[oe-commits] [openembedded-core] 27/29: libpng: CVE-2018-13785
git at git.openembedded.org
git at git.openembedded.org
Thu Sep 27 11:18:32 UTC 2018
This is an automated email from the git hooks/post-receive script.
rpurdie pushed a commit to branch sumo
in repository openembedded-core.
commit 4cc1862695c6899b61e3900216376c1b2f338a19
Author: Sinan Kaya <okaya at kernel.org>
AuthorDate: Sat Sep 22 02:16:49 2018 +0000
libpng: CVE-2018-13785
* CVE-2018-13785
In libpng 1.6.34, a wrong calculation of row_factor in the
png_check_chunk_length function (pngrutil.c) may trigger an
integer overflow and resultant divide-by-zero while processing
a crafted PNG file, leading to a denial of service.
(cherry picked from 8a05766cb74af05c04c53e6c9d60c13fc4d59bf2)
Affects libpng <= 1.6.34
CVE: CVE-2018-13785
Ref: https://access.redhat.com/security/cve/cve-2018-13785
Signed-off-by: Sinan Kaya <okaya at kernel.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
.../libpng/files/CVE-2018-13785.patch | 37 ++++++++++++++++++++++
meta/recipes-multimedia/libpng/libpng_1.6.34.bb | 4 ++-
2 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch b/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch
new file mode 100644
index 0000000..84b1af1
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch
@@ -0,0 +1,37 @@
+From 8a05766cb74af05c04c53e6c9d60c13fc4d59bf2 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta at gmail.com>
+Date: Sun, 17 Jun 2018 22:56:29 -0400
+Subject: [PATCH] [libpng16] Fix the calculation of row_factor in
+ png_check_chunk_length
+
+(Bug report by Thuan Pham, SourceForge issue #278)
+Upstream-Status: Backport [https://github.com/glennrp/libpng/commit/8a05766cb74af05c04c53e6c9d60c13fc4d59bf2]
+Signed-off-by: Sinan Kaya <okaya at kernel.org>
+---
+ pngrutil.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/pngrutil.c b/pngrutil.c
+index 95571b517..5ba995abf 100644
+--- a/pngrutil.c
++++ b/pngrutil.c
+@@ -3167,10 +3167,13 @@ png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
+ {
+ png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
+ size_t row_factor =
+- (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
+- + 1 + (png_ptr->interlaced? 6: 0));
++ (size_t)png_ptr->width
++ * (size_t)png_ptr->channels
++ * (png_ptr->bit_depth > 8? 2: 1)
++ + 1
++ + (png_ptr->interlaced? 6: 0);
+ if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
+- idat_limit=PNG_UINT_31_MAX;
++ idat_limit = PNG_UINT_31_MAX;
+ else
+ idat_limit = png_ptr->height * row_factor;
+ row_factor = row_factor > 32566? 32566 : row_factor;
+--
+2.19.0
+
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.34.bb b/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
index e52d032..3877d6c 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.34.bb
@@ -8,7 +8,9 @@ DEPENDS = "zlib"
LIBV = "16"
-SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz"
+SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz \
+ file://CVE-2018-13785.patch \
+"
SRC_URI[md5sum] = "c05b6ca7190a5e387b78657dbe5536b2"
SRC_URI[sha256sum] = "2f1e960d92ce3b3abd03d06dfec9637dfbd22febf107a536b44f7a47c60659f6"
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the Openembedded-commits
mailing list