[Buildroot] [PATCH 1/1] package/giflib: security bump to version 5.2.1
Fabrice Fontaine
fontaine.fabrice at gmail.com
Mon Aug 19 13:57:33 UTC 2019
Le lun. 19 août 2019 à 15:46, Thomas Petazzoni
<thomas.petazzoni at bootlin.com> a écrit :
>
> On Sun, 18 Aug 2019 14:04:32 +0200
> Fabrice Fontaine <fontaine.fabrice at gmail.com> wrote:
>
> > - Switch to generic-package (autotools has been dropped since version
> > 5.1.5)
> > - Remove hook and instead use dedicated makefile targets to build only
> > shared or static library and not binaries or documentation (added by
> > an upstreamble patch)
> > - ac_cv_prog_have_xmlto=no can be removed as doc is not built anymore
> > - Fix CVE-2018-11490: The DGifDecompressLine function in dgif_lib.c in
> > GIFLIB (possibly version 3.0.x), as later shipped in cgif.c in sam2p
> > 0.49.4, has a heap-based buffer overflow because a certain
> > "Private->RunningCode - 2" array index is not checked. This will lead
> > to a denial of service or possibly unspecified other impact.
> > - Fix CVE-2019-15133: In GIFLIB before 2019-02-16, a malformed GIF file
> > triggers a divide-by-zero exception in the decoder function DGifSlurp
> > in dgif_lib.c if the height field of the ImageSize data structure is
> > equal to zero.
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> > ---
> > ...dd-targets-to-manage-static-building.patch | 69 +++++++++++++++++++
> > package/giflib/giflib.hash | 4 +-
> > package/giflib/giflib.mk | 47 +++++++++----
> > 3 files changed, 104 insertions(+), 16 deletions(-)
> > create mode 100644 package/giflib/0001-Makefile-add-targets-to-manage-static-building.patch
>
> I must say this is quite big of a change for master at this point, and
> for a security bump in general. I'm not sure between applying this, or
> just cherry-picking the two commits that fix the CVEs.
Cherry-picking the two commits for master is probably better.
The CVE-2019-15133 can be retrieved here:
https://sourceforge.net/p/giflib/code/ci/799eb6a3af8a3dd81e2429bf11a72a57e541f908
The CVE-2018-11490 can be retrieved here:
https://sourceforge.net/p/giflib/code/ci/08438a5098f3bb1de23a29334af55eba663f75bd
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
Best Regards,
Fabrice
More information about the buildroot
mailing list