commit d5822ee6b6d826070134edd3a9e1480b5df83496
Author: Richard W.M. Jones <rjones(a)redhat.com>
Date: Wed Jun 29 10:35:04 2011 +0100
Include fix for CVE-2011-2501 (RHBZ#717510, RHBZ#717511).
(Cherry picked from commit d3842962c9533415d668efe7751864cd7a5df2aa).
libpng-CVE-2011-2501.patch | 49 ++++++++++++++++++++++++++++++++++++++++++++
mingw32-libpng.spec | 16 +++++++++++++-
2 files changed, 64 insertions(+), 1 deletions(-)
---
diff --git a/libpng-CVE-2011-2501.patch b/libpng-CVE-2011-2501.patch
new file mode 100644
index 0000000..487d8fd
--- /dev/null
+++ b/libpng-CVE-2011-2501.patch
@@ -0,0 +1,49 @@
+Patch from:
+
+
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit...
+
+to fix:
+
+
https://bugzilla.redhat.com/show_bug.cgi?id=717510
+
https://bugzilla.redhat.com/show_bug.cgi?id=717511
+ CVE-2011-2501
+
+I have modified this patch to remove the changes to ANNOUNCE
+and CHANGES files, and the hunk in pngerror.c which just updates
+a comment.
+
+ - RWMJ.
+
+From 65e6d5a34f49acdb362a0625a706c6b914e670af Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
+Date: Tue, 7 Jun 2011 14:58:07 -0500
+Subject: [PATCH] [master] Fixed 1-byte uninitialized memory reference in
png_format_buffer()
+
+(Bug report by Frank Busse, related to CVE-2004-0421).
+---
+ ANNOUNCE | 6 ++++--
+ CHANGES | 4 +++-
+ pngerror.c | 11 ++++++++---
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+
+--- a/pngerror.c
++++ b/pngerror.c
+@@ -186,8 +186,13 @@ png_format_buffer(png_structp png_ptr, png_charp buffer,
png_const_charp
+ {
+ buffer[iout++] = ':';
+ buffer[iout++] = ' ';
+- png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT);
+- buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0';
++
++ iin = 0;
++ while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] !=
'\0')
++ buffer[iout++] = error_message[iin++];
++
++ /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */
++ buffer[iout] = '\0';
+ }
+ }
+
+--
+1.7.0.1
+
diff --git a/mingw32-libpng.spec b/mingw32-libpng.spec
index f73d0dc..c9d5a67 100644
--- a/mingw32-libpng.spec
+++ b/mingw32-libpng.spec
@@ -6,7 +6,7 @@
Name: mingw32-libpng
Version: 1.2.37
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: MinGW Windows Libpng library
License: zlib
@@ -15,6 +15,14 @@ Source0:
ftp://ftp.simplesystems.org/pub/png/src/libpng-%{version}.tar.bz
Patch0: libpng-multilib.patch
Patch1: libpng-pngconf.patch
+#
https://bugzilla.redhat.com/show_bug.cgi?id=717510
+#
https://bugzilla.redhat.com/show_bug.cgi?id=717511
+# CVE-2011-2501
+#
+# *** NOTE *** When updating the package, please ensure the
+# new version either contains this fix, or this patch is retained.
+Patch3: libpng-CVE-2011-2501.patch
+
Group: Development/Libraries
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -36,6 +44,9 @@ MinGW Windows Libpng library.
%patch0 -p1
%patch1 -p1
+%patch3 -p1
+
+
%build
%{_mingw32_configure}
make
@@ -76,6 +87,9 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Wed Jun 29 2011 Richard W.M. Jones <rjones(a)redhat.com> - 1.2.37-2
+- Include fix for CVE-2011-2501 (RHBZ#717510, RHBZ#717511).
+
* Tue Jun 9 2009 Richard W.M. Jones <rjones(a)redhat.com> - 1.2.37-1
- New upstream version 1.2.37 to fix SECURITY bug RHBZ#504782.