[PATCH] libpng: whitelist CVE-2019-17371

Openembedded Core Discussions
 help / color / mirror / Atom feed

* [PATCH] libpng: whitelist CVE-2019-17371
@ 2019-11-04 12:42 Ross Burton
  2019-11-04 14:01 ` Adrian Bunk
  0 siblings, 1 reply; 4+ messages in thread
From: Ross Burton @ 2019-11-04 12:42 UTC (permalink / raw)
  To: openembedded-core

This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng
recipe.

Signed-off-by: Ross Burton <ross.burton@intel.com>
---
 meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
index 66af2f3d60e..07970e14360 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
@@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools"
 FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
 
 BBCLASSEXTEND = "native nativesdk"
+
+# CVE-2019-17371 is actually a memory leak in gif2png 2.x
+CVE_CHECK_WHITELIST = "CVE-2019-17371"
-- 
2.20.1



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] libpng: whitelist CVE-2019-17371
  2019-11-04 12:42 [PATCH] libpng: whitelist CVE-2019-17371 Ross Burton
@ 2019-11-04 14:01 ` Adrian Bunk
  2019-11-04 14:24   ` Ross Burton
  0 siblings, 1 reply; 4+ messages in thread
From: Adrian Bunk @ 2019-11-04 14:01 UTC (permalink / raw)
  To: Ross Burton; +Cc: openembedded-core

On Mon, Nov 04, 2019 at 12:42:51PM +0000, Ross Burton wrote:
> This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng
> recipe.
> 
> Signed-off-by: Ross Burton <ross.burton@intel.com>
> ---
>  meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> index 66af2f3d60e..07970e14360 100644
> --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools"
>  FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
>  
>  BBCLASSEXTEND = "native nativesdk"
> +
> +# CVE-2019-17371 is actually a memory leak in gif2png 2.x
> +CVE_CHECK_WHITELIST = "CVE-2019-17371"

These should use += to not overwrite whitelists defined by
the distribution or the user.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] libpng: whitelist CVE-2019-17371
  2019-11-04 14:01 ` Adrian Bunk
@ 2019-11-04 14:24   ` Ross Burton
  2019-11-04 15:40     ` Adrian Bunk
  0 siblings, 1 reply; 4+ messages in thread
From: Ross Burton @ 2019-11-04 14:24 UTC (permalink / raw)
  To: Adrian Bunk; +Cc: openembedded-core

On 04/11/2019 14:01, Adrian Bunk wrote:
> On Mon, Nov 04, 2019 at 12:42:51PM +0000, Ross Burton wrote:
>> This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng
>> recipe.
>>
>> Signed-off-by: Ross Burton <ross.burton@intel.com>
>> ---
>>   meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++
>>   1 file changed, 3 insertions(+)
>>
>> diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
>> index 66af2f3d60e..07970e14360 100644
>> --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
>> +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
>> @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools"
>>   FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
>>   
>>   BBCLASSEXTEND = "native nativesdk"
>> +
>> +# CVE-2019-17371 is actually a memory leak in gif2png 2.x
>> +CVE_CHECK_WHITELIST = "CVE-2019-17371"
> 
> These should use += to not overwrite whitelists defined by
> the distribution or the user.

IMHO, the distribution or user should be using _append.   The whitelist 
should be explicitly per-recipe: there's a CVE which is tagged 
incorrectly as being in openssl *and* mod_ssl, we don't want to 
whitelist it globally but only in openssl.

V2 incoming, just to be safe, though.

Ross


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] libpng: whitelist CVE-2019-17371
  2019-11-04 14:24   ` Ross Burton
@ 2019-11-04 15:40     ` Adrian Bunk
  0 siblings, 0 replies; 4+ messages in thread
From: Adrian Bunk @ 2019-11-04 15:40 UTC (permalink / raw)
  To: Ross Burton; +Cc: openembedded-core

On Mon, Nov 04, 2019 at 02:24:08PM +0000, Ross Burton wrote:
> On 04/11/2019 14:01, Adrian Bunk wrote:
> > On Mon, Nov 04, 2019 at 12:42:51PM +0000, Ross Burton wrote:
> > > This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng
> > > recipe.
> > > 
> > > Signed-off-by: Ross Burton <ross.burton@intel.com>
> > > ---
> > >   meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++
> > >   1 file changed, 3 insertions(+)
> > > 
> > > diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> > > index 66af2f3d60e..07970e14360 100644
> > > --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> > > +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> > > @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools"
> > >   FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
> > >   BBCLASSEXTEND = "native nativesdk"
> > > +
> > > +# CVE-2019-17371 is actually a memory leak in gif2png 2.x
> > > +CVE_CHECK_WHITELIST = "CVE-2019-17371"
> > 
> > These should use += to not overwrite whitelists defined by
> > the distribution or the user.
> 
> IMHO, the distribution or user should be using _append.   The whitelist
> should be explicitly per-recipe: there's a CVE which is tagged incorrectly
> as being in openssl *and* mod_ssl, we don't want to whitelist it globally
> but only in openssl.
>...

What I had in mind are a distribution-wide cve-whitelist.inc included 
from the distro conf or using CVE_CHECK_WHITELIST in conf/local.conf,
you don't want to start creating dozens of bbappend files in such 
usecases.

This CVE where a change in OpenSSL created a vulnerability in Apache
would go to the global whitelist for me when I am not using Apache.
In OE it should not be whitelisted in both OpenSSL and Apache, but
this is a different situation.

> Ross

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed



^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2019-11-04 15:40 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-11-04 12:42 [PATCH] libpng: whitelist CVE-2019-17371 Ross Burton
2019-11-04 14:01 ` Adrian Bunk
2019-11-04 14:24   ` Ross Burton
2019-11-04 15:40     ` Adrian Bunk

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox