Fix CVE-2011-3026

2012-02-16 14:17:27 -05:00 · 2012-02-16 14:17:27 -05:00 · 403f53232d
commit 403f53232d
parent c220705aba
3 changed files with 62 additions and 1 deletions
--- a/libpng-cve-2011-3026-15.patch
+++ b/libpng-cve-2011-3026-15.patch
@ -0,0 +1,27 @@
+Patch for CVE-2011-3026 in libpng 1.4 and up, from John Bowler.
+
+
+diff -Naur libpng-1.5.8.orig/pngrutil.c libpng-1.5.8/pngrutil.c
+--- libpng-1.5.8.orig/pngrutil.c	2012-02-01 00:00:34.000000000 -0500
+++ libpng-1.5.8/pngrutil.c	2012-02-16 13:26:51.627339765 -0500
+@@ -432,15 +432,18 @@
+       /* Now check the limits on this chunk - if the limit fails the
+        * compressed data will be removed, the prefix will remain.
+        */
+      if (prefix_size >= (~(png_size_t)0) - 1 ||
+         expanded_size >= (~(png_size_t)0) - 1 - prefix_size
+ #ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED
+-      if (png_ptr->user_chunk_malloc_max &&
+         || (png_ptr->user_chunk_malloc_max &&
+           (prefix_size + expanded_size >= png_ptr->user_chunk_malloc_max - 1))
+ #else
+ #  ifdef PNG_USER_CHUNK_MALLOC_MAX
+-      if ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
+         || ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
+           prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1)
+ #  endif
+ #endif
+         )
+          png_warning(png_ptr, "Exceeded size limit while expanding chunk");
+ 
+       /* If the size is zero either there was an error and a message
--- a/libpng-cve-2011-3026.patch
+++ b/libpng-cve-2011-3026.patch
@ -0,0 +1,24 @@
+Original Chromium patch for CVE-2011-3026.
+
+
+diff -Naur libpng-1.2.46.orig/pngrutil.c libpng-1.2.46/pngrutil.c
+--- libpng-1.2.46.orig/pngrutil.c	2011-07-09 06:30:23.000000000 -0400
+++ libpng-1.2.46/pngrutil.c	2012-02-16 10:28:14.433079740 -0500
+@@ -363,8 +363,15 @@
+       {
+          /* Success (maybe) - really uncompress the chunk. */
+          png_size_t new_size = 0;
+-         png_charp text = png_malloc_warn(png_ptr,
+-                        prefix_size + expanded_size + 1);
+         png_charp text = NULL;
+         /* Need to check for both truncation (64-bit platforms) and integer
+          * overflow.
+          */
+         if (prefix_size + expanded_size > prefix_size &&
+             prefix_size + expanded_size < 0xffffffffU)
+         {
+            text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1);
+         }
+ 
+          if (text != NULL)
+          {
--- a/libpng.spec
+++ b/libpng.spec
@ -2,7 +2,7 @@ Summary: A library of functions for manipulating PNG image format files
 Name: libpng
 Epoch: 2
 Version: 1.5.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: zlib
 Group: System Environment/Libraries
 URL: http://www.libpng.org/pub/png/
@ -21,6 +21,8 @@ Source0: ftp://ftp.simplesystems.org/pub/png/src/libpng-%{version}.tar.bz2
 Source1: ftp://ftp.simplesystems.org/pub/png/src/libpng-%{prevversion}.tar.bz2

 Patch0: libpng-multilib.patch
+Patch1: libpng-cve-2011-3026-15.patch
+Patch2: libpng-cve-2011-3026.patch

 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: zlib-devel, pkgconfig
@ -73,9 +75,13 @@ This package contains shared libraries (only) for libpng 1.2.x.
 %setup -q

 %patch0 -p1
+%patch1 -p1

 tar xfj %{SOURCE1}

+# patch the compat package: -p0 is intentional here
+%patch2 -p0
+
 %build
 %configure
 make %{?_smp_mflags}
@ -140,6 +146,10 @@ rm -rf $RPM_BUILD_ROOT%{_libdir}/*.la
 rm -rf $RPM_BUILD_ROOT

 %changelog
+* Thu Feb 16 2012 Tom Lane <tgl@redhat.com> 2:1.5.8-2
+- Fix CVE-2011-3026
+Resolves: #791183
+
 * Fri Feb  3 2012 Tom Lane <tgl@redhat.com> 2:1.5.8-1
 - Update to libpng 1.5.8, for minor security issue (CVE-2011-3464)