Re: [Buildroot] [PATCH 3/3] package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch: New security patch

From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Peter Korsgaard <peter@korsgaard.com>
Cc: Adam Duskett <adam.duskett@amarulasolutions.com>,
	Bernd Kuhls <bernd@kuhls.net>,
	buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 3/3] package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch: New security patch
Date: Sun, 7 Jan 2024 13:10:30 +0100	[thread overview]
Message-ID: <ZZqUtsil3DTT20FN@landeda> (raw)
In-Reply-To: <87msth1ofj.fsf@48ers.dk>

Peter, All,

On 2024-01-07 10:29 +0100, Peter Korsgaard spake thusly:
> >>>>> "Adam" == Adam Duskett <adam.duskett@amarulasolutions.com> writes:
>  > Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
>  > ---
>  >  ...veral-defects-found-by-Coverity-scan.patch | 61 +++++++++++++++++++
>  >  1 file changed, 61 insertions(+)
>  >  create mode 100644 package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
> 
>  > diff --git a/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch b/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
>  > new file mode 100644
>  > index 0000000000..1719769872
>  > --- /dev/null
>  > +++ b/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
>  > @@ -0,0 +1,61 @@
>  > +From a1c48b91cd1cf1e9bf7077709b69f4bfd4c4abc7 Mon Sep 17 00:00:00 2001
>  > +From: Sandro Mani <manisandro@gmail.com>
>  > +Date: Tue, 5 Dec 2023 16:38:48 -0700
>  > +Subject: [PATCH] Fix several defects found by Coverity scan
>  > +
>  > +From: giflib-5.2.1-17.fc39.src.rpm
>  > +Upstream: Not submitted
> 
> No upstream and no CVE? Where does this fix then come from?

I was a bit sloppy when applying that one, indeed. As the commit log
mention, it's taken from the Fedora 39 source package, and I believed it
was enough reference.

Looking at that source package, it matches the patch named giflib_coverity.patch
and the Fedora dist-git for that patch date back to 2020-02-17:
    https://src.fedoraproject.org/rpms/giflib/c/df94d26a07ac8772b3380f4e5b4145daa7bf65e1?branch=rawhide

As far as I could find, it has not been submitted upstream, and upstream
looks like it has been pretty mothballed for a while now; last commit
was on 2019-08-17:
    https://sourceforge.net/p/giflib/mailman/giflib-devel/
    https://sourceforge.net/p/giflib/code/ci/master/tree/

I could not find any associated CVE:

    https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Aa%3Agiflib_project%3Agiflib%3A5.2.1%3A*%3A*%3A*%3A*%3A*%3A*%3A*

Looking at the code, I doubt it is a security issue, in fact. It's
probably just a memory leak, as the free() is replaced by this function:

   79 void
   80 GifFreeMapObject(ColorMapObject *Object)
   81 {
   82     if (Object != NULL) {
   83         (void)free(Object->Colors);
   84         (void)free(Object);
   85     }
   86 }

So, Object->Colors leaked, but I don't think it was a "security" issue.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot