diff options
Diffstat (limited to 'meta/recipes-multimedia')
5 files changed, 290 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch new file mode 100644 index 0000000000..7d4c3fe80b --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_1.patch | |||
@@ -0,0 +1,69 @@ | |||
1 | From 81f44665cce4cb1373f049a76f3904e981b7a766 Mon Sep 17 00:00:00 2001 | ||
2 | From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | ||
3 | Date: Thu, 29 Oct 2015 09:26:41 -0500 | ||
4 | Subject: [PATCH] [libpng16] Reject attempt to write over-length PLTE chunk | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766 | ||
8 | |||
9 | CVE: CVE-2015-8126 patch #1 | ||
10 | |||
11 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
12 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
13 | |||
14 | diff -ruN a/libpng.3 b/libpng.3 | ||
15 | --- a/libpng.3 2014-08-21 12:53:36.000000000 +0200 | ||
16 | +++ b/libpng.3 2016-03-14 12:32:29.071935164 +0100 | ||
17 | @@ -5611,6 +5611,11 @@ | ||
18 | chunk. This error was fixed in libpng-1.6.3, and a tool (called | ||
19 | contrib/tools/png-fix-itxt) has been added to the libpng distribution. | ||
20 | |||
21 | +Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk | ||
22 | +is an error. Previously this requirement of the PNG specification was not | ||
23 | +enforced. Libpng continues to accept over-length PLTE chunks when reading, | ||
24 | +but does not make any use of the extra entries. | ||
25 | + | ||
26 | .SH XIII. Detecting libpng | ||
27 | |||
28 | The png_get_io_ptr() function has been present since libpng-0.88, has never | ||
29 | diff -ruN a/libpng-manual.txt b/libpng-manual.txt | ||
30 | --- a/libpng-manual.txt 2014-08-21 12:53:36.000000000 +0200 | ||
31 | +++ b/libpng-manual.txt 2016-03-14 12:32:29.067935336 +0100 | ||
32 | @@ -5107,6 +5107,11 @@ | ||
33 | chunk. This error was fixed in libpng-1.6.3, and a tool (called | ||
34 | contrib/tools/png-fix-itxt) has been added to the libpng distribution. | ||
35 | |||
36 | +Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk | ||
37 | +is an error. Previously this requirement of the PNG specification was not | ||
38 | +enforced. Libpng continues to accept over-length PLTE chunks when reading, | ||
39 | +but does not make any use of the extra entries. | ||
40 | + | ||
41 | XIII. Detecting libpng | ||
42 | |||
43 | The png_get_io_ptr() function has been present since libpng-0.88, has never | ||
44 | diff -ruN a/pngwutil.c b/pngwutil.c | ||
45 | --- a/pngwutil.c 2014-08-21 12:53:37.000000000 +0200 | ||
46 | +++ b/pngwutil.c 2016-03-14 12:35:00.001454124 +0100 | ||
47 | @@ -919,17 +919,20 @@ | ||
48 | png_write_PLTE(png_structrp png_ptr, png_const_colorp palette, | ||
49 | png_uint_32 num_pal) | ||
50 | { | ||
51 | - png_uint_32 i; | ||
52 | + png_uint_32 max_num_pal, i; | ||
53 | png_const_colorp pal_ptr; | ||
54 | png_byte buf[3]; | ||
55 | |||
56 | png_debug(1, "in png_write_PLTE"); | ||
57 | |||
58 | + max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? | ||
59 | + (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; | ||
60 | + | ||
61 | if (( | ||
62 | #ifdef PNG_MNG_FEATURES_SUPPORTED | ||
63 | !(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) && | ||
64 | #endif | ||
65 | - num_pal == 0) || num_pal > 256) | ||
66 | + num_pal == 0) || num_pal > max_num_pal) | ||
67 | { | ||
68 | if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | ||
69 | { | ||
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch new file mode 100644 index 0000000000..69cb565901 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_2.patch | |||
