diff --git a/gdk-pixbuf-cve-2017-2862-jpeg-channels.patch b/gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
new file mode 100644
index 0000000..e709dd2
--- /dev/null
+++ b/gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
@@ -0,0 +1,63 @@
+commit c2a40a92fe3df4111ed9da51fe3368c079b86926
+Author: Tobias Mueller
+Date: Wed Jul 12 20:36:11 2017 +0200
+
+ jpeg: Throw error when number of color components is unsupported
+
+ Explicitly check "3" or "4" output color components.
+
+ gdk-pixbuf assumed that the value of output_components to be either
+ 3 or 4, but not an invalid value (9) or an unsupported value (1).
+
+ The way the buffer size was deduced was using a naive "== 4" check,
+ with a 1, 3 or 9 color component picture getting the same buffer size,
+ a size just sufficient for 3 color components, causing invalid writes
+ later when libjpeg-turbo was decoding the image.
+
+ CVE-2017-2862
+
+ Sent by from Marcin 'Icewall' Noga of Cisco Talos
+
+ https://bugzilla.gnome.org/show_bug.cgi?id=784866
+
+diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
+index dd88a350a..1c0eba1a9 100644
+--- a/gdk-pixbuf/io-jpeg.c
++++ b/gdk-pixbuf/io-jpeg.c
+@@ -1051,6 +1051,7 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
+ if (!context->got_header) {
+ int rc;
+ gchar* comment;
++ gboolean has_alpha;
+
+ jpeg_save_markers (cinfo, JPEG_APP0+1, 0xffff);
+ jpeg_save_markers (cinfo, JPEG_APP0+2, 0xffff);
+@@ -1089,10 +1090,24 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
+ }
+ }
+ jpeg_calc_output_dimensions (cinfo);
+-
+- context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
+- cinfo->output_components == 4 ? TRUE : FALSE,
+- 8,
++
++ if (cinfo->output_components == 3) {
++ has_alpha = FALSE;
++ } else if (cinfo->output_components == 4) {
++ has_alpha = TRUE;
++ } else {
++ g_set_error (error,
++ GDK_PIXBUF_ERROR,
++ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++ _("Unsupported number of color components (%d)"),
++ cinfo->output_components);
++ retval = FALSE;
++ goto out;
++ }
++
++ context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
++ has_alpha,
++ 8,
+ cinfo->output_width,
+ cinfo->output_height);
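Review bot: The new error path `retval = FALSE; goto out;` depends on a `retval` variable and an `out` label that are not in the hunk, and `gdk_pixbuf__jpeg_image_load_increment` both starts and ends outside it, so the `out` cleanup should be checked to behave correctly when `context->pixbuf` is still its pre-existing value rather than the pixbuf this branch would have created. The reason only 3 and 4 are accepted is not stated in the code, although it is the whole point of the fix; a comment above the new `if` would keep it from being "simplified" back later: `/* The pixbuf is sized for exactly 3 (RGB) or 4 (stored with alpha) output components; any other count would leave the buffer too small for the rows libjpeg writes, so reject it. */`. Declaring `gboolean has_alpha = FALSE;` instead of leaving it uninitialised would also make the variable safe against a future branch that forgets to assign it.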
diff --git a/gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch b/gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch
new file mode 100644
index 0000000..98d16c1
--- /dev/null
+++ b/gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch
@@ -0,0 +1,62 @@
+commit 31a6cff3dfc6944aad4612a9668b8ad39122e48b
+Author: Ludovico de Nittis
+Date: Sun Mar 19 16:11:13 2017 +0100
+
+ tiff: Check for integer overflows in multiplication
+
+ The checks currently in use are not sufficient, because they depend on
+ undefined behaviour:
+
+ rowstride = width * 4;
+ if (rowstride / 4 != width) { /* overflow */
+
+ If the multiplication has already overflowed, the compiler may decide
+ to optimize the if out and thus we do not handle the erroneous case.
+
+ Rearrange the checks to avoid the undefined behaviour.
+
+ Note that gcc doesn't seem to be impacted, though a defined behaviour is
+ obviously preferred.
+
+ CVE-2017-2870
+
+ https://bugzilla.gnome.org/show_bug.cgi?id=780269
+
+diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c
+index fb5d55095..7d055cfa8 100644
+--- a/gdk-pixbuf/io-tiff.c
++++ b/gdk-pixbuf/io-tiff.c
+@@ -124,18 +124,18 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, GError **error)
+ _("Width or height of TIFF image is zero"));
+ return NULL;
+ }
+-
+- rowstride = width * 4;
+- if (rowstride / 4 != width) { /* overflow */
++
++ if (width > G_MAXINT / 4) { /* overflow */
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Dimensions of TIFF image too large"));
+ return NULL;
+ }
+-
+- bytes = height * rowstride;
+- if (bytes / rowstride != height) { /* overflow */
++
++ rowstride = width * 4;
++
++ if (height > G_MAXINT / rowstride) { /* overflow */
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+@@ -143,6 +143,8 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, GError **error)
+ return NULL;
+ }
+
++ bytes = height * rowstride;
++
+ if (context && context->size_func) {
+ gint w = width;
+ gint h = height;
diff --git a/gdk-pixbuf.changes b/gdk-pixbuf.changes
index 77363ac..53e0d90 100644
--- a/gdk-pixbuf.changes
+++ b/gdk-pixbuf.changes
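Review bot: `if (height > G_MAXINT / rowstride)` is only the right bound if `bytes` (assigned later in the hunk) is a signed `int`-sized value; the declarations of `width`, `height`, `rowstride` and `bytes` are outside the hunk, and the `gint w = width;` / `gint h = height;` copies in the last hunk suggest at least `width` and `height` are not plain `gint`, so the types should be confirmed against the top of `tiff_image_parse`, which starts and ends outside this patch. The check also silently relies on two facts established earlier: `rowstride` cannot be zero because a zero width already returned with "Width or height of TIFF image is zero", and `rowstride` itself cannot have overflowed because `width` was bounded by `G_MAXINT / 4` just above. Stating that next to the division would protect the ordering of the three checks from being shuffled by a later edit: `/* rowstride is non-zero (zero width rejected above) and did not overflow (width <= G_MAXINT / 4), so this division is well defined */`.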
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Sun Jul 16 20:57:27 CEST 2017 - hpj@suse.com
+
+- Add fixes for crashes, taken from upstream git (CVE-2017-2862,
+ CVE-2017-2870, bgo#784866, bgo#780269):
+ gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
+ gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch
+
 -------------------------------------------------------------------
 Wed May 10 09:10:45 UTC 2017 - dimstar@opensuse.org
diff --git a/gdk-pixbuf.spec b/gdk-pixbuf.spec
index fa8370b..1b7ab12 100644
--- a/gdk-pixbuf.spec
+++ b/gdk-pixbuf.spec
@@ -32,6 +32,10 @@ Source2: README.SUSE
 Source99: baselibs.conf
 # PATCH-FIX-UPSTREAM u_contrib-gdk-pixbuf-xlib-Fix-rgb888amsb.patch boo#929462 bsc#1010497 bgo#775896 mstaudt@suse.com -- Fix RGBA conversion for big endian X11 environments
 Patch0: u_contrib-gdk-pixbuf-xlib-Fix-rgb888amsb.patch
+# PATCH-FIX-UPSTREAM gdk-pixbuf-cve-2017-2862-jpeg-channels.patch bsc#1048289 bgo#784866 CVE-2017-2862 hpj@suse.com -- fix heap overwrite when JPEG channels is not 3 or 4.
+Patch1: gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
+# PATCH-FIX-UPSTREAM gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch bgo#780269 CVE-2017-2870 hpj@suse.com -- fix reliance on undefined behavior to handle integer overflows.
+Patch2: gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch
 BuildRequires: libjasper-devel
 BuildRequires: libjpeg-devel
 BuildRequires: libtiff-devel
@@ -117,6 +121,8 @@ This package contains development files for gdk-pixbuf.
 translation-update-upstream
 %endif
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 %if "%_lib" == "lib64"
 cp -a %{S:2} .
 %endif