From 7d230a8bba81866e23050a5ab1e874e9a8d7c8ee4e79d950df56d08dc51db69b Mon Sep 17 00:00:00 2001 From: Dominique Leuenberger Date: Mon, 8 Jan 2018 12:31:19 +0000 Subject: [PATCH] Accepting request 562058 from home:mgorse:branches:GNOME:Factory - Add gdk-pixbuf-bgo779012-ico-overflow.patch: fix a potential integer overflow (boo#1027026 CVE-2017-6312). - Add gdk-pixbuf-gif-negative-array-indexes.patch and gdk-pixbuf-gif-uninitialized-variable.patch: protect against access to negative array indexes (BGO#778584). - Add gdk-pixbuf-tiff-overflow.patch: avoid overflow during size computation (bgo#779020). - Add gdk-pixbuf-icns-handle-short-blocklen.patch: protect against short block length when reading icns (boo#1027024 CVE-2017-6313). OBS-URL: https://build.opensuse.org/request/show/562058 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gdk-pixbuf?expand=0&rev=144 --- gdk-pixbuf-bgo779012-ico-overflow.patch | 46 +++++++++++++++++++++ gdk-pixbuf-gif-negative-array-indexes.patch | 37 +++++++++++++++++ gdk-pixbuf-gif-uninitialized-variable.patch | 46 +++++++++++++++++++++ gdk-pixbuf-icns-handle-short-blocklen.patch | 30 ++++++++++++++ gdk-pixbuf-tiff-overflow.patch | 38 +++++++++++++++++ gdk-pixbuf.changes | 14 +++++++ gdk-pixbuf.spec | 17 +++++++- 7 files changed, 227 insertions(+), 1 deletion(-) create mode 100644 gdk-pixbuf-bgo779012-ico-overflow.patch create mode 100644 gdk-pixbuf-gif-negative-array-indexes.patch create mode 100644 gdk-pixbuf-gif-uninitialized-variable.patch create mode 100644 gdk-pixbuf-icns-handle-short-blocklen.patch create mode 100644 gdk-pixbuf-tiff-overflow.patch diff --git a/gdk-pixbuf-bgo779012-ico-overflow.patch b/gdk-pixbuf-bgo779012-ico-overflow.patch new file mode 100644 index 0000000..cf49f5a --- /dev/null +++ b/gdk-pixbuf-bgo779012-ico-overflow.patch @@ -0,0 +1,46 @@ +From dec9ca22d70c0f0d4492333b4e8147afb038afd2 Mon Sep 17 00:00:00 2001 +From: Dhiru Kholia +Date: Thu, 30 Nov 2017 02:36:26 +0100 +Subject: [PATCH] ico: Fix potential integer overflow + +Which relies on undefined behaviour. Instead of checking for an +overflowed integer after the fact, check whether the addition would +be possible at all. + +Fixes: CVE-2017-6312 + +https://bugzilla.gnome.org/show_bug.cgi?id=779012 +--- + gdk-pixbuf/io-ico.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/gdk-pixbuf/io-ico.c b/gdk-pixbuf/io-ico.c +index 8729a0fb9..a86725751 100644 +--- a/gdk-pixbuf/io-ico.c ++++ b/gdk-pixbuf/io-ico.c +@@ -333,10 +333,8 @@ static void DecodeHeader(guchar *Data, gint Bytes, + for (l = State->entries; l != NULL; l = g_list_next (l)) { + entry = l->data; + +- /* We know how many bytes are in the "header" part. */ +- State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE; +- +- if (State->HeaderSize < 0) { ++ /* Avoid invoking undefined behavior in the State->HeaderSize calculation below */ ++ if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) { + g_set_error (error, + GDK_PIXBUF_ERROR, + GDK_PIXBUF_ERROR_CORRUPT_IMAGE, +@@ -344,6 +342,9 @@ static void DecodeHeader(guchar *Data, gint Bytes, + return; + } + ++ /* We know how many bytes are in the "header" part. */ ++ State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE; ++ + if (State->HeaderSize>State->BytesInHeaderBuf) { + guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize); + if (!tmp) { +-- +2.15.1 + diff --git a/gdk-pixbuf-gif-negative-array-indexes.patch b/gdk-pixbuf-gif-negative-array-indexes.patch new file mode 100644 index 0000000..f282c3d --- /dev/null +++ b/gdk-pixbuf-gif-negative-array-indexes.patch @@ -0,0 +1,37 @@ +From 23e2a7c4b7794220ecd77389b3976c0767fc839d Mon Sep 17 00:00:00 2001 +From: Tobias Mueller +Date: Wed, 14 Dec 2016 08:03:16 +0100 +Subject: [PATCH] gif: Prevent access to negative array indexes + +It seems that a pathological gif file can cause a negative array index +to be read. UBSAN reported this: +io-gif.c:509:44: runtime error: index -2 out of bounds for type 'guchar [280]' +io-gif.c:510:44: runtime error: index -1 out of bounds for type 'guchar [280]' + +https://bugzilla.gnome.org/show_bug.cgi?id=778584 +--- + gdk-pixbuf/io-gif.