[libpng/f17] Fix CVE-2011-3026
Tom Lane
tgl at fedoraproject.org
Thu Feb 16 19:49:47 UTC 2012
commit ea0ff9e6adb453c2c9cf17a4e7414e274963da14
Author: Tom Lane <tgl at redhat.com>
Date: Thu Feb 16 14:17:27 2012 -0500
Fix CVE-2011-3026
libpng-cve-2011-3026-15.patch | 27 +++++++++++++++++++++++++++
libpng-cve-2011-3026.patch | 24 ++++++++++++++++++++++++
libpng.spec | 12 +++++++++++-
3 files changed, 62 insertions(+), 1 deletions(-)
---
diff --git a/libpng-cve-2011-3026-15.patch b/libpng-cve-2011-3026-15.patch
new file mode 100644
index 0000000..9280f42
--- /dev/null
+++ b/libpng-cve-2011-3026-15.patch
@@ -0,0 +1,27 @@
+Patch for CVE-2011-3026 in libpng 1.4 and up, from John Bowler.
+
+
+diff -Naur libpng-1.5.8.orig/pngrutil.c libpng-1.5.8/pngrutil.c
+--- libpng-1.5.8.orig/pngrutil.c 2012-02-01 00:00:34.000000000 -0500
++++ libpng-1.5.8/pngrutil.c 2012-02-16 13:26:51.627339765 -0500
+@@ -432,15 +432,18 @@
+ /* Now check the limits on this chunk - if the limit fails the
+ * compressed data will be removed, the prefix will remain.
+ */
++ if (prefix_size >= (~(png_size_t)0) - 1 ||
++ expanded_size >= (~(png_size_t)0) - 1 - prefix_size
+ #ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED
+- if (png_ptr->user_chunk_malloc_max &&
++ || (png_ptr->user_chunk_malloc_max &&
+ (prefix_size + expanded_size >= png_ptr->user_chunk_malloc_max - 1))
+ #else
+ # ifdef PNG_USER_CHUNK_MALLOC_MAX
+- if ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
++ || ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
+ prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1)
+ # endif
+ #endif
++ )
+ png_warning(png_ptr, "Exceeded size limit while expanding chunk");
+
+ /* If the size is zero either there was an error and a message
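Review bot: The two new `~(png_size_t)0 - 1` terms at the head of the condition are the substantive fix, but the comment that introduces the block still describes only the configured malloc limit; extend it so both checks are visible to the next reader, e.g. `/* First reject sizes for which prefix_size + expanded_size + 1 would wrap png_size_t, then apply the user chunk malloc limit. */`. The `- 1` in both terms presumably leaves room for a `+ 1` added when the buffer is allocated later in the function; that allocation is not in this hunk, so the assumption should be confirmed and stated in the comment. With the `||` chain, the unchanged `prefix_size + expanded_size` comparison on the `user_chunk_malloc_max` lines is now evaluated only after the sum is known not to wrap, which is what makes it safe. The enclosing function, and the branch that actually skips allocation after the warning, both lie outside this hunk.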
diff --git a/libpng-cve-2011-3026.patch b/libpng-cve-2011-3026.patch
new file mode 100644
index 0000000..56c9a8a
--- /dev/null
+++ b/libpng-cve-2011-3026.patch
@@ -0,0 +1,24 @@
+Original Chromium patch for CVE-2011-3026.
+
+
+diff -Naur libpng-1.2.46.orig/pngrutil.c libpng-1.2.46/pngrutil.c
+--- libpng-1.2.46.orig/pngrutil.c 2011-07-09 06:30:23.000000000 -0400
++++ libpng-1.2.46/pngrutil.c 2012-02-16 10:28:14.433079740 -0500
+@@ -363,8 +363,15 @@
+ {
+ /* Success (maybe) - really uncompress the chunk. */
+ png_size_t new_size = 0;
+- png_charp text = png_malloc_warn(png_ptr,
+- prefix_size + expanded_size + 1);
++ png_charp text = NULL;
++ /* Need to check for both truncation (64-bit platforms) and integer
++ * overflow.
++ */
++ if (prefix_size + expanded_size > prefix_size &&
++ prefix_size + expanded_size < 0xffffffffU)
++ {
++ text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1);
++ }
+
+ if (text != NULL)
+ {
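Review bot: The wraparound test `prefix_size + expanded_size > prefix_size` also rejects expanded_size == 0, where the sum equals prefix_size without overflowing; before this change that case allocated `prefix_size + 1` bytes, afterwards `text` stays NULL and the else-branch of `if (text != NULL)` (outside the hunk) runs instead. For unsigned arithmetic the sum is less than prefix_size exactly when it wrapped, so `>=` keeps the overflow detection and restores the empty-expansion behaviour: `if (prefix_size + expanded_size >= prefix_size &&`. The `0xffffffffU` bound is explained only as "truncation (64-bit platforms)"; if it reflects a 32-bit size parameter on `png_malloc_warn`, say so in the comment and note that the strict `<` leaves room for the `+ 1` on the allocation line, so the constant is not silently out of step with the allocator. The enclosing function starts and ends outside this hunk.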
diff --git a/libpng.spec b/libpng.spec
index ae36556..fc4274a 100644
--- a/libpng.spec
+++ b/libpng.spec
@@ -2,7 +2,7 @@ Summary: A library of functions for manipulating PNG image format files
Name: libpng
Epoch: 2
Version: 1.5.8
-Release: 1%{?dist}
+Release: 2%{?dist}
License: zlib
Group: System Environment/Libraries
URL: http://www.libpng.org/pub/png/
@@ -21,6 +21,8 @@ Source0: ftp://ftp.simplesystems.org/pub/png/src/libpng-%{version}.tar.bz2
Source1: ftp://ftp.simplesystems.org/pub/png/src/libpng-%{prevversion}.tar.bz2
Patch0: libpng-multilib.patch
+Patch1: libpng-cve-2011-3026-15.patch
+Patch2: libpng-cve-2011-3026.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: zlib-devel, pkgconfig
@@ -73,9 +75,13 @@ This package contains shared libraries (only) for libpng 1.2.x.
%setup -q
%patch0 -p1
+%patch1 -p1
tar xfj %{SOURCE1}
+# patch the compat package: -p0 is intentional here
+%patch2 -p0
+
%build
%configure
make %{?_smp_mflags}
@@ -140,6 +146,10 @@ rm -rf $RPM_BUILD_ROOT%{_libdir}/*.la
rm -rf $RPM_BUILD_ROOT
%changelog
+* Thu Feb 16 2012 Tom Lane <tgl at redhat.com> 2:1.5.8-2
+- Fix CVE-2011-3026
+Resolves: #791183
+
* Fri Feb 3 2012 Tom Lane <tgl at redhat.com> 2:1.5.8-1
- Update to libpng 1.5.8, for minor security issue (CVE-2011-3464)