diff --git a/SOURCES/libpng-CVE-2017-12652.patch b/SOURCES/libpng-CVE-2017-12652.patch
new file mode 100644
index 0000000..b17fff5
--- /dev/null
+++ b/SOURCES/libpng-CVE-2017-12652.patch
@@ -0,0 +1,67 @@
+From d81575693e52c25b43bd6a557f34190c377b958b Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson
+Date: Wed, 2 Aug 2017 19:21:19 -0500
+Subject: [PATCH] [libng16] Check length of all chunks except IDAT against user
+ limit.
+
+---
+ pngpread.c | 15 +++++++++++++++
+ pngrutil.c | 16 ++++++++++++++++
+ 2 files changed, 31 insertions(+)
+
+diff --git a/pngpread.c b/pngpread.c
+index 6b65ba8..690df22 100644
+--- a/pngpread.c
++++ b/pngpread.c
+@@ -227,6 +227,21 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr)
+ png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT;
+ }
+
++ else
++ {
++ png_alloc_size_t limit = PNG_SIZE_MAX;
++# ifdef PNG_SET_USER_LIMITS_SUPPORTED
++ if (png_ptr->user_chunk_malloc_max > 0 &&
++ png_ptr->user_chunk_malloc_max < limit)
++ limit = png_ptr->user_chunk_malloc_max;
++# elif PNG_USER_CHUNK_MALLOC_MAX > 0
++ if (PNG_USER_CHUNK_MALLOC_MAX < limit)
++ limit = PNG_USER_CHUNK_MALLOC_MAX;
++# endif
++ if (png_ptr->push_length > limit)
++ png_chunk_error(png_ptr, "chunk data is too large");
++ }
++
+ if (chunk_name == png_IHDR)
+ {
+ if (png_ptr->push_length != 13)
+diff --git a/pngrutil.c b/pngrutil.c
+index f6f0864..412ecbb 100644
+--- a/pngrutil.c
++++ b/pngrutil.c
+@@ -177,6 +177,22 @@ png_read_chunk_header(png_structp png_ptr)
+ /* Check to see if chunk name is valid. */
+ png_check_chunk_name(png_ptr, png_ptr->chunk_name);
+
++ /* Check for too-large chunk length */
++ if (png_ptr->chunk_name != png_IDAT)
++ {
++ png_alloc_size_t limit = PNG_SIZE_MAX;
++# ifdef PNG_SET_USER_LIMITS_SUPPORTED
++ if (png_ptr->user_chunk_malloc_max > 0 &&
++ png_ptr->user_chunk_malloc_max < limit)
++ limit = png_ptr->user_chunk_malloc_max;
++# elif PNG_USER_CHUNK_MALLOC_MAX > 0
++ if (PNG_USER_CHUNK_MALLOC_MAX < limit)
++ limit = PNG_USER_CHUNK_MALLOC_MAX;
++# endif
++ if (length > limit)
++ png_chunk_error(png_ptr, "chunk data is too large");
++ }
++
+#ifdef PNG_IO_STATE_SUPPORTED
+ png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
+#endif
+--
+2.21.0
+
diff --git a/SPECS/libpng.spec b/SPECS/libpng.spec
index cce2847..5632ece 100644
--- a/SPECS/libpng.spec
+++ b/SPECS/libpng.spec
@@ -2,7 +2,7 @@ Summary: A library of functions for manipulating PNG image format files
 Name: libpng
 Epoch: 2
 Version: 1.5.13
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: zlib
 Group: System Environment/Libraries
 URL: http://www.libpng.org/pub/png/
@@ -16,6 +16,7 @@ Source1: pngusr.dfa Patch0: libpng-multilib.patch Patch1: libpng-CVE-2013-6954.patch Patch2: libpng-CVE-2015-8126.patch +Patch3: libpng-CVE-2017-12652.patch BuildRequires: zlib-devel, pkgconfig
@@ -62,6 +63,7 @@ cp -p %{SOURCE1} . %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 %build %configure
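Review bot: The length check added by libpng-CVE-2017-12652.patch only rejects anything when a non-zero limit is configured. In both added blocks (png_push_read_chunk in pngpread.c and png_read_chunk_header in pngrutil.c) `limit` starts at `PNG_SIZE_MAX` and is lowered only if `user_chunk_malloc_max > 0` or `PNG_USER_CHUNK_MALLOC_MAX > 0`. With a value of 0 the comparison is against `PNG_SIZE_MAX`, which a 32-bit PNG chunk length should never exceed on a 64-bit build, so the patched package would enforce nothing unless the build default or the calling application (via `png_set_chunk_malloc_max`) supplies a limit. It is worth confirming which default this 1.5.13 build compiles in (the spec ships a `pngusr.dfa`) and recording it next to the check, e.g. `/* 0 means "no limit": this test is a no-op unless a chunk malloc limit is set */`. Both functions start and end outside the quoted hunks, so the declared types of `length` and `push_length` are not visible here.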
@@ -93,14 +95,18 @@ rm -rf $RPM_BUILD_ROOT%{_libdir}/*.la %{_libdir}/libpng*.a %changelog -* Sat Nov 28 2015 Petr Hracek - 2:1.5.13-7 +* Fri Nov 22 2019 Nikola Forró - 2:1.5.13-8 +- Fix CVE-2017-12652 +- Resolves: #1744870 + +* Fri Nov 20 2015 Petr Hracek - 2:1.5.13-7 - Security fix for CVE-2015-8126 -- Changing png_ptr to info_ptf based on upstream -- Related: #1283576 +- Changing png_ptr to info_ptr base on upstream +- Related: #1283575 * Fri Nov 20 2015 Petr Hracek - 2:1.5.13-6 - Security fix for CVE-2015-8126 -- Resolves: #1283576 +- Resolves: #1283575 * Wed Jan 29 2014 Petr Hracek - 2:1.5.13-5 - Adding patch CVE-2013-6954