From f8caae304a2fa94cf2770b72a313ee843b2f177b Mon Sep 17 00:00:00 2001 From: Brad Bishop Date: Mon, 25 Mar 2019 13:13:56 -0400 Subject: poky: refresh thud: 506ec088e5..e4c0a8a7cb MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update poky to thud HEAD. Alexander Kanavin (1): ca-certificates: upgrade 20180409 -> 20190110 André Draszik (1): systemd: RDEPENDS on util-linux-umount Changqing Li (1): libsndfile1: Security fix CVE-2018-19432 Chen Qi (1): target-sdk-provides-dummy: add more perl modules to avoid populate_sdk failure Douglas Royds (1): libpam: libpamc is licensed under its own BSD-style licence George McCollister (1): systemd: fix CVE-2019-6454 Jonathan Rajotte-Julien (3): lttng-ust: update to 2.10.3 lttng-modules: update to 2.10.9 lttng-tools: update to 2.9.11 Mark Hatle (10): bitbake: gitsm.py: Fix when a submodule is defined, but not initialized bitbake: gitsm.py: Add support for alternative URL formats from submodule files bitbake: tests/fetch.py: Add alternative gitsm test case bitbake: gitsm.py: Optimize code and attempt to resolve locking issue bitbake: gitsm.py: revise unpack bitbake: gitsm.py: Rework the shallow fetcher and test case bitbake: gitsm.py: Refactor the functions and simplify the class bitbake: gitsm.py: Fix relative URLs bitbake: gitsmy.py: Fix unpack of submodules of submodules bitbake: gitsm: The fetcher did not process some recursive submodules properly. Ming Liu (1): rm_work: sort the value of do_build dependencies Oleksandr Kravchuk (1): target-sdk-provides-dummy: add perl-module-overload Richard Purdie (3): target-sdk-provides-dummy: Extend to -dev and -src packages systemd: Update recent CVE patches kernel: Ensure an initramfs is added if configured Robert Yang (1): send-error-report: Add --no-ssl to use http protocol Ross Burton (1): libpng: fix CVE-2019-7317 Change-Id: I3e03c837688d49703b4989a561f3728d616abbec 
Signed-off-by: Brad Bishop
---
 .../libpng/libpng/CVE-2019-7317.patch | 20 ++++++++++++++++++++
 poky/meta/recipes-multimedia/libpng/libpng_1.6.36.bb | 3 ++-
 2 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 poky/meta/recipes-multimedia/libpng/libpng/CVE-2019-7317.patch
(limited to 'poky/meta/recipes-multimedia/libpng')
diff --git a/poky/meta/recipes-multimedia/libpng/libpng/CVE-2019-7317.patch b/poky/meta/recipes-multimedia/libpng/libpng/CVE-2019-7317.patch
new file mode 100644
index 000000000..6ee1f8da3
--- /dev/null
+++ b/poky/meta/recipes-multimedia/libpng/libpng/CVE-2019-7317.patch
@@ -0,0 +1,20 @@
+Use-after-free detected with static analysis.
+
+CVE: CVE-2019-7317
+Upstream-Status: Submitted [https://github.com/glennrp/libpng/issues/275]
+Signed-off-by: Ross Burton
+
+diff --git a/png.c b/png.c
+index 9d9926f638..efd1aecfbd 100644
+--- a/png.c
++++ b/png.c
+@@ -4588,8 +4588,7 @@ png_image_free(png_imagep image)
+ if (image != NULL && image->opaque != NULL &&
+ image->opaque->error_buf == NULL)
+ {
+- /* Ignore errors here: */
+- (void)png_safe_execute(image, png_image_free_function, image);
++ png_image_free_function(image);
+ image->opaque = NULL;
+ }
+ }
diff --git a/poky/meta/recipes-multimedia/libpng/libpng_1.6.36.bb b/poky/meta/recipes-multimedia/libpng/libpng_1.6.36.bb
index 3cf4f7249..a58623788 100644
--- a/poky/meta/recipes-multimedia/libpng/libpng_1.6.36.bb
+++ b/poky/meta/recipes-multimedia/libpng/libpng_1.6.36.bb
@@ -9,7 +9,8 @@ DEPENDS = "zlib"
 LIBV = "16"
-SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz"
+SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz \
+ file://CVE-2019-7317.patch"
 SRC_URI[md5sum] = "df2be2d29c40937fe1f5349b16bc2826"
 SRC_URI[sha256sum] = "eceb924c1fa6b79172fdfd008d335f0e59172a86a66481e09d4089df872aa319"
-- cgit v1.2.3
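Review bot: In the png.c hunk carried by CVE-2019-7317.patch, the new direct call `png_image_free_function(image);` drops the `png_safe_execute` wrapper and the `/* Ignore errors here: */` comment, but the patch header only says "Use-after-free detected with static analysis" and never explains where the freed memory is touched or why the direct call is safe. Presumably the wrapper accesses `image->opaque` after the callback has released it; if so, the header should say it, e.g. `png_safe_execute() touches image->opaque after png_image_free_function() has freed it, so call the function directly.` Because the guard only enters when `image->opaque->error_buf == NULL`, it is worth confirming that nothing reached from `png_image_free_function` can raise a libpng error that now has no trap around it. The header is marked `Upstream-Status: Submitted`, so the recipe should drop this patch once a libpng release carries the accepted fix. The body of `png_image_free` starts outside the hunk.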