rpms/libpng/FC-5 libpng-splt-bug.patch, NONE, 1.1 libpng-trns-bug.patch, NONE, 1.1 libpng.spec, 1.27, 1.28

Wed May 23 21:47:11 UTC 2007

Author: tgl

Update of /cvs/dist/rpms/libpng/FC-5
In directory cvs.devel.redhat.com:/tmp/cvs-serv15653

Modified Files:
	libpng.spec 
Added Files:
	libpng-splt-bug.patch libpng-trns-bug.patch 
Log Message:
Add patches for CVE-2006-5793, CVE-2007-2445

libpng-splt-bug.patch:
 pngset.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

--- NEW FILE libpng-splt-bug.patch ---
Fix for CVE-2006-5793 --- potential SIGSEGV due to copying past the end of
memory.  (This is already applied in libpng 1.2.16 and up.)


diff -Naur libpng-1.2.10.orig/pngset.c libpng-1.2.10/pngset.c
--- libpng-1.2.10.orig/pngset.c	2006-04-23 14:45:34.000000000 -0400
+++ libpng-1.2.10/pngset.c	2007-05-13 10:04:38.000000000 -0400
@@ -976,10 +976,10 @@
         /* TODO: use png_malloc_warn */
         png_strcpy(to->name, from->name);
         to->entries = (png_sPLT_entryp)png_malloc(png_ptr,
-            from->nentries * png_sizeof(png_sPLT_t));
+            from->nentries * png_sizeof(png_sPLT_entry));
         /* TODO: use png_malloc_warn */
         png_memcpy(to->entries, from->entries,
-            from->nentries * png_sizeof(png_sPLT_t));
+            from->nentries * png_sizeof(png_sPLT_entry));
         to->nentries = from->nentries;
         to->depth = from->depth;
     }

libpng-trns-bug.patch:
 pngrutil.c |    3 +++
 1 files changed, 3 insertions(+)

--- NEW FILE libpng-trns-bug.patch ---
Fix for CVE-2007-2445 --- libpng crashes if CRC error is detected in
a grayscale tRNS chunk, because png_handle_tRNS leaves inconsistent state
which eventually leads to attempting to free() unallocated memory.


diff -Naur libpng-1.2.16.orig/pngrutil.c libpng-1.2.16/pngrutil.c
--- libpng-1.2.16.orig/pngrutil.c	2007-01-31 08:22:35.000000000 -0500
+++ libpng-1.2.16/pngrutil.c	2007-05-12 17:07:41.000000000 -0400
@@ -1314,7 +1314,10 @@
    }
 
    if (png_crc_finish(png_ptr, 0))
+   {
+      png_ptr->num_trans = 0;
       return;
+   }
 
    png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
       &(png_ptr->trans_values));


Index: libpng.spec
===================================================================
RCS file: /cvs/dist/rpms/libpng/FC-5/libpng.spec,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -r1.27 -r1.28
--- libpng.spec	11 Feb 2006 04:11:17 -0000	1.27
+++ libpng.spec	23 May 2007 21:47:09 -0000	1.28
@@ -1,12 +1,15 @@
 Summary: A library of functions for manipulating PNG image format files.
 Name: libpng
 Version: 1.2.8
-Release: 2.2.1
+Release: 3%{?dist}
 License: OSI certified
 Group: System Environment/Libraries
 Source: ftp://swrinde.nde.swri.edu/pub/png/src/libpng-%{version}.tar.bz2
 Patch0: libpng-rhconf.patch
-Buildroot: %{_tmppath}/%{name}-%{version}-root
+Patch2: libpng-trns-bug.patch
+Patch3: libpng-splt-bug.patch
+
+Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildPrereq: zlib-devel
 Provides: libpng.so.3
 URL: http://www.libpng.org/pub/png/
@@ -27,7 +30,7 @@
 %package devel
 Summary: Development tools for programs to manipulate PNG image format files.
 Group: Development/Libraries
-Requires: libpng = %{epoch}:%{version}, zlib-devel
+Requires: libpng = %{epoch}:%{version}-%{release}, zlib-devel, pkgconfig
 
 %description devel
 The libpng-devel package contains the header files and static
@@ -43,6 +46,8 @@
 
 ln -s scripts/makefile.linux Makefile
 %patch0 -p1 -b .rhconf
+%patch2 -p1
+%patch3 -p1
 
 %build
 make ZLIBLIB=%{_libdir} RPM_OPT_FLAGS="$RPM_OPT_FLAGS" LIBPATH=%{_libdir}
@@ -75,6 +80,14 @@
 rm -rf $RPM_BUILD_ROOT
 
 %changelog
+* Wed May 23 2007 Tom Lane <tgl at redhat.com> 2:1.2.8-3
+- Add patch to fix CVE-2006-5793
+Related: #215405
+- Add patch to fix CVE-2007-2445
+Related: #239542
+- Require pkgconfig in the -devel subpackage
+Resolves: #217903
+
 * Fri Feb 10 2006 Jesse Keating <jkeating at redhat.com> - 2:1.2.8-2.2.1
 - bump again for double-long bug on ppc(64)
 


