[libpng/f15] Fix CVE-2011-3026

Tom Lane tgl at fedoraproject.org
Thu Feb 16 20:01:29 UTC 2012


commit 6541985cf717784c33e5dfca43fc844c14e55d83
Author: Tom Lane <tgl at redhat.com>
Date:   Thu Feb 16 14:20:49 2012 -0500

    Fix CVE-2011-3026

 libpng-cve-2011-3026.patch |   24 ++++++++++++++++++++++++
 libpng.spec                |    8 +++++++-
 2 files changed, 31 insertions(+), 1 deletions(-)
---
diff --git a/libpng-cve-2011-3026.patch b/libpng-cve-2011-3026.patch
new file mode 100644
index 0000000..56c9a8a
--- /dev/null
+++ b/libpng-cve-2011-3026.patch
@@ -0,0 +1,24 @@
+Original Chromium patch for CVE-2011-3026.
+
+
+diff -Naur libpng-1.2.46.orig/pngrutil.c libpng-1.2.46/pngrutil.c
+--- libpng-1.2.46.orig/pngrutil.c	2011-07-09 06:30:23.000000000 -0400
++++ libpng-1.2.46/pngrutil.c	2012-02-16 10:28:14.433079740 -0500
+@@ -363,8 +363,15 @@
+       {
+          /* Success (maybe) - really uncompress the chunk. */
+          png_size_t new_size = 0;
+-         png_charp text = png_malloc_warn(png_ptr,
+-                        prefix_size + expanded_size + 1);
++         png_charp text = NULL;
++         /* Need to check for both truncation (64-bit platforms) and integer
++          * overflow.
++          */
++         if (prefix_size + expanded_size > prefix_size &&
++             prefix_size + expanded_size < 0xffffffffU)
++         {
++            text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1);
++         }
+ 
+          if (text != NULL)
+          {
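Review bot: The guard `prefix_size + expanded_size < 0xffffffffU` uses a bare constant whose reason the comment only hints at, and the sum is written out three times, so a later edit to one copy could quietly reopen the overflow. I would compute it once with `png_size_t total = prefix_size + expanded_size;` and test `total > prefix_size && total < 0xffffffffU`. The comment should also say that the strict `<` is what keeps the `+ 1` for the terminator from wrapping, and, going by its mention of truncation on 64-bit platforms, that the allocator's size argument is presumably 32 bits wide. When the check fails, `text` stays NULL and control reaches the else side of `if (text != NULL)`, which is outside this hunk; if that branch reports an allocation failure, an oversized chunk would be logged as out of memory rather than as malformed input, so a distinct `png_warning` for the rejected size would help triage. The enclosing function starts and ends outside the hunk.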
diff --git a/libpng.spec b/libpng.spec
index 5887609..c1e446d 100644
--- a/libpng.spec
+++ b/libpng.spec
@@ -2,7 +2,7 @@ Summary: A library of functions for manipulating PNG image format files
 Name: libpng
 Epoch: 2
 Version: 1.2.46
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: zlib
 Group: System Environment/Libraries
 URL: http://www.libpng.org/pub/png/
@@ -13,6 +13,7 @@ Source: ftp://ftp.simplesystems.org/pub/png/src/libpng-%{version}.tar.bz2
 
 Patch0: libpng-multilib.patch
 Patch1: libpng-pngconf.patch
+Patch2: libpng-cve-2011-3026.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: zlib-devel, pkgconfig
@@ -56,6 +57,7 @@ necessary for some boot packages.
 
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 %build
 %configure
@@ -94,6 +96,10 @@ rm -rf $RPM_BUILD_ROOT%{_libdir}/libpng12.la
 rm -rf $RPM_BUILD_ROOT
 
 %changelog
+* Thu Feb 16 2012 Tom Lane <tgl at redhat.com> 2:1.2.46-2
+- Fix CVE-2011-3026
+Resolves: #791183
+
 * Thu Jul 14 2011 Tom Lane <tgl at redhat.com> 2:1.2.46-1
 - Update to libpng 1.2.46, includes fixes for CVE-2011-2501, CVE-2011-2690,
   CVE-2011-2691, CVE-2011-2692

