Accepting request 511252 from GNOME:Next

New upstream release OBS-URL: https://build.opensuse.org/request/show/511252 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gdk-pixbuf?expand=0&rev=132
2017-07-21 16:43:26 +00:00 · 2017-07-21 16:43:26 +00:00 · 969c330dc3
commit 969c330dc3
parent 88750fa0a2
6 changed files with 18 additions and 135 deletions
--- a/gdk-pixbuf-2.36.6.tar.xz
+++ b/gdk-pixbuf-2.36.6.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:455eb90c09ed1b71f95f3ebfe1c904c206727e0eeb34fc94e5aaf944663a820c
-size 5166980
--- a/gdk-pixbuf-2.36.7.tar.xz
+++ b/gdk-pixbuf-2.36.7.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1b6e5eef09d98f05f383014ecd3503e25dfb03d7e5b5f5904e5a65b049a6a4d8
+size 5170080
--- a/gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
+++ b/gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
@ -1,63 +0,0 @@
-commit c2a40a92fe3df4111ed9da51fe3368c079b86926
-Author: Tobias Mueller <muelli@cryptobitch.de>
-Date:   Wed Jul 12 20:36:11 2017 +0200
-
-    jpeg: Throw error when number of color components is unsupported
-    
-    Explicitly check "3" or "4" output color components.
-    
-    gdk-pixbuf assumed that the value of output_components to be either
-    3 or 4, but not an invalid value (9) or an unsupported value (1).
-    
-    The way the buffer size was deduced was using a naive "== 4" check,
-    with a 1, 3 or 9 color component picture getting the same buffer size,
-    a size just sufficient for 3 color components, causing invalid writes
-    later when libjpeg-turbo was decoding the image.
-    
-    CVE-2017-2862
-    
-    Sent by from Marcin 'Icewall' Noga of Cisco Talos
-    
-    https://bugzilla.gnome.org/show_bug.cgi?id=784866
-
-diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
-index dd88a350a..1c0eba1a9 100644
--- a/gdk-pixbuf/io-jpeg.c
-+++ b/gdk-pixbuf/io-jpeg.c
-@@ -1051,6 +1051,7 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
- 		if (!context->got_header) {
- 			int rc;
- 			gchar* comment;
-+			gboolean has_alpha;
- 		
- 			jpeg_save_markers (cinfo, JPEG_APP0+1, 0xffff);
- 			jpeg_save_markers (cinfo, JPEG_APP0+2, 0xffff);
-@@ -1089,10 +1090,24 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
- 				}
- 			}
- 			jpeg_calc_output_dimensions (cinfo);
-			
-			context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB, 
-							  cinfo->output_components == 4 ? TRUE : FALSE,
-							  8, 
-+
-+			if (cinfo->output_components == 3) {
-+				has_alpha = FALSE;
-+			} else if (cinfo->output_components == 4) {
-+				has_alpha = TRUE;
-+			} else {
-+				g_set_error (error,
-+					     GDK_PIXBUF_ERROR,
-+					     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
-+					     _("Unsupported number of color components (%d)"),
-+					     cinfo->output_components);
-+				retval = FALSE;
-+				goto out;
-+			}
-+
-+			context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
-+							  has_alpha,
-+							  8,
- 							  cinfo->output_width,
- 							  cinfo->output_height);
- 
--- a/gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch
+++ b/gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch
@ -1,62 +0,0 @@
-commit 31a6cff3dfc6944aad4612a9668b8ad39122e48b
-Author: Ludovico de Nittis <aasonykk@gmail.com>
-Date:   Sun Mar 19 16:11:13 2017 +0100
-
-    tiff: Check for integer overflows in multiplication
-    
-    The checks currently in use are not sufficient, because they depend on
-    undefined behaviour:
-    
-        rowstride = width * 4;
-        if (rowstride / 4 != width) { /* overflow */
-    
-    If the multiplication has already overflowed, the compiler may decide
-    to optimize the if out and thus we do not handle the erroneous case.
-    
-    Rearrange the checks to avoid the undefined behaviour.
-    
-    Note that gcc doesn't seem to be impacted, though a defined behaviour is
-    obviously preferred.
-    
-    CVE-2017-2870
-    
-    https://bugzilla.gnome.org/show_bug.cgi?id=780269
-
-diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c
-index fb5d55095..7d055cfa8 100644
--- a/gdk-pixbuf/io-tiff.c
-+++ b/gdk-pixbuf/io-tiff.c
-@@ -124,18 +124,18 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, GError **error)
-                                      _("Width or height of TIFF image is zero"));
-                 return NULL;                
-         }
-        
-        rowstride = width * 4;
-        if (rowstride / 4 != width) { /* overflow */
-+
-+        if (width > G_MAXINT / 4) { /* overflow */
-                 g_set_error_literal (error,
-                                      GDK_PIXBUF_ERROR,
-                                      GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
-                                      _("Dimensions of TIFF image too large"));
-                 return NULL;                
-         }
-        
-        bytes = height * rowstride;
-        if (bytes / rowstride != height) { /* overflow */
-+
-+        rowstride = width * 4;
-+
-+        if (height > G_MAXINT / rowstride) { /* overflow */
-                 g_set_error_literal (error,
-                                      GDK_PIXBUF_ERROR,
-                                      GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
-@@ -143,6 +143,8 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, GError **error)
-                 return NULL;                
-         }
- 
-+        bytes = height * rowstride;
-+
- 	if (context && context->size_func) {
-                 gint w = width;
-                 gint h = height;
--- a/gdk-pixbuf.changes
+++ b/gdk-pixbuf.changes
@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Tue Jul 18 17:10:16 UTC 2017 - zaitor@opensuse.org
+
+- Update to version 2.36.7:
+  + Add tests for recent bug fixes.
+  + ico, bmp, tiff: avoid integer overflows (bgo#776040,
+    bgo#776694, bgo#780269).
+  + jpeg: error out if wrong # of channels (bgo#784866).
+  + Misc.bugfixes (bgo#784583).
+  + Support mimetypes: image/wmf, image/emf.
+  + Updated translations.
+- Drop gdk-pixbuf-cve-2017-2862-jpeg-channels.patch and
+  gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch: Fixed upstream.
+
 -------------------------------------------------------------------
 Sun Jul 16 20:57:27 CEST 2017 - hpj@suse.com

