2 files changed, 66 insertions, 0 deletions

diff --git a/gnu/packages/patches/openjpeg-CVE-2017-12982.patch b/gnu/packages/patches/openjpeg-CVE-2017-12982.patch
new file mode 100644
index 0000000000..3929a73570
--- /dev/null
+++ b/gnu/packages/patches/openjpeg-CVE-2017-12982.patch
@@ -0,0 +1,28 @@
+http://openwall.com/lists/oss-security/2017/08/21/1
+https://github.com/uclouvain/openjpeg/commit/baf0c1ad4572daa89caa3b12985bdd93530f0dd7.patch
+
+From baf0c1ad4572daa89caa3b12985bdd93530f0dd7 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Mon, 14 Aug 2017 17:26:58 +0200
+Subject: [PATCH] bmp_read_info_header(): reject bmp files with biBitCount == 0
+ (#983)
+
+---
+ src/bin/jp2/convertbmp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
+index b49e7a080..2715fdf24 100644
+--- a/src/bin/jp2/convertbmp.c
++++ b/src/bin/jp2/convertbmp.c
+@@ -392,6 +392,10 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header)
+ 
+     header->biBitCount  = (OPJ_UINT16)getc(IN);
+     header->biBitCount |= (OPJ_UINT16)((OPJ_UINT32)getc(IN) << 8);
++    if (header->biBitCount == 0) {
++        fprintf(stderr, "Error, invalid biBitCount %d\n", 0);
++        return OPJ_FALSE;
++    }
+ 
+     if (header->biSize >= 40U) {
+         header->biCompression  = (OPJ_UINT32)getc(IN);
diff --git a/gnu/packages/patches/qemu-CVE-2017-12809.patch b/gnu/packages/patches/qemu-CVE-2017-12809.patch
new file mode 100644
index 0000000000..e40a14b4e0
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-12809.patch
@@ -0,0 +1,38 @@
+http://openwall.com/lists/oss-security/2017/08/21/2
+https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg01850.html
+
+The block backend changed in a way that flushing empty CDROM drives now
+crashes.  Amend IDE to avoid doing so until the root problem can be
+addressed for 2.11.
+
+Original patch by John Snow <address@hidden>.
+
+Reported-by: Kieron Shorrock <address@hidden>
+Signed-off-by: Stefan Hajnoczi <address@hidden>
+---
+ hw/ide/core.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index 0b48b64d3a..bea39536b0 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -1063,7 +1063,15 @@ static void ide_flush_cache(IDEState *s)
+     s->status |= BUSY_STAT;
+     ide_set_retry(s);
+     block_acct_start(blk_get_stats(s->blk), &s->acct, 0, BLOCK_ACCT_FLUSH);
+-    s->pio_aiocb = blk_aio_flush(s->blk, ide_flush_cb, s);
++
++    if (blk_bs(s->blk)) {
++        s->pio_aiocb = blk_aio_flush(s->blk, ide_flush_cb, s);
++    } else {
++        /* XXX blk_aio_flush() crashes when blk_bs(blk) is NULL, remove this
++         * temporary workaround when blk_aio_*() functions handle NULL blk_bs.
++         */
++        ide_flush_cb(s, 0);
++    }
+ }
+      
+ static void ide_cfata_metadata_inquiry(IDEState *s)
+-- 
+2.13.3