[arch-commits] Commit in libpng/trunk (CVE-2011-3026.patch PKGBUILD)

Ionut Biru ibiru at archlinux.org
Fri Feb 17 08:21:33 EST 2012


    Date: Friday, February 17, 2012 @ 08:21:33
  Author: ibiru
Revision: 150422

fix CVE-2011-3026

Added:
  libpng/trunk/CVE-2011-3026.patch
Modified:
  libpng/trunk/PKGBUILD

---------------------+
 CVE-2011-3026.patch |   26 ++++++++++++++++++++++++++
 PKGBUILD            |   13 +++++++++----
 2 files changed, 35 insertions(+), 4 deletions(-)

Added: CVE-2011-3026.patch
===================================================================
--- CVE-2011-3026.patch	                        (rev 0)
+++ CVE-2011-3026.patch	2012-02-17 13:21:33 UTC (rev 150422)
@@ -0,0 +1,26 @@
+http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660026
+http://src.chromium.org/viewvc/chrome/branches/963/src/third_party/libpng/pngrutil.c?r1=121492&r2=121491&pathrev=121492
+
+Check for both truncation (64-bit platforms) and integer overflow.
+
+--- a/pngrutil.c	2012-02-01 16:00:34.000000000 +1100
++++ b/pngrutil.c	2012-02-16 09:05:45.000000000 +1100
+@@ -457,8 +457,16 @@ png_decompress_chunk(png_structp png_ptr
+       {
+          /* Success (maybe) - really uncompress the chunk. */
+          png_size_t new_size = 0;
+-         png_charp text = (png_charp)png_malloc_warn(png_ptr,
+-             prefix_size + expanded_size + 1);
++         png_charp text = NULL;
++         /* Need to check for both truncation (64-bit platforms) and integer
++          * overflow.
++          */
++         if (prefix_size + expanded_size > prefix_size &&
++             prefix_size + expanded_size < 0xffffffffU)
++         {
++            png_charp text = (png_charp)png_malloc_warn(png_ptr,
++                prefix_size + expanded_size + 1);
++         }
+ 
+          if (text != NULL)
+          {

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2012-02-17 13:03:41 UTC (rev 150421)
+++ PKGBUILD	2012-02-17 13:21:33 UTC (rev 150422)
@@ -6,8 +6,8 @@
 
 pkgname=libpng
 pkgver=1.5.8
-_apngver=1.5.7
-pkgrel=1
+_apngver=1.5.8
+pkgrel=2
 pkgdesc="A collection of routines used to create PNG format graphics files"
 arch=('i686' 'x86_64')
 url="http://www.libpng.org/pub/png/libpng.html"
@@ -15,9 +15,11 @@
 depends=('zlib' 'sh')
 options=('!libtool')
 source=("http://downloads.sourceforge.net/sourceforge/$pkgname/$pkgname-$pkgver.tar.xz"
-        "http://downloads.sourceforge.net/sourceforge/libpng-apng/libpng-$_apngver-apng.patch.gz")
+        "http://downloads.sourceforge.net/sourceforge/libpng-apng/libpng-$_apngver-apng.patch.gz"
+        CVE-2011-3026.patch)
 md5sums=('0f7ae352beadaff78073733905613041'
-         '6c6a674048cec94db1bc35decf0d142c')
+         '158772fecdc6d8591bcd382c04da334c'
+         'e3f19c889e57135eed66d0a3a22e2912')
 
 build() {
   cd "$srcdir/$pkgname-$pkgver"
@@ -26,6 +28,9 @@
   # see http://sourceforge.net/projects/libpng-apng/
   patch -p1 -i "$srcdir/libpng-$_apngver-apng.patch"
 
+  #CVE-2011-3026
+  patch -Np1 -i "$srcdir/CVE-2011-3026.patch"
+
   ./configure --prefix=/usr
   make
 }



More information about the arch-commits mailing list