Hello community, here is the log from the commit of package gdk-pixbuf for openSUSE:Factory checked in at 2017-07-17 09:00:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gdk-pixbuf (Old) and /work/SRC/openSUSE:Factory/.gdk-pixbuf.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gdk-pixbuf" Mon Jul 17 09:00:18 2017 rev:61 rq:510609 version:2.36.6 Changes: --------
--- /work/SRC/openSUSE:Factory/gdk-pixbuf/gdk-pixbuf.changes 2017-05-18 20:37:56.371158099 +0200
+++ /work/SRC/openSUSE:Factory/.gdk-pixbuf.new/gdk-pixbuf.changes 2017-07-17 09:00:22.871001037 +0200
@@ -1,0 +2,8 @@
+Sun Jul 16 20:57:27 CEST 2017 - [email protected]
+
+- Add fixes for crashes, taken from upstream git (CVE-2017-2862,
+ CVE-2017-2870, bgo#784866, bgo#780269):
+ gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
+ gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch
+
+-------------------------------------------------------------------
New: ---- gdk-pixbuf-cve-2017-2862-jpeg-channels.patch gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gdk-pixbuf.spec ++++++
--- /var/tmp/diff_new_pack.awTGTS/_old 2017-07-17 09:00:23.506911495 +0200
+++ /var/tmp/diff_new_pack.awTGTS/_new 2017-07-17 09:00:23.510910932 +0200
@@ -32,6 +32,10 @@
 Source99: baselibs.conf
 # PATCH-FIX-UPSTREAM u_contrib-gdk-pixbuf-xlib-Fix-rgb888amsb.patch boo#929462 bsc#1010497 bgo#775896 [email protected] -- Fix RGBA conversion for big endian X11 environments
 Patch0: u_contrib-gdk-pixbuf-xlib-Fix-rgb888amsb.patch
+# PATCH-FIX-UPSTREAM gdk-pixbuf-cve-2017-2862-jpeg-channels.patch bsc#1048289 bgo#784866 CVE-2017-2862 [email protected] -- fix heap overwrite when JPEG channels is not 3 or 4.
+Patch1: gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
+# PATCH-FIX-UPSTREAM gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch bgo#780269 CVE-2017-2870 [email protected] -- fix reliance on undefined behavior to handle integer overflows.
+Patch2: gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch
 BuildRequires: libjasper-devel
 BuildRequires: libjpeg-devel
 BuildRequires: libtiff-devel 
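Review bot: The `PATCH-FIX-UPSTREAM` tag for Patch2 cites only `bgo#780269` and `CVE-2017-2870`, while the Patch1 tag also carries a `bsc#1048289` reference; if a Bugzilla entry exists for the TIFF overflow it should be listed in the same way so that security tracking in the spec is uniform across both CVE patches. The `%patch1 -p1` / `%patch2 -p1` lines in the later `%prep` hunk match these declarations.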
@@ -117,6 +121,8 @@
 translation-update-upstream
 %endif
 %patch0 -p1
+%patch1 -p1
+%patch2 -p1
 %if "%_lib" == "lib64"
 cp -a %{S:2} .
 %endif
++++++ gdk-pixbuf-cve-2017-2862-jpeg-channels.patch ++++++
commit c2a40a92fe3df4111ed9da51fe3368c079b86926
Author: Tobias Mueller <[email protected]>
Date: Wed Jul 12 20:36:11 2017 +0200
jpeg: Throw error when number of color components is unsupported Explicitly check "3" or "4" output color components. gdk-pixbuf assumed that the value of output_components to be either 3 or 4, but not an invalid value (9) or an unsupported value (1). The way the buffer size was deduced was using a naive "== 4" check, with a 1, 3 or 9 color component picture getting the same buffer size, a size just sufficient for 3 color components, causing invalid writes later when libjpeg-turbo was decoding the image. CVE-2017-2862 Sent by from Marcin 'Icewall' Noga of Cisco Talos https://bugzilla.gnome.org/show_bug.cgi?id=784866
diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
index dd88a350a..1c0eba1a9 100644
--- a/gdk-pixbuf/io-jpeg.c
+++ b/gdk-pixbuf/io-jpeg.c
@@ -1051,6 +1051,7 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
 if (!context->got_header) {
 int rc;
 gchar* comment;
+ gboolean has_alpha;
 jpeg_save_markers (cinfo, JPEG_APP0+1, 0xffff);
 jpeg_save_markers (cinfo, JPEG_APP0+2, 0xffff);
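Review bot: `gboolean has_alpha;` is added without an initializer and is only assigned inside the component check that the next hunk adds further down the same function; writing it as `gboolean has_alpha = FALSE;` costs nothing and keeps any future path to `gdk_pixbuf_new` from reading it unset, and it also avoids a -Wmaybe-uninitialized warning on compilers that do not follow the `goto out` exit. `gdk_pixbuf__jpeg_image_load_increment` begins before and ends after this hunk.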
@@ -1089,10 +1090,24 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
 }
 }
 jpeg_calc_output_dimensions (cinfo);
-
- context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
- cinfo->output_components == 4 ? TRUE : FALSE,
- 8,
+
+ if (cinfo->output_components == 3) {
+ has_alpha = FALSE;
+ } else if (cinfo->output_components == 4) {
+ has_alpha = TRUE;
+ } else {
+ g_set_error (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Unsupported number of color components (%d)"),
+ cinfo->output_components);
+ retval = FALSE;
+ goto out;
+ }
+
+ context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
+ has_alpha,
+ 8,
 cinfo->output_width,
 cinfo->output_height);
++++++ gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch ++++++
commit 31a6cff3dfc6944aad4612a9668b8ad39122e48b
Author: Ludovico de Nittis <[email protected]>
Date: Sun Mar 19 16:11:13 2017 +0100
tiff: Check for integer overflows in multiplication The checks currently in use are not sufficient, because they depend on undefined behaviour: rowstride = width * 4; if (rowstride / 4 != width) { /* overflow */ If the multiplication has already overflowed, the compiler may decide to optimize the if out and thus we do not handle the erroneous case. Rearrange the checks to avoid the undefined behaviour. Note that gcc doesn't seem to be impacted, though a defined behaviour is obviously preferred. CVE-2017-2870 https://bugzilla.gnome.org/show_bug.cgi?id=780269
diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c
index fb5d55095..7d055cfa8 100644
--- a/gdk-pixbuf/io-tiff.c
+++ b/gdk-pixbuf/io-tiff.c
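Review bot: The new 3-or-4 guard on `cinfo->output_components` is applied only in `gdk_pixbuf__jpeg_image_load_increment`; if the non-incremental loader in the same file still sizes its pixbuf with the old `output_components == 4` test, the invalid writes described in the commit message stay reachable through that entry point and it needs the same check — this cannot be confirmed from the hunk. The rejection branch sets `retval = FALSE` and jumps to `out`, both defined outside the hunk, so it relies on that label's cleanup tolerating `context->pixbuf` not having been allocated yet. Within the hunk `has_alpha` is assigned on every path that reaches `gdk_pixbuf_new`, so the variable declared in the earlier hunk is never read before it is set. The enclosing function continues outside the hunk.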
@@ -124,18 +124,18 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, GError **error)
 _("Width or height of TIFF image is zero"));
 return NULL;
 }
-
- rowstride = width * 4;
- if (rowstride / 4 != width) { /* overflow */
+
+ if (width > G_MAXINT / 4) { /* overflow */
 g_set_error_literal (error,
 GDK_PIXBUF_ERROR,
 GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
 _("Dimensions of TIFF image too large"));
 return NULL;
 }
-
- bytes = height * rowstride;
- if (bytes / rowstride != height) { /* overflow */
+
+ rowstride = width * 4;
+
+ if (height > G_MAXINT / rowstride) { /* overflow */
 g_set_error_literal (error,
 GDK_PIXBUF_ERROR,
 GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
@@ -143,6 +143,8 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, GError **error)
 return NULL;
 }
+ bytes = height * rowstride;
+
 if (context && context->size_func) {
 gint w = width;
 gint h = height;
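Review bot: `if (height > G_MAXINT / rowstride)` divides by the freshly computed `rowstride`, which is only safe because the zero-size check visible at the top of the hunk (the `_("Width or height of TIFF image is zero")` error) has already rejected `width == 0`; a comment such as `/* rowstride > 0: a zero width was rejected above */` on that line would record the dependency so a later reordering of the checks cannot reintroduce a division by zero. Both `G_MAXINT` bounds assume `width`, `height` and `rowstride` are signed `gint` values that are non-negative here, which the hunk does not show — if they are unsigned or wider types, the limit should be the matching type's maximum and the earlier zero check must also reject negatives. The second hunk only moves `bytes = height * rowstride;` below both guards, which is the correct order. `tiff_image_parse` continues outside both hunks.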
