Hello community, here is the log from the commit of package libpng12 for openSUSE:Factory checked in at 2014-05-06 13:39:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libpng12 (Old) and /work/SRC/openSUSE:Factory/.libpng12.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libpng12" Changes: -------- --- /work/SRC/openSUSE:Factory/libpng12/libpng12.changes 2014-02-09 13:17:49.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.libpng12.new/libpng12.changes 2014-05-06 13:39:41.000000000 +0200 @@ -1,0 +2,7 @@ +Tue Apr 22 14:12:09 UTC 2014 - pgajdos@suse.com + +- security update: + * CVE-2013-7353.patch [bnc#873124] + * CVE-2013-7354.patch [bnc#873123] + +------------------------------------------------------------------- New: ---- libpng-1.2.51-CVE-2013-7353.patch libpng-1.2.51-CVE-2013-7354.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libpng12.spec ++++++ --- /var/tmp/diff_new_pack.nTeWWh/_old 2014-05-06 13:39:42.000000000 +0200 +++ /var/tmp/diff_new_pack.nTeWWh/_new 2014-05-06 13:39:42.000000000 +0200 @@ -32,6 +32,8 @@ Group: System/Libraries Source: http://downloads.sourceforge.net/project/libpng/%{name}/%{version}/libpng-%{version}.tar.xz Source2: baselibs.conf +Patch0: libpng-1.2.51-CVE-2013-7353.patch +Patch1: libpng-1.2.51-CVE-2013-7354.patch BuildRequires: libtool BuildRequires: pkg-config BuildRequires: zlib-devel 
@@ -96,6 +98,8 @@ %prep %setup -n libpng-%{version} +%patch0 +%patch1 %build # We'll never use the old pgcc-2.95.1 with the buggy -O3, so having ++++++ libpng-1.2.51-CVE-2013-7353.patch ++++++ http://sourceforge.net/p/libpng/code/ci/1a3d6e3cf3082a0da998dbf402d384a58948... http://sourceforge.net/p/libpng/code/ci/77a817bfc298a221e3e623acf73c2a1e726c... http://sourceforge.net/p/libpng/code/ci/bec9ca9b8aa0cf16d2cde1757379afbe9adb... Index: pngset.c =================================================================== --- pngset.c.orig 2014-04-22 16:08:23.458978035 +0200 +++ pngset.c 2014-04-22 16:09:15.921977136 +0200 @@ -986,9 +986,17 @@ if (png_ptr == NULL || info_ptr == NULL || num_unknowns == 0) return; - np = (png_unknown_chunkp)png_malloc_warn(png_ptr, - (png_uint_32)((info_ptr->unknown_chunks_num + num_unknowns) * - png_sizeof(png_unknown_chunk))); + if (num_unknowns < 0 || + num_unknowns > INT_MAX-info_ptr->unknown_chunks_num || + (unsigned int)/*SAFE*/(num_unknowns +/*SAFE*/ + info_ptr->unknown_chunks_num) >= + PNG_SIZE_MAX/png_sizeof(png_unknown_chunk)) + np=NULL; + + else + np = (png_unknown_chunkp)png_malloc_warn(png_ptr, + (png_size_t)(info_ptr->unknown_chunks_num + num_unknowns) * + png_sizeof(png_unknown_chunk)); if (np == NULL) { png_warning(png_ptr, ++++++ libpng-1.2.51-CVE-2013-7354.patch ++++++ http://sourceforge.net/p/libpng/code/ci/798d3de5f66b6df6d6605f968da641c24725... http://sourceforge.net/p/libpng/code/ci/77a0a2ea113e699c7021caf1a530d2e2dd90... Index: pngset.c =================================================================== --- pngset.c.orig 2014-04-24 14:13:43.144134631 +0200 +++ pngset.c 2014-04-24 14:23:31.461124549 +0200 
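Review bot: In the pngset.c hunk at -986,9 a rejected count is signalled only by `np=NULL`, so it falls into the existing `if (np == NULL)` warning path and cannot be told apart in logs from a real allocation failure. The sPLT hunk at -921,9 has the same shape, and there the visible message is "No memory for sPLT palettes.". An out-of-range chunk count deserves its own diagnostic, as the text hunk does with "too many text chunks"; for example `png_warning(png_ptr, "too many unknown chunks"); return;` in a braced branch ahead of the allocation, assuming the existing failure path also just returns. The old call cast the size to `png_uint_32` while the new bound is taken against `PNG_SIZE_MAX`; the allocator's parameter type is not visible here, so confirm the product cannot be narrowed when it is passed in. The enclosing function starts and ends outside the hunk.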
@@ -664,6 +664,17 @@ /* Make sure we have enough space in the "text" array in info_struct * to hold all of the incoming text_ptr objects. */ + + if (num_text < 0 || + num_text > INT_MAX - info_ptr->num_text - 8 || + (unsigned int)/*SAFE*/(num_text +/*SAFE*/ + info_ptr->num_text + 8) >= + PNG_SIZE_MAX/png_sizeof(png_text)) + { + png_warning(png_ptr, "too many text chunks"); + return(0); + } + if (info_ptr->num_text + num_text > info_ptr->max_text) { int old_max_text = info_ptr->max_text; @@ -921,9 +932,19 @@ if (png_ptr == NULL || info_ptr == NULL) return; - np = (png_sPLT_tp)png_malloc_warn(png_ptr, - (info_ptr->splt_palettes_num + nentries) * - (png_uint_32)png_sizeof(png_sPLT_t)); + if (nentries < 0 || + nentries > INT_MAX-info_ptr->splt_palettes_num || + (unsigned int)/*SAFE*/(nentries +/*SAFE*/ + info_ptr->splt_palettes_num) >= + PNG_SIZE_MAX/png_sizeof(png_sPLT_t)) + np=NULL; + + else + + np = (png_sPLT_tp)png_malloc_warn(png_ptr, + (info_ptr->splt_palettes_num + nentries) * + (png_size_t)png_sizeof(png_sPLT_t)); + if (np == NULL) { png_warning(png_ptr, "No memory for sPLT palettes."); -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
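Review bot: The rejection branch in the hunk at -664,6 ends in `return(0);`, and the function's return convention is defined outside the hunk. If 0 is also what a successful call returns, a caller cannot tell that its text entries were refused and will carry on as though they were stored. Returning the same value as the function's allocation-failure path would make the refusal visible, though if callers treat that value as fatal the choice should be made deliberately and noted in a comment. The constant 8 in the bound presumably mirrors the slack added when the text array is grown further down; a comment such as `/* 8: same slack as the max_text growth below */` would keep the two from drifting apart.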
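Review bot: The `if`/`else` added in the hunk at -921,9 is unbraced and has blank lines between `np=NULL;`, `else` and the allocation, so a later edit could easily detach the allocation from its guard. Bracing both arms would make the pairing explicit. The size expression casts only the `sizeof` factor, whereas the unknown-chunks hunk casts the sum; writing it the same way, `(png_size_t)(info_ptr->splt_palettes_num + nentries) * png_sizeof(png_sPLT_t)`, lets the two guards be checked side by side. The subtraction `INT_MAX-info_ptr->splt_palettes_num` relies on the stored count being non-negative, and that field is declared outside the hunk.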