From 9b17ee9c5fdced23212d18312b16ef3e2919cd5b Mon Sep 17 00:00:00 2001
From: Nicolas Thill
Date: Thu, 9 Jul 2009 14:43:21 +0000
Subject: [PATCH] libpng: fix 1-bit interlaced images information disclosure vulnerability, bump release number - CVE-2009-2042

SVN-Revision: 16752
---
 libs/libpng/Makefile | 4 ++--
 libs/libpng/patches/901-cve-2009-2042.patch | 13 +++++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 libs/libpng/patches/901-cve-2009-2042.patch

diff --git a/libs/libpng/Makefile b/libs/libpng/Makefile
index 6ce0daf5a..77b98095b 100644
--- a/libs/libpng/Makefile
+++ b/libs/libpng/Makefile
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2006 OpenWrt.org
+# Copyright (C) 2006-2009 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=libpng
 PKG_VERSION:=1.2.29
-PKG_RELEASE:=1
+PKG_RELEASE:=1.1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=@SF/libpng
diff --git a/libs/libpng/patches/901-cve-2009-2042.patch b/libs/libpng/patches/901-cve-2009-2042.patch
new file mode 100644
index 000000000..7ddc48eee
--- /dev/null
+++ b/libs/libpng/patches/901-cve-2009-2042.patch
@@ -0,0 +1,13 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2042
+
+--- a/pngrutil.c
++++ b/pngrutil.c
+@@ -3150,6 +3150,8 @@ defined(PNG_USER_TRANSFORM_PTR_SUPPORTED
+ {
+ png_free(png_ptr,png_ptr->big_row_buf);
+ png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, row_bytes+64);
++ if (png_ptr->interlaced)
++ png_memset(png_ptr->big_row_buf, 0, png_ptr->rowbytes + 64);
+ png_ptr->row_buf = png_ptr->big_row_buf+32;
+ png_ptr->old_big_row_buf_size = row_bytes+64;
+ }
-- 
2.30.2
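Review bot: In the added pngrutil.c lines the buffer is allocated with `row_bytes+64` but cleared with `png_ptr->rowbytes + 64`, two different quantities whose relationship is not visible in this hunk. If `png_ptr->rowbytes` is the smaller one, the tail of `big_row_buf` stays uninitialised and could still leak stale heap bytes into decoded interlaced rows; if it is the larger one, the memset writes past the allocation. Clearing exactly what was allocated avoids both cases: `png_memset(png_ptr->big_row_buf, 0, row_bytes + 64);`. The enclosing block starts outside the hunk, and the `old_big_row_buf_size` bookkeeping suggests the buffer is reused when it is already large enough; that path would not be cleared by this change, so it is worth confirming against the full function.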