diff options
author | Patrick Williams <patrick@stwcx.xyz> | 2016-03-30 23:21:19 +0300 |
---|---|---|
committer | Patrick Williams <patrick@stwcx.xyz> | 2016-03-30 23:21:19 +0300 |
commit | b4a027550acf2c1051c34f997b8e7e845017af4b (patch) | |
tree | 9e38d3c17b42cb1e6765620a87e908973a93c821 /yocto-poky/meta/recipes-multimedia/libpng | |
parent | 2fe86d90044af218ced8f42fdded6b136f1046d2 (diff) | |
parent | f1e5d6968976c2341c6d554bfcc8895f1b33c26b (diff) | |
download | openbmc-b4a027550acf2c1051c34f997b8e7e845017af4b.tar.xz |
Merge commit 'f1e5d6968976c2341c6d554bfcc8895f1b33c26b' from yocto-2.0.1
Diffstat (limited to 'yocto-poky/meta/recipes-multimedia/libpng')
6 files changed, 390 insertions, 1 deletions
diff --git a/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch b/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch new file mode 100644 index 000000000..25fe1364d --- /dev/null +++ b/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_1.patch @@ -0,0 +1,91 @@ +From 81f44665cce4cb1373f049a76f3904e981b7a766 Mon Sep 17 00:00:00 2001 +From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> +Date: Thu, 29 Oct 2015 09:26:41 -0500 +Subject: [PATCH] [libpng16] Reject attempt to write over-length PLTE chunk + +Upstream-Status: Backport +https://github.com/glennrp/libpng/commit/81f44665cce4cb1373f049a76f3904e981b7a766 + +CVE: CVE-2015-8126 patch #1 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + libpng-manual.txt | 5 +++++ + libpng.3 | 5 +++++ + pngwrite.c | 4 ++-- + pngwutil.c | 7 +++++-- + 4 files changed, 17 insertions(+), 4 deletions(-) + +Index: libpng-1.6.17/libpng-manual.txt +=================================================================== +--- libpng-1.6.17.orig/libpng-manual.txt ++++ libpng-1.6.17/libpng-manual.txt +@@ -5109,6 +5109,11 @@ length, which resulted in PNG files that + chunk. This error was fixed in libpng-1.6.3, and a tool (called + contrib/tools/png-fix-itxt) has been added to the libpng distribution. + ++Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk ++is an error. Previously this requirement of the PNG specification was not ++enforced. Libpng continues to accept over-length PLTE chunks when reading, ++but does not make any use of the extra entries. ++ + XIII. Detecting libpng + + The png_get_io_ptr() function has been present since libpng-0.88, has never +Index: libpng-1.6.17/libpng.3 +=================================================================== +--- libpng-1.6.17.orig/libpng.3 ++++ libpng-1.6.17/libpng.3 +@@ -5613,6 +5613,11 @@ length, which resulted in PNG files that + chunk. This error was fixed in libpng-1.6.3, and a tool (called + contrib/tools/png-fix-itxt) has been added to the libpng distribution. + ++Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk ++is an error. Previously this requirement of the PNG specification was not ++enforced. Libpng continues to accept over-length PLTE chunks when reading, ++but does not make any use of the extra entries. ++ + .SH XIII. Detecting libpng + + The png_get_io_ptr() function has been present since libpng-0.88, has never +Index: libpng-1.6.17/pngwrite.c +=================================================================== +--- libpng-1.6.17.orig/pngwrite.c ++++ libpng-1.6.17/pngwrite.c +@@ -205,7 +205,7 @@ png_write_info(png_structrp png_ptr, png + png_write_PLTE(png_ptr, info_ptr->palette, + (png_uint_32)info_ptr->num_palette); + +- else if ((info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) !=0) ++ else if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) + png_error(png_ptr, "Valid palette required for paletted images"); + + #ifdef PNG_WRITE_tRNS_SUPPORTED +Index: libpng-1.6.17/pngwutil.c +=================================================================== +--- libpng-1.6.17.orig/pngwutil.c ++++ libpng-1.6.17/pngwutil.c +@@ -922,17 +922,20 @@ void /* PRIVATE */ + png_write_PLTE(png_structrp png_ptr, png_const_colorp palette, + png_uint_32 num_pal) + { +- png_uint_32 i; ++ png_uint_32 max_num_pal, i; + png_const_colorp pal_ptr; + png_byte buf[3]; + + png_debug(1, "in png_write_PLTE"); + ++ max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? ++ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; ++ + if (( + #ifdef PNG_MNG_FEATURES_SUPPORTED + (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 && + #endif +- num_pal == 0) || num_pal > 256) ++ num_pal == 0) || num_pal > max_num_pal) + { + if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) + { diff --git a/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch b/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch new file mode 100644 index 000000000..4aa917084 --- /dev/null +++ b/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_2.patch @@ -0,0 +1,134 @@ +From a901eb3ce6087e0afeef988247f1a1aa208cb54d Mon Sep 17 00:00:00 2001 +From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> +Date: Fri, 30 Oct 2015 07:57:49 -0500 +Subject: [PATCH] [libpng16] Prevent reading over-length PLTE chunk (Cosmin + Truta). + +Upstream-Status: Backport +https://github.com/glennrp/libpng/commit/a901eb3ce6087e0afeef988247f1a1aa208cb54d + +Many changes involved date and version updates with don't apply in this case. + +CVE: CVE-2015-8126 patch #2 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + ANNOUNCE | 6 +++--- + CHANGES | 4 ++-- + libpng-manual.txt | 11 +++++------ + libpng.3 | 19 +++++++++---------- + pngrutil.c | 3 +++ + pngset.c | 13 +++++++++---- + pngwutil.c | 6 +++--- + 7 files changed, 34 insertions(+), 28 deletions(-) + +Index: libpng-1.6.17/libpng-manual.txt +=================================================================== +--- libpng-1.6.17.orig/libpng-manual.txt ++++ libpng-1.6.17/libpng-manual.txt +@@ -5109,10 +5109,9 @@ length, which resulted in PNG files that + chunk. This error was fixed in libpng-1.6.3, and a tool (called + contrib/tools/png-fix-itxt) has been added to the libpng distribution. + +-Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk ++Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk + is an error. Previously this requirement of the PNG specification was not +-enforced. Libpng continues to accept over-length PLTE chunks when reading, +-but does not make any use of the extra entries. ++enforced, and the palette was always limited to 256 entries. + + XIII. Detecting libpng + +Index: libpng-1.6.17/libpng.3 +=================================================================== +--- libpng-1.6.17.orig/libpng.3 ++++ libpng-1.6.17/libpng.3 +@@ -5613,10 +5613,9 @@ length, which resulted in PNG files that + chunk. This error was fixed in libpng-1.6.3, and a tool (called + contrib/tools/png-fix-itxt) has been added to the libpng distribution. + +-Starting with libpng-1.6.19, attempting to write an over-length PLTE chunk ++Starting with libpng-1.6.19, attempting to set an over-length PLTE chunk + is an error. Previously this requirement of the PNG specification was not +-enforced. Libpng continues to accept over-length PLTE chunks when reading, +-but does not make any use of the extra entries. ++enforced, and the palette was always limited to 256 entries. + + .SH XIII. Detecting libpng + +Index: libpng-1.6.17/pngrutil.c +=================================================================== +--- libpng-1.6.17.orig/pngrutil.c ++++ libpng-1.6.17/pngrutil.c +@@ -997,6 +997,9 @@ png_handle_PLTE(png_structrp png_ptr, pn + * confusing. + * + * Fix this by not sharing the palette in this way. ++ * ++ * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when ++ * it attempts to set a palette length that is too large for the bit depth. + */ + png_set_PLTE(png_ptr, info_ptr, palette, num); + +Index: libpng-1.6.17/pngset.c +=================================================================== +--- libpng-1.6.17.orig/pngset.c ++++ libpng-1.6.17/pngset.c +@@ -513,12 +513,17 @@ png_set_PLTE(png_structrp png_ptr, png_i + png_const_colorp palette, int num_palette) + { + ++ png_uint_32 max_palette_length; ++ + png_debug1(1, "in %s storage function", "PLTE"); + + if (png_ptr == NULL || info_ptr == NULL) + return; + +- if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH) ++ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? ++ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; ++ ++ if (num_palette < 0 || num_palette > max_palette_length) + { + if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) + png_error(png_ptr, "Invalid palette length"); +@@ -551,8 +556,8 @@ png_set_PLTE(png_structrp png_ptr, png_i + png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0); + + /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead +- * of num_palette entries, in case of an invalid PNG file that has +- * too-large sample values. ++ * of num_palette entries, in case of an invalid PNG file or incorrect ++ * call to png_set_PLTE() with too-large sample values. + */ + png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr, + PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)))); +Index: libpng-1.6.17/pngwutil.c +=================================================================== +--- libpng-1.6.17.orig/pngwutil.c ++++ libpng-1.6.17/pngwutil.c +@@ -922,20 +922,20 @@ void /* PRIVATE */ + png_write_PLTE(png_structrp png_ptr, png_const_colorp palette, + png_uint_32 num_pal) + { +- png_uint_32 max_num_pal, i; ++ png_uint_32 max_palette_length, i; + png_const_colorp pal_ptr; + png_byte buf[3]; + + png_debug(1, "in png_write_PLTE"); + +- max_num_pal = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? ++ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? + (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; + + if (( + #ifdef PNG_MNG_FEATURES_SUPPORTED + (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 && + #endif +- num_pal == 0) || num_pal > max_num_pal) ++ num_pal == 0) || num_pal > max_palette_length) + { + if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) + { diff --git a/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch b/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch new file mode 100644 index 000000000..0e0ad2320 --- /dev/null +++ b/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_3.patch @@ -0,0 +1,79 @@ +From 1bef8e97995c33123665582e57d3ed40b57d5978 Mon Sep 17 00:00:00 2001 +From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> +Date: Fri, 30 Oct 2015 11:34:37 -0500 +Subject: [PATCH] [libpng16] Silently truncate over-length PLTE chunk while + reading. + +Upstream-Status: Backport +https://github.com/glennrp/libpng/commit/1bef8e97995c33123665582e57d3ed40b57d5978 + +Normal Issues is date and version conflicts not applied. + +CVE: CVE-2015-8i26 patch #3 + +Signed-off-by: Armin Kuster <akuster@mvista.com> + + +--- + ANNOUNCE | 3 ++- + CHANGES | 3 ++- + pngrutil.c | 15 +++++++++++---- + pngset.c | 2 +- + 4 files changed, 16 insertions(+), 7 deletions(-) + +Index: libpng-1.6.17/pngrutil.c +=================================================================== +--- libpng-1.6.17.orig/pngrutil.c ++++ libpng-1.6.17/pngrutil.c +@@ -867,7 +867,7 @@ void /* PRIVATE */ + png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) + { + png_color palette[PNG_MAX_PALETTE_LENGTH]; +- int num, i; ++ int max_palette_length, num, i; + #ifdef PNG_POINTER_INDEXING_SUPPORTED + png_colorp pal_ptr; + #endif +@@ -925,9 +925,19 @@ png_handle_PLTE(png_structrp png_ptr, pn + return; + } + ++ max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? ++ (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; ++ + /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */ + num = (int)length / 3; + ++ /* If the palette has 256 or fewer entries but is too large for the bit depth, ++ * we don't issue an error, to preserve the behavior of previous libpng versions. ++ * We silently truncate the unused extra palette entries here. ++ */ ++ if (num > max_palette_length) ++ num = max_palette_length; ++ + #ifdef PNG_POINTER_INDEXING_SUPPORTED + for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++) + { +@@ -997,9 +1007,6 @@ png_handle_PLTE(png_structrp png_ptr, pn + * confusing. + * + * Fix this by not sharing the palette in this way. +- * +- * Starting with libpng-1.6.19, png_set_PLTE() also issues a png_error() when +- * it attempts to set a palette length that is too large for the bit depth. + */ + png_set_PLTE(png_ptr, info_ptr, palette, num); + +Index: libpng-1.6.17/pngset.c +=================================================================== +--- libpng-1.6.17.orig/pngset.c ++++ libpng-1.6.17/pngset.c +@@ -523,7 +523,7 @@ png_set_PLTE(png_structrp png_ptr, png_i + max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? + (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; + +- if (num_palette < 0 || num_palette > max_palette_length) ++ if (num_palette < 0 || num_palette > (int) max_palette_length) + { + if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) + png_error(png_ptr, "Invalid