* [Buildroot] [PATCH 0/3] package/giflib security fixes
@ 2023-12-05 23:59 Adam Duskett
  2023-12-05 23:59 ` [Buildroot] [PATCH 1/3] package/giflib/0002-Fix-CVE-2022-28506.patch: New security patch Adam Duskett
                   ` (2 more replies)
  0 siblings, 3 replies; 14+ messages in thread
From: Adam Duskett @ 2023-12-05 23:59 UTC (permalink / raw)
  To: buildroot; +Cc: Bernd Kuhls, Adam Duskett

Here are three patches that fix several vulnerabilities in the giflib project.
Sadly it seems like the giflib project has been abandoned, as these
vulnerabilities are ignored on sourceforge.

Adam Duskett (3):
  package/giflib/0002-Fix-CVE-2022-28506.patch: New security patch
  package/giflib/0003-Fix-CVE-2023-39742.patch: New security patch
  package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch:
    New security patch

 package/giflib/0002-Fix-CVE-2022-28506.patch  | 34 +++++++++++
 package/giflib/0003-Fix-CVE-2023-39742.patch  | 36 +++++++++++
 ...veral-defects-found-by-Coverity-scan.patch | 61 +++++++++++++++++++
 3 files changed, 131 insertions(+)
 create mode 100644 package/giflib/0002-Fix-CVE-2022-28506.patch
 create mode 100644 package/giflib/0003-Fix-CVE-2023-39742.patch
 create mode 100644 package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch

-- 
2.43.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* [Buildroot] [PATCH 1/3] package/giflib/0002-Fix-CVE-2022-28506.patch: New security patch
  2023-12-05 23:59 [Buildroot] [PATCH 0/3] package/giflib security fixes Adam Duskett
@ 2023-12-05 23:59 ` Adam Duskett
  2023-12-18 16:45   ` Yann E. MORIN
  2024-01-07  9:29   ` Peter Korsgaard
  2023-12-05 23:59 ` [Buildroot] [PATCH 2/3] package/giflib/0003-Fix-CVE-2023-39742.patch: " Adam Duskett
  2023-12-05 23:59 ` [Buildroot] [PATCH 3/3] package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch: " Adam Duskett
  2 siblings, 2 replies; 14+ messages in thread
From: Adam Duskett @ 2023-12-05 23:59 UTC (permalink / raw)
  To: buildroot; +Cc: Bernd Kuhls, Adam Duskett

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 package/giflib/0002-Fix-CVE-2022-28506.patch | 34 ++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 package/giflib/0002-Fix-CVE-2022-28506.patch

diff --git a/package/giflib/0002-Fix-CVE-2022-28506.patch b/package/giflib/0002-Fix-CVE-2022-28506.patch
new file mode 100644
index 0000000000..35d5f60a95
--- /dev/null
+++ b/package/giflib/0002-Fix-CVE-2022-28506.patch
@@ -0,0 +1,34 @@
+From c0cca041fc4fb6748d8dff3675fe7a839253d668 Mon Sep 17 00:00:00 2001
+From: Sandro Mani <manisandro@gmail.com>
+Date: Tue, 5 Dec 2023 16:24:32 -0700
+Subject: [PATCH] Fix CVE-2022-28506
+
+From: giflib-5.2.1-17.fc39.src.rpm
+Fixes https://nvd.nist.gov/vuln/detail/CVE-2022-28506
+Upstream: https://sourceforge.net/p/giflib/bugs/159/
+
+Signed-off-by: Sandro Mani <manisandro@gmail.com>
+Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
+---
+ gif2rgb.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/gif2rgb.c b/gif2rgb.c
+index 8d7c0ff..d9a469f 100644
+--- a/gif2rgb.c
++++ b/gif2rgb.c
+@@ -294,6 +294,11 @@ static void DumpScreen2RGB(char *FileName, int OneFileFlag,
+             GifRow = ScreenBuffer[i];
+             GifQprintf("\b\b\b\b%-4d", ScreenHeight - i);
+             for (j = 0, BufferP = Buffer; j < ScreenWidth; j++) {
++                /* Check if color is within color palete */
++                if (GifRow[j] >= ColorMap->ColorCount)
++                {
++                   GIF_EXIT(GifErrorString(D_GIF_ERR_IMAGE_DEFECT));
++                }
+                 ColorMapEntry = &ColorMap->Colors[GifRow[j]];
+                 *BufferP++ = ColorMapEntry->Red;
+                 *BufferP++ = ColorMapEntry->Green;
+-- 
+2.43.0
+
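Review bot: the diffstat shows this commit adding only
package/giflib/0002-Fix-CVE-2022-28506.patch, so the package's .mk file gains
no GIFLIB_IGNORE_CVES entry for CVE-2022-28506 and CVE tracking would keep
reporting giflib as affected once the fix is applied; add the entry in the
same commit. In the embedded patch, the added comment in DumpScreen2RGB
misspells "palette" as "palete", the opening brace on its own line departs
from the style of the surrounding for loop, and the "Fixes" trailer lacks the
colon that the 0003 patch uses. The commit message body is empty: one sentence
saying that the check rejects pixel values at or beyond ColorMap->ColorCount
before they index ColorMap->Colors would help whoever audits this later.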
-- 
2.43.0


* [Buildroot] [PATCH 2/3] package/giflib/0003-Fix-CVE-2023-39742.patch: New security patch
  2023-12-05 23:59 [Buildroot] [PATCH 0/3] package/giflib security fixes Adam Duskett
  2023-12-05 23:59 ` [Buildroot] [PATCH 1/3] package/giflib/0002-Fix-CVE-2022-28506.patch: New security patch Adam Duskett
@ 2023-12-05 23:59 ` Adam Duskett
  2023-12-18 16:45   ` Yann E. MORIN
  2024-01-07  9:29   ` Peter Korsgaard
  2023-12-05 23:59 ` [Buildroot] [PATCH 3/3] package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch: " Adam Duskett
  2 siblings, 2 replies; 14+ messages in thread
From: Adam Duskett @ 2023-12-05 23:59 UTC (permalink / raw)
  To: buildroot; +Cc: Bernd Kuhls, Adam Duskett

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 package/giflib/0003-Fix-CVE-2023-39742.patch | 36 ++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 package/giflib/0003-Fix-CVE-2023-39742.patch

diff --git a/package/giflib/0003-Fix-CVE-2023-39742.patch b/package/giflib/0003-Fix-CVE-2023-39742.patch
new file mode 100644
index 0000000000..2ba01ac8a4
--- /dev/null
+++ b/package/giflib/0003-Fix-CVE-2023-39742.patch
@@ -0,0 +1,36 @@
+From 4288b993ee9df6550a367fe06ede3c003dc7bbc6 Mon Sep 17 00:00:00 2001
+From: Sandro Mani <manisandro@gmail.com>
+Date: Tue, 5 Dec 2023 16:35:40 -0700
+Subject: [PATCH] Fix CVE-2023-39742
+
+From: giflib-5.2.1-17.fc39.src.rpm
+Fix segmentation faults due to non correct checking for args
+Fixes: https://nvd.nist.gov/vuln/detail/CVE-2023-39742
+Upstream: https://sourceforge.net/p/giflib/bugs/166/
+
+Signed-off-by: Sandro Mani <manisandro@gmail.com>
+Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
+---
+ getarg.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/getarg.c b/getarg.c
+index d569f6c..51fbe0b 100644
+--- a/getarg.c
++++ b/getarg.c
+@@ -307,6 +307,12 @@ GAGetParmeters(void *Parameters[],
+     int i = 0, ScanRes;
+ 
+     while (!(ISSPACE(CtrlStrCopy[i]))) {
++
++        if ((*argv) == argv_end) {
++            GAErrorToken = Option;
++            return CMD_ERR_NumRead;
++        }
++
+         switch (CtrlStrCopy[i + 1]) {
+           case 'd':    /* Get signed integers. */
+               ScanRes = sscanf(*((*argv)++), "%d",
+-- 
+2.43.0
+
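Review bot: the guard added at the top of the while loop in GAGetParmeters
returns CMD_ERR_NumRead when *argv reaches argv_end, an error name that reads
as a number-parsing failure rather than a missing argument; a short comment on
the check, or a line in the patch description, stating that it keeps
sscanf(*((*argv)++), ...) from consuming an argument that is not there would
make the intent clear. The blank line added directly after the while line is
unnecessary. Only the .patch file is added here, so GIFLIB_IGNORE_CVES still
needs an entry for CVE-2023-39742, and the Buildroot commit message is empty.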
-- 
2.43.0


* [Buildroot] [PATCH 3/3] package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch: New security patch
  2023-12-05 23:59 [Buildroot] [PATCH 0/3] package/giflib security fixes Adam Duskett
  2023-12-05 23:59 ` [Buildroot] [PATCH 1/3] package/giflib/0002-Fix-CVE-2022-28506.patch: New security patch Adam Duskett
  2023-12-05 23:59 ` [Buildroot] [PATCH 2/3] package/giflib/0003-Fix-CVE-2023-39742.patch: " Adam Duskett
@ 2023-12-05 23:59 ` Adam Duskett
  2023-12-18 16:46   ` Yann E. MORIN
  2024-01-07  9:29   ` Peter Korsgaard
  2 siblings, 2 replies; 14+ messages in thread
From: Adam Duskett @ 2023-12-05 23:59 UTC (permalink / raw)
  To: buildroot; +Cc: Bernd Kuhls, Adam Duskett

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 ...veral-defects-found-by-Coverity-scan.patch | 61 +++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch

diff --git a/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch b/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
new file mode 100644
index 0000000000..1719769872
--- /dev/null
+++ b/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
@@ -0,0 +1,61 @@
+From a1c48b91cd1cf1e9bf7077709b69f4bfd4c4abc7 Mon Sep 17 00:00:00 2001
+From: Sandro Mani <manisandro@gmail.com>
+Date: Tue, 5 Dec 2023 16:38:48 -0700
+Subject: [PATCH] Fix several defects found by Coverity scan
+
+From: giflib-5.2.1-17.fc39.src.rpm
+Upstream: Not submitted
+
+Signed-off-by: Sandro Mani <manisandro@gmail.com>
+Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
+---
+ gif2rgb.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/gif2rgb.c b/gif2rgb.c
+index d9a469f..02cea41 100644
+--- a/gif2rgb.c
++++ b/gif2rgb.c
+@@ -170,6 +170,8 @@ static void SaveGif(GifByteType *OutputBuffer,
+     /* Open stdout for the output file: */
+     if ((GifFile = EGifOpenFileHandle(1, &Error)) == NULL) {
+ 	PrintGifError(Error);
++	free(OutputBuffer);
++	GifFreeMapObject(OutputColorMap);
+ 	exit(EXIT_FAILURE);
+     }
+ 
+@@ -179,6 +181,8 @@ static void SaveGif(GifByteType *OutputBuffer,
+ 	EGifPutImageDesc(GifFile,
+ 			 0, 0, Width, Height, false, NULL) == GIF_ERROR) {
+ 	PrintGifError(Error);
++	free(OutputBuffer);
++	GifFreeMapObject(OutputColorMap);
+ 	exit(EXIT_FAILURE);
+     }
+ 
+@@ -187,8 +191,11 @@ static void SaveGif(GifByteType *OutputBuffer,
+ 	       GifFile->Image.Width, GifFile->Image.Height);
+ 
+     for (i = 0; i < Height; i++) {
+-	if (EGifPutLine(GifFile, Ptr, Width) == GIF_ERROR)
++	if (EGifPutLine(GifFile, Ptr, Width) == GIF_ERROR) {
++	    free(OutputBuffer);
++	    GifFreeMapObject(OutputColorMap);
+ 	    exit(EXIT_FAILURE);
++        }
+ 	GifQprintf("\b\b\b\b%-4d", Height - i - 1);
+ 
+ 	Ptr += Width;
+@@ -196,6 +203,8 @@ static void SaveGif(GifByteType *OutputBuffer,
+ 
+     if (EGifCloseFile(GifFile, &Error) == GIF_ERROR) {
+ 	PrintGifError(Error);
++	free(OutputBuffer);
++	GifFreeMapObject(OutputColorMap);
+ 	exit(EXIT_FAILURE);
+     }
+ }
+-- 
+2.43.0
+
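Review bot: the subject calls this a security patch, but the embedded patch
carries "Upstream: Not submitted", no CVE or bug reference and no description
of the defects being fixed, and every added line frees OutputBuffer and
OutputColorMap immediately before exit(EXIT_FAILURE); the commit message
should name the original patch inside the source RPM and say what class of
defect it addresses (the visible changes look like leak cleanup on error
paths). In the EGifPutLine hunk the new closing brace is indented with spaces
while the neighbouring lines use tabs, and that branch still exits without
the PrintGifError(Error) call the other three error paths make. The same two
cleanup calls are repeated in four places; a single cleanup path would be
easier to keep correct.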
-- 
2.43.0


* Re: [Buildroot] [PATCH 1/3] package/giflib/0002-Fix-CVE-2022-28506.patch: New security patch
  2023-12-05 23:59 ` [Buildroot] [PATCH 1/3] package/giflib/0002-Fix-CVE-2022-28506.patch: New security patch Adam Duskett
@ 2023-12-18 16:45   ` Yann E. MORIN
  2024-01-07  9:29   ` Peter Korsgaard
  1 sibling, 0 replies; 14+ messages in thread
From: Yann E. MORIN @ 2023-12-18 16:45 UTC (permalink / raw)
  To: Adam Duskett; +Cc: Bernd Kuhls, buildroot

Adam, All,

On 2023-12-05 16:59 -0700, Adam Duskett spake thusly:
> Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
> ---
>  package/giflib/0002-Fix-CVE-2022-28506.patch | 34 ++++++++++++++++++++
>  1 file changed, 34 insertions(+)
>  create mode 100644 package/giflib/0002-Fix-CVE-2022-28506.patch
> 
> diff --git a/package/giflib/0002-Fix-CVE-2022-28506.patch b/package/giflib/0002-Fix-CVE-2022-28506.patch
> new file mode 100644
> index 0000000000..35d5f60a95
> --- /dev/null
> +++ b/package/giflib/0002-Fix-CVE-2022-28506.patch
> @@ -0,0 +1,34 @@
> +From c0cca041fc4fb6748d8dff3675fe7a839253d668 Mon Sep 17 00:00:00 2001
> +From: Sandro Mani <manisandro@gmail.com>
> +Date: Tue, 5 Dec 2023 16:24:32 -0700
> +Subject: [PATCH] Fix CVE-2022-28506

You forgot to add GIFLIB_IGNORE_CVES = CVE-2022-28506

Applied to master with the above fixed, thanks.

Regards,
Yann E. MORIN.

> +From: giflib-5.2.1-17.fc39.src.rpm
> +Fixes https://nvd.nist.gov/vuln/detail/CVE-2022-28506
> +Upstream: https://sourceforge.net/p/giflib/bugs/159/
> +
> +Signed-off-by: Sandro Mani <manisandro@gmail.com>
> +Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
> +---
> + gif2rgb.c | 5 +++++
> + 1 file changed, 5 insertions(+)
> +
> +diff --git a/gif2rgb.c b/gif2rgb.c
> +index 8d7c0ff..d9a469f 100644
> +--- a/gif2rgb.c
> ++++ b/gif2rgb.c
> +@@ -294,6 +294,11 @@ static void DumpScreen2RGB(char *FileName, int OneFileFlag,
> +             GifRow = ScreenBuffer[i];
> +             GifQprintf("\b\b\b\b%-4d", ScreenHeight - i);
> +             for (j = 0, BufferP = Buffer; j < ScreenWidth; j++) {
> ++                /* Check if color is within color palete */
> ++                if (GifRow[j] >= ColorMap->ColorCount)
> ++                {
> ++                   GIF_EXIT(GifErrorString(D_GIF_ERR_IMAGE_DEFECT));
> ++                }
> +                 ColorMapEntry = &ColorMap->Colors[GifRow[j]];
> +                 *BufferP++ = ColorMapEntry->Red;
> +                 *BufferP++ = ColorMapEntry->Green;
> +-- 
> +2.43.0
> +
> -- 
> 2.43.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH 2/3] package/giflib/0003-Fix-CVE-2023-39742.patch: New security patch
  2023-12-05 23:59 ` [Buildroot] [PATCH 2/3] package/giflib/0003-Fix-CVE-2023-39742.patch: " Adam Duskett
@ 2023-12-18 16:45   ` Yann E. MORIN
  2024-01-07  9:29   ` Peter Korsgaard
  1 sibling, 0 replies; 14+ messages in thread
From: Yann E. MORIN @ 2023-12-18 16:45 UTC (permalink / raw)
  To: Adam Duskett; +Cc: Bernd Kuhls, buildroot

Adam, All,

On 2023-12-05 16:59 -0700, Adam Duskett spake thusly:
> Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
> ---
>  package/giflib/0003-Fix-CVE-2023-39742.patch | 36 ++++++++++++++++++++
>  1 file changed, 36 insertions(+)
>  create mode 100644 package/giflib/0003-Fix-CVE-2023-39742.patch
> 
> diff --git a/package/giflib/0003-Fix-CVE-2023-39742.patch b/package/giflib/0003-Fix-CVE-2023-39742.patch
> new file mode 100644
> index 0000000000..2ba01ac8a4
> --- /dev/null
> +++ b/package/giflib/0003-Fix-CVE-2023-39742.patch
> @@ -0,0 +1,36 @@
> +From 4288b993ee9df6550a367fe06ede3c003dc7bbc6 Mon Sep 17 00:00:00 2001
> +From: Sandro Mani <manisandro@gmail.com>
> +Date: Tue, 5 Dec 2023 16:35:40 -0700
> +Subject: [PATCH] Fix CVE-2023-39742

You forgot to add GIFLIB_IGNORE_CVES += CVE-2023-39742

Applied to master with the above fixed, thanks.

Regards,
Yann E. MORIN.

> +From: giflib-5.2.1-17.fc39.src.rpm
> +Fix segmentation faults due to non correct checking for args
> +Fixes: https://nvd.nist.gov/vuln/detail/CVE-2023-39742
> +Upstream: https://sourceforge.net/p/giflib/bugs/166/
> +
> +Signed-off-by: Sandro Mani <manisandro@gmail.com>
> +Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
> +---
> + getarg.c | 6 ++++++
> + 1 file changed, 6 insertions(+)
> +
> +diff --git a/getarg.c b/getarg.c
> +index d569f6c..51fbe0b 100644
> +--- a/getarg.c
> ++++ b/getarg.c
> +@@ -307,6 +307,12 @@ GAGetParmeters(void *Parameters[],
> +     int i = 0, ScanRes;
> + 
> +     while (!(ISSPACE(CtrlStrCopy[i]))) {
> ++
> ++        if ((*argv) == argv_end) {
> ++            GAErrorToken = Option;
> ++            return CMD_ERR_NumRead;
> ++        }
> ++
> +         switch (CtrlStrCopy[i + 1]) {
> +           case 'd':    /* Get signed integers. */
> +               ScanRes = sscanf(*((*argv)++), "%d",
> +-- 
> +2.43.0
> +
> -- 
> 2.43.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
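
The omission pointed out in the replies to patches 1/3 and 2/3, a CVE-fixing patch added without a matching GIFLIB_IGNORE_CVES entry, can be caught before review. The script below is an added example, not part of the thread or of Buildroot; it assumes the package directory holds <name>.mk beside its *.patch files and that the variable is the upper-cased package name plus _IGNORE_CVES, and its sample files are constructed.

```shell
#!/bin/sh
# Added example, not Buildroot code. Assumed layout: <pkgdir>/<name>.mk beside
# <pkgdir>/*.patch, with the ignore list in <NAME>_IGNORE_CVES (name
# upper-cased, '-' turned into '_').

# Print the CVE ids named in the header of each patch (everything before the
# "---" separator or the first "diff " line), one per line, sorted.
claimed_cves() (
    for p in "$1"/*.patch; do
        [ -f "$p" ] || continue
        awk '
            /^---$/ || /^diff / { exit }
            { print }
        ' "$p"
    done | grep -oE 'CVE-[0-9]{4}-[0-9]+' | sort -u
    exit 0
)

# Print the CVE ids assigned to VAR in MKFILE. Handles "=", "+=", several ids
# on one line and backslash-continued lines.
declared_cves() (
    mk=$1
    var=$2
    [ -f "$mk" ] || exit 0
    awk -v var="$var" '
        /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }
        { line = buf $0; buf = ""
          if (line ~ "^" var "[ \t]*[+:?]?=") print line }
    ' "$mk" | grep -oE 'CVE-[0-9]{4}-[0-9]+' | sort -u
    exit 0
)

# Print every CVE id a patch claims to fix that the .mk does not declare.
missing_ignore_cves() (
    pkgdir=${1%/}
    name=$(basename "$pkgdir")
    var=$(printf '%s' "$name" | tr 'a-z-' 'A-Z_')_IGNORE_CVES
    # Space-delimited list so that ids are compared whole, never by prefix.
    declared=" $(declared_cves "$pkgdir/$name.mk" "$var" | tr '\n' ' ')"
    for cve in $(claimed_cves "$pkgdir"); do
        case "$declared" in
            *" $cve "*) ;;                    # already declared in the .mk
            *) printf '%s\n' "$cve" ;;
        esac
    done
    exit 0
)

# Constructed sample: a giflib-like package whose .mk lists only one of the
# two CVEs that its patches name (patches trimmed to a header and a diffstat).
make_sample_pkg() {
    mkdir -p "$1"
    printf 'GIFLIB_IGNORE_CVES += CVE-2022-28506\n' > "$1/giflib.mk"
    printf 'Subject: [PATCH] Fix CVE-2022-28506\n---\n gif2rgb.c | 5 +++++\n' \
        > "$1/0002-Fix-CVE-2022-28506.patch"
    printf 'Subject: [PATCH] Fix CVE-2023-39742\n---\n getarg.c | 6 ++++++\n' \
        > "$1/0003-Fix-CVE-2023-39742.patch"
    printf 'Subject: [PATCH] Fix several defects found by Coverity scan\n---\n' \
        > "$1/0004-Fix-several-defects-found-by-Coverity-scan.patch"
}

tmp=$(mktemp -d)
make_sample_pkg "$tmp/giflib"
missing_ignore_cves "$tmp/giflib"    # prints CVE-2023-39742
rm -rf "$tmp"
```

An empty result means every CVE named in a patch header is also declared; any id printed is one the .mk still needs.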

* Re: [Buildroot] [PATCH 3/3] package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch: New security patch
  2023-12-05 23:59 ` [Buildroot] [PATCH 3/3] package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch: " Adam Duskett
@ 2023-12-18 16:46   ` Yann E. MORIN
  2024-01-07  9:29   ` Peter Korsgaard
  1 sibling, 0 replies; 14+ messages in thread
From: Yann E. MORIN @ 2023-12-18 16:46 UTC (permalink / raw)
  To: Adam Duskett; +Cc: Bernd Kuhls, buildroot

Adam, All,

On 2023-12-05 16:59 -0700, Adam Duskett spake thusly:
> Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  ...veral-defects-found-by-Coverity-scan.patch | 61 +++++++++++++++++++
>  1 file changed, 61 insertions(+)
>  create mode 100644 package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
> 
> diff --git a/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch b/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
> new file mode 100644
> index 0000000000..1719769872
> --- /dev/null
> +++ b/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
> @@ -0,0 +1,61 @@
> +From a1c48b91cd1cf1e9bf7077709b69f4bfd4c4abc7 Mon Sep 17 00:00:00 2001
> +From: Sandro Mani <manisandro@gmail.com>
> +Date: Tue, 5 Dec 2023 16:38:48 -0700
> +Subject: [PATCH] Fix several defects found by Coverity scan
> +
> +From: giflib-5.2.1-17.fc39.src.rpm
> +Upstream: Not submitted
> +
> +Signed-off-by: Sandro Mani <manisandro@gmail.com>
> +Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
> +---
> + gif2rgb.c | 11 ++++++++++-
> + 1 file changed, 10 insertions(+), 1 deletion(-)
> +
> +diff --git a/gif2rgb.c b/gif2rgb.c
> +index d9a469f..02cea41 100644
> +--- a/gif2rgb.c
> ++++ b/gif2rgb.c
> +@@ -170,6 +170,8 @@ static void SaveGif(GifByteType *OutputBuffer,
> +     /* Open stdout for the output file: */
> +     if ((GifFile = EGifOpenFileHandle(1, &Error)) == NULL) {
> + 	PrintGifError(Error);
> ++	free(OutputBuffer);
> ++	GifFreeMapObject(OutputColorMap);
> + 	exit(EXIT_FAILURE);
> +     }
> + 
> +@@ -179,6 +181,8 @@ static void SaveGif(GifByteType *OutputBuffer,
> + 	EGifPutImageDesc(GifFile,
> + 			 0, 0, Width, Height, false, NULL) == GIF_ERROR) {
> + 	PrintGifError(Error);
> ++	free(OutputBuffer);
> ++	GifFreeMapObject(OutputColorMap);
> + 	exit(EXIT_FAILURE);
> +     }
> + 
> +@@ -187,8 +191,11 @@ static void SaveGif(GifByteType *OutputBuffer,
> + 	       GifFile->Image.Width, GifFile->Image.Height);
> + 
> +     for (i = 0; i < Height; i++) {
> +-	if (EGifPutLine(GifFile, Ptr, Width) == GIF_ERROR)
> ++	if (EGifPutLine(GifFile, Ptr, Width) == GIF_ERROR) {
> ++	    free(OutputBuffer);
> ++	    GifFreeMapObject(OutputColorMap);
> + 	    exit(EXIT_FAILURE);
> ++        }
> + 	GifQprintf("\b\b\b\b%-4d", Height - i - 1);
> + 
> + 	Ptr += Width;
> +@@ -196,6 +203,8 @@ static void SaveGif(GifByteType *OutputBuffer,
> + 
> +     if (EGifCloseFile(GifFile, &Error) == GIF_ERROR) {
> + 	PrintGifError(Error);
> ++	free(OutputBuffer);
> ++	GifFreeMapObject(OutputColorMap);
> + 	exit(EXIT_FAILURE);
> +     }
> + }
> +-- 
> +2.43.0
> +
> -- 
> 2.43.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH 1/3] package/giflib/0002-Fix-CVE-2022-28506.patch: New security patch
  2023-12-05 23:59 ` [Buildroot] [PATCH 1/3] package/giflib/0002-Fix-CVE-2022-28506.patch: New security patch Adam Duskett
  2023-12-18 16:45   ` Yann E. MORIN
@ 2024-01-07  9:29   ` Peter Korsgaard
  1 sibling, 0 replies; 14+ messages in thread
From: Peter Korsgaard @ 2024-01-07  9:29 UTC (permalink / raw)
  To: Adam Duskett; +Cc: Bernd Kuhls, buildroot

>>>>> "Adam" == Adam Duskett <adam.duskett@amarulasolutions.com> writes:

 > Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>

Committed to 2023.02.x and 2023.11.x, thanks.

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH 2/3] package/giflib/0003-Fix-CVE-2023-39742.patch: New security patch
  2023-12-05 23:59 ` [Buildroot] [PATCH 2/3] package/giflib/0003-Fix-CVE-2023-39742.patch: " Adam Duskett
  2023-12-18 16:45   ` Yann E. MORIN
@ 2024-01-07  9:29   ` Peter Korsgaard
  1 sibling, 0 replies; 14+ messages in thread
From: Peter Korsgaard @ 2024-01-07  9:29 UTC (permalink / raw)
  To: Adam Duskett; +Cc: Bernd Kuhls, buildroot

>>>>> "Adam" == Adam Duskett <adam.duskett@amarulasolutions.com> writes:

 > Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>

Committed to 2023.02.x and 2023.11.x, thanks.

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH 3/3] package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch: New security patch
  2023-12-05 23:59 ` [Buildroot] [PATCH 3/3] package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch: " Adam Duskett
  2023-12-18 16:46   ` Yann E. MORIN
@ 2024-01-07  9:29   ` Peter Korsgaard
  2024-01-07 12:10     ` Yann E. MORIN
  1 sibling, 1 reply; 14+ messages in thread
From: Peter Korsgaard @ 2024-01-07  9:29 UTC (permalink / raw)
  To: Adam Duskett; +Cc: Bernd Kuhls, buildroot

>>>>> "Adam" == Adam Duskett <adam.duskett@amarulasolutions.com> writes:

 > Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
 > ---
 >  ...veral-defects-found-by-Coverity-scan.patch | 61 +++++++++++++++++++
 >  1 file changed, 61 insertions(+)
 >  create mode 100644 package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch

 > diff --git a/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch b/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
 > new file mode 100644
 > index 0000000000..1719769872
 > --- /dev/null
 > +++ b/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
 > @@ -0,0 +1,61 @@
 > +From a1c48b91cd1cf1e9bf7077709b69f4bfd4c4abc7 Mon Sep 17 00:00:00 2001
 > +From: Sandro Mani <manisandro@gmail.com>
 > +Date: Tue, 5 Dec 2023 16:38:48 -0700
 > +Subject: [PATCH] Fix several defects found by Coverity scan
 > +
 > +From: giflib-5.2.1-17.fc39.src.rpm
 > +Upstream: Not submitted

No upstream and no CVE? Where does this fix then come from?

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH 3/3] package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch: New security patch
  2024-01-07  9:29   ` Peter Korsgaard
@ 2024-01-07 12:10     ` Yann E. MORIN
  2024-01-07 16:17       ` Peter Korsgaard
  2024-01-07 20:03       ` Peter Seiderer via buildroot
  0 siblings, 2 replies; 14+ messages in thread
From: Yann E. MORIN @ 2024-01-07 12:10 UTC (permalink / raw)
  To: Peter Korsgaard; +Cc: Adam Duskett, Bernd Kuhls, buildroot

Peter, All,

On 2024-01-07 10:29 +0100, Peter Korsgaard spake thusly:
> >>>>> "Adam" == Adam Duskett <adam.duskett@amarulasolutions.com> writes:
>  > Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
>  > ---
>  >  ...veral-defects-found-by-Coverity-scan.patch | 61 +++++++++++++++++++
>  >  1 file changed, 61 insertions(+)
>  >  create mode 100644 package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
> 
>  > diff --git a/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch b/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
>  > new file mode 100644
>  > index 0000000000..1719769872
>  > --- /dev/null
>  > +++ b/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
>  > @@ -0,0 +1,61 @@
>  > +From a1c48b91cd1cf1e9bf7077709b69f4bfd4c4abc7 Mon Sep 17 00:00:00 2001
>  > +From: Sandro Mani <manisandro@gmail.com>
>  > +Date: Tue, 5 Dec 2023 16:38:48 -0700
>  > +Subject: [PATCH] Fix several defects found by Coverity scan
>  > +
>  > +From: giflib-5.2.1-17.fc39.src.rpm
>  > +Upstream: Not submitted
> 
> No upstream and no CVE? Where does this fix then come from?

I was a bit sloppy when applying that one, indeed. As the commit log
mentions, it's taken from the Fedora 39 source package, and I believed it
was enough reference.

Looking at that source package, it matches the patch named giflib_coverity.patch
and the Fedora dist-git for that patch dates back to 2020-02-17:
    https://src.fedoraproject.org/rpms/giflib/c/df94d26a07ac8772b3380f4e5b4145daa7bf65e1?branch=rawhide

As far as I could find, it has not been submitted upstream, and upstream
looks like it has been pretty mothballed for a while now; last commit
was on 2019-08-17:
    https://sourceforge.net/p/giflib/mailman/giflib-devel/
    https://sourceforge.net/p/giflib/code/ci/master/tree/

I could not find any associated CVE:

    https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Aa%3Agiflib_project%3Agiflib%3A5.2.1%3A*%3A*%3A*%3A*%3A*%3A*%3A*

Looking at the code, I doubt it is a security issue, in fact. It's
probably just a memory leak, as the free() is replaced by this function:

    void
    GifFreeMapObject(ColorMapObject *Object)
    {
        if (Object != NULL) {
            (void)free(Object->Colors);
            (void)free(Object);
        }
    }

So, Object->Colors leaked, but I don't think it was a "security" issue.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH 3/3] package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch: New security patch
  2024-01-07 12:10     ` Yann E. MORIN
@ 2024-01-07 16:17       ` Peter Korsgaard
  2024-01-07 20:03       ` Peter Seiderer via buildroot
  1 sibling, 0 replies; 14+ messages in thread
From: Peter Korsgaard @ 2024-01-07 16:17 UTC (permalink / raw)
  To: Yann E. MORIN; +Cc: Adam Duskett, Bernd Kuhls, buildroot

>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:

 > Peter, All,
 > On 2024-01-07 10:29 +0100, Peter Korsgaard spake thusly:
 >> >>>>> "Adam" == Adam Duskett <adam.duskett@amarulasolutions.com> writes:
 >> > Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
 >> > ---
 >> >  ...veral-defects-found-by-Coverity-scan.patch | 61 +++++++++++++++++++
 >> >  1 file changed, 61 insertions(+)
 >> >  create mode 100644 package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
 >> 
 >> > diff --git
 >> > a/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
 >> > b/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
 >> > new file mode 100644
 >> > index 0000000000..1719769872
 >> > --- /dev/null
 >> > +++ b/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
 >> > @@ -0,0 +1,61 @@
 >> > +From a1c48b91cd1cf1e9bf7077709b69f4bfd4c4abc7 Mon Sep 17 00:00:00 2001
 >> > +From: Sandro Mani <manisandro@gmail.com>
 >> > +Date: Tue, 5 Dec 2023 16:38:48 -0700
 >> > +Subject: [PATCH] Fix several defects found by Coverity scan
 >> > +
 >> > +From: giflib-5.2.1-17.fc39.src.rpm
 >> > +Upstream: Not submitted
 >> 
 >> No upstream and no CVE? Where does this fix then come from?

 > I was a bit sloppy when applying that one, indeed. As the commit log
 > mentions, it's taken from the Fedora 39 source package, and I believed it
 > was enough reference.

 > Looking at that source package, it matches the patch named giflib_coverity.patch
 > and the Fedora dist-git for that patch dates back to 2020-02-17:
 >     https://src.fedoraproject.org/rpms/giflib/c/df94d26a07ac8772b3380f4e5b4145daa7bf65e1?branch=rawhide

 > As far as I could find, it has not been submitted upstream, and upstream
 > looks like it has been pretty mothballed for a while now; last commit
 > was on 2019-08-17:
 >     https://sourceforge.net/p/giflib/mailman/giflib-devel/
 >     https://sourceforge.net/p/giflib/code/ci/master/tree/

 > I could not find any associated CVE:

 >     https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Aa%3Agiflib_project%3Agiflib%3A5.2.1%3A*%3A*%3A*%3A*%3A*%3A*%3A*

 > Looking at the code, I doubt it is a security issue, in fact. It's
 > probably just a memory leak, as the free() is replaced by this function:

 >     void
 >     GifFreeMapObject(ColorMapObject *Object)
 >     {
 >         if (Object != NULL) {
 >             (void)free(Object->Colors);
 >             (void)free(Object);
 >         }
 >     }

 > So, Object->Colors leaked, but I don't think it was a "security" issue.

Ok, thanks for the details. I'll add it anyway to the backports for
consistency.

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH 3/3] package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch: New security patch
  2024-01-07 12:10     ` Yann E. MORIN
  2024-01-07 16:17       ` Peter Korsgaard
@ 2024-01-07 20:03       ` Peter Seiderer via buildroot
  2024-01-07 21:13         ` Yann E. MORIN
  1 sibling, 1 reply; 14+ messages in thread
From: Peter Seiderer via buildroot @ 2024-01-07 20:03 UTC (permalink / raw)
  To: Yann E. MORIN; +Cc: Bernd Kuhls, Adam Duskett, buildroot

On Sun, 7 Jan 2024 13:10:30 +0100, "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:

> Peter, All,
>
> On 2024-01-07 10:29 +0100, Peter Korsgaard spake thusly:
> > >>>>> "Adam" == Adam Duskett <adam.duskett@amarulasolutions.com> writes:
> >  > Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
> >  > ---
> >  >  ...veral-defects-found-by-Coverity-scan.patch | 61 +++++++++++++++++++
> >  >  1 file changed, 61 insertions(+)
> >  >  create mode 100644 package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
> >
> >  > diff --git a/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch b/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
> >  > new file mode 100644
> >  > index 0000000000..1719769872
> >  > --- /dev/null
> >  > +++ b/package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch
> >  > @@ -0,0 +1,61 @@
> >  > +From a1c48b91cd1cf1e9bf7077709b69f4bfd4c4abc7 Mon Sep 17 00:00:00 2001
> >  > +From: Sandro Mani <manisandro@gmail.com>
> >  > +Date: Tue, 5 Dec 2023 16:38:48 -0700
> >  > +Subject: [PATCH] Fix several defects found by Coverity scan
> >  > +
> >  > +From: giflib-5.2.1-17.fc39.src.rpm
> >  > +Upstream: Not submitted
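Review bot: the added patch header gives its origin only as "From: giflib-5.2.1-17.fc39.src.rpm" with "Upstream: Not submitted", so a reader has to unpack the source package to check it. Pointing that header at the Fedora dist-git commit for giflib_coverity.patch would make the provenance verifiable. The subject also calls this a "New security patch" while the header names no CVE, so a line saying which class of defect the patch addresses would help whoever decides on backports.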
> >
> > No upstream and no CVE? Where does this fix then come from?
>
> I was a bit sloppy when applying that one, indeed. As the commit log
> mentions, it's taken from the Fedora 39 source package, and I believed it
> was enough reference.
>
> Looking at that source package, it matches the patch named giflib_coverity.patch
> and the Fedora dist-git for that patch dates back to 2020-02-17:
>     https://src.fedoraproject.org/rpms/giflib/c/df94d26a07ac8772b3380f4e5b4145daa7bf65e1?branch=rawhide
>
> As far as I could find, it has not been submitted upstream, and upstream
> looks like it has been pretty mothballed for a while now; last commit
> was on 2019-08-17:
>     https://sourceforge.net/p/giflib/mailman/giflib-devel/
>     https://sourceforge.net/p/giflib/code/ci/master/tree/
>
> I could not find any associated CVE:
>
>     https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe%3A2.3%3Aa%3Agiflib_project%3Agiflib%3A5.2.1%3A*%3A*%3A*%3A*%3A*%3A*%3A*
>
> Looking at the code, I doubt it is a security issue, in fact. It's
> probably just a memory leak, as the free() is replaced by this function:
>
>    void
>    GifFreeMapObject(ColorMapObject *Object)
>    {
>        if (Object != NULL) {
>            (void)free(Object->Colors);
>            (void)free(Object);
>        }
>    }
>
> So, Object->Colors leaked, but I don't think it was a "security" issue.

Matter of judgment if a (very theoretical) denial-of-service/out-of-memory is counted
as a 'security' issue ;-)

Regards,
Peter

>
> Regards,
> Yann E. MORIN.
>


* Re: [Buildroot] [PATCH 3/3] package/giflib/0004-Fix-several-defects-found-by-Coverity-scan.patch: New security patch
  2024-01-07 20:03       ` Peter Seiderer via buildroot
@ 2024-01-07 21:13         ` Yann E. MORIN
  0 siblings, 0 replies; 14+ messages in thread
From: Yann E. MORIN @ 2024-01-07 21:13 UTC (permalink / raw)
  To: Peter Seiderer; +Cc: Bernd Kuhls, Adam Duskett, buildroot

Peter, All,

On 2024-01-07 21:03 +0100, Peter Seiderer spake thusly:
> On Sun, 7 Jan 2024 13:10:30 +0100, "Yann E. MORIN" <yann.morin.1998@free.fr> wrote:
[--SNIP--]
> > Looking at the code, I doubt it is a security issue, in fact. It's
> > probably just a memory leak, as the free() is replaced by this function:
[--SNIP--]
> > So, Object->Colors leaked, but I don't think it was a "security" issue.
> Matter of judgment if a (very theoretical) denial-of-service/out-of-memory is counted
> as a 'security' issue ;-)

Sure, but the affected code is in the gif2rgb program, not in the
library, so the effects of the memory leak are limited to the time the
program runs. gif2rgb only handles a single input file, so it is
short-lived, and the leaked memory is reclaimed once the program is
reaped.

Also note that the program does an exit() right after freeing that
memory; it does not ensure that any other allocated memory is freed
before exiting, so there might anyway be more memory that leaks.

So yes, it's better to free memory with the semantically corresponding
function (GifMapObject() -> GifFreeMapObject()), but it would have real
difficulties getting classified as a security issue *in this specific
case*.

The only way this leaked memory could cause an issue, is if the program
is not reaped. But then, if someone is able to attack the system by
leaving zombies around, whether those zombies leaked memory or not is of
no concern. So I think, but of course, security is so difficult that I
may easily be wrong.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
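
The difference discussed in the messages above, as an added example that is not part of the thread and not giflib code: a stand-in map object released with a bare free() versus its matching destructor, measured with a small allocation counter. MapObject, map_make, map_free and the tracked_* wrappers are hypothetical names chosen for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
/* Stand-in types (assumed, simplified): not giflib's real definitions. */
typedef struct { unsigned char r, g, b; } Color;
typedef struct { int count; Color *colors; } MapObject;
static int live_blocks; /* allocations made through the wrappers, not yet freed */

static void *tracked_alloc(size_t n, size_t size) {
    void *p = calloc(n, size);
    if (p != NULL) live_blocks++;
    return p;
}
static void tracked_free(void *p) { if (p != NULL) { live_blocks--; free(p); } }
/* Constructor: two allocations, the object and the colour table it owns. */
static MapObject *map_make(int count) {
    MapObject *m = tracked_alloc(1, sizeof *m);
    if (m == NULL) return NULL;
    m->colors = tracked_alloc((size_t)count, sizeof *m->colors);
    if (m->colors == NULL) { tracked_free(m); return NULL; }
    m->count = count;
    return m;
}
/* Matching destructor, same shape as the function quoted in the thread. */
static void map_free(MapObject *m) {
    if (m != NULL) { tracked_free(m->colors); tracked_free(m); }
}

/* Release with a bare free of the outer object: the table stays allocated. */
int blocks_left_after_plain_free(void) {
    MapObject *m = map_make(256);
    if (m == NULL) return -1;
    Color *table = m->colors; /* saved only so this demo can clean up */
    tracked_free(m);          /* a real caller has now lost the table pointer */
    int left = live_blocks;
    tracked_free(table);
    return left;
}
/* Release through the destructor: nothing stays allocated. */
int blocks_left_after_map_free(void) {
    MapObject *m = map_make(256);
    if (m == NULL) return -1;
    map_free(m);
    return live_blocks;
}

int main(void) {
    printf("bare free: %d block(s) still allocated\n", blocks_left_after_plain_free());
    printf("map_free:  %d block(s) still allocated\n", blocks_left_after_map_free());
    return 0;
}
```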
