[OE-core] [PATCH] libpng: whitelist CVE-2019-17371

Ross Burton ross.burton at intel.com
Mon Nov 4 14:24:08 UTC 2019


On 04/11/2019 14:01, Adrian Bunk wrote:
> On Mon, Nov 04, 2019 at 12:42:51PM +0000, Ross Burton wrote:
>> This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng
>> recipe.
>>
>> Signed-off-by: Ross Burton <ross.burton at intel.com>
>> ---
>>   meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++
>>   1 file changed, 3 insertions(+)
>>
>> diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
>> index 66af2f3d60e..07970e14360 100644
>> --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
>> +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
>> @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools"
>>   FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
>>   
>>   BBCLASSEXTEND = "native nativesdk"
>> +
>> +# CVE-2019-17371 is actually a memory leak in gif2png 2.x
>> +CVE_CHECK_WHITELIST = "CVE-2019-17371"
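Review bot: the plain `=` on the `CVE_CHECK_WHITELIST` line replaces whatever a distro configuration or local.conf already put in that variable with `=` or `+=`, so those entries silently stop applying to this recipe; `CVE_CHECK_WHITELIST += "CVE-2019-17371"` keeps them, and a distro-side `_append` survives either way. The comment gives the reason for the whitelist but not where that determination comes from; a pointer to the report that places the leak in gif2png would make a later audit of the whitelist quicker.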
> 
> These should use += to not overwrite whitelists defined by
> the distribution or the user.

IMHO, the distribution or user should be using _append. The whitelist
should be explicitly per-recipe: there's a CVE which is tagged
incorrectly as being in openssl *and* mod_ssl, we don't want to
whitelist it globally but only in openssl.

V2 incoming, just to be safe, though.

Ross
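The two positions in the thread come down to BitBake assignment ordering: configuration files are parsed before the recipe, a later `=` in the recipe discards an earlier `=` or `+=` value, while `_append` is applied after every ordinary assignment regardless of where it was written. The fragment below is an added illustration, not part of the patch or of any OE-core file; the extra CVE identifiers are placeholders, and the `_pn-libpng` override is assumed to be available via the default `pn-${PN}` entry in OVERRIDES.

```bitbake
# --- distro.conf or local.conf (parsed first) ---

# Variant A: plain append in configuration.
# Lost as soon as a recipe later does CVE_CHECK_WHITELIST = "...".
CVE_CHECK_WHITELIST += "CVE-YYYY-NNNN"        # placeholder id

# Variant B: deferred append, survives any later "=" in the recipe.
CVE_CHECK_WHITELIST_append = " CVE-YYYY-NNNN" # placeholder id, leading space required

# Variant C: per-recipe override from configuration (assumed pn- override),
# so a wrongly attributed CVE is ignored for libpng only, not globally.
CVE_CHECK_WHITELIST_pn-libpng = "CVE-YYYY-NNNN" # placeholder id

# --- libpng recipe (parsed after the configuration) ---

# As posted: hard assignment. Final value with Variant A in force: only
# "CVE-2019-17371"; with Variant B: "CVE-2019-17371 CVE-YYYY-NNNN".
CVE_CHECK_WHITELIST = "CVE-2019-17371"

# Alternative raised in review: append. Final value with Variant A:
# "CVE-YYYY-NNNN CVE-2019-17371"; with Variant B the same two entries.
# CVE_CHECK_WHITELIST += "CVE-2019-17371"
```

Whichever operator the recipe uses, `bitbake -e libpng | grep ^CVE_CHECK_WHITELIST=` shows the value cve-check.bbclass will actually see, which is the check worth running before trusting a whitelist entry.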

