Buildroot Archive on lore.kernel.org
 help / color / mirror / Atom feed
From: Peter Seiderer via buildroot <buildroot@buildroot.org>
To: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Bernd Kuhls <bernd@kuhls.net>,
	Adam Duskett <adam.duskett@amarulasolutions.com>,
	buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 3/3] package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch: New security patch
Date: Sun, 7 Jan 2024 21:03:25 +0100	[thread overview]
Message-ID: <20240107210325.2712e100@gmx.net> (raw)
In-Reply-To: <ZZqUtsil3DTT20FN@landeda>

On Sun, 7 Jan 2024 13:10:30 +0100, "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:

> Peter, All,
>
> On 2024-01-07 10:29 +0100, Peter Korsgaard spake thusly:
> > >>>>> "Adam" == Adam Duskett <adam.duskett@amarulasolutions.com> writes:
> >  > Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
> >  > ---
> >  >  ...veral-defects-found-by-Coverity-scan.patch | 61 +++++++++++++++++++
> >  >  1 file changed, 61 insertions(+)
> >  >  create mode 100644 package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
> >
> >  > diff --git a/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch b/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
> >  > new file mode 100644
> >  > index 0000000000..1719769872
> >  > --- /dev/null
> >  > +++ b/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
> >  > @@ -0,0 +1,61 @@
> >  > +From a1c48b91cd1cf1e9bf7077709b69f4bfd4c4abc7 Mon Sep 17 00:00:00 2001
> >  > +From: Sandro Mani <manisandro@gmail.com>
> >  > +Date: Tue, 5 Dec 2023 16:38:48 -0700
> >  > +Subject: [PATCH] Fix several defects found by Coverity scan
> >  > +
> >  > +From: giflib-5.2.1-17.fc39.src.rpm
> >  > +Upstream: Not submitted
> >
> > No upstream and no CVE? Where does this fix then come from?
>
> I was a bit sloppy when applying that one, indeed. As the commit log
> mention, it's taken from the Fedora 39 source package, and I believed it
> was enough reference.
>
> Looking at that source package, it matches the patch named giflib_coverity.patch
> and the Fedora dist-git for that patch date back to 2020-02-17:
>     https://src.fedoraproject.org/rpms/giflib/c/df94d26a07ac8772b3380f4e5b4145daa7bf65e1?branch=rawhide
>
> As far as I could find, it has not been submitted upstream, and upstream
> looks like it has been pretty mothballed for a while now; last commit
> was on 2019-08-17:
>     https://sourceforge.net/p/giflib/mailman/giflib-devel/
>     https://sourceforge.net/p/giflib/code/ci/master/tree/
>
> I could not find any associated CVE:
>
>     https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Aa%3Agiflib_project%3Agiflib%3A5.2.1%3A*%3A*%3A*%3A*%3A*%3A*%3A*
>
> Looking at the code, I doubt it is a security issue, in fact. It's
> probably just a memory leak, as the free() is replaced by this function:
>
>    79 void
>    80 GifFreeMapObject(ColorMapObject *Object)
>    81 {
>    82     if (Object != NULL) {
>    83         (void)free(Object->Colors);
>    84         (void)free(Object);
>    85     }
>    86 }
>
> So, Object->Colors leaked, but I don't think it was a "security" issue.

Matter of judgment if a (very theoretically) denial-of-service/out-of-memory is counted
as 'security' issue ;-)

Regards,
Peter

>
> Regards,
> Yann E. MORIN.
>

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

  parent reply	other threads:[~2024-01-07 20:03 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-12-05 23:59 [Buildroot] [PATCH 0/3] package/giflib security fixes Adam Duskett
2023-12-05 23:59 ` [Buildroot] [PATCH 1/3] package/giflib/0002-Fix-CVE-2022-28506.patch: New security patch Adam Duskett
2023-12-18 16:45   ` Yann E. MORIN
2024-01-07  9:29   ` Peter Korsgaard
2023-12-05 23:59 ` [Buildroot] [PATCH 2/3] package/giflib/0003-Fix-CVE-2023-39742.patch: " Adam Duskett
2023-12-18 16:45   ` Yann E. MORIN
2024-01-07  9:29   ` Peter Korsgaard
2023-12-05 23:59 ` [Buildroot] [PATCH 3/3] package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch: " Adam Duskett
2023-12-18 16:46   ` Yann E. MORIN
2024-01-07  9:29   ` Peter Korsgaard
2024-01-07 12:10     ` Yann E. MORIN
2024-01-07 16:17       ` Peter Korsgaard
2024-01-07 20:03       ` Peter Seiderer via buildroot [this message]
2024-01-07 21:13         ` Yann E. MORIN

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240107210325.2712e100@gmx.net \
    --to=buildroot@buildroot.org \
    --cc=adam.duskett@amarulasolutions.com \
    --cc=bernd@kuhls.net \
    --cc=ps.report@gmx.net \
    --cc=yann.morin.1998@free.fr \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox