Fix CVE-2019-7317 (#1672411)

2019-02-08 13:17:25 +01:00 · 2019-02-08 13:17:25 +01:00 · 7d73b987b4
commit 7d73b987b4
parent b21b237950
2 changed files with 20 additions and 1 deletions
--- a/libpng-CVE-2019-7317.patch
+++ b/libpng-CVE-2019-7317.patch
@ -0,0 +1,14 @@
+diff --git a/png.c b/png.c
+index a25afeb..ff9da3f 100644
+--- a/png.c
+++ b/png.c
+@@ -4594,8 +4594,7 @@ png_image_free(png_imagep image)
+    if (image != NULL && image->opaque != NULL &&
+       image->opaque->error_buf == NULL)
+    {
+-      /* Ignore errors here: */
+-      (void)png_safe_execute(image, png_image_free_function, image);
+      png_image_free_function(image);
+       image->opaque = NULL;
+    }
+ }
--- a/libpng.spec
+++ b/libpng.spec
@ -2,7 +2,7 @@ Summary:       A library of functions for manipulating PNG image format files
 Name:          libpng
 Epoch:         2
 Version:       1.6.35
-Release:       2%{?dist}
+Release:       3%{?dist}
 License:       zlib
 URL:           http://www.libpng.org/pub/png/

@ -10,6 +10,7 @@ Source0:       https://github.com/glennrp/%{name}/archive/v%{version}/%{name}-%{
 Source1:       pngusr.dfa
 Patch0:        libpng-multilib.patch
 Patch1:        libpng-fix-arm-neon.patch
+Patch2:        libpng-CVE-2019-7317.patch

 BuildRequires: gcc
 BuildRequires: zlib-devel
@ -61,6 +62,7 @@ cp -p %{SOURCE1} .

 %patch0 -p1
 %patch1 -p1 -b .arm
+%patch2 -p1 -b .CVE-2019-7317

 %build
 autoreconf -vif
@ -102,6 +104,9 @@ make check
 %{_bindir}/pngfix

 %changelog
+* Fri Feb 08 2019 Nikola Forró <nforro@redhat.com> - 2:1.6.35-3
+- Fix CVE-2019-7317 (#1672411)
+
 * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2:1.6.35-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild