Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/gimp-CVE-2016-4994.patch | 96 | ||||
-rw-r--r-- | gnu/packages/patches/mupdf-CVE-2016-6265.patch | 30 | ||||
-rw-r--r-- | gnu/packages/patches/mupdf-CVE-2016-6525.patch | 21 | ||||
-rw-r--r-- | gnu/packages/patches/xf86-video-openchrome-glibc-2.20.patch | 15 |
4 files changed, 51 insertions, 111 deletions
diff --git a/gnu/packages/patches/gimp-CVE-2016-4994.patch b/gnu/packages/patches/gimp-CVE-2016-4994.patch
deleted file mode 100644
index 6c81c63386..0000000000
--- a/gnu/packages/patches/gimp-CVE-2016-4994.patch
+++ /dev/null
@@ -1,96 +0,0 @@ -Fix CVE-2016-4994: -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4994 - -Copied from upstream repository: -https://git.gnome.org/browse/gimp/patch/?id=e82aaa4b4ee0703c879e35ea9321fff6be3e9b6f - -From e82aaa4b4ee0703c879e35ea9321fff6be3e9b6f Mon Sep 17 00:00:00 2001 -From: Shmuel H <shmuelgimp@gmail.com> -Date: Mon, 20 Jun 2016 17:14:41 +0300 -Subject: Bug 767873 - (CVE-2016-4994) Multiple Use-After-Free when parsing... - -...XCF channel and layer properties - -The properties PROP_ACTIVE_LAYER, PROP_FLOATING_SELECTION, -PROP_ACTIVE_CHANNEL saves the current object pointer the @info -structure. Others like PROP_SELECTION (for channel) and -PROP_GROUP_ITEM (for layer) will delete the current object and create -a new object, leaving the pointers in @info invalid (dangling). - -Therefore, if a property from the first type will come before the -second, the result will be an UaF in the last lines of xcf_load_image -(when it actually using the pointers from @info). - -I wasn't able to exploit this bug because that -g_object_instance->c_class gets cleared by the last g_object_unref and -GIMP_IS_{LAYER,CHANNEL} detects that and return FALSE. - -(cherry picked from commit 6d804bf9ae77bc86a0a97f9b944a129844df9395) ---- - app/xcf/xcf-load.c | 29 +++++++++++++++++++++++++++++ - 1 file changed, 29 insertions(+) - -diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c -index b180377..67cc6d4 100644 ---- a/app/xcf/xcf-load.c -+++ b/app/xcf/xcf-load.c -@@ -904,6 +904,18 @@ xcf_load_layer_props (XcfInfo *info, - case PROP_GROUP_ITEM: - { - GimpLayer *group; -+ gboolean is_active_layer; -+ -+ /* We're going to delete *layer, Don't leave its pointers -+ * in @info. After that, we'll restore them back with the -+ * new pointer. See bug #767873. 
-+ */ -+ is_active_layer = (*layer == info->active_layer); -+ if (is_active_layer) -+ info->active_layer = NULL; -+ -+ if (*layer == info->floating_sel) -+ info->floating_sel = NULL; - - group = gimp_group_layer_new (image); - -@@ -916,6 +928,13 @@ xcf_load_layer_props (XcfInfo *info, - g_object_ref_sink (*layer); - g_object_unref (*layer); - *layer = group; -+ -+ if (is_active_layer) -+ info->active_layer = *layer; -+ -+ /* Don't restore info->floating_sel because group layers -+ * can't be floating selections -+ */ - } - break; - -@@ -986,6 +1005,12 @@ xcf_load_channel_props (XcfInfo *info, - { - GimpChannel *mask; - -+ /* We're going to delete *channel, Don't leave its pointer -+ * in @info. See bug #767873. -+ */ -+ if (*channel == info->active_channel) -+ info->active_channel = NULL; -+ - mask = - gimp_selection_new (image, - gimp_item_get_width (GIMP_ITEM (*channel)), -@@ -1000,6 +1025,10 @@ xcf_load_channel_props (XcfInfo *info, - *channel = mask; - (*channel)->boundary_known = FALSE; - (*channel)->bounds_known = FALSE; -+ -+ /* Don't restore info->active_channel because the -+ * selection can't be the active channel -+ */ - } - break; - --- -cgit v0.12 - diff --git a/gnu/packages/patches/mupdf-CVE-2016-6265.patch b/gnu/packages/patches/mupdf-CVE-2016-6265.patch new file mode 100644 index 0000000000..58f5c3726c --- /dev/null +++ b/gnu/packages/patches/mupdf-CVE-2016-6265.patch 
@@ -0,0 +1,30 @@
+Fix CVE-2016-6265 (use after free in pdf_load_xref()).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6265
+https://security-tracker.debian.org/tracker/CVE-2016-6265
+
+Patch copied from upstream source repository:
+
+http://git.ghostscript.com/?p=mupdf.git;h=fa1936405b6a84e5c9bb440912c23d532772f958
+
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 576c315..3222599 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -1184,8 +1184,14 @@ pdf_load_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "object offset out of range: %d (%d 0 R)", (int)entry->ofs, i);
+ }
+ if (entry->type == 'o')
+- if (entry->ofs <= 0 || entry->ofs >= xref_len || pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n')
+- fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i);
++ {
++ /* Read this into a local variable here, because pdf_get_xref_entry
++ * may solidify the xref, hence invalidating "entry", meaning we
++ * need a stashed value for the throw. */
++ fz_off_t ofs = entry->ofs;
++ if (ofs <= 0 || ofs >= xref_len || pdf_get_xref_entry(ctx, doc, ofs)->type != 'n')
++ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i);
++ }
+ }
+ }
+
diff --git a/gnu/packages/patches/mupdf-CVE-2016-6525.patch b/gnu/packages/patches/mupdf-CVE-2016-6525.patch
new file mode 100644
index 0000000000..370af5ade6
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-6525.patch
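Review bot: The stashed `ofs` only protects the throw; `entry` is just as stale after `pdf_get_xref_entry(ctx, doc, ofs)` returns normally, since the new comment itself says that call may solidify the xref. The hunk closes the `if` and the loop body directly after the new block, so nothing visible reads `entry` afterwards, but pdf_load_xref and its enclosing loop begin and end outside the hunk, so that should be confirmed before treating the patch as complete; a trailing line such as `/* entry may be dangling from here on: re-fetch it, never reuse it */` inside the new block would record the invariant for the next reader. The `(int)ofs` cast in the message narrows a `fz_off_t` that may be wider than int, which only affects the diagnostic, not the range check. The mupdf package definition that must reference this patch file is not part of this diff.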
@@ -0,0 +1,21 @@
+Fix CVE-2016-6525 (heap overflow in pdf_load_mesh_params()).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6525
+https://security-tracker.debian.org/tracker/CVE-2016-6525
+
+Patch copied from upstream source repository:
+http://git.ghostscript.com/?p=mupdf.git;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e
+
+diff --git a/source/pdf/pdf-shade.c b/source/pdf/pdf-shade.c
+index 7815b3c..6e25efa 100644
+--- a/source/pdf/pdf-shade.c
++++ b/source/pdf/pdf-shade.c
+@@ -206,7 +206,7 @@ pdf_load_mesh_params(fz_context *ctx, pdf_document *doc, fz_shade *shade, pdf_ob
+ obj = pdf_dict_get(ctx, dict, PDF_NAME_Decode);
+ if (pdf_array_len(ctx, obj) >= 6)
+ {
+- n = (pdf_array_len(ctx, obj) - 4) / 2;
++ n = fz_mini(FZ_MAX_COLORS, (pdf_array_len(ctx, obj) - 4) / 2);
+ shade->u.m.x0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 0));
+ shade->u.m.x1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 1));
+ shade->u.m.y0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 2));
diff --git a/gnu/packages/patches/xf86-video-openchrome-glibc-2.20.patch b/gnu/packages/patches/xf86-video-openchrome-glibc-2.20.patch
deleted file mode 100644
index 4ed7ab00bf..0000000000
--- a/gnu/packages/patches/xf86-video-openchrome-glibc-2.20.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Allow builds with glibc 2.20.
-Based on a patch by Peter Hutterer <peter.hutterer@who-t.net>.
-See <https://raw.githubusercontent.com/openembedded/oe-core/master/meta/recipes-graphics/xorg-driver/xf86-input-synaptics/always_include_xorg_server.h.patch>.
-
---- xf86-video-openchrome-0.3.3/src/via_3d.h.~1~ 2013-05-23 11:11:28.000000000 -0400
-+++ xf86-video-openchrome-0.3.3/src/via_3d.h 2014-12-19 01:17:04.000953259 -0500
-@@ -24,6 +24,8 @@
- #ifndef VIA_3D_H
- #define VIA_3D_H
-
-+#include <xorg-server.h>
-+
- #include "xf86.h"
- #include "via_dmabuffer.h"
- |
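Review bot: The clamp on the new `n = fz_mini(FZ_MAX_COLORS, …)` line bounds what is written into the shade's per-colour arrays but silently accepts a Decode array with more than FZ_MAX_COLORS value pairs, ignoring the extra entries rather than rejecting the shading; a warning before the clamp, e.g. `fz_warn(ctx, "shading Decode array has too many entries, truncating")`, would make such malformed inputs visible in logs without changing the fix. The loop that consumes `n`, and any reconciliation of `n` with the colourspace's component count, lie beyond the hunk, so whether a short Decode array leaves later colour entries unset cannot be judged from here. As with the mupdf-CVE-2016-6265 hunk above, this only adds the patch file; the mupdf package definition that must list it is not in this diff.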