diff --git a/libpng-ztxt-bug.patch b/libpng-ztxt-bug.patch
new file mode 100644
index 0000000..7168cf7
--- /dev/null
+++ b/libpng-ztxt-bug.patch
@@ -0,0 +1,17 @@
+Patch for CVE-2008-3964
+
+
+diff -ru4NwbB libpng-1.2.31/pngpread.c libpng-1.2.32beta01/pngpread.c
+--- libpng-1.2.31/pngpread.c 2008-08-21 05:54:13.254898477 -0500
++++ libpng-1.2.32beta01/pngpread.c 2008-09-06 07:03:43.043602194 -0500
+@@ -1278,9 +1278,9 @@
+
+ tmp = text;
+ text = (png_charp)png_malloc(png_ptr, text_size + + (png_uint_32)(png_ptr->zbuf_size
+- - png_ptr->zstream.avail_out));
++ - png_ptr->zstream.avail_out + 1));
+ png_memcpy(text, tmp, text_size);
+ png_free(png_ptr, tmp);
+ png_memcpy(text + text_size, png_ptr->zbuf,
+ png_ptr->zbuf_size - png_ptr->zstream.avail_out);
diff --git a/libpng.spec b/libpng.spec
index b8dda60..2cb8e2a 100644
--- a/libpng.spec
+++ b/libpng.spec
@@ -2,7 +2,7 @@ Summary: A library of functions for manipulating PNG image format files
 Name: libpng
 Epoch: 2
 Version: 1.2.31
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: zlib
 Group: System Environment/Libraries
 URL: http://www.libpng.org/pub/png/
@@ -10,6 +10,7 @@ URL: http://www.libpng.org/pub/png/
 Source: ftp://ftp.simplesystems.org/pub/png/src/libpng-%{version}.tar.bz2
 Patch0: libpng-multilib.patch
 Patch1: libpng-pngconf.patch
+Patch2: libpng-ztxt-bug.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: zlib-devel
@@ -53,6 +54,7 @@ necessary for some boot packages.
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 %build
 %configure
@@ -91,6 +93,10 @@ rm -rf $RPM_BUILD_ROOT%{_libdir}/libpng12.la
 rm -rf $RPM_BUILD_ROOT
 %changelog
+* Tue Sep 9 2008 Tom Lane 2:1.2.31-2
+- Apply upstream patch for zTXT buffer overrun (CVE-2008-3964)
+Related: #461599
+
 * Sat Aug 23 2008 Tom Lane 2:1.2.31-1
 - Update to libpng 1.2.31
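Review bot: The `+ 1` added to the `png_malloc` size in the pngpread.c hunk carried by libpng-ztxt-bug.patch has no comment saying what the extra byte is for. Going by the changelog's "zTXT buffer overrun", it presumably reserves room for a terminating NUL stored at `text + text_size` after the second `png_memcpy`, but that store is outside the nine lines shown and should be confirmed in the enclosing function, which starts and ends outside the hunk. A comment on the changed line such as `/* + 1: room for the trailing '\0' written after the copy */` would keep a later cleanup from dropping it. The size is also computed as `text_size` plus a `(png_uint_32)` term with no visible wrap-around or upper-bound check, so it is worth verifying that the caller caps how far a highly compressible zTXt chunk can grow this buffer.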