[libpng/f15] Fix CVE-2011-3026
Tom Lane
tgl at fedoraproject.org
Thu Feb 16 20:01:29 UTC 2012
commit 6541985cf717784c33e5dfca43fc844c14e55d83
Author: Tom Lane <tgl at redhat.com>
Date: Thu Feb 16 14:20:49 2012 -0500
Fix CVE-2011-3026
libpng-cve-2011-3026.patch | 24 ++++++++++++++++++++++++
libpng.spec | 8 +++++++-
2 files changed, 31 insertions(+), 1 deletions(-)
---
diff --git a/libpng-cve-2011-3026.patch b/libpng-cve-2011-3026.patch
new file mode 100644
index 0000000..56c9a8a
--- /dev/null
+++ b/libpng-cve-2011-3026.patch
@@ -0,0 +1,24 @@
+Original Chromium patch for CVE-2011-3026.
+
+
+diff -Naur libpng-1.2.46.orig/pngrutil.c libpng-1.2.46/pngrutil.c
+--- libpng-1.2.46.orig/pngrutil.c 2011-07-09 06:30:23.000000000 -0400
++++ libpng-1.2.46/pngrutil.c 2012-02-16 10:28:14.433079740 -0500
+@@ -363,8 +363,15 @@
+ {
+ /* Success (maybe) - really uncompress the chunk. */
+ png_size_t new_size = 0;
+- png_charp text = png_malloc_warn(png_ptr,
+- prefix_size + expanded_size + 1);
++ png_charp text = NULL;
++ /* Need to check for both truncation (64-bit platforms) and integer
++ * overflow.
++ */
++ if (prefix_size + expanded_size > prefix_size &&
++ prefix_size + expanded_size < 0xffffffffU)
++ {
++ text = png_malloc_warn(png_ptr, prefix_size + expanded_size + 1);
++ }
+
+ if (text != NULL)
+ {
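Review bot: The first comparison in the added guard, `prefix_size + expanded_size > prefix_size`, is also false when `expanded_size` is 0, so a zero-length expansion is rejected like an overflow and `text` stays NULL. That is only correct if the enclosing branch, which starts outside this hunk, already guarantees a non-zero `expanded_size`. A rejected size is also indistinguishable from an allocation failure in the visible lines, because both reach `if (text != NULL)` with NULL. If the else path outside the hunk only reports out-of-memory, a separate `png_warning` for the rejected case would make malformed chunks easier to spot in logs. The comment should also say why the bound is 0xffffffffU, presumably a 32-bit allocator size argument, for example `/* Reject sums that wrap png_size_t or that, with the +1, exceed a 32-bit allocation size. */`.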
diff --git a/libpng.spec b/libpng.spec
index 5887609..c1e446d 100644
--- a/libpng.spec
+++ b/libpng.spec
@@ -2,7 +2,7 @@ Summary: A library of functions for manipulating PNG image format files
Name: libpng
Epoch: 2
Version: 1.2.46
-Release: 1%{?dist}
+Release: 2%{?dist}
License: zlib
Group: System Environment/Libraries
URL: http://www.libpng.org/pub/png/
@@ -13,6 +13,7 @@ Source: ftp://ftp.simplesystems.org/pub/png/src/libpng-%{version}.tar.bz2
Patch0: libpng-multilib.patch
Patch1: libpng-pngconf.patch
+Patch2: libpng-cve-2011-3026.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: zlib-devel, pkgconfig
@@ -56,6 +57,7 @@ necessary for some boot packages.
%patch0 -p1
%patch1 -p1
+%patch2 -p1
%build
%configure
@@ -94,6 +96,10 @@ rm -rf $RPM_BUILD_ROOT%{_libdir}/libpng12.la
rm -rf $RPM_BUILD_ROOT
%changelog
+* Thu Feb 16 2012 Tom Lane <tgl at redhat.com> 2:1.2.46-2
+- Fix CVE-2011-3026
+Resolves: #791183
+
* Thu Jul 14 2011 Tom Lane <tgl at redhat.com> 2:1.2.46-1
- Update to libpng 1.2.46, includes fixes for CVE-2011-2501, CVE-2011-2690,
CVE-2011-2691, CVE-2011-2692