From patchwork Tue Nov 5 21:38:12 2019
X-Patchwork-Submitter: Adrian Bunk
X-Patchwork-Id: 178561
From: Adrian Bunk
To: openembedded-core@lists.openembedded.org
Date: Tue, 5 Nov 2019 23:38:12 +0200
Message-Id: <20191105213813.27546-4-bunk@stusta.de>
Subject: [OE-core] [zeus][PATCH] libpng: whitelist CVE-2019-17371

From: Ross Burton

This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng recipe.

Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
Signed-off-by: Adrian Bunk
---
 meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb index 66af2f3d60..2ed87a8437 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb 
@@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools" FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp" BBCLASSEXTEND = "native nativesdk" + +# CVE-2019-17371 is actually a memory leak in gif2png 2.x +CVE_CHECK_WHITELIST += "CVE-2019-17371"
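
Review bot: The comment added above CVE_CHECK_WHITELIST in libpng_1.6.37.bb says CVE-2019-17371 is a gif2png 2.x memory leak, but it does not say why the check reports it against this recipe or where that conclusion can be verified. A whitelist entry suppresses the finding for every later build of the recipe, so the justification should be auditable from the recipe itself: consider adding a reference (the upstream report or advisory URL) to the comment, and noting that gif2png is not among the tools this recipe packages (FILES_${PN}-tools lists only png-fix-itxt, pngfix and pngcp). That lets the suppression be re-checked when the recipe is upgraded instead of being carried forward unexamined.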