| Message ID | 20191104124251.21923-1-ross.burton@intel.com |
|---|---|
| State | Superseded |
| Headers | show |
| Series | libpng: whitelist CVE-2019-17371 | expand |
On Mon, Nov 04, 2019 at 12:42:51PM +0000, Ross Burton wrote: > This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng > recipe. > > Signed-off-by: Ross Burton <ross.burton@intel.com> > --- > meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb > index 66af2f3d60e..07970e14360 100644 > --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb > +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb > @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools" > FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp" > > BBCLASSEXTEND = "native nativesdk" > + > +# CVE-2019-17371 is actually a memory leak in gif2png 2.x > +CVE_CHECK_WHITELIST = "CVE-2019-17371" These should use += to not overwrite whitelists defined by the distribution or the user. cu Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
On 04/11/2019 14:01, Adrian Bunk wrote: > On Mon, Nov 04, 2019 at 12:42:51PM +0000, Ross Burton wrote: >> This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng >> recipe. >> >> Signed-off-by: Ross Burton <ross.burton@intel.com> >> --- >> meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb >> index 66af2f3d60e..07970e14360 100644 >> --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb >> +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb >> @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools" >> FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp" >> >> BBCLASSEXTEND = "native nativesdk" >> + >> +# CVE-2019-17371 is actually a memory leak in gif2png 2.x >> +CVE_CHECK_WHITELIST = "CVE-2019-17371" > > These should use += to not overwrite whitelists defined by > the distribution or the user. IMHO, the distribution or user should be using _append. The whitelist should be explicitly per-recipe: there's a CVE which is tagged incorrectly as being in openssl *and* mod_ssl, we don't want to whitelist it globally but only in openssl. V2 incoming, just to be safe, though. Ross -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
On Mon, Nov 04, 2019 at 02:24:08PM +0000, Ross Burton wrote: > On 04/11/2019 14:01, Adrian Bunk wrote: > > On Mon, Nov 04, 2019 at 12:42:51PM +0000, Ross Burton wrote: > > > This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng > > > recipe. > > > > > > Signed-off-by: Ross Burton <ross.burton@intel.com> > > > --- > > > meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++ > > > 1 file changed, 3 insertions(+) > > > > > > diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb > > > index 66af2f3d60e..07970e14360 100644 > > > --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb > > > +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb > > > @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools" > > > FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp" > > > BBCLASSEXTEND = "native nativesdk" > > > + > > > +# CVE-2019-17371 is actually a memory leak in gif2png 2.x > > > +CVE_CHECK_WHITELIST = "CVE-2019-17371" > > > > These should use += to not overwrite whitelists defined by > > the distribution or the user. > > IMHO, the distribution or user should be using _append. The whitelist > should be explicitly per-recipe: there's a CVE which is tagged incorrectly > as being in openssl *and* mod_ssl, we don't want to whitelist it globally > but only in openssl. >... What I had in mind are a distribution-wide cve-whitelist.inc included from the distro conf or using CVE_CHECK_WHITELIST in conf/local.conf, you don't want to start creating dozens of bbappend files in such usecases. This CVE where a change in OpenSSL created a vulnerability in Apache would go to the global whitelist for me when I am not using Apache. In OE it should not be whitelisted in both OpenSSL and Apache, but this is a different situation. > Ross cu Adrian -- "Is there not promise of rain?" Ling Tan asked suddenly out of the darkness. There had been need of rain for many days. "Only a promise," Lao Er said. Pearl S. Buck - Dragon Seed -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb index 66af2f3d60e..07970e14360 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools" FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp" BBCLASSEXTEND = "native nativesdk" + +# CVE-2019-17371 is actually a memory leak in gif2png 2.x +CVE_CHECK_WHITELIST = "CVE-2019-17371"
This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng recipe. Signed-off-by: Ross Burton <ross.burton@intel.com> --- meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++ 1 file changed, 3 insertions(+) -- 2.20.1 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core