Hello community,

here is the log from the commit of package gdk-pixbuf for openSUSE:Factory 
checked in at 2017-07-17 09:00:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gdk-pixbuf (Old)
 and      /work/SRC/openSUSE:Factory/.gdk-pixbuf.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gdk-pixbuf"

Mon Jul 17 09:00:18 2017 rev:61 rq:510609 version:2.36.6

Changes:
--------
--- /work/SRC/openSUSE:Factory/gdk-pixbuf/gdk-pixbuf.changes    2017-05-18 
20:37:56.371158099 +0200
+++ /work/SRC/openSUSE:Factory/.gdk-pixbuf.new/gdk-pixbuf.changes       
2017-07-17 09:00:22.871001037 +0200
@@ -1,0 +2,8 @@
+Sun Jul 16 20:57:27 CEST 2017 - h...@suse.com
+
+- Add fixes for crashes, taken from upstream git (CVE-2017-2862,
+  CVE-2017-2870, bgo#784866, bgo#780269):
+  gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
+  gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch
+
+-------------------------------------------------------------------

New:
----
  gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
  gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gdk-pixbuf.spec ++++++
--- /var/tmp/diff_new_pack.awTGTS/_old  2017-07-17 09:00:23.506911495 +0200
+++ /var/tmp/diff_new_pack.awTGTS/_new  2017-07-17 09:00:23.510910932 +0200
@@ -32,6 +32,10 @@
 Source99:       baselibs.conf
 # PATCH-FIX-UPSTREAM u_contrib-gdk-pixbuf-xlib-Fix-rgb888amsb.patch boo#929462 
bsc#1010497 bgo#775896 msta...@suse.com -- Fix RGBA conversion for big endian 
X11 environments
 Patch0:         u_contrib-gdk-pixbuf-xlib-Fix-rgb888amsb.patch
+# PATCH-FIX-UPSTREAM gdk-pixbuf-cve-2017-2862-jpeg-channels.patch bsc#1048289 
bgo#784866 CVE-2017-2862 h...@suse.com -- fix heap overwrite when JPEG channels 
is not 3 or 4.
+Patch1:         gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
+# PATCH-FIX-UPSTREAM gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch 
bgo#780269 CVE-2017-2870 h...@suse.com -- fix reliance on undefined behavior to 
handle integer overflows.
+Patch2:         gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch
 BuildRequires:  libjasper-devel
 BuildRequires:  libjpeg-devel
 BuildRequires:  libtiff-devel
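Review bot: The PATCH-FIX-UPSTREAM comment for Patch2 cites only bgo#780269 and the CVE, whereas the Patch1 comment also carries the SUSE tracker (bsc#1048289); if a bsc entry exists for CVE-2017-2870 it should be recorded on the Patch2 comment line the same way, and the .changes entry in this request names neither bsc reference although the spec does. Both patches are applied with `-p1` in the %prep hunk below, which matches the `a/gdk-pixbuf/...` paths in the embedded patch headers.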
@@ -117,6 +121,8 @@
 translation-update-upstream
 %endif
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 %if "%_lib" == "lib64"
 cp -a %{S:2} .
 %endif

++++++ gdk-pixbuf-cve-2017-2862-jpeg-channels.patch ++++++
commit c2a40a92fe3df4111ed9da51fe3368c079b86926
Author: Tobias Mueller <mue...@cryptobitch.de>
Date:   Wed Jul 12 20:36:11 2017 +0200

    jpeg: Throw error when number of color components is unsupported
    
    Explicitly check "3" or "4" output color components.
    
    gdk-pixbuf assumed that the value of output_components to be either
    3 or 4, but not an invalid value (9) or an unsupported value (1).
    
    The way the buffer size was deduced was using a naive "== 4" check,
    with a 1, 3 or 9 color component picture getting the same buffer size,
    a size just sufficient for 3 color components, causing invalid writes
    later when libjpeg-turbo was decoding the image.
    
    CVE-2017-2862
    
    Sent by Marcin 'Icewall' Noga of Cisco Talos
    
    https://bugzilla.gnome.org/show_bug.cgi?id=784866

diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
index dd88a350a..1c0eba1a9 100644
--- a/gdk-pixbuf/io-jpeg.c
+++ b/gdk-pixbuf/io-jpeg.c
@@ -1051,6 +1051,7 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
                if (!context->got_header) {
                        int rc;
                        gchar* comment;
+                       gboolean has_alpha;
                
                        jpeg_save_markers (cinfo, JPEG_APP0+1, 0xffff);
                        jpeg_save_markers (cinfo, JPEG_APP0+2, 0xffff);
@@ -1089,10 +1090,24 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
                                }
                        }
                        jpeg_calc_output_dimensions (cinfo);
-                       
-                       context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB, 
-                                                         
cinfo->output_components == 4 ? TRUE : FALSE,
-                                                         8, 
+
+                       if (cinfo->output_components == 3) {
+                               has_alpha = FALSE;
+                       } else if (cinfo->output_components == 4) {
+                               has_alpha = TRUE;
+                       } else {
+                               g_set_error (error,
+                                            GDK_PIXBUF_ERROR,
+                                            GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+                                            _("Unsupported number of color 
components (%d)"),
+                                            cinfo->output_components);
+                               retval = FALSE;
+                               goto out;
+                       }
+
+                       context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
+                                                         has_alpha,
+                                                         8,
                                                          cinfo->output_width,
                                                          cinfo->output_height);
 
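Review bot: `has_alpha`, declared in the first hunk as a plain `gboolean has_alpha;`, is assigned only on the 3- and 4-component branches of the new check; the else branch leaves it unset and jumps to `out`, so nothing reads it on that path, but initializing it at the declaration, `gboolean has_alpha = FALSE;`, removes the dependence on that control flow and keeps -Wmaybe-uninitialized quiet. The `retval` variable and the `out:` label the error path jumps to are outside this hunk, as is the rest of gdk_pixbuf__jpeg_image_load_increment; confirm that `out` does not dereference `context->pixbuf`, which is still unset when the new error is raised. If the non-incremental load path derives the alpha flag from `output_components == 4` in the same way, it presumably needs the same explicit 3/4 check, which is not visible in this patch.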
++++++ gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch ++++++
commit 31a6cff3dfc6944aad4612a9668b8ad39122e48b
Author: Ludovico de Nittis <aason...@gmail.com>
Date:   Sun Mar 19 16:11:13 2017 +0100

    tiff: Check for integer overflows in multiplication
    
    The checks currently in use are not sufficient, because they depend on
    undefined behaviour:
    
        rowstride = width * 4;
        if (rowstride / 4 != width) { /* overflow */
    
    If the multiplication has already overflowed, the compiler may decide
    to optimize the if out and thus we do not handle the erroneous case.
    
    Rearrange the checks to avoid the undefined behaviour.
    
    Note that gcc doesn't seem to be impacted, though a defined behaviour is
    obviously preferred.
    
    CVE-2017-2870
    
    https://bugzilla.gnome.org/show_bug.cgi?id=780269

diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c
index fb5d55095..7d055cfa8 100644
--- a/gdk-pixbuf/io-tiff.c
+++ b/gdk-pixbuf/io-tiff.c
@@ -124,18 +124,18 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, 
GError **error)
                                      _("Width or height of TIFF image is 
zero"));
                 return NULL;                
         }
-        
-        rowstride = width * 4;
-        if (rowstride / 4 != width) { /* overflow */
+
+        if (width > G_MAXINT / 4) { /* overflow */
                 g_set_error_literal (error,
                                      GDK_PIXBUF_ERROR,
                                      GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
                                      _("Dimensions of TIFF image too large"));
                 return NULL;                
         }
-        
-        bytes = height * rowstride;
-        if (bytes / rowstride != height) { /* overflow */
+
+        rowstride = width * 4;
+
+        if (height > G_MAXINT / rowstride) { /* overflow */
                 g_set_error_literal (error,
                                      GDK_PIXBUF_ERROR,
                                      GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
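Review bot: The new guards `width > G_MAXINT / 4` and `height > G_MAXINT / rowstride` are only sound when width and height are non-negative; their declarations and the zero check that precedes this hunk are outside it, so confirm that check rejects negative values (`<= 0`) rather than only zero, otherwise a negative width slips past the guard and `width * 4` is the same signed overflow the commit sets out to remove. Given a width of at least 1, `rowstride` is at least 4 and the division cannot trap; a one-line comment, `/* width >= 1 here, so rowstride >= 4 and the division is safe */`, would record that dependency for the next reader. The `bytes = height * rowstride;` assignment is correctly moved after the second guard in the following hunk. The g_set_error_literal call and the rest of tiff_image_parse continue past the end of this hunk.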
@@ -143,6 +143,8 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, GError 
**error)
                 return NULL;                
         }
 
+        bytes = height * rowstride;
+
        if (context && context->size_func) {
                 gint w = width;
                 gint h = height;
