[OE-core] [PATCH] libpng: whitelist CVE-2019-17371
Adrian Bunk
bunk at stusta.de
Mon Nov 4 14:01:15 UTC 2019
On Mon, Nov 04, 2019 at 12:42:51PM +0000, Ross Burton wrote:
> This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng
> recipe.
>
> Signed-off-by: Ross Burton <ross.burton at intel.com>
> ---
> meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> index 66af2f3d60e..07970e14360 100644
> --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools"
> FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
>
> BBCLASSEXTEND = "native nativesdk"
> +
> +# CVE-2019-17371 is actually a memory leak in gif2png 2.x
> +CVE_CHECK_WHITELIST = "CVE-2019-17371"
These should use += to not overwrite whitelists defined by
the distribution or the user.
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
More information about the Openembedded-core
mailing list