Accepting request 670262 from KDE:Frameworks5

- Add ghostscript requirement to the -eps subpackage - Add patch to fix buffer overflows (boo#1123281): * 0001-Fix-various-OOB-reads-and-writes-in-kimg_tga-and-kim.patch - Split out the eps plugin into an independant subpackage (bsc#1117336) - Remove unnecessary ldconfig calls OBS-URL: https://build.opensuse.org/request/show/670262 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/kimageformats?expand=0&rev=63
2019-02-04 20:10:43 +00:00
parent 878cd132fb 2dad735ad1
commit 51cec93dac
3 changed files with 208 additions and 6 deletions
--- a/0001-Fix-various-OOB-reads-and-writes-in-kimg_tga-and-kim.patch
+++ b/0001-Fix-various-OOB-reads-and-writes-in-kimg_tga-and-kim.patch
@@ -0,0 +1,145 @@
+From 51d710adda146bc19427c9ea3443c9e0919e6647 Mon Sep 17 00:00:00 2001
+From: Fabian Vogt <fabian@ritter-vogt.de>
+Date: Sun, 20 Jan 2019 12:51:02 +0100
+Subject: [PATCH] Fix various OOB reads and writes in kimg_tga and kimg_xcf
+
+Summary:
+I had a look at some image loading code in kimageformats and found memory
+corruption bugs (there might be more):
+
+- oobwrite4b.xcf: OOB write in kimg_xcf:
+
+By overflowing the "size = 3 * ncolors + 4;" calculation, it's possible to make
+size == 3 or size == 0, which then allows 1 or 4 bytes to be overwritten:
+https://cgit.kde.org/kimageformats.git/tree/src/imageformats/xcf.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n484
+The values aren't arbitrary, so AFAICT DoS only.
+Fix is to move the sanity check for size below the assignment.
+
+- oobread.tga: OOB read in kimg_tga:
+
+By overflowing the "size = tga.width * tga.height * pixel_size" calculation,
+it's possible to cause OOB reads later on as the image data array is too small:
+https://cgit.kde.org/kimageformats.git/tree/src/imageformats/tga.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n192
+Fix is to use a 64bit integer instead.
+
+- oobwrite4b.tga/oobwrite507.tga: OOB write in kimg_tga
+
+If RLE is enabled, any size checks are skipped, so it's possible to write
+either 128 repetitions of an arbitrary four byte value (oobwrite4b.tga)
+or or 507 arbitrary bytes (oobwrite507.tga) out of bounds.
+https://cgit.kde.org/kimageformats.git/tree/src/imageformats/tga.cpp?id=3f2552f21b1cdef063c2a93cc95d42a8cf907fcf#n209
+Fix is to check for "num" being negative before reading into the buffer.
+
+Also, bail out early if there is no more data available (reading a 65kx65k px image from 14B data takes ages otherwise)
+
+Test Plan:
+Stopped crashing and valgrind don't complain anymore.
+
+TGA preview still works for valid files.
+
+Reviewers: aacid
+
+Reviewed By: aacid
+
+Subscribers: lbeltrame, kde-frameworks-devel
+
+Tags: #frameworks
+
+Differential Revision: https://phabricator.kde.org/D18574
+---
+ src/imageformats/tga.cpp | 27 +++++++++++++++++++++++----
+ src/imageformats/xcf.cpp |  3 ++-
+ 2 files changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/src/imageformats/tga.cpp b/src/imageformats/tga.cpp
+index 3a22b45..9217bed 100644
+--- a/src/imageformats/tga.cpp
+++ b/src/imageformats/tga.cpp
+@@ -189,7 +189,7 @@ static bool LoadTGA(QDataStream &s, const TgaHeader &tga, QImage &img)
+     }
+ 
+     uint pixel_size = (tga.pixel_size / 8);
+-    uint size = tga.width * tga.height * pixel_size;
+    qint64 size = qint64(tga.width) * qint64(tga.height) * pixel_size;
+ 
+     if (size < 1) {
+ //          qDebug() << "This TGA file is broken with size " << size;
+@@ -204,20 +204,34 @@ static bool LoadTGA(QDataStream &s, const TgaHeader &tga, QImage &img)
+     }
+ 
+     // Allocate image.
+-    uchar *const image = new uchar[size];
+    uchar *const image = reinterpret_cast<uchar*>(malloc(size));
+    if (!image) {
+        return false;
+    }
+
+    bool valid = true;
+ 
+     if (info.rle) {
+         // Decode image.
+         char *dst = (char *)image;
+-        int num = size;
+        qint64 num = size;
+ 
+         while (num > 0) {
+            if (s.atEnd()) {
+                valid = false;
+                break;
+            }
+
+             // Get packet header.
+             uchar c;
+             s >> c;
+ 
+             uint count = (c & 0x7f) + 1;
+             num -= count * pixel_size;
+            if (num < 0) {
+                valid = false;
+                break;
+            }
+ 
+             if (c & 0x80) {
+                 // RLE pixels.
+@@ -240,6 +254,11 @@ static bool LoadTGA(QDataStream &s, const TgaHeader &tga, QImage &img)
+         s.readRawData((char *)image, size);
+     }
+ 
+    if (!valid) {
+        free(image);
+        return false;
+    }
+
+     // Convert image to internal format.
+     int y_start, y_step, y_end;
+     if (tga.flags & TGA_ORIGIN_UPPER) {
+@@ -294,7 +313,7 @@ static bool LoadTGA(QDataStream &s, const TgaHeader &tga, QImage &img)
+     }
+ 
+     // Free image.
+-    delete [] image;
+    free(image);
+ 
+     return true;
+ }
+diff --git a/src/imageformats/xcf.cpp b/src/imageformats/xcf.cpp
+index f837112..3afb599 100644
+--- a/src/imageformats/xcf.cpp
+++ b/src/imageformats/xcf.cpp
+@@ -495,11 +495,12 @@ bool XCFImageFormat::loadProperty(QDataStream &xcf_io, PropType &type, QByteArra
+         quint32 ncolors;
+         xcf_io >> ncolors;
+ 
+        size = 3 * ncolors + 4;
+
+         if (size > 65535 || size < 4) {
+             return false;
+         }
+ 
+-        size = 3 * ncolors + 4;
+         data = new char[size];
+ 
+         // since we already read "ncolors" from the stream, we put that data back
+-- 
+2.20.1
+
--- a/kimageformats.changes
+++ b/kimageformats.changes
@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Thu Jan 31 07:48:50 UTC 2019 - Fabian Vogt <fabian@ritter-vogt.de>
+
+- Add ghostscript requirement to the -eps subpackage
+
+-------------------------------------------------------------------
+Mon Jan 28 13:30:26 UTC 2019 - Fabian Vogt <fabian@ritter-vogt.de>
+
+- Add patch to fix buffer overflows (boo#1123281):
+  * 0001-Fix-various-OOB-reads-and-writes-in-kimg_tga-and-kim.patch
+
+-------------------------------------------------------------------
+Wed Jan 23 17:47:54 UTC 2019 - Fabian Vogt <fabian@ritter-vogt.de>
+
+- Split out the eps plugin into an independant subpackage (bsc#1117336)
+- Remove unnecessary ldconfig calls
+
 -------------------------------------------------------------------
 Mon Jan 14 06:08:47 UTC 2019 - lbeltrame@kde.org

--- a/kimageformats.spec
+++ b/kimageformats.spec
@@ -30,6 +30,8 @@ Group:          System/GUI/KDE
 URL:            https://www.kde.org
 Source:         http://download.kde.org/stable/frameworks/%{_tar_path}/%{name}-%{version}.tar.xz
 Source1:        baselibs.conf
+# PATCH-FIX-UPSTREAM
+Patch001:       0001-Fix-various-OOB-reads-and-writes-in-kimg_tga-and-kim.patch
 BuildRequires:  cmake >= 3.0
 BuildRequires:  extra-cmake-modules >= %{_kf5_bugfix_version}
 BuildRequires:  fdupes
@@ -43,6 +45,7 @@ BuildRequires:  cmake(Qt5Test) >= 5.6.0
 %requires_ge    libQt5Gui5
 %requires_ge    libQt5PrintSupport5
 Recommends:     libqt5-qtimageformats >= 5.6.0
+Suggests:       %{name}-eps

 %description
 This framework provides additional image format plugins for QtGui.  As
@@ -50,8 +53,19 @@ such it is not required for the compilation of any other software, but
 may be a runtime requirement for Qt-based software to support certain
 image formats.

+%package eps
+Summary:        EPS image format plugin for Qt
+Group:          System/GUI/KDE
+Conflicts:      %{name} < %{version}-%{release}
+Requires:       ghostscript
+
+%description eps
+This plugin provides support for the EPS document format for QtGui. As
+it invokes ghostscript for conversion, it should only be used in trusted
+environments.
+
 %prep
-%setup -q
+%autosetup -p1

 %build
  %cmake_kf5 -d build
@@ -61,12 +75,38 @@ image formats.
  %kf5_makeinstall -C build
  %fdupes %{buildroot}

-%post -n kimageformats -p /sbin/ldconfig
-%postun -n kimageformats -p /sbin/ldconfig
-
 %files
 %license COPYING*
-%{_kf5_plugindir}/
-%{_kf5_servicesdir}/
+%dir %{_kf5_plugindir}/imageformats
+%{_kf5_plugindir}/imageformats/kimg_exr.so
+%{_kf5_plugindir}/imageformats/kimg_kra.so
+%{_kf5_plugindir}/imageformats/kimg_ora.so
+%{_kf5_plugindir}/imageformats/kimg_pcx.so
+%{_kf5_plugindir}/imageformats/kimg_pic.so
+%{_kf5_plugindir}/imageformats/kimg_psd.so
+%{_kf5_plugindir}/imageformats/kimg_ras.so
+%{_kf5_plugindir}/imageformats/kimg_rgb.so
+%{_kf5_plugindir}/imageformats/kimg_tga.so
+%{_kf5_plugindir}/imageformats/kimg_xcf.so
+%dir %{_kf5_servicesdir}/qimageioplugins
+%{_kf5_servicesdir}/qimageioplugins/dds.desktop
+%{_kf5_servicesdir}/qimageioplugins/exr.desktop
+%{_kf5_servicesdir}/qimageioplugins/jp2.desktop
+%{_kf5_servicesdir}/qimageioplugins/kra.desktop
+%{_kf5_servicesdir}/qimageioplugins/ora.desktop
+%{_kf5_servicesdir}/qimageioplugins/pcx.desktop
+%{_kf5_servicesdir}/qimageioplugins/pic.desktop
+%{_kf5_servicesdir}/qimageioplugins/psd.desktop
+%{_kf5_servicesdir}/qimageioplugins/ras.desktop
+%{_kf5_servicesdir}/qimageioplugins/rgb.desktop
+%{_kf5_servicesdir}/qimageioplugins/tga.desktop
+%{_kf5_servicesdir}/qimageioplugins/xcf.desktop
+
+%files eps
+%license COPYING*
+%dir %{_kf5_plugindir}/imageformats
+%dir %{_kf5_servicesdir}/qimageioplugins
+%{_kf5_plugindir}/imageformats/kimg_eps.so
+%{_kf5_servicesdir}/qimageioplugins/eps.desktop

 %changelog