palette length"); diff --git a/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_4.patch b/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_4.patch new file mode 100644 index 000000000..2622630d1 --- /dev/null +++ b/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8126_4.patch @@ -0,0 +1,48 @@ +From 83f4c735c88e7f451541c1528d8043c31ba3b466 Mon Sep 17 00:00:00 2001 +From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> +Date: Thu, 5 Nov 2015 11:18:44 -0600 +Subject: [PATCH] [libpng16] Clean up coding style in png_handle_PLTE() + +Upstream-Status: Backport +https://github.com/glennrp/libpng/commit/83f4c735c88e7f451541c1528d8043c31ba3b466 + +CVE: CVE-2015-8126 patch #4 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + pngrutil.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +Index: libpng-1.6.17/pngrutil.c +=================================================================== +--- libpng-1.6.17.orig/pngrutil.c ++++ libpng-1.6.17/pngrutil.c +@@ -925,18 +925,21 @@ png_handle_PLTE(png_structrp png_ptr, pn + return; + } + +- max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? +- (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; +- + /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */ + num = (int)length / 3; + +- /* If the palette has 256 or fewer entries but is too large for the bit depth, +- * we don't issue an error, to preserve the behavior of previous libpng versions. +- * We silently truncate the unused extra palette entries here. ++ /* If the palette has 256 or fewer entries but is too large for the bit ++ * depth, we don't issue an error, to preserve the behavior of previous ++ * libpng versions. We silently truncate the unused extra palette entries ++ * here. + */ ++ if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ++ max_palette_length = (1 << png_ptr->bit_depth); ++ else ++ max_palette_length = PNG_MAX_PALETTE_LENGTH; ++ + if (num > max_palette_length) +- num = max_palette_length; ++ num = max_palette_length; + + #ifdef PNG_POINTER_INDEXING_SUPPORTED + for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++) diff --git a/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8472.patch b/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8472.patch new file mode 100644 index 000000000..404f012b0 --- /dev/null +++ b/yocto-poky/meta/recipes-multimedia/libpng/libpng-1.6.17/CVE-2015-8472.patch @@ -0,0 +1,29 @@ +From 9f2ad4928e47036cf1ac9b8fe45a491f15be2324 Mon Sep 17 00:00:00 2001 +From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> +Date: Wed, 4 Nov 2015 23:47:42 -0600 +Subject: [PATCH] [libpng16] Fixed new bug with CRC error after reading an + over-length palette. + +Upstream-Status: Backport +CVE: CVE-2015-8472 + +https://github.com/glennrp/libpng/commit/9f2ad4928e47036cf1ac9b8fe45a491f15be2324 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + pngrutil.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: libpng-1.6.17/pngrutil.c +=================================================================== +--- libpng-1.6.17.orig/pngrutil.c ++++ libpng-1.6.17/pngrutil.c +@@ -973,7 +973,7 @@ png_handle_PLTE(png_structrp png_ptr, pn + if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) + #endif + { +- png_crc_finish(png_ptr, 0); ++ png_crc_finish(png_ptr, (int) length - num * 3); + } + + #ifndef PNG_READ_OPT_PLTE_SUPPORTED diff --git a/yocto-poky/meta/recipes-multimedia/libpng/libpng_1.6.17.bb b/yocto-poky/meta/recipes-multimedia/libpng/libpng_1.6.17.bb index 00e5808b9..cc288c7f9 100644 --- a/yocto-poky/meta/recipes-multimedia/libpng/libpng_1.6.17.bb +++ b/yocto-poky/meta/recipes-multimedia/libpng/libpng_1.6.17.bb @@ -8,8 +8,16 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b9b75399b72e4a8656cf3a6ddfc86d9a \ DEPENDS = "zlib" LIBV = "16" -SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/${PV}/libpng-${PV}.tar.xz \ +SRC_URI = "${SOURCEFORGE_MIRROR}/project/libpng/libpng${LIBV}/older-releases/${PV}/libpng-${PV}.tar.xz \ " +SRC_URI += "\ + file://CVE-2015-8126_1.patch \ + file://CVE-2015-8126_2.patch \ + file://CVE-2015-8126_3.patch \ + file://CVE-2015-8126_4.patch \ + file://CVE-2015-8472.patch \ + " + SRC_URI[md5sum] = "430a9b76b78533235cd4b9b26ce75c7e" SRC_URI[sha256sum] = "98507b55fbe5cd43c51981f2924e4671fd81fe35d52dc53357e20f2c77fa5dfd" |