Hello community, here is the log from the commit of package gegl for openSUSE:Factory checked in at 2017-02-08 12:05:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gegl (Old) and /work/SRC/openSUSE:Factory/.gegl.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gegl" Changes: -------- --- /work/SRC/openSUSE:Factory/gegl/gegl.changes 2016-04-22 16:17:39.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.gegl.new/gegl.changes 2017-02-08 12:05:56.318863122 +0100 @@ -1,0 +2,7 @@ +Sun Feb 5 22:25:15 UTC 2017 - [email protected] + +- Fix CVE-2012-4433: + + Add gegl-0.2.0-CVE-2012-4433.patch: Fix buffer overflow in and + add plausibility checks to ppm-load op. + +------------------------------------------------------------------- New: ---- gegl-0.2.0-CVE-2012-4433.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gegl.spec ++++++ --- /var/tmp/diff_new_pack.xnfrI8/_old 2017-02-08 12:05:57.670672450 +0100 +++ /var/tmp/diff_new_pack.xnfrI8/_new 2017-02-08 12:05:57.674671885 +0100 @@ -1,7 +1,7 @@ # # spec file for package gegl # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -36,6 +36,8 @@ Patch2: gegl-UF_long.patch # PATCH-FIX-UPSTREAM gegl-0.2.0-linker-flags.patch [email protected] -- Add -lm to linker flags Patch3: gegl-0.2.0-linker-flags.patch +# PATCH-FIX-UPSTREAM gegl-0.2.0-CVE-2012-4433.patch CVE-2012-4433 [email protected] -- Fix buffer overflow in and add plausibility checks to ppm-load op +Patch4: gegl-0.2.0-CVE-2012-4433.patch BuildRequires: ImageMagick BuildRequires: OpenEXR-devel BuildRequires: SDL-devel @@ -162,6 +164,7 @@ %endif %patch3 -p1 # docs-build-fix.diff +%patch4 -p1 %build export RPM_OPT_FLAGS="%{optflags} -fno-strict-aliasing" ++++++ gegl-0.2.0-CVE-2012-4433.patch ++++++ >From ffa77a246652c7e706d690682fe659f50fbe5656 Mon Sep 17 00:00:00 2001 From: Nils Philippsen <[email protected]> Date: Mon, 1 Jul 2013 12:03:51 +0200 Subject: [PATCH] patch: CVE-2012-4433 Squashed commit of the following: commit 2a9071e2dc4cfe1aaa7a726805985281936f9874 Author: Nils Philippsen <[email protected]> Date: Tue Oct 16 16:57:37 2012 +0200 ppm-load: bring comment in line with reality (cherry picked from commit 6975a9cfeaf0698b42ac81b1c2f00d13c8755453) commit 8bb88ebf78e54837322d3be74688f98800e9f33a Author: Nils Philippsen <[email protected]> Date: Tue Oct 16 16:56:40 2012 +0200 ppm-load: CVE-2012-4433: add plausibility checks for header fields Refuse values that are non-decimal, negative or overflow the target type. (cherry picked from commit 4757cdf73d3675478d645a3ec8250ba02168a230) commit 2b099886969bf055a8635d06a4d89f20fed1ee42 Author: Nils Philippsen <[email protected]> Date: Tue Oct 16 16:58:27 2012 +0200 ppm-load: CVE-2012-4433: don't overflow memory allocation Carefully selected width/height values could cause the size of a later allocation to overflow, resulting in a buffer much too small to store the data which would then written beyond its end. (cherry picked from commit 1e92e5235ded0415d555aa86066b8e4041ee5a53) --- operations/external/ppm-load.c | 64 +++++++++++++++++++++++++++++++++++------- 1 file changed, 54 insertions(+), 10 deletions(-) diff --git a/operations/external/ppm-load.c b/operations/external/ppm-load.c index efe6d56..e22521c 100644 --- a/operations/external/ppm-load.c +++ b/operations/external/ppm-load.c @@ -36,6 +36,7 @@ gegl_chant_file_path (path, _("File"), "", _("Path of file to load.")) #include "gegl-chant.h" #include <stdio.h> #include <stdlib.h> +#include <errno.h> typedef enum { PIXMAP_ASCII = 51, @@ -44,8 +45,8 @@ typedef enum { typedef struct { map_type type; - gint width; - gint height; + glong width; + glong height; gsize numsamples; /* width * height * channels */ gsize bpc; /* bytes per channel */ guchar *data; @@ -61,7 +62,7 @@ ppm_load_read_header(FILE *fp, gchar header[MAX_CHARS_IN_ROW]; gint maxval; - /* Check the PPM file Type P2 or P5 */ + /* Check the PPM file Type P3 or P6 */ fgets (header,MAX_CHARS_IN_ROW,fp); if (header[0] != ASCII_P || @@ -82,12 +83,33 @@ ppm_load_read_header(FILE *fp, } /* Get Width and Height */ - img->width = strtol (header,&ptr,0); - img->height = atoi (ptr); - img->numsamples = img->width * img->height * CHANNEL_COUNT; + errno = 0; + img->width = strtol (header,&ptr,10); + if (errno) + { + g_warning ("Error reading width: %s", strerror(errno)); + return FALSE; + } + else if (img->width < 0) + { + g_warning ("Error: width is negative"); + return FALSE; + } + + img->height = strtol (ptr,&ptr,10); + if (errno) + { + g_warning ("Error reading height: %s", strerror(errno)); + return FALSE; + } + else if (img->width < 0) + { + g_warning ("Error: height is negative"); + return FALSE; + } fgets (header,MAX_CHARS_IN_ROW,fp); - maxval = strtol (header,&ptr,0); + maxval = strtol (header,&ptr,10); if ((maxval != 255) && (maxval != 65535)) { @@ -109,6 +131,16 @@ ppm_load_read_header(FILE *fp, g_warning ("%s: Programmer stupidity error", G_STRLOC); } + /* Later on, img->numsamples is multiplied with img->bpc to allocate + * memory. Ensure it doesn't overflow. */ + if (!img->width || !img->height || + G_MAXSIZE / img->width / img->height / CHANNEL_COUNT < img->bpc) + { + g_warning ("Illegal width/height: %ld/%ld", img->width, img->height); + return FALSE; + } + img->numsamples = img->width * img->height * CHANNEL_COUNT; + return TRUE; } @@ -229,12 +261,24 @@ process (GeglOperation *operation, if (!ppm_load_read_header (fp, &img)) goto out; - rect.height = img.height; - rect.width = img.width; - /* Allocating Array Size */ + + /* Should use g_try_malloc(), but this causes crashes elsewhere because the + * error signalled by returning FALSE isn't properly acted upon. Therefore + * g_malloc() is used here which aborts if the requested memory size can't be + * allocated causing a controlled crash. */ img.data = (guchar*) g_malloc (img.numsamples * img.bpc); + /* No-op without g_try_malloc(), see above. */ + if (! img.data) + { + g_warning ("Couldn't allocate %" G_GSIZE_FORMAT " bytes, giving up.", ((gsize)img.numsamples * img.bpc)); + goto out; + } + + rect.height = img.height; + rect.width = img.width; + switch (img.bpc) { case 1: -- 1.8.3.1