--- a/gdk-pixbuf.spec
+++ b/gdk-pixbuf.spec
@ -20,7 +20,7 @@
 %define gdk_pixbuf_binary_version 2.10.0

 Name:           gdk-pixbuf
-Version:        2.36.6
+Version:        2.36.7
 Release:        0
 Summary:        An image loading library
 License:        LGPL-2.1+
@ -32,10 +32,6 @@ Source2:        README.SUSE
 Source99:       baselibs.conf
 # PATCH-FIX-UPSTREAM u_contrib-gdk-pixbuf-xlib-Fix-rgb888amsb.patch boo#929462 bsc#1010497 bgo#775896 mstaudt@suse.com -- Fix RGBA conversion for big endian X11 environments
 Patch0:         u_contrib-gdk-pixbuf-xlib-Fix-rgb888amsb.patch
-# PATCH-FIX-UPSTREAM gdk-pixbuf-cve-2017-2862-jpeg-channels.patch bsc#1048289 bgo#784866 CVE-2017-2862 hpj@suse.com -- fix heap overwrite when JPEG channels is not 3 or 4.
-Patch1:         gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
-# PATCH-FIX-UPSTREAM gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch bgo#780269 CVE-2017-2870 hpj@suse.com -- fix reliance on undefined behavior to handle integer overflows.
-Patch2:         gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch
 BuildRequires:  libjasper-devel
 BuildRequires:  libjpeg-devel
 BuildRequires:  libtiff-devel
@ -121,8 +117,6 @@ This package contains development files for gdk-pixbuf.
 translation-update-upstream
 %endif
 %patch0 -p1
-%patch1 -p1
-%patch2 -p1
 %if "%_lib" == "lib64"
 cp -a %{S:2} .
 %endif