rpms/libpng
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2011-3026

Browse Source
This commit is contained in:
Tom Lane 2012-02-16 14:17:27 -05:00
parent c220705aba
commit 403f53232d
3 changed files with 62 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
libpng-cve-2011-3026-15.patch Normal file
View File

@ -0,0 +1,27 @@
Patch for CVE-2011-3026 in libpng 1.4 and up, from John Bowler.
diff -Naur libpng-1.5.8.orig/pngrutil.c libpng-1.5.8/pngrutil.c
--- libpng-1.5.8.orig/pngrutil.c 2012-02-01 00:00:34.000000000 -0500
+++ libpng-1.5.8/pngrutil.c 2012-02-16 13:26:51.627339765 -0500
@@ -432,15 +432,18 @@
/* Now check the limits on this chunk - if the limit fails the
* compressed data will be removed, the prefix will remain.
*/
+ if (prefix_size >= (~(png_size_t)0) - 1 ||
+ expanded_size >= (~(png_size_t)0) - 1 - prefix_size
#ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED
- if (png_ptr->user_chunk_malloc_max &&
+ || (png_ptr->user_chunk_malloc_max &&
(prefix_size + expanded_size >= png_ptr->user_chunk_malloc_max - 1))
#else
# ifdef PNG_USER_CHUNK_MALLOC_MAX
- if ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
+ || ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1)
# endif
#endif
+ )
png_warning(png_ptr, "Exceeded size limit while expanding chunk");
/* If the size is zero either there was an error and a message

24
libpng-cve-2011-3026.patch Normal file
View File

@ -0,0 +1,24 @@
Original Chromium patch for CVE-2011-3026.
diff -Naur libpng-1.2.46.orig/pngrutil.c libpng-1.2.46/pngrutil.c
--- libpng-1.2.46.orig/pngrutil.c 2011-07-09 06:30:23.000000000 -0400
+++ libpng-1.2.46/pngrutil.c 2012-02-16 10:28:14.433079740 -0500
@@ -363,8 +363,15 @@
{
/* Success (maybe) - really uncompress the chunk. */
png_size_t new_size = 0;
- png_charp text = png_malloc_warn(png_ptr,
- prefix_size + expanded_size + 1);
+ png_charp text = NULL;
+ /* Need to check for both truncation (64-bit platforms) and integer
+ * overflow.
+ */
+ if (prefix_size + expanded_size > prefix_size &&
+ prefix_size + expanded_size < 0xffffffffU)
+ {
+ text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1);
+ }
if (text != NULL)
{

12
libpng.spec
View File

@ -2,7 +2,7 @@ Summary: A library of functions for manipulating PNG image format files
Name: libpng Name: libpng
Epoch: 2 Epoch: 2
Version: 1.5.8 Version: 1.5.8
Release: 1%{?dist} Release: 2%{?dist}
License: zlib License: zlib
Group: System Environment/Libraries Group: System Environment/Libraries
URL: http://www.libpng.org/pub/png/ URL: http://www.libpng.org/pub/png/
@ -21,6 +21,8 @@ Source0: ftp://ftp.simplesystems.org/pub/png/src/libpng-%{version}.tar.bz2
Source1: ftp://ftp.simplesystems.org/pub/png/src/libpng-%{prevversion}.tar.bz2 Source1: ftp://ftp.simplesystems.org/pub/png/src/libpng-%{prevversion}.tar.bz2
Patch0: libpng-multilib.patch Patch0: libpng-multilib.patch
Patch1: libpng-cve-2011-3026-15.patch
Patch2: libpng-cve-2011-3026.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: zlib-devel, pkgconfig BuildRequires: zlib-devel, pkgconfig
@ -73,9 +75,13 @@ This package contains shared libraries (only) for libpng 1.2.x.
%setup -q %setup -q
%patch0 -p1 %patch0 -p1
%patch1 -p1
tar xfj %{SOURCE1} tar xfj %{SOURCE1}
# patch the compat package: -p0 is intentional here
%patch2 -p0
%build %build
%configure %configure
make %{?_smp_mflags} make %{?_smp_mflags}
@ -140,6 +146,10 @@ rm -rf $RPM_BUILD_ROOT%{_libdir}/*.la
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
%changelog %changelog
* Thu Feb 16 2012 Tom Lane <tgl@redhat.com> 2:1.5.8-2
- Fix CVE-2011-3026
Resolves: #791183
* Fri Feb 3 2012 Tom Lane <tgl@redhat.com> 2:1.5.8-1 * Fri Feb 3 2012 Tom Lane <tgl@redhat.com> 2:1.5.8-1
- Update to libpng 1.5.8, for minor security issue (CVE-2011-3464) - Update to libpng 1.5.8, for minor security issue (CVE-2011-3464)