summaryrefslogtreecommitdiff
path: root/gnu
diff options
context:
space:
mode:
authorEfraim Flashner <efraim@flashner.co.il>2016-11-28 19:25:21 +0200
committerEfraim Flashner <efraim@flashner.co.il>2016-11-29 09:45:48 +0200
commitc51d926c740f98883ce3332852e826f57fdf4566 (patch)
tree288bd18a68556ea3a4b8bf876876fbf01b5f2b99 /gnu
parenteb55f018219e5912fc5606c4e1881a64f8fa5710 (diff)
gnu: cairo: Fix CVE-2016-9082.
* gnu/packages/gtk.scm (cairo)[replacement]: New field. (cairo/fixed): New variable. (cairo-xcb)[source]: Use patch. [replacement]: New field, set false. * gnu/packages/pdf.scm (poppler)[inputs]: Custom cairo should be replaced by a new custom patched cairo. * gnu/packages/patches/cairo-CVE-2016-9082.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it.
Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/gtk.scm12
-rw-r--r--gnu/packages/patches/cairo-CVE-2016-9082.patch122
-rw-r--r--gnu/packages/pdf.scm11
4 files changed, 146 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 49609cd68f..9d0e4c5094 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -489,6 +489,7 @@ dist_patch_DATA = \
%D%/packages/patches/binutils-loongson-workaround.patch \
%D%/packages/patches/binutils-mips-bash-bug.patch \
%D%/packages/patches/byobu-writable-status.patch \
+ %D%/packages/patches/cairo-CVE-2016-9082.patch \
%D%/packages/patches/calibre-drop-unrar.patch \
%D%/packages/patches/calibre-no-updates-dialog.patch \
%D%/packages/patches/cdparanoia-fpic.patch \
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 17bd9c9b00..8a258b54cc 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -100,6 +100,7 @@ tools have full access to view and control running applications.")
(define-public cairo
(package
(name "cairo")
+ (replacement cairo/fixed)
(version "1.14.6")
(source (origin
(method url-fetch)
@@ -153,6 +154,10 @@ affine transformation (scale, rotation, shear, etc.).")
(package
(inherit cairo)
(name "cairo-xcb")
+ (source (origin
+ (inherit (package-source cairo))
+ (patches (search-patches "cairo-CVE-2016-9082.patch"))))
+ (replacement #f)
(inputs
`(("mesa" ,mesa)
,@(package-inputs cairo)))
@@ -162,6 +167,13 @@ affine transformation (scale, rotation, shear, etc.).")
'("--enable-xlib-xcb" "--enable-gl" "--enable-egl")))
(synopsis "2D graphics library (with X11 support)")))
+(define cairo/fixed
+ (package
+ (inherit cairo)
+ (source (origin
+ (inherit (package-source cairo))
+ (patches (search-patches "cairo-CVE-2016-9082.patch"))))))
+
(define-public harfbuzz
(package
(name "harfbuzz")
diff --git a/gnu/packages/patches/cairo-CVE-2016-9082.patch b/gnu/packages/patches/cairo-CVE-2016-9082.patch
new file mode 100644
index 0000000000..ad83404194
--- /dev/null
+++ b/gnu/packages/patches/cairo-CVE-2016-9082.patch
@@ -0,0 +1,122 @@
+From: Adrian Johnson <ajohnson@redneon.com>
+Date: Thu, 20 Oct 2016 21:12:30 +1030
+Subject: [PATCH] image: prevent invalid ptr access for > 4GB images
+
+Image data is often accessed using:
+
+ image->data + y * image->stride
+
+On 64-bit achitectures if the image data is > 4GB, this computation
+will overflow since both y and stride are 32-bit types.
