From e556bbcee03a7ffab00b3748f3370be7f915c772 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Tue, 15 Mar 2016 07:17:13 +0100 Subject: libpng: CVE-2015-8126 Fixes buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8126 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8126 Upstream patches: https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766 https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978 https://github.com/glennrp/libpng/commit/83f4c735c88e7f451541c1528d8043c31ba3b466 Signed-off-by: Sona Sarmadi Signed-off-by: Paul Vaduva --- .../libpng/libpng-1.6.13/CVE-2015-8126_3.patch | 79 ++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch (limited to 'meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch') diff --git a/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch new file mode 100644 index 0000000000..0e0ad23200 --- /dev/null +++ b/meta/recipes-multimedia/libpng/libpng-1.6.13/CVE-2015-8126_3.patch @@ -0,0 +1,79 @@ +From 1bef8e97995c33123665582e57d3ed40b57d5978 Mon Sep 17 00:00:00 2001 +From: Glenn Randers-Pehrson +Date: Fri, 30 Oct 2015 11:34:37 -0500 +Subject: [PATCH] [libpng16] Silently truncate over-length PLTE chunk while + reading. + +Upstream-Status: Backport +https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978 + +Normal Issues is date and version conflicts not applied. + +CVE: CVE-2015-8i26 patch #3 + +Signed-off-by: Armin Kuster + + +--- + ANNOUNCE | 3 ++- + CHANGES | 3 ++- + pngrutil.c | 15 +++++++++++---- + pngset.c | 2 +- + 4 files changed, 16 insertions(+), 7 deletions(-) + +Index: libpng-1.6.17/pngrutil.c +=================================================================== +--- libpng-1.6.17.orig/pngrutil.c ++++ libpng-1.6.17/pngrutil.c +@@ -867,7 +867,7 @@ void /* PRIVATE */ + png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) + { + png_color palette[PNG_MAX_PALETTE_LENGTH]; +- int num, i; ++ int max_palette_length, num, i; + #ifdef PNG_POINTER_INDEXING_SUPPORTED + png_colorp pal_ptr; + #endif +@@ -925,9 +925,19 @@ png_handle_PLTE(png_structrp png_ptr, pn + return; + } + ++ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? ++ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; ++ + /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */ + num = (int)length / 3; + ++ /* If the palette has 256 or fewer entries but is too large for the bit depth, ++ * we don't issue an error, to preserve the behavior of previous libpng versions. ++ * We silently truncate the unused extra palette entries here. ++ */ ++ if (num > max_palette_length) ++ num = max_palette_length; ++ + #ifdef PNG_POINTER_INDEXING_SUPPORTED + for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++) + { +@@ -997,9 +1007,6 @@ png_handle_PLTE(png_structrp png_ptr, pn + * confusing. + * + * Fix this by not sharing the palette in this way. +- * +- * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when +- * it attempts to set a palette length that is too large for the bit depth. + */ + png_set_PLTE(png_ptr, info_ptr, palette, num); + +Index: libpng-1.6.17/pngset.c +=================================================================== +--- libpng-1.6.17.orig/pngset.c ++++ libpng-1.6.17/pngset.c +@@ -523,7 +523,7 @@ png_set_PLTE(png_structrp png_ptr, png_i + max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? + (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; + +- if (num_palette < 0 || num_palette > max_palette_length) ++ if (num_palette < 0 || num_palette > (int) max_palette_length) + { + if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) + png_error(png_ptr, "Invalid palette length"); -- cgit v1.2.3-54-g00ecf