diff options
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/gimp.scm | 5 | ||||
-rw-r--r-- | gnu/packages/patches/gegl-CVE-2012-4433.patch | 117 |
3 files changed, 122 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index dc1b521b6e..66538e69cb 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -501,6 +501,7 @@ dist_patch_DATA = \ %D%/packages/patches/gcc-cross-environment-variables.patch \ %D%/packages/patches/gcc-libvtv-runpath.patch \ %D%/packages/patches/gcc-5.0-libvtv-runpath.patch \ + %D%/packages/patches/gegl-CVE-2012-4433.patch \ %D%/packages/patches/geoclue-config.patch \ %D%/packages/patches/ghostscript-CVE-2015-3228.patch \ %D%/packages/patches/ghostscript-runpath.patch \ diff --git a/gnu/packages/gimp.scm b/gnu/packages/gimp.scm index bd2794305b..b11791b921 100644 --- a/gnu/packages/gimp.scm +++ b/gnu/packages/gimp.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2014, 2015 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net> +;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il> ;;; ;;; This file is part of GNU Guix. ;;; @@ -24,6 +25,7 @@ #:use-module ((guix licenses) #:prefix license:) #:use-module (guix build-system gnu) #:use-module (guix build-system glib-or-gtk) + #:use-module (gnu packages) #:use-module (gnu packages algebra) #:use-module (gnu packages pkg-config) #:use-module (gnu packages glib) @@ -75,7 +77,8 @@ provided as well as the framework to add new color models and data types.") "/" name "-" version ".tar.bz2"))) (sha256 (base32 - "09nlv06li9nrn74ifpm7223mxpg0s7cii702z72cpbwrjh6nlbnz")))) + "09nlv06li9nrn74ifpm7223mxpg0s7cii702z72cpbwrjh6nlbnz")) + (patches (search-patches "gegl-CVE-2012-4433.patch")))) (build-system gnu-build-system) (arguments `(;; More than just the one test disabled below now fails; disable them diff --git a/gnu/packages/patches/gegl-CVE-2012-4433.patch b/gnu/packages/patches/gegl-CVE-2012-4433.patch new file mode 100644 index 0000000000..7352b78dba --- /dev/null +++ b/gnu/packages/patches/gegl-CVE-2012-4433.patch @@ -0,0 +1,117 @@ +From: Michael Gilbert <mgilbert@debian.org> +Date: Mon, 9 Sep 2013 17:34:32 +0200 +Subject: Fix_CVE-2012-4433 + +Multiple buffer overflow issues. + +Closes: #692435 +--- + operations/external/ppm-load.c | 62 ++++++++++++++++++++++++++++++++++++------ + 1 file changed, 53 insertions(+), 9 deletions(-) + +diff --git a/operations/external/ppm-load.c b/operations/external/ppm-load.c +index efe6d56..465096d 100644 +--- a/operations/external/ppm-load.c ++++ b/operations/external/ppm-load.c +@@ -36,6 +36,7 @@ gegl_chant_file_path (path, _("File"), "", _("Path of file to load.")) + #include "gegl-chant.h" + #include <stdio.h> + #include <stdlib.h> ++#include <errno.h> + + typedef enum { + PIXMAP_ASCII = 51, +@@ -44,8 +45,8 @@ typedef enum { + + typedef struct { + map_type type; +- gint width; +- gint height; ++ glong width; ++ glong height; + gsize numsamples; /* width * height * channels */ + gsize bpc; /* bytes per channel */ + guchar *data; +@@ -82,12 +83,33 @@ ppm_load_read_header(FILE *fp, + } + + /* Get Width and Height */ +- img->width = strtol (header,&ptr,0); +- img->height = atoi (ptr); +- img->numsamples = img->width * img->height * CHANNEL_COUNT; ++ errno = 0; ++ img->width = strtol (header,&ptr,10); ++ if (errno) ++ { ++ g_warning ("Error reading width: %s", strerror(errno)); ++ return FALSE; ++ } ++ else if (img->width < 0) ++ { ++ g_warning ("Error: width is negative"); ++ return FALSE; ++ } ++ ++ img->height = strtol (ptr,&ptr,10); ++ if (errno) ++ { ++ g_warning ("Error reading height: %s", strerror(errno)); ++ return FALSE; ++ } ++ else if (img->width < 0) ++ { ++ g_warning ("Error: height is negative"); ++ return FALSE; ++ } + + fgets (header,MAX_CHARS_IN_ROW,fp); +- maxval = strtol (header,&ptr,0); ++ maxval = strtol (header,&ptr,10); + + if ((maxval != 255) && (maxval != 65535)) + { +@@ -109,6 +131,16 @@ ppm_load_read_header(FILE *fp, + g_warning ("%s: Programmer stupidity error", G_STRLOC); + } + ++ /* Later on, img->numsamples is multiplied with img->bpc to allocate ++ * memory. Ensure it doesn't overflow. */ ++ if (!img->width || !img->height || ++ G_MAXSIZE / img->width / img->height / CHANNEL_COUNT < img->bpc) ++ { ++ g_warning ("Illegal width/height: %ld/%ld", img->width, img->height); ++ return FALSE; ++ } ++ img->numsamples = img->width * img->height * CHANNEL_COUNT; ++ + return TRUE; + } + +@@ -229,12 +261,24 @@ process (GeglOperation *operation, + if (!ppm_load_read_header (fp, &img)) + goto out; + +- rect.height = img.height; +- rect.width = img.width; +- + /* Allocating Array Size */ ++ ++ /* Should use g_try_malloc(), but this causes crashes elsewhere because the ++ * error signalled by returning FALSE isn't properly acted upon. Therefore ++ * g_malloc() is used here which aborts if the requested memory size can't be ++ * allocated causing a controlled crash. */ + img.data = (guchar*) g_malloc (img.numsamples * img.bpc); + ++ /* No-op without g_try_malloc(), see above. */ ++ if (! img.data) ++ { ++ g_warning ("Couldn't allocate %" G_GSIZE_FORMAT " bytes, giving up.", ((gsize)img.numsamples * img.bpc)); ++ goto out; ++ } ++ ++ rect.height = img.height; ++ rect.width = img.width; ++ + switch (img.bpc) + { + case 1: |