+
+bug report: https://bugs.freedesktop.org/show_bug.cgi?id=98165
+patch: https://bugs.freedesktop.org/attachment.cgi?id=127421
+---
+ boilerplate/cairo-boilerplate.c | 4 +++-
+ src/cairo-image-compositor.c | 4 ++--
+ src/cairo-image-surface-private.h | 2 +-
+ src/cairo-mesh-pattern-rasterizer.c | 2 +-
+ src/cairo-png.c | 2 +-
+ src/cairo-script-surface.c | 3 ++-
+ 6 files changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/boilerplate/cairo-boilerplate.c b/boilerplate/cairo-boilerplate.c
+index 7fdbf79..4804dea 100644
+--- a/boilerplate/cairo-boilerplate.c
++++ b/boilerplate/cairo-boilerplate.c
+@@ -42,6 +42,7 @@
+ #undef CAIRO_VERSION_H
+ #include "../cairo-version.h"
+
++#include <stddef.h>
+ #include <stdlib.h>
+ #include <ctype.h>
+ #include <assert.h>
+@@ -976,7 +977,8 @@ cairo_surface_t *
+ cairo_boilerplate_image_surface_create_from_ppm_stream (FILE *file)
+ {
+ char format;
+- int width, height, stride;
++ int width, height;
++ ptrdiff_t stride;
+ int x, y;
+ unsigned char *data;
+ cairo_surface_t *image = NULL;
+diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
+index 48072f8..3ca0006 100644
+--- a/src/cairo-image-compositor.c
++++ b/src/cairo-image-compositor.c
+@@ -1575,7 +1575,7 @@ typedef struct _cairo_image_span_renderer {
+ pixman_image_t *src, *mask;
+ union {
+ struct fill {
+- int stride;
++ ptrdiff_t stride;
+ uint8_t *data;
+ uint32_t pixel;
+ } fill;
+@@ -1594,7 +1594,7 @@ typedef struct _cairo_image_span_renderer {
+ struct finish {
+ cairo_rectangle_int_t extents;
+ int src_x, src_y;
+- int stride;
++ ptrdiff_t stride;
+ uint8_t *data;
+ } mask;
+ } u;
+diff --git a/src/cairo-image-surface-private.h b/src/cairo-image-surface-private.h
+index 8ca694c..7e78d61 100644
+--- a/src/cairo-image-surface-private.h
++++ b/src/cairo-image-surface-private.h
+@@ -71,7 +71,7 @@ struct _cairo_image_surface {
+
+ int width;
+ int height;
+- int stride;
++ ptrdiff_t stride;
+ int depth;
+
+ unsigned owns_data : 1;
+diff --git a/src/cairo-mesh-pattern-rasterizer.c b/src/cairo-mesh-pattern-rasterizer.c
+index 1b63ca8..e7f0db6 100644
+--- a/src/cairo-mesh-pattern-rasterizer.c
++++ b/src/cairo-mesh-pattern-rasterizer.c
+@@ -470,7 +470,7 @@ draw_pixel (unsigned char *data, int width, int height, int stride,
+ tg += tg >> 16;
+ tb += tb >> 16;
+
+- *((uint32_t*) (data + y*stride + 4*x)) = ((ta << 16) & 0xff000000) |
++ *((uint32_t*) (data + y*(ptrdiff_t)stride + 4*x)) = ((ta << 16) & 0xff000000) |
+ ((tr >> 8) & 0xff0000) | ((tg >> 16) & 0xff00) | (tb >> 24);
+ }
+ }
+diff --git a/src/cairo-png.c b/src/cairo-png.c
+index 562b743..aa8c227 100644
+--- a/src/cairo-png.c
++++ b/src/cairo-png.c
+@@ -673,7 +673,7 @@ read_png (struct png_read_closure_t *png_closure)
+ }
+
+ for (i = 0; i < png_height; i++)
+- row_pointers[i] = &data[i * stride];
++ row_pointers[i] = &data[i * (ptrdiff_t)stride];
+
+ png_read_image (png, row_pointers);
+ png_read_end (png, info);
+diff --git a/src/cairo-script-surface.c b/src/cairo-script-surface.c
+index ea0117d..91e4baa 100644
+--- a/src/cairo-script-surface.c
++++ b/src/cairo-script-surface.c
+@@ -1202,7 +1202,8 @@ static cairo_status_t
+ _write_image_surface (cairo_output_stream_t *output,
+ const cairo_image_surface_t *image)
+ {
+- int stride, row, width;
++ int row, width;
++ ptrdiff_t stride;
+ uint8_t row_stack[CAIRO_STACK_BUFFER_SIZE];
+ uint8_t *rowdata;
+ uint8_t *data;
+--
+2.1.4
+
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index 39f4d021de..6442f08af9 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -95,6 +95,17 @@
;; To build poppler-glib (as needed by Evince), we need Cairo and
;; GLib. But of course, that Cairo must not depend on Poppler.
("cairo" ,(package (inherit cairo)
+ (replacement
+ (package
+ (inherit cairo)
+ (replacement #f)
+ (source
+ (origin
+ (inherit (package-source cairo))
+ (patches (search-patches
+ "cairo-CVE-2016-9082.patch"))))
+ (inputs (alist-delete "poppler"
+ (package-inputs cairo)))))
(inputs (alist-delete "poppler"
(package-inputs cairo)))))
("glib" ,glib)))