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c +index ef1001779..acbd1f3be 100644 +--- a/gdk-pixbuf/io-gif.c ++++ b/gdk-pixbuf/io-gif.c +@@ -508,6 +508,14 @@ gif_lzw_fill_buffer (GifContext *context) + return -2; + } + ++ if (context->code_last_byte < 2) { ++ g_set_error_literal (context->error, ++ GDK_PIXBUF_ERROR, ++ GDK_PIXBUF_ERROR_CORRUPT_IMAGE, ++ _("Bad code encountered")); ++ return -2; ++ } ++ + context->block_buf[0] = context->block_buf[context->code_last_byte - 2]; + context->block_buf[1] = context->block_buf[context->code_last_byte - 1]; + +-- +2.15.1 + diff --git a/gdk-pixbuf-gif-uninitialized-variable.patch b/gdk-pixbuf-gif-uninitialized-variable.patch new file mode 100644 index 0000000..9e8b5e4 --- /dev/null +++ b/gdk-pixbuf-gif-uninitialized-variable.patch @@ -0,0 +1,46 @@ +From c1fd9f5d6592c0183c54efc806b3ca6871e1f496 Mon Sep 17 00:00:00 2001 +From: Tobias Mueller +Date: Fri, 10 Nov 2017 18:51:21 +0100 +Subject: [PATCH] gif: Initialise code_last_byte to not cause undefined + behaviour + +Currently, code_last_byte is set only after it has been used, i.e. + + context->block_buf[0] = context->block_buf[context->code_last_byte - 2]; + +comes before anything has touched context->code_last_byte yet. +Except for the initialisation. +context->code_last_byte is set a few lines later, though. +And nowhere else, except for the initialisation which sets it +to 0. That will inevitably lead to context->block_buf[-2] which is +undefined behaviour. + +We hence set the code_last_byte to 2 in order to not make that +array index invalid. + +https://bugzilla.gnome.org/show_bug.cgi?id=778584 +--- + gdk-pixbuf/io-gif.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c +index acbd1f3be..61821bdf9 100644 +--- a/gdk-pixbuf/io-gif.c ++++ b/gdk-pixbuf/io-gif.c +@@ -1165,7 +1165,12 @@ gif_prepare_lzw (GifContext *context) + context->lzw_fresh = TRUE; + context->code_curbit = 0; + context->code_lastbit = 0; +- context->code_last_byte = 0; ++ /* During initialistion (in gif_lzw_fill_buffer) we substract 2 from ++ * this value to peek into a buffer. ++ * In order to not get a negative array index later, we set the value ++ * to that magic 2 now. ++ */ ++ context->code_last_byte = 2; + context->code_done = FALSE; + + g_assert (context->lzw_clear_code <= +-- +2.15.1 + diff --git a/gdk-pixbuf-icns-handle-short-blocklen.patch b/gdk-pixbuf-icns-handle-short-blocklen.patch new file mode 100644 index 0000000..9e5880e --- /dev/null +++ b/gdk-pixbuf-icns-handle-short-blocklen.patch @@ -0,0 +1,30 @@ +From 210b16399a492d05efb209615a143920b24251f4 Mon Sep 17 00:00:00 2001 +From: Bastien Nocera +Date: Tue, 5 Dec 2017 11:51:02 +0100 +Subject: [PATCH] icns: Protect against too short blocklen (CVE-2017-6313) + +The blocklen needs to be at least header sized to be valid, otherwise we +can underflow picture data or mask data lengths. + +https://bugzilla.gnome.org/show_bug.cgi?id=779016 +--- + gdk-pixbuf/io-icns.