[OE-core] [PATCH] libpng: whitelist CVE-2019-17371
Ross Burton
ross.burton at intel.com
Mon Nov 4 14:24:08 UTC 2019
On 04/11/2019 14:01, Adrian Bunk wrote:
> On Mon, Nov 04, 2019 at 12:42:51PM +0000, Ross Burton wrote:
>> This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng
>> recipe.
>>
>> Signed-off-by: Ross Burton <ross.burton at intel.com>
>> ---
>> meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
>> index 66af2f3d60e..07970e14360 100644
>> --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
>> +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
>> @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools"
>> FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
>>
>> BBCLASSEXTEND = "native nativesdk"
>> +
>> +# CVE-2019-17371 is actually a memory leak in gif2png 2.x
>> +CVE_CHECK_WHITELIST = "CVE-2019-17371"
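Review bot: `CVE_CHECK_WHITELIST = "CVE-2019-17371"` is a plain assignment, so it replaces any value a distro config or local.conf set with `=` or `+=` earlier in parsing; if the intent is a per-recipe whitelist that still respects other layers, use `+=` here or state in the comment that other layers are expected to use `_append`. The comment above the line says the CVE is really in gif2png 2.x, which is the justification for ignoring it in libpng; a pointer to where that determination was made would let a later reader verify it before the entry is kept through future libpng upgrades.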
>
> These should use += to not overwrite whitelists defined by
> the distribution or the user.
IMHO, the distribution or user should be using _append. The whitelist
should be explicitly per-recipe: there's a CVE which is tagged
incorrectly as being in openssl *and* mod_ssl, we don't want to
whitelist it globally but only in openssl.

V2 incoming, just to be safe, though.

Ross
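As an added illustration of the `=` / `+=` / `_append` distinction discussed above (this is not code from the patch or from either poster), the fragment below shows how a user-level whitelist entry in local.conf survives or is lost depending on which operator the recipe uses. The placeholder CVE ids `CVE-YYYY-NNNN` and `CVE-YYYY-MMMM` are invented for the example; the variable and override names are the 2019-era ones used in the thread (current OE-core spells them `CVE_CHECK_IGNORE` and `:append`).

```bitbake
# Added example, not from the thread. Shows how BitBake assignment order
# affects a per-recipe CVE whitelist. Placeholder ids are constructed.

# --- conf/local.conf (parsed before any recipe) ---
# "+=" is evaluated immediately, early in parsing.
CVE_CHECK_WHITELIST += "CVE-YYYY-NNNN"         # placeholder, user-level entry

# Override-style "_append" is deferred until after the recipe is parsed,
# so it survives a later plain assignment in the recipe.
CVE_CHECK_WHITELIST_append = " CVE-YYYY-MMMM"  # placeholder, user-level entry

# --- meta/recipes-multimedia/libpng/libpng_1.6.37.bb (parsed later) ---
# Option A, the form in the patch: plain assignment discards the "+="
# value from local.conf. Only CVE-2019-17371 and the _append entry remain.
CVE_CHECK_WHITELIST = "CVE-2019-17371"

# Option B: append to whatever the distro or user already set. All three
# entries (CVE-YYYY-NNNN, CVE-2019-17371, CVE-YYYY-MMMM) remain.
# CVE_CHECK_WHITELIST += "CVE-2019-17371"
```

Either option keeps the entry scoped to the libpng recipe, which is the point Ross makes; the difference is only whether a user who wrote `+=` in local.conf instead of `_append` keeps their entries. `bitbake -e libpng | grep ^CVE_CHECK_WHITELIST=` shows the final value for the recipe and is the quickest way to confirm which entries survived.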