This patch has not yet been merged upstream and upstream has disputed the security impact of this CVE. So I am not sure if we should take this.
https://github.com/glennrp/libpng/issues/269

Has any distro taken this?

Thanks,
Anuj

> -----Original Message-----
> From: [email protected] <openembedded-[email protected]> On Behalf Of Sakib Sajal
> Sent: Tuesday, March 24, 2020 05:51 AM
> To: [email protected]
> Subject: [OE-core] [PATCH v3] libpng: Fix CVE-2019-6129
>
> Fix memory leak in png_create_info_struct.
>
> Upstream-Status: Submitted [https://github.com/glennrp/libpng/pull/293]
> CVE: CVE-2019-6129
>
> Signed-off-by: Sakib Sajal <[email protected]>
> ---
>  .../libpng/0001-Repair-of-CVE-2019-6129.patch | 28 +++++++++++++++++++
>  .../libpng/libpng_1.6.37.bb                   |  5 +++-
>  2 files changed, 32 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-multimedia/libpng/libpng/0001-Repair-of-CVE-2019-6129.patch
>
> diff --git a/meta/recipes-multimedia/libpng/libpng/0001-Repair-of-CVE-2019-6129.patch b/meta/recipes-multimedia/libpng/libpng/0001-Repair-of-CVE-2019-6129.patch
> new file mode 100644
> index 0000000000..641e771c17
> --- /dev/null
> +++ b/meta/recipes-multimedia/libpng/libpng/0001-Repair-of-CVE-2019-6129.patch
> @@ -0,0 +1,28 @@ > +From c8205147753e6684accb73d79f932d0c028fcc80 Mon Sep 17 00:00:00 2001 > +From: tangyaofang <[email protected]> > +Date: Mon, 10 Jun 2019 11:30:15 +0800 > +Subject: [PATCH] Repair of CVE-2019-6129 > + > +CVE: CVE-2019-6129 > +Upstream-Status: Submitted [https://github.com/glennrp/libpng/pull/293] > +Signed-off-by: Sakib Sajal <[email protected]> > +--- > + contrib/tools/pngcp.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/contrib/tools/pngcp.c b/contrib/tools/pngcp.c index > +16d4e7f4d..a02d5b7ff 100644 > +--- a/contrib/tools/pngcp.c > ++++ b/contrib/tools/pngcp.c > +@@ -506,7 +506,7 @@ static void > + display_clean_read(struct display *dp) { > + if (dp->read_pp != NULL) > +- png_destroy_read_struct(&dp->read_pp, NULL, NULL); > ++ png_destroy_read_struct(&dp->read_pp, (dp->ip!=NULL ? &dp->ip : > ++ NULL), NULL); > + > + if (dp->fp != NULL) > + { > +-- > +2.20.1 > + > diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes- > multimedia/libpng/libpng_1.6.37.bb > index 8c53d11642..f33b942cd7 100644 > --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb > +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb > @@ -7,7 +7,10 @@ DEPENDS = "zlib" > > LIBV = "16" > > -SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz" > +SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz > \ > + file://0001-Repair-of-CVE-2019-6129.patch \ > + " > + > SRC_URI[md5sum] = "015e8e15db1eecde5f2eb9eb5b6e59e9" > SRC_URI[sha256sum] = > "505e70834d35383537b6491e7ae8641f1a4bed1876dbfe361201fc80868d88ca" > > -- > 2.24.1
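Review bot: In the contrib/tools/pngcp.c hunk of the new 0001-Repair-of-CVE-2019-6129.patch, the ternary `(dp->ip!=NULL ? &dp->ip : NULL)` adds nothing, because png_destroy_read_struct already skips an info pointer whose target is NULL; `png_destroy_read_struct(&dp->read_pp, &dp->ip, NULL);` is the clearer form and still releases the info struct that display_clean_read previously dropped by passing NULL. Also, as quoted here the new `+` line is broken across two lines (`... &dp->ip :` followed by `NULL), NULL);`); if that wrap exists in the .patch file itself rather than only in this mail, the hunk carries two insertions while its header `@@ -506,7 +506,7 @@` and the diffstat `1 insertion(+), 1 deletion(-)` count one, and the patch will not apply.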
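Review bot: In the libpng_1.6.37.bb hunk, the extra `+` line after the closing `"` of SRC_URI leaves two blank lines before `SRC_URI[md5sum]`, since the original blank line is kept as context; drop the added one. More importantly, the carried patch touches only contrib/tools/pngcp.c, so the recipe change should state whether that file is built into anything this recipe ships; with Upstream-Status still at Submitted, that is what a reviewer needs in order to judge whether the backport is worth carrying. The commit message also attributes the leak to png_create_info_struct, while the hunk fixes the caller in pngcp.c that never handed its info struct back to png_destroy_read_struct; say so in the message so the CVE mapping is accurate.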
View/Reply Online (#136712): https://lists.openembedded.org/g/openembedded-core/message/136712
