* [Buildroot] [PATCH 1/1] package/giflib: security bump to version 5.2.1
From: Fabrice Fontaine @ 2019-08-18 12:04 UTC (permalink / raw)
To: buildroot
- Switch to generic-package (autotools has been dropped since version
5.1.5)
- Remove hook and instead use dedicated makefile targets to build only
shared or static library and not binaries or documentation (added by
an upstreamable patch)
- ac_cv_prog_have_xmlto=no can be removed as doc is not built anymore
- Fix CVE-2018-11490: The DGifDecompressLine function in dgif_lib.c in
GIFLIB (possibly version 3.0.x), as later shipped in cgif.c in sam2p
0.49.4, has a heap-based buffer overflow because a certain
"Private->RunningCode - 2" array index is not checked. This will lead
to a denial of service or possibly unspecified other impact.
- Fix CVE-2019-15133: In GIFLIB before 2019-02-16, a malformed GIF file
triggers a divide-by-zero exception in the decoder function DGifSlurp
in dgif_lib.c if the height field of the ImageSize data structure is
equal to zero.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...dd-targets-to-manage-static-building.patch | 69 +++++++++++++++++++
package/giflib/giflib.hash | 4 +-
package/giflib/giflib.mk | 47 +++++++++----
3 files changed, 104 insertions(+), 16 deletions(-)
create mode 100644 package/giflib/0001-Makefile-add-targets-to-manage-static-building.patch
diff --git a/package/giflib/0001-Makefile-add-targets-to-manage-static-building.patch b/package/giflib/0001-Makefile-add-targets-to-manage-static-building.patch
new file mode 100644
index 0000000000..384457d0bd
--- /dev/null
+++ b/package/giflib/0001-Makefile-add-targets-to-manage-static-building.patch
@@ -0,0 +1,69 @@
+From 487407d722714f13e8a06d1a9d89f48a5738191e Mon Sep 17 00:00:00 2001
+From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+Date: Fri, 12 Jul 2019 12:20:38 +0200
+Subject: [PATCH] Makefile: add targets to manage static building
+
+Add static-lib, shared-lib, install-static-lib and install-shared-lib
+targets to allow the user to build giflib when dynamic library support
+is not available or enable on the toolchain
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Upstream status:
+https://sourceforge.net/p/giflib/code/merge-requests/7]
+---
+ Makefile | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index b2bf6de..111f52f 100644
+--- a/Makefile
++++ b/Makefile
+@@ -61,10 +61,17 @@ UTILS = $(INSTALLABLE) \
+
+ LDLIBS=libgif.a -lm
+
+-all: libgif.so libgif.a libutil.so libutil.a $(UTILS)
++SHARED_LIBS = libgif.so libutil.so
++STATIC_LIBS = libgif.a libutil.a
++
++all: shared-lib static-lib $(UTILS)
+ $(MAKE) -C doc
+
+-$(UTILS):: libgif.a libutil.a
++$(UTILS):: $(STATIC_LIBS)
++
++shared-lib: $(SHARED_LIBS)
++
++static-lib: $(STATIC_LIBS)
+
+ libgif.so: $(OBJECTS) $(HEADERS)
+ $(CC) $(CFLAGS) -shared $(LDFLAGS) -Wl,-soname -Wl,libgif.so.$(LIBMAJOR) -o libgif.so $(OBJECTS)
+@@ -79,7 +86,7 @@ libutil.a: $(UOBJECTS) $(UHEADERS)
+ $(AR) rcs libutil.a $(UOBJECTS)
+
+ clean:
+- rm -f $(UTILS) $(TARGET) libgetarg.a libgif.a libgif.so libutil.a libutil.so *.o
++ rm -f $(UTILS) $(TARGET) libgetarg.a $(SHARED_LIBS) $(STATIC_LIBS) *.o
+ rm -f libgif.so.$(LIBMAJOR).$(LIBMINOR).$(LIBPOINT)
+ rm -f libgif.so.$(LIBMAJOR)
+ rm -fr doc/*.1 *.html doc/staging
+@@ -96,12 +103,15 @@ install-bin: $(INSTALLABLE)
+ install-include:
+ $(INSTALL) -d "$(DESTDIR)$(INCDIR)"
+ $(INSTALL) -m 644 gif_lib.h "$(DESTDIR)$(INCDIR)"
+-install-lib:
++install-static-lib:
+ $(INSTALL) -d "$(DESTDIR)$(LIBDIR)"
+ $(INSTALL) -m 644 libgif.a "$(DESTDIR)$(LIBDIR)/libgif.a"
++install-shared-lib:
++ $(INSTALL) -d "$(DESTDIR)$(LIBDIR)"
+ $(INSTALL) -m 755 libgif.so "$(DESTDIR)$(LIBDIR)/libgif.so.$(LIBVER)"
+ ln -sf libgif.so.$(LIBVER) "$(DESTDIR)$(LIBDIR)/libgif.so.$(LIBMAJOR)"
+ ln -sf libgif.so.$(LIBMAJOR) "$(DESTDIR)$(LIBDIR)/libgif.so"
++install-lib: install-static-lib install-shared-lib
+ install-man:
+ $(INSTALL) -d "$(DESTDIR)$(MANDIR)/man1"
+ $(INSTALL) -m 644 doc/*.1 "$(DESTDIR)$(MANDIR)/man1"
+--
+2.20.1
+
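Review bot: the new install-static-lib and install-shared-lib targets (and the install-lib alias that chains them) carry no prerequisite on static-lib / shared-lib, so `make install-shared-lib` on an unbuilt tree will fail; that mirrors the previous install-lib, which did not depend on libgif.a either, so it is acceptable as long as the package always runs the build target first, which the accompanying .mk does. Two small points in the embedded patch's own commit message: "is not available or enable on the toolchain" should read "enabled", and it would help to state that install-static-lib deliberately installs only libgif.a and not libutil.a, again matching the old install-lib. The Upstream status line with the merge request URL is present, as Buildroot requires.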
diff --git a/package/giflib/giflib.hash b/package/giflib/giflib.hash
index 189dca9f19..f7db1626df 100644
--- a/package/giflib/giflib.hash
+++ b/package/giflib/giflib.hash
@@ -1,5 +1,5 @@
# From http://sourceforge.net/projects/giflib/files
-md5 2c171ced93c0e83bb09e6ccad8e3ba2b giflib-5.1.4.tar.bz2
-sha1 5f1157cfc377916280849e247b8e34fa0446513f giflib-5.1.4.tar.bz2
+md5 6f03aee4ebe54ac2cc1ab3e4b0a049e5 giflib-5.2.1.tar.gz
+sha1 c3f774dcbdf26afded7788979c8081d33c6426dc giflib-5.2.1.tar.gz
# Locally computed
sha256 0c9b7990ecdca88b676db232c226548ac408b279f550d424d996f0d83591dd8e COPYING
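Review bot: the tarball is still verified only by the md5 and sha1 copied from the SourceForge files page; since neither is collision-resistant and that page is the only source of the values, consider adding a locally computed sha256 line for giflib-5.2.1.tar.gz in the same `# Locally computed` block as the existing one for COPYING. The COPYING sha256 is unchanged context, which implies the MIT license text was re-checked against the 5.2.1 tarball; fine.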
diff --git a/package/giflib/giflib.mk b/package/giflib/giflib.mk
index 29666eebea..67523abac2 100644
--- a/package/giflib/giflib.mk
+++ b/package/giflib/giflib.mk
@@ -4,27 +4,46 @@
#
################################################################################
-GIFLIB_VERSION = 5.1.4
-GIFLIB_SOURCE = giflib-$(GIFLIB_VERSION).tar.bz2
+GIFLIB_VERSION = 5.2.1
+GIFLIB_SOURCE = giflib-$(GIFLIB_VERSION).tar.gz
GIFLIB_SITE = http://downloads.sourceforge.net/project/giflib
GIFLIB_INSTALL_STAGING = YES
GIFLIB_LICENSE = MIT
GIFLIB_LICENSE_FILES = COPYING
-GIFLIB_BINS = \
- gif2epsn gif2ps gif2rgb gif2x11 gifasm gifbg gifbuild gifburst gifclip \
- gifclrmp gifcolor gifcomb gifcompose gifecho giffiltr giffix gifflip \
- gifhisto gifinfo gifinter gifinto gifovly gifpos gifrotat \
- gifrsize gifspnge giftext giftool gifwedge icon2gif raw2gif rgb2gif \
- text2gif
+ifeq ($(BR2_STATIC_LIBS),y)
+GIFLIB_BUILD_LIBS = static-lib
+GIFLIB_INSTALL_LIBS = install-static-lib
+else ifeq ($(BR2_SHARED_LIBS),y)
+GIFLIB_BUILD_LIBS = shared-lib
+GIFLIB_INSTALL_LIBS = install-shared-lib
+else
+GIFLIB_BUILD_LIBS = static-lib shared-lib
+GIFLIB_INSTALL_LIBS = install-lib
+endif
-GIFLIB_CONF_ENV = ac_cv_prog_have_xmlto=no
+define GIFLIB_BUILD_CMDS
+ $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) $(GIFLIB_BUILD_LIBS)
+endef
+
+define HOST_GIFLIB_BUILD_CMDS
+ $(HOST_CONFIGURE_OPTS) $(MAKE) -C $(@D)
+endef
-define GIFLIB_BINS_CLEANUP
- rm -f $(addprefix $(TARGET_DIR)/usr/bin/,$(GIFLIB_BINS))
+define GIFLIB_INSTALL_STAGING_CMDS
+ $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) DESTDIR=$(STAGING_DIR) \
+ PREFIX=/usr install-include $(GIFLIB_INSTALL_LIBS)
endef
-GIFLIB_POST_INSTALL_TARGET_HOOKS += GIFLIB_BINS_CLEANUP
+define GIFLIB_INSTALL_TARGET_CMDS
+ $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) \
+ PREFIX=/usr install-include $(GIFLIB_INSTALL_LIBS)
+endef
+
+define HOST_GIFLIB_INSTALL_CMDS
+ $(HOST_CONFIGURE_OPTS) $(MAKE) -C $(@D) DESTDIR=$(HOST_DIR) \
+ PREFIX=/usr install
+endef
-$(eval $(autotools-package))
-$(eval $(host-autotools-package))
+$(eval $(generic-package))
+$(eval $(host-generic-package))
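Review bot: HOST_GIFLIB_BUILD_CMDS runs the bare `$(MAKE) -C $(@D)`, i.e. the default `all` target, and the Makefile hunk above shows `all` still descending into `$(MAKE) -C doc`; HOST_GIFLIB_INSTALL_CMDS likewise uses the generic `install` target rather than the new per-library ones. So the commit message's statement that documentation is no longer built only holds for the target package, and the host package may still need xmlto for the doc tree; either pass explicit targets to the host build as well (the libraries plus whatever utilities the host package is meant to provide) or confirm the doc build is harmless without xmlto. Separately, GIFLIB_INSTALL_TARGET_CMDS runs install-include into $(TARGET_DIR); headers are only needed in staging, so the target step could pass just $(GIFLIB_INSTALL_LIBS). The BR2_STATIC_LIBS / BR2_SHARED_LIBS / else ordering matches Buildroot's usual pattern.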
--
2.20.1
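The commit message above describes CVE-2019-15133 as a divide-by-zero in DGifSlurp when the height field of an image is zero. A defensive habit for any code that ingests GIFs from untrusted sources is to validate the container geometry before handing the buffer to a decoder. The following is an added example written for this page, not code from giflib or from the Buildroot patch: a dependency-free C walker over the GIF signature, logical screen descriptor, optional global color table and extension blocks that rejects a first image descriptor whose width or height is zero, or whose bounds exceed the logical screen. It relies only on the public GIF89a layout; the fit-in-screen rule is a strictness choice of this example (some decoders tolerate oversized images), and the sample byte strings are constructed, not real files.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts of the pre-decode geometry check. */
enum gif_check {
    GIF_OK = 0,
    GIF_ERR_TRUNCATED,      /* stream ends before the first image descriptor is complete */
    GIF_ERR_MAGIC,          /* signature is neither "GIF87a" nor "GIF89a" */
    GIF_ERR_ZERO_IMAGE,     /* image width or height is 0 (the CVE-2019-15133 trigger) */
    GIF_ERR_OUT_OF_SCREEN,  /* image does not fit in the logical screen (strictness choice) */
    GIF_ERR_NO_IMAGE,       /* trailer (0x3B) reached without any image descriptor */
    GIF_ERR_UNKNOWN_BLOCK   /* introducer byte other than 0x21, 0x2C or 0x3B */
};

/* GIF 16-bit fields are little-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk the header, the optional global color table and any extension blocks,
 * then validate the first image descriptor. No pixel data is decoded: the goal
 * is to reject degenerate geometry before a decoder allocates or divides by
 * width * height. */
enum gif_check gif_check_first_image(const uint8_t *buf, size_t len,
                                     uint16_t *out_w, uint16_t *out_h)
{
    if (len < 13) return GIF_ERR_TRUNCATED;     /* 6-byte signature + 7-byte screen descriptor */
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0)
        return GIF_ERR_MAGIC;
    uint16_t screen_w = rd16(buf + 6), screen_h = rd16(buf + 8);
    uint8_t packed = buf[10];
    size_t pos = 13;
    if (packed & 0x80) {                        /* global color table flag: 3 * 2^(N+1) bytes */
        size_t gct_bytes = 3u * (1u << ((packed & 0x07) + 1));
        if (len - pos < gct_bytes) return GIF_ERR_TRUNCATED;
        pos += gct_bytes;
    }
    while (pos < len) {
        uint8_t intro = buf[pos++];
        if (intro == 0x2C) {                    /* image descriptor: 9 bytes follow */
            if (len - pos < 9) return GIF_ERR_TRUNCATED;
            uint16_t left = rd16(buf + pos), top = rd16(buf + pos + 2);
            uint16_t w = rd16(buf + pos + 4), h = rd16(buf + pos + 6);
            if (w == 0 || h == 0) return GIF_ERR_ZERO_IMAGE;
            if ((uint32_t)left + w > screen_w || (uint32_t)top + h > screen_h)
                return GIF_ERR_OUT_OF_SCREEN;
            if (out_w) *out_w = w;
            if (out_h) *out_h = h;
            return GIF_OK;
        }
        if (intro == 0x21) {                    /* extension: label byte, then data sub-blocks */
            if (pos >= len) return GIF_ERR_TRUNCATED;
            pos++;
            for (;;) {                          /* each sub-block: length byte + data; 0 ends */
                if (pos >= len) return GIF_ERR_TRUNCATED;
                uint8_t n = buf[pos++];
                if (n == 0) break;
                if (len - pos < n) return GIF_ERR_TRUNCATED;
                pos += n;
            }
            continue;
        }
        if (intro == 0x3B) return GIF_ERR_NO_IMAGE;
        return GIF_ERR_UNKNOWN_BLOCK;
    }
    return GIF_ERR_TRUNCATED;
}

/* Pixel count a decoder would allocate for the first image, or -1 if rejected. */
long gif_first_image_pixels(const uint8_t *buf, size_t len)
{
    uint16_t w = 0, h = 0;
    if (gif_check_first_image(buf, len, &w, &h) != GIF_OK) return -1;
    return (long)w * h;
}

/* Constructed sample streams (hand-built bytes, not real files); 2x1 logical screen. */
#define HDR_2X1 'G','I','F','8','9','a', 0x02,0x00, 0x01,0x00, 0x00, 0x00, 0x00
static const uint8_t SAMPLE_OK[]          = { HDR_2X1, 0x2C, 0,0, 0,0, 0x02,0x00, 0x01,0x00, 0x00 };
static const uint8_t SAMPLE_ZERO_HEIGHT[] = { HDR_2X1, 0x2C, 0,0, 0,0, 0x02,0x00, 0x00,0x00, 0x00 };
static const uint8_t SAMPLE_OUTSIDE[]     = { HDR_2X1, 0x2C, 0,0, 0,0, 0x03,0x00, 0x01,0x00, 0x00 };
static const uint8_t SAMPLE_TRUNCATED[]   = { HDR_2X1, 0x2C, 0,0, 0,0 };
/* Same screen, with a 2-entry global color table and a graphic control extension first. */
static const uint8_t SAMPLE_GCT_GCE[] = {
    'G','I','F','8','9','a', 0x02,0x00, 0x01,0x00, 0x80, 0x00, 0x00,
    0xFF,0xFF,0xFF, 0x00,0x00,0x00,                 /* global color table */
    0x21, 0xF9, 0x04, 0x00, 0x00,0x00, 0x00, 0x00,  /* GCE: label, 4-byte sub-block, terminator */
    0x2C, 0,0, 0,0, 0x02,0x00, 0x01,0x00, 0x00      /* image descriptor: 2x1 at (0,0) */
};

int main(void)
{
    static const char *name[] = { "OK", "TRUNCATED", "MAGIC", "ZERO_IMAGE",
                                  "OUT_OF_SCREEN", "NO_IMAGE", "UNKNOWN_BLOCK" };
    printf("zero height: %s\n", name[gif_check_first_image(SAMPLE_ZERO_HEIGHT, sizeof SAMPLE_ZERO_HEIGHT, NULL, NULL)]);
    printf("outside:     %s\n", name[gif_check_first_image(SAMPLE_OUTSIDE, sizeof SAMPLE_OUTSIDE, NULL, NULL)]);
    printf("gct+gce:     %ld pixel(s)\n", gif_first_image_pixels(SAMPLE_GCT_GCE, sizeof SAMPLE_GCT_GCE));
    return 0;
}
```

Such a front-line check does not replace the upstream fix: the LZW decoder and its bookkeeping (the CVE-2018-11490 index check) still have to be correct on their own. What it buys is that a zero-height image becomes a rejected input at the boundary instead of a crash deep inside the library, which is also the point at which a logging or metrics hook can count how often malformed files arrive.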
* [Buildroot] [PATCH 1/1] package/giflib: security bump to version 5.2.1
From: Thomas Petazzoni @ 2019-08-19 13:46 UTC (permalink / raw)
To: buildroot
On Sun, 18 Aug 2019 14:04:32 +0200
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> - Switch to generic-package (autotools has been dropped since version
> 5.1.5)
> - Remove hook and instead use dedicated makefile targets to build only
> shared or static library and not binaries or documentation (added by
> an upstreamable patch)
> - ac_cv_prog_have_xmlto=no can be removed as doc is not built anymore
> - Fix CVE-2018-11490: The DGifDecompressLine function in dgif_lib.c in
> GIFLIB (possibly version 3.0.x), as later shipped in cgif.c in sam2p
> 0.49.4, has a heap-based buffer overflow because a certain
> "Private->RunningCode - 2" array index is not checked. This will lead
> to a denial of service or possibly unspecified other impact.
> - Fix CVE-2019-15133: In GIFLIB before 2019-02-16, a malformed GIF file
> triggers a divide-by-zero exception in the decoder function DGifSlurp
> in dgif_lib.c if the height field of the ImageSize data structure is
> equal to zero.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> ...dd-targets-to-manage-static-building.patch | 69 +++++++++++++++++++
> package/giflib/giflib.hash | 4 +-
> package/giflib/giflib.mk | 47 +++++++++----
> 3 files changed, 104 insertions(+), 16 deletions(-)
> create mode 100644 package/giflib/0001-Makefile-add-targets-to-manage-static-building.patch
I must say this is quite big of a change for master at this point, and
for a security bump in general. I'm not sure between applying this, or
just cherry-picking the two commits that fix the CVEs.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH 1/1] package/giflib: security bump to version 5.2.1
From: Fabrice Fontaine @ 2019-08-19 13:57 UTC (permalink / raw)
To: buildroot
On Mon, 19 Aug 2019 at 15:46, Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> On Sun, 18 Aug 2019 14:04:32 +0200
> Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
>
> > - Switch to generic-package (autotools has been dropped since version
> > 5.1.5)
> > - Remove hook and instead use dedicated makefile targets to build only
> > shared or static library and not binaries or documentation (added by
> > an upstreamable patch)
> > - ac_cv_prog_have_xmlto=no can be removed as doc is not built anymore
> > - Fix CVE-2018-11490: The DGifDecompressLine function in dgif_lib.c in
> > GIFLIB (possibly version 3.0.x), as later shipped in cgif.c in sam2p
> > 0.49.4, has a heap-based buffer overflow because a certain
> > "Private->RunningCode - 2" array index is not checked. This will lead
> > to a denial of service or possibly unspecified other impact.
> > - Fix CVE-2019-15133: In GIFLIB before 2019-02-16, a malformed GIF file
> > triggers a divide-by-zero exception in the decoder function DGifSlurp
> > in dgif_lib.c if the height field of the ImageSize data structure is
> > equal to zero.
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> > ---
> > ...dd-targets-to-manage-static-building.patch | 69 +++++++++++++++++++
> > package/giflib/giflib.hash | 4 +-
> > package/giflib/giflib.mk | 47 +++++++++----
> > 3 files changed, 104 insertions(+), 16 deletions(-)
> > create mode 100644 package/giflib/0001-Makefile-add-targets-to-manage-static-building.patch
>
> I must say this is quite big of a change for master at this point, and
> for a security bump in general. I'm not sure between applying this, or
> just cherry-picking the two commits that fix the CVEs.
Cherry-picking the two commits for master is probably better.
The CVE-2019-15133 can be retrieved here:
https://sourceforge.net/p/giflib/code/ci/799eb6a3af8a3dd81e2429bf11a72a57e541f908
The CVE-2018-11490 can be retrieved here:
https://sourceforge.net/p/giflib/code/ci/08438a5098f3bb1de23a29334af55eba663f75bd
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
Best Regards,
Fabrice
* [Buildroot] [PATCH 1/1] package/giflib: security bump to version 5.2.1
From: Peter Korsgaard @ 2019-08-19 17:07 UTC (permalink / raw)
To: buildroot
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:
> On Sun, 18 Aug 2019 14:04:32 +0200
> Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
>> - Switch to generic-package (autotools has been dropped since version
>> 5.1.5)
>> - Remove hook and instead use dedicated makefile targets to build only
>> shared or static library and not binaries or documentation (added by
>> an upstreamable patch)
>> - ac_cv_prog_have_xmlto=no can be removed as doc is not built anymore
>> - Fix CVE-2018-11490: The DGifDecompressLine function in dgif_lib.c in
>> GIFLIB (possibly version 3.0.x), as later shipped in cgif.c in sam2p
>> 0.49.4, has a heap-based buffer overflow because a certain
>> "Private->RunningCode - 2" array index is not checked. This will lead
>> to a denial of service or possibly unspecified other impact.
>> - Fix CVE-2019-15133: In GIFLIB before 2019-02-16, a malformed GIF file
>> triggers a divide-by-zero exception in the decoder function DGifSlurp
>> in dgif_lib.c if the height field of the ImageSize data structure is
>> equal to zero.
>>
>> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>> ---
>> ...dd-targets-to-manage-static-building.patch | 69 +++++++++++++++++++
>> package/giflib/giflib.hash | 4 +-
>> package/giflib/giflib.mk | 47 +++++++++----
>> 3 files changed, 104 insertions(+), 16 deletions(-)
>> create mode 100644 package/giflib/0001-Makefile-add-targets-to-manage-static-building.patch
> I must say this is quite big of a change for master at this point, and
> for a security bump in general. I'm not sure between applying this, or
> just cherry-picking the two commits that fix the CVEs.
Yes, I believe that is also what we agreed when Bernd posted a similar
patch last month:
https://patchwork.ozlabs.org/patch/1124785/
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH 1/1] package/giflib: security bump to version 5.2.1
From: Thomas Petazzoni @ 2019-08-19 19:40 UTC (permalink / raw)
To: buildroot
On Mon, 19 Aug 2019 19:07:24 +0200
Peter Korsgaard <peter@korsgaard.com> wrote:
> > I must say this is quite big of a change for master at this point, and
> > for a security bump in general. I'm not sure between applying this, or
> > just cherry-picking the two commits that fix the CVEs.
>
> Yes, I believe that is also what we agreed when Bernd posted a similar
> patch last month:
>
> https://patchwork.ozlabs.org/patch/1124785/
So in here you also say that the security issue is only in a tool we
don't install, so we're not affected. In this case, I could just apply
Fabrice's patch to next, and we do nothing for master?
Best regards,
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH 1/1] package/giflib: security bump to version 5.2.1
From: Fabrice Fontaine @ 2019-08-19 20:26 UTC (permalink / raw)
To: buildroot
On Mon, 19 Aug 2019 at 21:40, Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> On Mon, 19 Aug 2019 19:07:24 +0200
> Peter Korsgaard <peter@korsgaard.com> wrote:
>
> > > I must say this is quite big of a change for master at this point, and
> > > for a security bump in general. I'm not sure between applying this, or
> > > just cherry-picking the two commits that fix the CVEs.
> >
> > Yes, I believe that is also what we agreed when Bernd posted a similar
> > patch last month:
> >
> > https://patchwork.ozlabs.org/patch/1124785/
>
> So in here you also say that the security issue is only in a tool we
> don't install, so we're not affected. In this case, I could just apply
> Fabrice's patch to next, and we do nothing for master?
Why would these CVEs only affect tools? As you can see in both links that I
provided, those CVEs are located in dgif_lib.c which is a part of
libgif and libgif is installed in staging. So I think that some of our
users could be concerned by these CVEs. Moreover, we are also
providing host-giflib which builds and installs host tools.
>
> Best regards,
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
Best Regards,
Fabrice
* [Buildroot] [PATCH 1/1] package/giflib: security bump to version 5.2.1
From: Peter Korsgaard @ 2019-08-19 20:44 UTC (permalink / raw)
To: buildroot
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:
> On Mon, 19 Aug 2019 19:07:24 +0200
> Peter Korsgaard <peter@korsgaard.com> wrote:
>> > I must say this is quite big of a change for master at this point, and
>> > for a security bump in general. I'm not sure between applying this, or
>> > just cherry-picking the two commits that fix the CVEs.
>>
>> Yes, I believe that is also what we agreed when Bernd posted a similar
>> patch last month:
>>
>> https://patchwork.ozlabs.org/patch/1124785/
> So in here you also say that the security issue is only in a tool we
> don't install, so we're not affected. In this case, I could just apply
> Fabrice's patch to next, and we do nothing for master?
Sorry, looking back at the issue I think I mixed things up; it doesn't
help that the issues referenced in the commit messages have been deleted
(or hidden?) from their bugtracker. Bug #114 affected gifclrmp, bug #113
does indeed affect the library itself (CVE-2018-11490) and #119
(CVE-2019-15133) as well.
So a small patch adding the fixes to our current version would be the
nicest. Notice that the source files have been moved (and
deleted/restored) in upstream git, so the paths need a bit of tweaking.
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH 1/1] package/giflib: security bump to version 5.2.1
From: Peter Korsgaard @ 2019-08-19 20:57 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
Hi,
>> I must say this is quite big of a change for master at this point, and
>> for a security bump in general. I'm not sure between applying this, or
>> just cherry-picking the two commits that fix the CVEs.
> Cherry-picking the two commits for master is probably better.
> The CVE-2019-15133 can be retrieved here:
> https://sourceforge.net/p/giflib/code/ci/799eb6a3af8a3dd81e2429bf11a72a57e541f908
> The CVE-2018-11490 can be retrieved here:
> https://sourceforge.net/p/giflib/code/ci/08438a5098f3bb1de23a29334af55eba663f75bd
Agreed, care to send such a patch?
Thanks!
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH 1/1] package/giflib: security bump to version 5.2.1
From: Peter Korsgaard @ 2019-08-19 20:58 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> On Mon, 19 Aug 2019 at 21:40, Thomas Petazzoni
> <thomas.petazzoni@bootlin.com> wrote:
>>
>> On Mon, 19 Aug 2019 19:07:24 +0200
>> Peter Korsgaard <peter@korsgaard.com> wrote:
>>
>> > > I must say this is quite big of a change for master at this point, and
>> > > for a security bump in general. I'm not sure between applying this, or
>> > > just cherry-picking the two commits that fix the CVEs.
>> >
>> > Yes, I believe that is also what we agreed when Bernd posted a similar
>> > patch last month:
>> >
>> > https://patchwork.ozlabs.org/patch/1124785/
>>
>> So in here you also say that the security issue is only in a tool we
>> don't install, so we're not affected. In this case, I could just apply
>> Fabrice's patch to next, and we do nothing for master?
> Why would these CVEs only affect tools? As you can see in both links that I
> provided, those CVEs are located in dgif_lib.c which is a part of
> libgif and libgif is installed in staging. So I think that some of our
> users could be concerned by these CVEs. Moreover, we are also
> providing host-giflib which builds and installs host tools.
Yes, sorry - I got #113 and #114 mixed up (and CVE-2019-15133 was not
announced back then).
--
Bye, Peter Korsgaard