From 969c330dc34ca15e1a376517df7e18c200a7b6c4365d87619f7dea12b34cbead Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Lie?=
Date: Fri, 21 Jul 2017 16:43:26 +0000
Subject: [PATCH] Accepting request 511252 from GNOME:Next New upstream release
OBS-URL: https://build.opensuse.org/request/show/511252
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gdk-pixbuf?expand=0&rev=132
---
 gdk-pixbuf-2.36.6.tar.xz | 3 -
 gdk-pixbuf-2.36.7.tar.xz | 3 +
 gdk-pixbuf-cve-2017-2862-jpeg-channels.patch | 63 -------------------
 ...xbuf-cve-2017-2870-tiff-mul-overflow.patch | 62 ------------------
 gdk-pixbuf.changes | 14 +++++
 gdk-pixbuf.spec | 8 +--
 6 files changed, 18 insertions(+), 135 deletions(-)
 delete mode 100644 gdk-pixbuf-2.36.6.tar.xz
 create mode 100644 gdk-pixbuf-2.36.7.tar.xz
 delete mode 100644 gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
 delete mode 100644 gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch
diff --git a/gdk-pixbuf-2.36.6.tar.xz b/gdk-pixbuf-2.36.6.tar.xz
deleted file mode 100644
index f2d9f84..0000000
--- a/gdk-pixbuf-2.36.6.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:455eb90c09ed1b71f95f3ebfe1c904c206727e0eeb34fc94e5aaf944663a820c
-size 5166980
diff --git a/gdk-pixbuf-2.36.7.tar.xz b/gdk-pixbuf-2.36.7.tar.xz
new file mode 100644
index 0000000..f88c68c
--- /dev/null
+++ b/gdk-pixbuf-2.36.7.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1b6e5eef09d98f05f383014ecd3503e25dfb03d7e5b5f5904e5a65b049a6a4d8
+size 5170080
diff --git a/gdk-pixbuf-cve-2017-2862-jpeg-channels.patch b/gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
deleted file mode 100644
index e709dd2..0000000
--- a/gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-commit c2a40a92fe3df4111ed9da51fe3368c079b86926
-Author: Tobias Mueller
-Date: Wed Jul 12 20:36:11 2017 +0200
-
- jpeg: Throw error when number of color components is unsupported
-
- Explicitly check "3" or "4" output color components.
-
- gdk-pixbuf assumed that the value of output_components to be either
- 3 or 4, but not an invalid value (9) or an unsupported value (1).
-
- The way the buffer size was deduced was using a naive "== 4" check,
- with a 1, 3 or 9 color component picture getting the same buffer size,
- a size just sufficient for 3 color components, causing invalid writes
- later when libjpeg-turbo was decoding the image.
-
- CVE-2017-2862
-
- Sent by from Marcin 'Icewall' Noga of Cisco Talos
-
- https://bugzilla.gnome.org/show_bug.cgi?id=784866
-
-diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
-index dd88a350a..1c0eba1a9 100644
---- a/gdk-pixbuf/io-jpeg.c
-+++ b/gdk-pixbuf/io-jpeg.c
-@@ -1051,6 +1051,7 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
- if (!context->got_header) {
- int rc;
- gchar* comment;
-+ gboolean has_alpha;
-
- jpeg_save_markers (cinfo, JPEG_APP0+1, 0xffff);
- jpeg_save_markers (cinfo, JPEG_APP0+2, 0xffff);
-@@ -1089,10 +1090,24 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
- }
- }
- jpeg_calc_output_dimensions (cinfo);
--
-- context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
-- cinfo->output_components == 4 ? TRUE : FALSE,
-- 8,
-+
-+ if (cinfo->output_components == 3) {
-+ has_alpha = FALSE;
-+ } else if (cinfo->output_components == 4) {
-+ has_alpha = TRUE;
-+ } else {
-+ g_set_error (error,
-+ GDK_PIXBUF_ERROR,
-+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
-+ _("Unsupported number of color components (%d)"),
-+ cinfo->output_components);
-+ retval = FALSE;
-+ goto out;
-+ }
-+
-+ context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
-+ has_alpha,
-+ 8,
- cinfo->output_width,
- cinfo->output_height);
-
diff --git a/gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch b/gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch
deleted file mode 100644
index 98d16c1..0000000
--- a/gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-commit 31a6cff3dfc6944aad4612a9668b8ad39122e48b
-Author: Ludovico de Nittis
-Date: Sun Mar 19 16:11:13 2017 +0100
-
- tiff: Check for integer overflows in multiplication
-
- The checks currently in use are not sufficient, because they depend on
- undefined behaviour:
-
- rowstride = width * 4;
- if (rowstride / 4 != width) { /* overflow */
-
- If the multiplication has already overflowed, the compiler may decide
- to optimize the if out and thus we do not handle the erroneous case.
