projects / buildroot.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: a534030) | patch
libcroco: add upstream security fixes
authorPeter Korsgaard <peter@korsgaard.com>
Tue, 25 Apr 2017 14:16:59 +0000 (16:16 +0200)
committerPeter Korsgaard <peter@korsgaard.com>
Wed, 26 Apr 2017 07:20:16 +0000 (09:20 +0200)
commit52bfb4b1ce25d870f9bab72d285f326ec7d0ad77
tree66032baacfd85e11569bb0839cabfb103b90fc9ftree
parenta534030c6e67ff0319f8af2b55fe977a06f17dfdcommit | diff
libcroco: add upstream security fixes

These have been added to upstream git after 0.6.12 was released.

CVE-2017-7960 - The cr_input_new_from_uri function in cr-input.c in libcroco
0.6.11 and 0.6.12 allows remote attackers to cause a denial of service
(heap-based buffer over-read) via a crafted CSS file.

CVE-2017-7961 - The cr_tknzr_parse_rgb function in cr-tknzr.c in libcroco
0.6.11 and 0.6.12 has an "outside the range of representable values of type
long" undefined behavior issue, which might allow remote attackers to cause
a denial of service (application crash) or possibly have unspecified other
impact via a crafted CSS file.

For more details, see:
https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/libcroco/0001-input-check-end-of-input-before-reading-a-byte.patch [new file with mode: 0644] blob
package/libcroco/0002-tknzr-support-only-max-long-rgb-values.patch [new file with mode: 0644] blob