@@ -0,0 +1,88 @@ | |||
1 | From a901eb3ce6087e0afeef988247f1a1aa208cb54d Mon Sep 17 00:00:00 2001 | ||
2 | From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | ||
3 | Date: Fri, 30 Oct 2015 07:57:49 -0500 | ||
4 | Subject: [PATCH] [libpng16] Prevent reading over-length PLTE chunk (Cosmin | ||
5 | Truta). | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d | ||
9 | |||
10 | Many changes involved date and version updates with don't apply in this case. | ||
11 | |||
12 | CVE: CVE-2015-8126 patch #2 | ||
13 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
14 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
15 | |||
16 | diff -ruN a/pngrutil.c b/pngrutil.c | ||
17 | --- a/pngrutil.c 2014-08-21 12:53:36.000000000 +0200 | ||
18 | +++ b/pngrutil.c 2016-03-14 13:05:12.419581068 +0100 | ||
19 | @@ -997,6 +997,9 @@ | ||
20 | * confusing. | ||
21 | * | ||
22 | * Fix this by not sharing the palette in this way. | ||
23 | + * | ||
24 | + * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when | ||
25 | + * it attempts to set a palette length that is too large for the bit depth. | ||
26 | */ | ||
27 | png_set_PLTE(png_ptr, info_ptr, palette, num); | ||
28 | |||
29 | diff -ruN a/pngset.c b/pngset.c | ||
30 | --- a/pngset.c 2014-08-21 12:53:36.000000000 +0200 | ||
31 | +++ b/pngset.c 2016-03-14 13:05:12.439580208 +0100 | ||
32 | @@ -503,12 +503,17 @@ | ||
33 | png_const_colorp palette, int num_palette) | ||
34 | { | ||
35 | |||
36 | + png_uint_32 max_palette_length; | ||
37 | + | ||
38 | png_debug1(1, "in %s storage function", "PLTE"); | ||
39 | |||
40 | if (png_ptr == NULL || info_ptr == NULL) | ||
41 | return; | ||
42 | |||
43 | - if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH) | ||
44 | + max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? | ||
45 | + (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; | ||
46 | + | ||
47 | + if (num_palette < 0 || num_palette > max_palette_length) | ||
48 | { | ||
49 | if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | ||
50 | png_error(png_ptr, "Invalid palette length"); | ||
51 | @@ -541,8 +546,8 @@ | ||
52 | png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0); | ||
53 | |||
54 | /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead | ||
55 | - * of num_palette entries, in case of an invalid PNG file that has | ||
56 | - * too-large sample values. | ||
57 | + * of num_palette entries, in case of an invalid PNG file or incorrect | ||
58 | + * call to png_set_PLTE() with too-large sample values. | ||
59 | */ | ||
60 | png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr, | ||
61 | PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)))); | ||
62 | diff -ruN a/pngwutil.c b/pngwutil.c | ||
63 | --- a/pngwutil.c 2016-03-14 13:01:23.433428517 +0100 | ||
64 | +++ b/pngwutil.c 2016-03-14 13:07:42.933108329 +0100 | ||
65 | @@ -919,20 +919,20 @@ | ||
66 | png_write_PLTE(png_structrp png_ptr, png_const_colorp palette, | ||
67 | png_uint_32 num_pal) | ||
68 | { | ||
69 | - png_uint_32 max_num_pal, i; | ||
70 | + png_uint_32 max_palette_length, i; | ||
71 | png_const_colorp pal_ptr; | ||
72 | png_byte buf[3]; | ||
73 | |||
74 | png_debug(1, "in png_write_PLTE"); | ||
75 | |||
76 | - max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? | ||
77 | + max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? | ||
78 | (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; | ||
79 | |||
80 | if (( | ||
81 | #ifdef PNG_MNG_FEATURES_SUPPORTED | ||
82 | !(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) && | ||
83 | #endif | ||
84 | - num_pal == 0) || num_pal > max_num_pal) | ||
85 | + num_pal == 0) || num_pal > max_palette_length) | ||
86 | { | ||
87 | if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | ||
88 | { | ||
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch new file mode 100644 index 0000000000..0e0ad23200 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch | |||
@@ -0,0 +1,79 @@ | |||
1 | From 1bef8e97995c33123665582e57d3ed40b57d5978 Mon Sep 17 00:00:00 2001 | ||
2 | From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | ||
3 | Date: Fri, 30 Oct 2015 11:34:37 -0500 | ||
4 | Subject: [PATCH] [libpng16] Silently truncate over-length PLTE chunk while | ||
5 | reading. | ||
6 | |||
7 | Upstream-Status: Backport | ||
8 | https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978 | ||
9 | |||
10 | Normal Issues is date and version conflicts not applied. | ||
11 | |||
12 | CVE: CVE-2015-8i26 patch #3 | ||
13 | |||
14 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
15 | |||
16 | |||
17 | --- | ||
18 | ANNOUNCE | 3 ++- | ||
19 | CHANGES | 3 ++- | ||
20 | pngrutil.c | 15 +++++++++++---- | ||
21 | pngset.c | 2 +- | ||
22 | 4 files changed, 16 insertions(+), 7 deletions(-) | ||
23 | |||
24 | Index: libpng-1.6.17/pngrutil.c | ||
25 | =================================================================== | ||
26 | --- libpng-1.6.17.orig/pngrutil.c | ||
27 | +++ libpng-1.6.17/pngrutil.c | ||
28 | @@ -867,7 +867,7 @@ void /* PRIVATE */ | ||
29 | png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) | ||
30 | { | ||
31 | png_color palette[PNG_MAX_PALETTE_LENGTH]; | ||
32 | - int num, i; | ||
33 | + int max_palette_length, num, i; | ||
34 | #ifdef PNG_POINTER_INDEXING_SUPPORTED | ||
35 | png_colorp pal_ptr; | ||
36 | #endif | ||
37 | @@ -925,9 +925,19 @@ png_handle_PLTE(png_structrp png_ptr, pn | ||
38 | return; | ||
39 | } | ||
40 | |||
41 | + max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? | ||
42 | + (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; | ||
43 | + | ||
44 | /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */ | ||
45 | num = (int)length / 3; | ||
46 | |||
47 | + /* If the palette has 256 or fewer entries but is too large for the bit depth, | ||
48 | + * we don't issue an error, to preserve the behavior of previous libpng versions. | ||
49 | + * We silently truncate the unused extra palette entries here. | ||
50 | + */ | ||
51 | + if (num > max_palette_length) | ||
52 | + num = max_palette_length; | ||
53 | + | ||
54 | #ifdef PNG_POINTER_INDEXING_SUPPORTED | ||
55 | for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++) | ||
56 | { | ||
57 | @@ -997,9 +1007,6 @@ png_handle_PLTE(png_structrp png_ptr, pn | ||
58 | * confusing. | ||
59 | * | ||
60 | * Fix this by not sharing the palette in this way. | ||
61 | - * | ||
62 | - * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when | ||
63 | - * it attempts to set a palette length that is too large for the bit depth. | ||
64 | */ | ||
65 | png_set_PLTE(png_ptr, info_ptr, palette, num); | ||
66 | |||
67 | Index: libpng-1.6.17/pngset.c | ||
68 | =================================================================== | ||
69 | --- libpng-1.6.17.orig/pngset.c | ||
70 | +++ libpng-1.6.17/pngset.c | ||
71 | @@ -523,7 +523,7 @@ png_set_PLTE(png_structrp png_ptr, png_i | ||
72 | max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? | ||
73 | (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; | ||
74 | |||
75 | - if (num_palette < 0 || num_palette > max_palette_length) | ||
76 | + if (num_palette < 0 || num_palette > (int) max_palette_length) | ||
77 | { | ||
78 | if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | ||