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/gdk-pixbuf/io-icns.c b/gdk-pixbuf/io-icns.c +index a432e463f..41732b153 100644 +--- a/gdk-pixbuf/io-icns.c ++++ b/gdk-pixbuf/io-icns.c +@@ -95,7 +95,8 @@ load_resources (unsigned size, IN gpointer data, gsize datalen, + blocklen = GUINT32_FROM_BE (header->size); + + /* Check that blocklen isn't garbage */ +- if (blocklen > icnslen - (current - bytes)) ++ if (blocklen > icnslen - (current - bytes) || ++ blocklen < sizeof (IcnsBlockHeader)) + return FALSE; + + switch (size) +-- +2.15.1 + diff --git a/gdk-pixbuf-tiff-overflow.patch b/gdk-pixbuf-tiff-overflow.patch new file mode 100644 index 0000000..660daef --- /dev/null +++ b/gdk-pixbuf-tiff-overflow.patch @@ -0,0 +1,38 @@ +From 1e513abdb55529f888233d3c96b27352d83aad5f Mon Sep 17 00:00:00 2001 +From: Bastien Nocera +Date: Tue, 5 Dec 2017 10:26:49 +0100 +Subject: [PATCH] tiff: Avoid overflowing buffer size computation + +Use g_uint_checked_mul() to avoid overflowing the guint used for buffer +size calculation. + +https://bugzilla.gnome.org/show_bug.cgi?id=779020 +--- + gdk-pixbuf/io-tiff.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c +index 7ca0a565a..49fe60eee 100644 +--- a/gdk-pixbuf/io-tiff.c ++++ b/gdk-pixbuf/io-tiff.c +@@ -529,8 +529,15 @@ make_available_at_least (TiffContext *context, guint needed) + need_alloc = context->used + needed; + if (need_alloc > context->allocated) { + guint new_size = 1; +- while (new_size < need_alloc) +- new_size *= 2; ++ while (new_size < need_alloc) { ++ if (!g_uint_checked_mul (&new_size, new_size, 2)) { ++ new_size = 0; ++ break; ++ } ++ } ++ ++ if (new_size == 0) ++ return FALSE; + + new_buffer = g_try_realloc (context->buffer, new_size); + if (new_buffer) { +-- +2.15.1 + diff --git a/gdk-pixbuf.changes b/gdk-pixbuf.changes index a223b7c..2e0bcd3 100644 --- a/gdk-pixbuf.changes +++ b/gdk-pixbuf.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Fri Jan 5 17:38:55 UTC 2018 - mgorse@suse.com + +- Add gdk-pixbuf-bgo779012-ico-overflow.patch: fix a potential + integer overflow (boo#1027026 CVE-2017-6312). +- Add gdk-pixbuf-gif-negative-array-indexes.patch and + gdk-pixbuf-gif-uninitialized-variable.patch: protect against + access to negative array indexes (BGO#778584). +- Add gdk-pixbuf-tiff-overflow.patch: avoid overflow during size + computation (bgo#779020). +- Add gdk-pixbuf-icns-handle-short-blocklen.patch: protect against + short block length when reading icns (boo#1027024 + CVE-2017-6313). + ------------------------------------------------------------------- Tue Oct 3 21:36:15 UTC 2017 - luc14n0@linuxmail.org diff --git a/gdk-pixbuf.spec b/gdk-pixbuf.spec index 39d8471..454c374 100644 --- a/gdk-pixbuf.spec +++ b/gdk-pixbuf.spec @@ -1,7 +1,7 @@ # # spec file for package gdk-pixbuf # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -30,6 +30,16 @@ Source1: macros.gdk-pixbuf Source2: README.SUSE Source3: gdk-pixbuf-rpmlintrc Source99: baselibs.conf +# PATCH-FIX-UPSTREAM gdk-pixbuf-bgo779012-ico-overflow.patch boo#1027026 mgorse@suse.com -- fix potential integer overflow (CVE-2017-6312). +Patch0: gdk-pixbuf-bgo779012-ico-overflow.patch +# PATCH-FIX-UPSTREAM gdk-pixbuf-gif-negative-array-indexes.patch bgo#778584 mgorse@suse.com -- gif: prevent access to negative array indexes. +Patch1: gdk-pixbuf-gif-negative-array-indexes.patch +# PATCH-FIX-UPSTREAM gdk-pixbuf-gif-uninitialized-variable.patch bgo#778584 mgorse@suse.com -- fix uninitialized variable. +Patch2: gdk-pixbuf-gif-uninitialized-variable.patch +# PATCH-FIX-UPSTREAM gdk-pixbuf-tiff-overflow.patch bgo#779020 mgorse@suse.com -- avoid overflow during size computation. +Patch3: gdk-pixbuf-tiff-overflow.patch +# PATCH-FIX-UPSTREAM gdk-pixbuf-icns-handle-short-blocklen.patch boo#1027024 bgo#779016 mgorse@suse.com -- icns: protect against too short blocklen (CVE-2017-6313). +Patch4: gdk-pixbuf-icns-handle-short-blocklen.patch BuildRequires: docbook-xsl-stylesheets BuildRequires: gtk-doc BuildRequires: libjpeg-devel @@ -119,6 +129,11 @@ This package contains the development files for gdk-pixbuf. %if !0%{?is_opensuse} translation-update-upstream %endif +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 %if "%_lib" == "lib64" cp -a %{SOURCE2} . %endif