-
- Rearrange the checks to avoid the undefined behaviour.
-
- Note that gcc doesn't seem to be impacted, though a defined behaviour is
- obviously preferred.
-
- CVE-2017-2870
-
- https://bugzilla.gnome.org/show_bug.cgi?id=780269
-
-diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c
-index fb5d55095..7d055cfa8 100644
---- a/gdk-pixbuf/io-tiff.c
-+++ b/gdk-pixbuf/io-tiff.c
-@@ -124,18 +124,18 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, GError **error)
- _("Width or height of TIFF image is zero"));
- return NULL;
- }
--
-- rowstride = width * 4;
-- if (rowstride / 4 != width) { /* overflow */
-+
-+ if (width > G_MAXINT / 4) { /* overflow */
- g_set_error_literal (error,
- GDK_PIXBUF_ERROR,
- GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
- _("Dimensions of TIFF image too large"));
- return NULL;
- }
--
-- bytes = height * rowstride;
-- if (bytes / rowstride != height) { /* overflow */
-+
-+ rowstride = width * 4;
-+
-+ if (height > G_MAXINT / rowstride) { /* overflow */
- g_set_error_literal (error,
- GDK_PIXBUF_ERROR,
- GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
-@@ -143,6 +143,8 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, GError **error)
- return NULL;
- }
-
-+ bytes = height * rowstride;
-+
- if (context && context->size_func) {
- gint w = width;
- gint h = height;
diff --git a/gdk-pixbuf.changes b/gdk-pixbuf.changes
index 53e0d90..f4fb195 100644
--- a/gdk-pixbuf.changes
+++ b/gdk-pixbuf.changes
@@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Tue Jul 18 17:10:16 UTC 2017 - zaitor@opensuse.org + +- Update to version 2.36.7: + + Add tests for recent bug fixes. + + ico, bmp, tiff: avoid integer overflows (bgo#776040, + bgo#776694, bgo#780269). + + jpeg: error out if wrong # of channels (bgo#784866). + + Misc.bugfixes (bgo#784583). + + Support mimetypes: image/wmf, image/emf. + + Updated translations. +- Drop gdk-pixbuf-cve-2017-2862-jpeg-channels.patch and + gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch: Fixed upstream. + ------------------------------------------------------------------- Sun Jul 16 20:57:27 CEST 2017 - hpj@suse.com diff --git a/gdk-pixbuf.spec b/gdk-pixbuf.spec index 1b7ab12..6d12143 100644 --- a/gdk-pixbuf.spec +++ b/gdk-pixbuf.spec @@ -20,7 +20,7 @@ %define gdk_pixbuf_binary_version 2.10.0 Name: gdk-pixbuf -Version: 2.36.6 +Version: 2.36.7 Release: 0 Summary: An image loading library License: LGPL-2.1+ @@ -32,10 +32,6 @@ Source2: README.SUSE Source99: baselibs.conf # PATCH-FIX-UPSTREAM u_contrib-gdk-pixbuf-xlib-Fix-rgb888amsb.patch boo#929462 bsc#1010497 bgo#775896 mstaudt@suse.com -- Fix RGBA conversion for big endian X11 environments Patch0: u_contrib-gdk-pixbuf-xlib-Fix-rgb888amsb.patch -# PATCH-FIX-UPSTREAM gdk-pixbuf-cve-2017-2862-jpeg-channels.patch bsc#1048289 bgo#784866 CVE-2017-2862 hpj@suse.com -- fix heap overwrite when JPEG channels is not 3 or 4. -Patch1: gdk-pixbuf-cve-2017-2862-jpeg-channels.patch -# PATCH-FIX-UPSTREAM gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch bgo#780269 CVE-2017-2870 hpj@suse.com -- fix reliance on undefined behavior to handle integer overflows. -Patch2: gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch BuildRequires: libjasper-devel BuildRequires: libjpeg-devel BuildRequires: libtiff-devel 
@@ -121,8 +117,6 @@ This package contains development files for gdk-pixbuf.
 translation-update-upstream
 %endif
 %patch0 -p1
-%patch1 -p1
-%patch2 -p1
 %if "%_lib" == "lib64"
 cp -a %{S:2} .
 %endif