Hello community, here is the log from the commit of package libpng14 for openSUSE:11.4 checked in at Tue Aug 2 18:27:49 CEST 2011. -------- --- old-versions/11.4/all/libpng14/libpng14.changes 2010-09-30 11:55:28.000000000 +0200 +++ 11.4/libpng14/libpng14.changes 2011-07-26 17:34:08.000000000 +0200 @@ -1,0 +2,9 @@ +Tue Jul 26 15:32:28 UTC 2011 - pgajdos@novell.com + +- fixed + * CVE-2011-2501 [bnc#702578] + * CVE-2011-2690 [bnc#706387] + * CVE-2011-2691 [bnc#706388] + * CVE-2011-2692 [bnc#706389] + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/libpng14 Destination is old-versions/11.4/UPDATES/all/libpng14 calling whatdependson for 11.4-i586 New: ---- libpng14-1.4.4-CVE-2011-2501.patch libpng14-1.4.4-CVE-2011-2690.patch libpng14-1.4.4-CVE-2011-2691.patch libpng14-1.4.4-CVE-2011-2692.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libpng14.spec ++++++ --- /var/tmp/diff_new_pack.FJVKpM/_old 2011-08-02 18:27:36.000000000 +0200 +++ /var/tmp/diff_new_pack.FJVKpM/_new 2011-08-02 18:27:36.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package libpng14 (Version 1.4.4) +# spec file for package libpng14 # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -28,11 +28,15 @@ Group: System/Libraries Url: http://www.libpng.org/pub/png/libpng.html Version: %{major}.%{minor}.%{micro} -Release: 1 +Release: 3.<RELEASE4> Summary: Library for the Portable Network Graphics Format (PNG) Source: libpng-%{version}.tar.bz2 Source2: baselibs.conf Patch0: %{name}-build.patch +Patch1: libpng14-1.4.4-CVE-2011-2501.patch +Patch2: libpng14-1.4.4-CVE-2011-2691.patch +Patch3: libpng14-1.4.4-CVE-2011-2692.patch +Patch4: libpng14-1.4.4-CVE-2011-2690.patch BuildRequires: pkg-config zlib-devel BuildRoot: %{_tmppath}/%{name}-%{version}-build %define debug_package_requires %{libname} = %{version}-%{release} @@ -97,6 +101,10 @@ %prep %setup -n libpng-%{version} %patch0 -p1 +%patch1 +%patch2 +%patch3 +%patch4 %build ./autogen.sh ++++++ libpng14-1.4.4-CVE-2011-2501.patch ++++++ http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdif... --- pngerror.c +++ pngerror.c @@ -186,8 +186,13 @@ png_format_buffer(png_structp png_ptr, png_charp buffer, png_const_charp { buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT); - buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0'; + + iin = 0; + while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0') + buffer[iout++] = error_message[iin++]; + + /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */ + buffer[iout] = '\0'; } } ++++++ libpng14-1.4.4-CVE-2011-2690.patch ++++++ http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=blobdiff;... Index: pngrtran.c =================================================================== --- pngrtran.c.orig +++ pngrtran.c @@ -660,10 +660,14 @@ void PNGAPI png_set_rgb_to_gray(png_structp png_ptr, int error_action, double red, double green) { - int red_fixed = (int)((float)red*100000.0 + 0.5); - int green_fixed = (int)((float)green*100000.0 + 0.5); + int red_fixed, green_fixed; if (png_ptr == NULL) return; + if (red > 21474.83647 || red < -21474.83648 || + green > 21474.83647 || green < -21474.83648) + png_error(png_ptr, "ignoring out of range rgb_to_gray coefficients"); + red_fixed = (int)((float)red*100000.0 + 0.5); + green_fixed = (int)((float)green*100000.0 + 0.5); png_set_rgb_to_gray_fixed(png_ptr, error_action, red_fixed, green_fixed); } #endif ++++++ libpng14-1.4.4-CVE-2011-2691.patch ++++++ http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=... --- pngerror.c +++ pngerror.c @@ -87,12 +87,17 @@ png_error(png_structp png_ptr, png_const_charp error_message) void PNGAPI png_err(png_structp png_ptr) { + /* Prior to 1.4.8 the error_fn received a NULL pointer, expressed + * erroneously as '\0', instead of the empty string "". This was + * apparently an error, introduced in libpng-1.2.20, and png_default_error + * will crash in this case. + */ if (png_ptr != NULL && png_ptr->error_fn != NULL) - (*(png_ptr->error_fn))(png_ptr, '\0'); + (*(png_ptr->error_fn))(png_ptr, ""); /* If the custom handler doesn't exist, or if it returns, use the default handler, which will not return. */ - png_default_error(png_ptr, '\0'); + png_default_error(png_ptr, ""); } #endif /* PNG_ERROR_TEXT_SUPPORTED */ ++++++ libpng14-1.4.4-CVE-2011-2692.patch ++++++ http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commit;h=... Index: pngrutil.c =================================================================== --- pngrutil.c.orig +++ pngrutil.c @@ -1810,6 +1810,14 @@ png_handle_sCAL(png_structp png_ptr, png return; } + /* Need unit type, width, \0, height: minimum 4 bytes */ + else if (length < 4) + { + png_warning(png_ptr, "sCAL chunk too short"); + png_crc_finish(png_ptr, length); + return; + } + png_debug1(2, "Allocating and reading sCAL chunk data (%lu bytes)", length + 1); png_ptr->chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1); ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org