79 | png_error(png_ptr, "Invalid palette length"); | ||
diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_4.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_4.patch new file mode 100644 index 0000000000..2622630d10 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_4.patch | |||
@@ -0,0 +1,48 @@ | |||
1 | From 83f4c735c88e7f451541c1528d8043c31ba3b466 Mon Sep 17 00:00:00 2001 | ||
2 | From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | ||
3 | Date: Thu, 5 Nov 2015 11:18:44 -0600 | ||
4 | Subject: [PATCH] [libpng16] Clean up coding style in png_handle_PLTE() | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | https://github.com/glennrp/libpng/commit/83f4c735c88e7f451541c1528d8043c31ba3b466 | ||
8 | |||
9 | CVE: CVE-2015-8126 patch #4 | ||
10 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
11 | |||
12 | --- | ||
13 | pngrutil.c | 17 ++++++++++------- | ||
14 | 1 file changed, 10 insertions(+), 7 deletions(-) | ||
15 | |||
16 | Index: libpng-1.6.17/pngrutil.c | ||
17 | =================================================================== | ||
18 | --- libpng-1.6.17.orig/pngrutil.c | ||
19 | +++ libpng-1.6.17/pngrutil.c | ||
20 | @@ -925,18 +925,21 @@ png_handle_PLTE(png_structrp png_ptr, pn | ||
21 | return; | ||
22 | } | ||
23 | |||
24 | - max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? | ||
25 | - (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; | ||
26 | - | ||
27 | /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */ | ||
28 | num = (int)length / 3; | ||
29 | |||
30 | - /* If the palette has 256 or fewer entries but is too large for the bit depth, | ||
31 | - * we don't issue an error, to preserve the behavior of previous libpng versions. | ||
32 | - * We silently truncate the unused extra palette entries here. | ||
33 | + /* If the palette has 256 or fewer entries but is too large for the bit | ||
34 | + * depth, we don't issue an error, to preserve the behavior of previous | ||
35 | + * libpng versions. We silently truncate the unused extra palette entries | ||
36 | + * here. | ||
37 | */ | ||
38 | + if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) | ||
39 | + max_palette_length = (1 << png_ptr->bit_depth); | ||
40 | + else | ||
41 | + max_palette_length = PNG_MAX_PALETTE_LENGTH; | ||
42 | + | ||
43 | if (num > max_palette_length) | ||
44 | - num = max_palette_length; | ||
45 | + num = max_palette_length; | ||
46 | |||
47 | #ifdef PNG_POINTER_INDEXING_SUPPORTED | ||
48 | for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++) | ||
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.13.bb b/meta/recipes-multimedia/libpng/libpng_1.6.13.bb index 3d32bfea2c..80dcc0a63f 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.13.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.13.bb | |||
@@ -10,6 +10,12 @@ LIBV = "16" | |||
10 | 10 | ||
11 | SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/${PV}/libpng-${PV}.tar.xz \ | 11 | SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/${PV}/libpng-${PV}.tar.xz \ |
12 | " | 12 | " |
13 | SRC_URI += "\ | ||
14 | file://CVE-2015-8126_1.patch \ | ||
15 | file://CVE-2015-8126_2.patch \ | ||
16 | file://CVE-2015-8126_3.patch \ | ||
17 | file://CVE-2015-8126_4.patch \ | ||
18 | " | ||
13 | 19 | ||
14 | SRC_URI[md5sum] = "9822c25466f060142359f80ed142c9e5" | 20 | SRC_URI[md5sum] = "9822c25466f060142359f80ed142c9e5" |
15 | SRC_URI[sha256sum] = "d9c8ce54a5fc8052ed794ca65b553384a74c0608b09ae163cbbb07176018e625" | 21 | SRC_URI[sha256sum] = "d9c8ce54a5fc8052ed794ca65b553384a74c0608b09ae163cbbb07176018e625" |