[v3] libpng: Fix CVE-2019-6129

Submitted by Sakib Sajal on March 23, 2020, 9:50 p.m. | Patch ID: 171242

Details

Message ID 20200323215034.144217-1-sakib.sajal@windriver.com
State Master Next
Commit 38c6b26d5543d75304aec58adb3e2a54253afc25
Headers show

Commit Message

Sakib Sajal March 23, 2020, 9:50 p.m.
Fix memory leak in png_create_info_struct.

Upstream-Status: Submitted [https://github.com/glennrp/libpng/pull/293]
CVE: CVE-2019-6129

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
 .../libpng/0001-Repair-of-CVE-2019-6129.patch | 28 +++++++++++++++++++
 .../libpng/libpng_1.6.37.bb                   |  5 +++-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/libpng/libpng/0001-Repair-of-CVE-2019-6129.patch

Patch hide | download patch | download mbox

diff --git a/meta/recipes-multimedia/libpng/libpng/0001-Repair-of-CVE-2019-6129.patch b/meta/recipes-multimedia/libpng/libpng/0001-Repair-of-CVE-2019-6129.patch
new file mode 100644
index 0000000000..641e771c17
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/libpng/0001-Repair-of-CVE-2019-6129.patch
@@ -0,0 +1,28 @@ 
+From c8205147753e6684accb73d79f932d0c028fcc80 Mon Sep 17 00:00:00 2001
+From: tangyaofang <tangyaofang6666@163.com>
+Date: Mon, 10 Jun 2019 11:30:15 +0800
+Subject: [PATCH] Repair of CVE-2019-6129
+
+CVE: CVE-2019-6129
+Upstream-Status: Submitted [https://github.com/glennrp/libpng/pull/293]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
+---
+ contrib/tools/pngcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/contrib/tools/pngcp.c b/contrib/tools/pngcp.c
+index 16d4e7f4d..a02d5b7ff 100644
+--- a/contrib/tools/pngcp.c
++++ b/contrib/tools/pngcp.c
+@@ -506,7 +506,7 @@ static void
+ display_clean_read(struct display *dp)
+ {
+    if (dp->read_pp != NULL)
+-      png_destroy_read_struct(&dp->read_pp, NULL, NULL);
++      png_destroy_read_struct(&dp->read_pp, (dp->ip!=NULL ? &dp->ip : NULL), NULL);
+ 
+    if (dp->fp != NULL)
+    {
+-- 
+2.20.1
+
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
index 8c53d11642..f33b942cd7 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
@@ -7,7 +7,10 @@  DEPENDS = "zlib"
 
 LIBV = "16"
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz"
+SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz \
+           file://0001-Repair-of-CVE-2019-6129.patch \
+          "
+
 SRC_URI[md5sum] = "015e8e15db1eecde5f2eb9eb5b6e59e9"
 SRC_URI[sha256sum] = "505e70834d35383537b6491e7ae8641f1a4bed1876dbfe361201fc80868d88ca"
 

Comments

Anuj Mittal March 26, 2020, 2:36 a.m.
This patch has not yet been merged upstream and upstream has disputed the security impact of this CVE. So I am not sure if we should take this.

https://github.com/glennrp/libpng/issues/269

Has any distro taken this?

Thanks,

Anuj

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-
> core@lists.openembedded.org> On Behalf Of Sakib Sajal
> Sent: Tuesday, March 24, 2020 05:51 AM
> To: openembedded-core@lists.openembedded.org
> Subject: [OE-core] [PATCH v3] libpng: Fix CVE-2019-6129
> 
> Fix memory leak in png_create_info_struct.
> 
> Upstream-Status: Submitted [https://github.com/glennrp/libpng/pull/293]
> CVE: CVE-2019-6129
> 
> Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> ---
>  .../libpng/0001-Repair-of-CVE-2019-6129.patch | 28 +++++++++++++++++++
>  .../libpng/libpng_1.6.37.bb                   |  5 +++-
>  2 files changed, 32 insertions(+), 1 deletion(-)  create mode 100644 meta/recipes-
> multimedia/libpng/libpng/0001-Repair-of-CVE-2019-6129.patch
> 
> diff --git a/meta/recipes-multimedia/libpng/libpng/0001-Repair-of-CVE-2019-
> 6129.patch b/meta/recipes-multimedia/libpng/libpng/0001-Repair-of-CVE-2019-
> 6129.patch
> new file mode 100644
> index 0000000000..641e771c17
> --- /dev/null
> +++ b/meta/recipes-multimedia/libpng/libpng/0001-Repair-of-CVE-2019-6129
> +++ .patch
> @@ -0,0 +1,28 @@
> +From c8205147753e6684accb73d79f932d0c028fcc80 Mon Sep 17 00:00:00 2001
> +From: tangyaofang <tangyaofang6666@163.com>
> +Date: Mon, 10 Jun 2019 11:30:15 +0800
> +Subject: [PATCH] Repair of CVE-2019-6129
> +
> +CVE: CVE-2019-6129
> +Upstream-Status: Submitted [https://github.com/glennrp/libpng/pull/293]
> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
> +---
> + contrib/tools/pngcp.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/contrib/tools/pngcp.c b/contrib/tools/pngcp.c index
> +16d4e7f4d..a02d5b7ff 100644
> +--- a/contrib/tools/pngcp.c
> ++++ b/contrib/tools/pngcp.c
> +@@ -506,7 +506,7 @@ static void
> + display_clean_read(struct display *dp)  {
> +    if (dp->read_pp != NULL)
> +-      png_destroy_read_struct(&dp->read_pp, NULL, NULL);
> ++      png_destroy_read_struct(&dp->read_pp, (dp->ip!=NULL ? &dp->ip :
> ++ NULL), NULL);
> +
> +    if (dp->fp != NULL)
> +    {
> +--
> +2.20.1
> +
> diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-
> multimedia/libpng/libpng_1.6.37.bb
> index 8c53d11642..f33b942cd7 100644
> --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> @@ -7,7 +7,10 @@ DEPENDS = "zlib"
> 
>  LIBV = "16"
> 
> -SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz"
> +SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz
> \
> +           file://0001-Repair-of-CVE-2019-6129.patch \
> +          "
> +
>  SRC_URI[md5sum] = "015e8e15db1eecde5f2eb9eb5b6e59e9"
>  SRC_URI[sha256sum] =
> "505e70834d35383537b6491e7ae8641f1a4bed1876dbfe361201fc80868d88ca"
> 
> --
> 2.24.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#136712): https://lists.openembedded.org/g/openembedded-core/message/136712
Mute This Topic: https://lists.openembedded.org/mt/72504278/3617530
Group Owner: openembedded-core+owner@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub  [oe-patchwork@oe-patch.openembedded.org]
-=-=-=-=-=-=-=-=-=-=-=-
Richard Purdie March 26, 2020, 12:46 p.m.
On Thu, 2020-03-26 at 02:36 +0000, Anuj Mittal wrote:
> This patch has not yet been merged upstream and upstream has disputed
> the security impact of this CVE. So I am not sure if we should take
> this.
> 
> https://github.com/glennrp/libpng/issues/269
> 
> Has any distro taken this?

I did also read into the CVE and yes, it is quite questionable. I'm
leaning towards not taking it if upstream aren't interested.

Cheers,

Richard
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#136748): https://lists.openembedded.org/g/openembedded-core/message/136748
Mute This Topic: https://lists.openembedded.org/mt/72504278/3617530
Group Owner: openembedded-core+owner@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub  [oe-patchwork@oe-patch.openembedded.org]
-=-=-=-=-=-=-=-=-=-=-=-