From: Adrian Bunk <bunk@stusta.de>
To: Ross Burton <ross.burton@intel.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH] libpng: whitelist CVE-2019-17371
Date: Mon, 4 Nov 2019 16:01:15 +0200 [thread overview]
Message-ID: <20191104140115.GA5390@localhost> (raw)
In-Reply-To: <20191104124251.21923-1-ross.burton@intel.com>
On Mon, Nov 04, 2019 at 12:42:51PM +0000, Ross Burton wrote:
> This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng
> recipe.
>
> Signed-off-by: Ross Burton <ross.burton@intel.com>
> ---
> meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> index 66af2f3d60e..07970e14360 100644
> --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools"
> FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
>
> BBCLASSEXTEND = "native nativesdk"
> +
> +# CVE-2019-17371 is actually a memory leak in gif2png 2.x
> +CVE_CHECK_WHITELIST = "CVE-2019-17371"
These should use += to not overwrite whitelists defined by
the distribution or the user.
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
next prev parent reply other threads:[~2019-11-04 14:01 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-04 12:42 [PATCH] libpng: whitelist CVE-2019-17371 Ross Burton
2019-11-04 14:01 ` Adrian Bunk [this message]
2019-11-04 14:24 ` Ross Burton
2019-11-04 15:40 ` Adrian Bunk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191104140115.GA5390@localhost \
--to=bunk@stusta.de \
--cc=openembedded-core@lists.openembedded.org \
--cc=ross.burton@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.