diff --git a/libpng-cve-2011-3026-15.patch b/libpng-cve-2011-3026-15.patch
new file mode 100644
index 0000000..9280f42
--- /dev/null
+++ b/libpng-cve-2011-3026-15.patch
@@ -0,0 +1,27 @@
+Patch for CVE-2011-3026 in libpng 1.4 and up, from John Bowler.
+
+
+diff -Naur libpng-1.5.8.orig/pngrutil.c libpng-1.5.8/pngrutil.c
+--- libpng-1.5.8.orig/pngrutil.c 2012-02-01 00:00:34.000000000 -0500
++++ libpng-1.5.8/pngrutil.c 2012-02-16 13:26:51.627339765 -0500
+@@ -432,15 +432,18 @@
+ /* Now check the limits on this chunk - if the limit fails the
+ * compressed data will be removed, the prefix will remain.
+ */
++ if (prefix_size >= (~(png_size_t)0) - 1 ||
++ expanded_size >= (~(png_size_t)0) - 1 - prefix_size
+ #ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED
+- if (png_ptr->user_chunk_malloc_max &&
++ || (png_ptr->user_chunk_malloc_max &&
+ (prefix_size + expanded_size >= png_ptr->user_chunk_malloc_max - 1))
+ #else
+ # ifdef PNG_USER_CHUNK_MALLOC_MAX
+- if ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
++ || ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
+ prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1)
+ # endif
+ #endif
++ )
+ png_warning(png_ptr, "Exceeded size limit while expanding chunk");
+
+ /* If the size is zero either there was an error and a message
diff --git a/libpng-cve-2011-3026.patch b/libpng-cve-2011-3026.patch
new file mode 100644
index 0000000..56c9a8a
--- /dev/null
+++ b/libpng-cve-2011-3026.patch
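Review bot: The new size test only protects the allocation if the statement after this hunk is the `else` arm of this `if` — `png_warning()` is non-fatal, and the comment at the top of the hunk says the compressed data is dropped and the prefix kept on failure, which can only happen if the allocation below is skipped. The hunk stops at the "If the size is zero" comment, so I cannot see whether the `else if (expanded_size > 0)` that should follow is still selected per-configuration (a plain `if` when neither malloc-limit macro is defined, as I recall earlier 1.5.x code doing); now that this `if` is compiled unconditionally, the `else if` must be unconditional too, or a build without `PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED`/`PNG_USER_CHUNK_MALLOC_MAX` warns and then allocates `prefix_size + expanded_size + 1` anyway. The `(~(png_size_t)0) - 1 - prefix_size` operand cannot wrap, because the first operand of the `||` has already rejected `prefix_size >= (~(png_size_t)0) - 1`; a comment such as `/* prefix_size < SIZE_MAX - 1 here, so the subtraction below cannot wrap */` would save the next reader that check, and `PNG_SIZE_MAX` would read better than `(~(png_size_t)0)` if 1.5.8's png.h provides it. The enclosing function starts and ends outside the hunk.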
@@ -0,0 +1,24 @@
+Original Chromium patch for CVE-2011-3026.
+
+
+diff -Naur libpng-1.2.46.orig/pngrutil.c libpng-1.2.46/pngrutil.c
+--- libpng-1.2.46.orig/pngrutil.c 2011-07-09 06:30:23.000000000 -0400
++++ libpng-1.2.46/pngrutil.c 2012-02-16 10:28:14.433079740 -0500
+@@ -363,8 +363,15 @@
+ {
+ /* Success (maybe) - really uncompress the chunk. */
+ png_size_t new_size = 0;
+- png_charp text = png_malloc_warn(png_ptr,
+- prefix_size + expanded_size + 1);
++ png_charp text = NULL;
++ /* Need to check for both truncation (64-bit platforms) and integer
++ * overflow.
++ */
++ if (prefix_size + expanded_size > prefix_size &&
++ prefix_size + expanded_size < 0xffffffffU)
++ {
++ text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1);
++ }
+
+ if (text != NULL)
+ {
diff --git a/libpng.spec b/libpng.spec
index ae36556..fc4274a 100644
--- a/libpng.spec
+++ b/libpng.spec
@@ -2,7 +2,7 @@ Summary: A library of functions for manipulating PNG image format files
 Name: libpng
 Epoch: 2
 Version: 1.5.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: zlib
 Group: System Environment/Libraries
 URL: http://www.libpng.org/pub/png/
@@ -21,6 +21,8 @@ Source0: ftp://ftp.simplesystems.org/pub/png/src/libpng-%{version}.tar.bz2
 Source1: ftp://ftp.simplesystems.org/pub/png/src/libpng-%{prevversion}.tar.bz2
 Patch0: libpng-multilib.patch
+Patch1: libpng-cve-2011-3026-15.patch
+Patch2: libpng-cve-2011-3026.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: zlib-devel, pkgconfig
@@ -73,9 +75,13 @@ This package contains shared libraries (only) for libpng 1.2.x.
 %setup -q
 %patch0 -p1
+%patch1 -p1
 tar xfj %{SOURCE1}
+# patch the compat package: -p0 is intentional here
+%patch2 -p0
+
 %build
 %configure
 make %{?_smp_mflags}
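Review bot: `prefix_size + expanded_size > prefix_size` rejects `expanded_size == 0` together with a wrapped sum, so a chunk that reaches this block with zero decompressed bytes now takes the `text == NULL` path instead of getting the `prefix_size + 1` byte buffer the removed lines allocated; the exact unsigned overflow test is `>=` (an unsigned `a + b` wraps iff the result is below `a`), so either write `prefix_size + expanded_size >= prefix_size` or add a comment stating that zero is deliberately excluded. The `if` that decides whether this block runs is outside the hunk, so I cannot tell from here whether the zero case is reachable. Minor: the sum is computed three times; a `png_size_t total = prefix_size + expanded_size;` declared next to `new_size` (keeping C89 declaration order) would let the condition read `if (total > prefix_size && total < 0xffffffffU)` and the call `png_malloc_warn(png_ptr, total + 1)`. The `< 0xffffffffU` bound addresses the comment's 64-bit truncation concern only if `png_malloc_warn()` takes a 32-bit size in 1.2.46 — worth confirming against its prototype rather than the comment.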
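Review bot: `%patch2 -p0` only applies if the tree unpacked by `tar xfj %{SOURCE1}` is named exactly `libpng-1.2.46`, because the Chromium patch's paths are `libpng-1.2.46/pngrutil.c` while Source1 is derived from `%{prevversion}`; a later prevversion bump will make `%patch2` fail to apply until the patch is regenerated — noisy rather than silent, but the coupling deserves a sentence next to the `-p0` note, e.g. `# patch the compat package (libpng-%{prevversion}): -p0 is intentional, the patch paths carry the 1.2.46 directory name`. Note also that the CVE fix for the 1.5.8 library and the one for the compat library come from different sources (John Bowler's upstream patch vs. Chromium's), so the two libraries end up with different overflow checks; that is fine as long as both are tracked against the upstream 1.5.9 / 1.2.47 fixes. The `%prep` section begins before the hunk.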
@@ -140,6 +146,10 @@ rm -rf $RPM_BUILD_ROOT%{_libdir}/*.la
 rm -rf $RPM_BUILD_ROOT
 %changelog
+* Thu Feb 16 2012 Tom Lane 2:1.5.8-2
+- Fix CVE-2011-3026
+Resolves: #791183
+
 * Fri Feb 3 2012 Tom Lane 2:1.5.8-1
 - Update to libpng 1.5.8, for minor security issue (CVE-2011-3464)