
libpng: whitelist CVE-2019-17371

Message ID 20191104124251.21923-1-ross.burton@intel.com
State Superseded

Commit Message

Ross Burton Nov. 4, 2019, 12:42 p.m. UTC
This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng
recipe.

Signed-off-by: Ross Burton <ross.burton@intel.com>

---
 meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++
 1 file changed, 3 insertions(+)

-- 
2.20.1

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Comments

Adrian Bunk Nov. 4, 2019, 2:01 p.m. UTC | #1
On Mon, Nov 04, 2019 at 12:42:51PM +0000, Ross Burton wrote:
> This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng
> recipe.
> 
> Signed-off-by: Ross Burton <ross.burton@intel.com>
> ---
>  meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> index 66af2f3d60e..07970e14360 100644
> --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools"
>  FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
>  
>  BBCLASSEXTEND = "native nativesdk"
> +
> +# CVE-2019-17371 is actually a memory leak in gif2png 2.x
> +CVE_CHECK_WHITELIST = "CVE-2019-17371"

These should use += to not overwrite whitelists defined by
the distribution or the user.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Ross Burton Nov. 4, 2019, 2:24 p.m. UTC | #2
On 04/11/2019 14:01, Adrian Bunk wrote:
> On Mon, Nov 04, 2019 at 12:42:51PM +0000, Ross Burton wrote:
>> This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng
>> recipe.
>>
>> Signed-off-by: Ross Burton <ross.burton@intel.com>
>> ---
>>   meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++
>>   1 file changed, 3 insertions(+)
>>
>> diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
>> index 66af2f3d60e..07970e14360 100644
>> --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
>> +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
>> @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools"
>>   FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
>>   
>>   BBCLASSEXTEND = "native nativesdk"
>> +
>> +# CVE-2019-17371 is actually a memory leak in gif2png 2.x
>> +CVE_CHECK_WHITELIST = "CVE-2019-17371"
> 
> These should use += to not overwrite whitelists defined by
> the distribution or the user.

IMHO, the distribution or user should be using _append.   The whitelist 
should be explicitly per-recipe: there's a CVE which is tagged 
incorrectly as being in openssl *and* mod_ssl, we don't want to 
whitelist it globally but only in openssl.

V2 incoming, just to be safe, though.

Ross
Adrian Bunk Nov. 4, 2019, 3:40 p.m. UTC | #3
On Mon, Nov 04, 2019 at 02:24:08PM +0000, Ross Burton wrote:
> On 04/11/2019 14:01, Adrian Bunk wrote:
> > On Mon, Nov 04, 2019 at 12:42:51PM +0000, Ross Burton wrote:
> > > This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng
> > > recipe.
> > > 
> > > Signed-off-by: Ross Burton <ross.burton@intel.com>
> > > ---
> > >   meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++
> > >   1 file changed, 3 insertions(+)
> > > 
> > > diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> > > index 66af2f3d60e..07970e14360 100644
> > > --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> > > +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> > > @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools"
> > >   FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
> > >   BBCLASSEXTEND = "native nativesdk"
> > > +
> > > +# CVE-2019-17371 is actually a memory leak in gif2png 2.x
> > > +CVE_CHECK_WHITELIST = "CVE-2019-17371"
> > 
> > These should use += to not overwrite whitelists defined by
> > the distribution or the user.
> 
> IMHO, the distribution or user should be using _append.   The whitelist
> should be explicitly per-recipe: there's a CVE which is tagged incorrectly
> as being in openssl *and* mod_ssl, we don't want to whitelist it globally
> but only in openssl.
>...

What I had in mind are a distribution-wide cve-whitelist.inc included 
from the distro conf or using CVE_CHECK_WHITELIST in conf/local.conf,
you don't want to start creating dozens of bbappend files in such 
usecases.

This CVE where a change in OpenSSL created a vulnerability in Apache
would go to the global whitelist for me when I am not using Apache.
In OE it should not be whitelisted in both OpenSSL and Apache, but
this is a different situation.

> Ross


cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

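The three places the thread argues over (the recipe itself, a distro-wide include or conf/local.conf, and a per-recipe bbappend) shown side by side, as an added example that is not part of the patch or of either reply. The recipe path and CVE id are the ones from the patch; the include path, the bbappend path and the second CVE id are placeholders. It uses the BitBake syntax of the time (`_append`); later releases renamed the variable (CVE_CHECK_WHITELIST became CVE_CHECK_IGNORE, later CVE_STATUS) and changed override syntax to `:append`, but the parse-order argument below is unchanged.

```bitbake
# Added example, not code from oe-core or from the patch under review.
# Parse order is what decides who wins: conf/local.conf and the distro
# .conf (and anything they include) are parsed first, then the recipe,
# then its bbappends; "_append" operations are applied last, when the
# recipe's datastore is finalised.

# --- meta/recipes-multimedia/libpng/libpng_1.6.37.bb (the recipe) ---
# "+=" rather than "=": a plain "=" here runs after the conf files and
# silently throws away whatever the distro or user already put in the list.
# CVE-2019-17371 is actually a memory leak in gif2png 2.x
CVE_CHECK_WHITELIST += "CVE-2019-17371"

# --- conf/distro/include/cve-whitelist.inc (placeholder path for the
#     distro-wide list Adrian describes, pulled in by the distro .conf) ---
# Parsed before every recipe. A recipe "+=" keeps this entry; a recipe "="
# would drop it. CVE-XXXX-YYYY is a placeholder, not a real identifier.
CVE_CHECK_WHITELIST += "CVE-XXXX-YYYY"

# --- conf/local.conf (the user's own list) ---
# "_append" is applied after every "=" and "+=" in the recipe, so this
# survives even a clobbering "=". "_append" inserts no separator, hence
# the leading space; "+=" adds one for you.
CVE_CHECK_WHITELIST_append = " CVE-XXXX-YYYY"

# --- meta-mylayer/recipes-multimedia/libpng/libpng_%.bbappend
#     (placeholder layer; Ross's per-recipe route without editing oe-core) ---
CVE_CHECK_WHITELIST_append = " CVE-2019-17371"

# Check the value libpng actually ends up with once everything is combined:
#   bitbake -e libpng | grep '^CVE_CHECK_WHITELIST='
```

`bitbake -e libpng` prints the variable history as comment lines above the final assignment (which file set, appended or overwrote it), so it is the quickest way to confirm that a recipe-level `=` has not eaten a distro-level or local.conf entry before cve-check is trusted to be quiet for the right reason.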

Patch

diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
index 66af2f3d60e..07970e14360 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
@@ -29,3 +29,6 @@  PACKAGES =+ "${PN}-tools"
 FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
 
 BBCLASSEXTEND = "native nativesdk"
+
+# CVE-2019-17371 is actually a memory leak in gif2png 2.x
+CVE_CHECK_WHITELIST = "CVE-2019-17371"
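Review bot: `CVE_CHECK_WHITELIST = "CVE-2019-17371"` at the end of this hunk is a plain assignment, and because the recipe is parsed after the distro configuration and conf/local.conf it overwrites any whitelist entries set there with `=` or `+=` (only a `_append` from those files would survive). Use `CVE_CHECK_WHITELIST += "CVE-2019-17371"` so the recipe adds its entry instead of replacing the list, which is the change the thread agrees on for v2; keeping the one-line justification comment above it is right, since a whitelist entry with no stated reason is hard to audit later.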