[Buildroot] [PATCH 1/1] package/giflib: security bump to version 5.2.1
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Mon Aug 19 13:46:03 UTC 2019
On Sun, 18 Aug 2019 14:04:32 +0200
Fabrice Fontaine <fontaine.fabrice at gmail.com> wrote:
> - Switch to generic-package (autotools has been dropped since version
> 5.1.5)
> - Remove hook and instead use dedicated makefile targets to build only
> shared or static library and not binaries or documentation (added by
> an upstreamable patch)
> - ac_cv_prog_have_xmlto=no can be removed as doc is not built anymore
> - Fix CVE-2018-11490: The DGifDecompressLine function in dgif_lib.c in
> GIFLIB (possibly version 3.0.x), as later shipped in cgif.c in sam2p
> 0.49.4, has a heap-based buffer overflow because a certain
> "Private->RunningCode - 2" array index is not checked. This will lead
> to a denial of service or possibly unspecified other impact.
> - Fix CVE-2019-15133: In GIFLIB before 2019-02-16, a malformed GIF file
> triggers a divide-by-zero exception in the decoder function DGifSlurp
> in dgif_lib.c if the height field of the ImageSize data structure is
> equal to zero.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> ---
> ...dd-targets-to-manage-static-building.patch | 69 +++++++++++++++++++
> package/giflib/giflib.hash | 4 +-
> package/giflib/giflib.mk | 47 +++++++++----
> 3 files changed, 104 insertions(+), 16 deletions(-)
> create mode 100644 package/giflib/0001-Makefile-add-targets-to-manage-static-building.patch
I must say this is quite big of a change for master at this point, and
for a security bump in general. I'm not sure between applying this, or
just cherry-picking the two commits that fix the CVEs.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
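The CVE-2019-15133 entry quoted above describes a malformed GIF whose image descriptor carries a height of zero reaching arithmetic in the decoder. The following is an added example, not code from giflib or from this patch: a small parser for the 10-byte GIF image descriptor (separator 0x2C, four little-endian 16-bit fields, one packed byte, as laid out in the GIF89a specification) that rejects a zero dimension up front and checks width*height for overflow before anything allocates or divides by it. The function names, the `gif_image_desc` struct and the two sample descriptors are constructed for the example.

```c
/* Added example: validate a GIF Image Descriptor before using its
 * dimensions. Not giflib's code; names and sample bytes are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define GIF_IMAGE_SEPARATOR 0x2C
#define GIF_IMAGE_DESC_LEN  10   /* separator + 4 x u16 + packed byte */

typedef struct {
    uint16_t left, top, width, height;
    bool     interlace;          /* packed byte bit 6 */
    bool     local_color_table;  /* packed byte bit 7 */
    size_t   lct_entries;        /* 2^(N+1) entries if an LCT follows, else 0 */
} gif_image_desc;

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse one image descriptor. Returns 0 on success, -1 if the buffer is
 * too short or does not start with the image separator, -2 if either
 * dimension is zero. A zero-area image is rejected here so that no later
 * stage can divide by, or loop on, a zero height or width. */
int gif_parse_image_desc(const uint8_t *buf, size_t len, gif_image_desc *out)
{
    if (len < GIF_IMAGE_DESC_LEN || buf[0] != GIF_IMAGE_SEPARATOR)
        return -1;

    out->left   = rd_le16(buf + 1);
    out->top    = rd_le16(buf + 3);
    out->width  = rd_le16(buf + 5);
    out->height = rd_le16(buf + 7);

    uint8_t packed = buf[9];
    out->local_color_table = (packed & 0x80) != 0;
    out->interlace         = (packed & 0x40) != 0;
    out->lct_entries       = out->local_color_table
                             ? ((size_t)2 << (packed & 0x07)) : 0;

    if (out->width == 0 || out->height == 0)
        return -2;
    return 0;
}

/* Raster size in pixels with an overflow check. The division by height
 * is safe only because the zero check above (and the one here) precede it;
 * this is exactly the ordering the CVE text says was missing. */
bool gif_raster_size(const gif_image_desc *d, size_t *out_pixels)
{
    if (d->width == 0 || d->height == 0)
        return false;
    if ((size_t)d->width > SIZE_MAX / (size_t)d->height)
        return false;                       /* would overflow on this platform */
    *out_pixels = (size_t)d->width * (size_t)d->height;
    return true;
}

/* Convenience wrapper: parse and size in one step. Returns the pixel count,
 * or 0 if the descriptor is malformed or its area is not representable. */
size_t gif_descriptor_pixel_count(const uint8_t *buf, size_t len)
{
    gif_image_desc d;
    size_t pixels = 0;
    if (gif_parse_image_desc(buf, len, &d) != 0)
        return 0;
    if (!gif_raster_size(&d, &pixels))
        return 0;
    return pixels;
}

/* Constructed sample descriptors (not taken from any real file):
 * a 10x5 image, and the same descriptor with the height field zeroed. */
static const uint8_t good_desc[GIF_IMAGE_DESC_LEN] =
    { 0x2C, 0x00,0x00, 0x00,0x00, 0x0A,0x00, 0x05,0x00, 0x00 };
static const uint8_t zero_height_desc[GIF_IMAGE_DESC_LEN] =
    { 0x2C, 0x00,0x00, 0x00,0x00, 0x0A,0x00, 0x00,0x00, 0x00 };

int main(void)
{
    printf("good descriptor: %zu pixels\n",
           gif_descriptor_pixel_count(good_desc, sizeof good_desc));
    printf("zero-height descriptor: %zu pixels (0 = rejected)\n",
           gif_descriptor_pixel_count(zero_height_desc, sizeof zero_height_desc));
    return 0;
}
```

The point of the ordering is that every consumer of the dimensions (allocation, interlace pass loops, any division by height) goes through a path that has already refused a zero field; a decoder that computes the area first and validates afterwards is the shape of bug the quoted commit message describes.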