:54:24 -0700
committer: Joshua Lock <josh@linux.intel.com> 2011-10-14 09:38:40 -0700
commit: e3e50d2c69a5e78c32ca9717e313c6c79f7efd97 (patch)
tree: 06949101028fe10c745399b7413a88276bb6e3f7 /meta
parent: e5cce8a57d40a16a5133c1a394ab0f3717741344 (diff)
download: poky-e3e50d2c69a5e78c32ca9717e313c6c79f7efd97.tar.gz
4 files changed, 101 insertions, 2 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng/02-CVE-2011-2501.patch b/meta/recipes-multimedia/libpng/libpng/02-CVE-2011-2501.patch
new file mode 100644
index 0000000000..c4f98c69a4
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng/02-CVE-2011-2501.patch
@@ -0,0 +1,29 @@
+This patch is taken from upstream and is a fix for CVE CVE-2011-2501
+Description: fix denial of service via error message data
+Origin: upstream, http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=65e6d5a34f49acdb362a0625a706c6b914e670af
+Upstream-Status: Backport
+Signed-off-by: Joshua Lock <josh@linux.intel.com>
+Index: libpng-1.2.44/pngerror.c
+===================================================================
+--- libpng-1.2.44.orig/pngerror.c       2011-07-26 08:18:20.769498103 -0400
+++ libpng-1.2.44/pngerror.c    2011-07-26 08:18:32.819498098 -0400
+@@ -181,8 +181,13 @@
+    {
+       buffer[iout++] = ':';
+       buffer[iout++] = ' ';
+-      png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT);
+-      buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0';
+
+      iin = 0;
+      while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')
+         buffer[iout++] = error_message[iin++];
+
+      /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */
+      buffer[iout] = '\0';
+    }
+ }
+ 
diff --git a/meta/recipes-multimedia/libpng/libpng/03-CVE-2011-2690.patch b/meta/recipes-multimedia/libpng/libpng/03-CVE-2011-2690.patch
new file mode 100644
index 0000000000..f38a222170
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng/03-CVE-2011-2690.patch
@@ -0,0 +1,38 @@
+This patch is taken from upstream and is a fix for CVE CVE-2011-2690
+Description: fix denial of service and possible arbitrary code
+ execution via crafted PNG image
+Origin: upstream, http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=d572394c2a018ef22e9685ac189f5f05c08ea6f5
+Upstream-Status: Backport
+Signed-off-by: Joshua Lock <josh@linux.intel.com>
+Index: libpng-1.2.44/pngrtran.c
+===================================================================
+--- libpng-1.2.44.orig/pngrtran.c       2011-07-26 08:18:55.489498092 -0400
+++ libpng-1.2.44/pngrtran.c    2011-07-26 08:19:02.079498092 -0400
+@@ -676,10 +676,21 @@
+ png_set_rgb_to_gray(png_structp png_ptr, int error_action, double red,
+    double green)
+ {
+-   int red_fixed = (int)((float)red*100000.0 + 0.5);
+-   int green_fixed = (int)((float)green*100000.0 + 0.5);
+   int red_fixed, green_fixed;
+    if (png_ptr == NULL)
+       return;
+   if (red > 21474.83647 || red < -21474.83648 ||
+       green > 21474.83647 || green < -21474.83648)
+   {
+      png_warning(png_ptr, "ignoring out of range rgb_to_gray coefficients");
+      red_fixed = -1;
+      green_fixed = -1;
+   }
+   else
+   {
+      red_fixed = (int)((float)red*100000.0 + 0.5);
+      green_fixed = (int)((float)green*100000.0 + 0.5);
+   }
+    png_set_rgb_to_gray_fixed(png_ptr, error_action, red_fixed, green_fixed);
+ }
+ #endif
diff --git a/meta/recipes-multimedia/libpng/libpng/04-CVE-2011-2692.patch b/meta/recipes-multimedia/libpng/libpng/04-CVE-2011-2692.patch
new file mode 100644
index 0000000000..5a0f51e269
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng/04-CVE-2011-2692.patch
@@ -0,0 +1,29 @@
+This patch is taken from upstream and is a fix for CVE CVE-2011-2962
+Description: fix denial of service and possible arbitrary code
+ execution via invalid sCAL chunks
+Origin: upstream, http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=61a2d8a2a7b03023e63eae9a3e64607aaaa6d339
+Upstream-Status: Backport
+Signed-off-by: Joshua Lock <josh@linux.intel.com>
+Index: libpng-1.2.44/pngrutil.c
+===================================================================
+--- libpng-1.2.44.orig/pngrutil.c       2011-07-26 08:19:22.619498085 -0400
+++ libpng-1.2.44/pngrutil.c    2011-07-26 08:19:26.909498086 -0400
+@@ -1812,6 +1812,14 @@
+       return;
+    }
+ 
+   /* Need unit type, width, \0, height: minimum 4 bytes */
+   else if (length < 4)
+   {
+      png_warning(png_ptr, "sCAL chunk too short");
+      png_crc_finish(png_ptr, length);
+      return;
+   }
+
+    png_debug1(2, "Allocating and reading sCAL chunk data (%lu bytes)",
+       length + 1);
+    png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);
diff --git a/meta/recipes-multimedia/libpng/libpng_1.2.44.bb b/meta/recipes-multimedia/libpng/libpng_1.2.44.bb
index 4a8d5c30ed..58c20f0314 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.2.44.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.2.44.bb
@@ -6,9 +6,12 @@ LICENSE = "libpng"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=a294a2bb08b7f25558119edbfd6b2e92 \
                    file://png.h;startline=172;endline=261;md5=3253923f0093658f470e52a06ddcf4e7"
 DEPENDS = "zlib"
-PR = "r0"
+PR = "r1"
-SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/libpng-${PV}.tar.bz2"
+SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/libpng-${PV}.tar.bz2 \
+           file://02-CVE-2011-2501.patch \
+           file://03-CVE-2011-2690.patch \
+           file://04-CVE-2011-2692.patch"
 SRC_URI[md5sum] = "e3ac7879d62ad166a6f0c7441390d12b"
 SRC_URI[sha256sum] = "b9ab20f1c2c3bf6c4448fd9bd8a4a8905b918114d5fada56c97bb758a17b7215"
author	Joshua Lock <josh@linux.intel.com>	2011-10-13 11:54:24 -0700
committer	Joshua Lock <josh@linux.intel.com>	2011-10-14 09:38:40 -0700
commit	e3e50d2c69a5e78c32ca9717e313c6c79f7efd97 (patch)
tree	06949101028fe10c745399b7413a88276bb6e3f7 /meta
parent	e5cce8a57d40a16a5133c1a394ab0f3717741344 (diff)
download	poky-e3e50d2c69a5e78c32ca9717e313c6c79f7efd97.tar.gz

diff --git a/meta/recipes-multimedia/libpng/libpng/02-CVE-2011-2501.patch b/meta/recipes-multimedia/libpng/libpng/02-CVE-2011-2501.patch new file mode 100644 index 0000000000..c4f98c69a4 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng/02-CVE-2011-2501.patch
@@ -0,0 +1,29 @@
		1	This patch is taken from upstream and is a fix for CVE CVE-2011-2501
		2
		3	Description: fix denial of service via error message data
		4	Origin: upstream, http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=65e6d5a34f49acdb362a0625a706c6b914e670af
		5
		6	Upstream-Status: Backport
		7
		8	Signed-off-by: Joshua Lock <josh@linux.intel.com>
		9
		10	Index: libpng-1.2.44/pngerror.c
		11	===================================================================
		12	--- libpng-1.2.44.orig/pngerror.c 2011-07-26 08:18:20.769498103 -0400
		13	+++ libpng-1.2.44/pngerror.c 2011-07-26 08:18:32.819498098 -0400
		14	@@ -181,8 +181,13 @@
		15	{
		16	buffer[iout++] = ':';
		17	buffer[iout++] = ' ';
		18	- png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT);
		19	- buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0';
		20	+
		21	+ iin = 0;
		22	+ while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')
		23	+ buffer[iout++] = error_message[iin++];
		24	+
		25	+ /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */
		26	+ buffer[iout] = '\0';
		27	}
		28	}
		29


diff --git a/meta/recipes-multimedia/libpng/libpng/03-CVE-2011-2690.patch b/meta/recipes-multimedia/libpng/libpng/03-CVE-2011-2690.patch new file mode 100644 index 0000000000..f38a222170 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng/03-CVE-2011-2690.patch
@@ -0,0 +1,38 @@
		1	This patch is taken from upstream and is a fix for CVE CVE-2011-2690
		2
		3	Description: fix denial of service and possible arbitrary code
		4	execution via crafted PNG image
		5	Origin: upstream, http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=d572394c2a018ef22e9685ac189f5f05c08ea6f5
		6
		7	Upstream-Status: Backport
		8
		9	Signed-off-by: Joshua Lock <josh@linux.intel.com>
		10
		11	Index: libpng-1.2.44/pngrtran.c
		12	===================================================================
		13	--- libpng-1.2.44.orig/pngrtran.c 2011-07-26 08:18:55.489498092 -0400
		14	+++ libpng-1.2.44/pngrtran.c 2011-07-26 08:19:02.079498092 -0400
		15	@@ -676,10 +676,21 @@
		16	png_set_rgb_to_gray(png_structp png_ptr, int error_action, double red,
		17	double green)
		18	{
		19	- int red_fixed = (int)((float)red*100000.0 + 0.5);
		20	- int green_fixed = (int)((float)green*100000.0 + 0.5);
		21	+ int red_fixed, green_fixed;
		22	if (png_ptr == NULL)
		23	return;
		24	+ if (red > 21474.83647 \|\| red < -21474.83648 \|\|
		25	+ green > 21474.83647 \|\| green < -21474.83648)
		26	+ {
		27	+ png_warning(png_ptr, "ignoring out of range rgb_to_gray coefficients");
		28	+ red_fixed = -1;
		29	+ green_fixed = -1;
		30	+ }
		31	+ else
		32	+ {
		33	+ red_fixed = (int)((float)red*100000.0 + 0.5);
		34	+ green_fixed = (int)((float)green*100000.0 + 0.5);
		35	+ }
		36	png_set_rgb_to_gray_fixed(png_ptr, error_action, red_fixed, green_fixed);
		37	}
		38	#endif


diff --git a/meta/recipes-multimedia/libpng/libpng/04-CVE-2011-2692.patch b/meta/recipes-multimedia/libpng/libpng/04-CVE-2011-2692.patch new file mode 100644 index 0000000000..5a0f51e269 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng/04-CVE-2011-2692.patch
@@ -0,0 +1,29 @@
		1	This patch is taken from upstream and is a fix for CVE CVE-2011-2962
		2
		3	Description: fix denial of service and possible arbitrary code
		4	execution via invalid sCAL chunks
		5	Origin: upstream, http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=61a2d8a2a7b03023e63eae9a3e64607aaaa6d339
		6
		7	Upstream-Status: Backport
		8
		9	Signed-off-by: Joshua Lock <josh@linux.intel.com>
		10
		11	Index: libpng-1.2.44/pngrutil.c
		12	===================================================================
		13	--- libpng-1.2.44.orig/pngrutil.c 2011-07-26 08:19:22.619498085 -0400
		14	+++ libpng-1.2.44/pngrutil.c 2011-07-26 08:19:26.909498086 -0400
		15	@@ -1812,6 +1812,14 @@
		16	return;
		17	}
		18
		19	+ /* Need unit type, width, \0, height: minimum 4 bytes */
		20	+ else if (length < 4)
		21	+ {
		22	+ png_warning(png_ptr, "sCAL chunk too short");
		23	+ png_crc_finish(png_ptr, length);
		24	+ return;
		25	+ }
		26	+
		27	png_debug1(2, "Allocating and reading sCAL chunk data (%lu bytes)",
		28	length + 1);
		29	png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1);


diff --git a/meta/recipes-multimedia/libpng/libpng_1.2.44.bb b/meta/recipes-multimedia/libpng/libpng_1.2.44.bb index 4a8d5c30ed..58c20f0314 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.2.44.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.2.44.bb
@@ -6,9 +6,12 @@ LICENSE = "libpng"
6	LIC_FILES_CHKSUM = "file://LICENSE;md5=a294a2bb08b7f25558119edbfd6b2e92 \	6	LIC_FILES_CHKSUM = "file://LICENSE;md5=a294a2bb08b7f25558119edbfd6b2e92 \
7	file://png.h;startline=172;endline=261;md5=3253923f0093658f470e52a06ddcf4e7"	7	file://png.h;startline=172;endline=261;md5=3253923f0093658f470e52a06ddcf4e7"
8	DEPENDS = "zlib"	8	DEPENDS = "zlib"
9	PR = "r0"	9	PR = "r1"
10		10
11	SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/libpng-${PV}.tar.bz2"	11	SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/libpng-${PV}.tar.bz2 \
		12	file://02-CVE-2011-2501.patch \
		13	file://03-CVE-2011-2690.patch \
		14	file://04-CVE-2011-2692.patch"
12		15
13	SRC_URI[md5sum] = "e3ac7879d62ad166a6f0c7441390d12b"	16	SRC_URI[md5sum] = "e3ac7879d62ad166a6f0c7441390d12b"
14	SRC_URI[sha256sum] = "b9ab20f1c2c3bf6c4448fd9bd8a4a8905b918114d5fada56c97bb758a17b7215"	17	SRC_URI[sha256sum] = "b9ab20f1c2c3bf6c4448fd9bd8a4a8905b918114d5fada56c97bb758a17b7215"