Hello community,
here is the log from the commit of package gdk-pixbuf for openSUSE:Factory
checked in at 2018-01-16 09:27:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gdk-pixbuf (Old)
and /work/SRC/openSUSE:Factory/.gdk-pixbuf.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gdk-pixbuf"
Tue Jan 16 09:27:52 2018 rev:67 rq:562495 version:2.36.11
Changes:
--------
--- /work/SRC/openSUSE:Factory/gdk-pixbuf/gdk-pixbuf.changes 2017-10-06
11:01:32.642640297 +0200
+++ /work/SRC/openSUSE:Factory/.gdk-pixbuf.new/gdk-pixbuf.changes
2018-01-16 09:27:54.422299032 +0100
@@ -1,0 +2,14 @@
+Fri Jan 5 17:38:55 UTC 2018 - mgo...@suse.com
+
+- Add gdk-pixbuf-bgo779012-ico-overflow.patch: fix a potential
+ integer overflow (boo#1027026 CVE-2017-6312).
+- Add gdk-pixbuf-gif-negative-array-indexes.patch and
+ gdk-pixbuf-gif-uninitialized-variable.patch: protect against
+ access to negative array indexes (BGO#778584).
+- Add gdk-pixbuf-tiff-overflow.patch: avoid overflow during size
+ computation (bgo#779020).
+- Add gdk-pixbuf-icns-handle-short-blocklen.patch: protect against
+ short block length when reading icns (boo#1027024
+ CVE-2017-6313).
+
+-------------------------------------------------------------------
New:
----
gdk-pixbuf-bgo779012-ico-overflow.patch
gdk-pixbuf-gif-negative-array-indexes.patch
gdk-pixbuf-gif-uninitialized-variable.patch
gdk-pixbuf-icns-handle-short-blocklen.patch
gdk-pixbuf-tiff-overflow.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ gdk-pixbuf.spec ++++++
--- /var/tmp/diff_new_pack.Nne12t/_old 2018-01-16 09:27:55.294258236 +0100
+++ /var/tmp/diff_new_pack.Nne12t/_new 2018-01-16 09:27:55.298258050 +0100
@@ -1,7 +1,7 @@
#
# spec file for package gdk-pixbuf
#
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -30,6 +30,16 @@
Source2: README.SUSE
Source3: gdk-pixbuf-rpmlintrc
Source99: baselibs.conf
+# PATCH-FIX-UPSTREAM gdk-pixbuf-bgo779012-ico-overflow.patch boo#1027026
mgo...@suse.com -- fix potential integer overflow (CVE-2017-6312).
+Patch0: gdk-pixbuf-bgo779012-ico-overflow.patch
+# PATCH-FIX-UPSTREAM gdk-pixbuf-gif-negative-array-indexes.patch bgo#778584
mgo...@suse.com -- gif: prevent access to negative array indexes.
+Patch1: gdk-pixbuf-gif-negative-array-indexes.patch
+# PATCH-FIX-UPSTREAM gdk-pixbuf-gif-uninitialized-variable.patch bgo#778584
mgo...@suse.com -- fix uninitialized variable.
+Patch2: gdk-pixbuf-gif-uninitialized-variable.patch
+# PATCH-FIX-UPSTREAM gdk-pixbuf-tiff-overflow.patch bgo#779020 mgo...@suse.com
-- avoid overflow during size computation.
+Patch3: gdk-pixbuf-tiff-overflow.patch
+# PATCH-FIX-UPSTREAM gdk-pixbuf-icns-handle-short-blocklen.patch boo#1027024
bgo#779016 mgo...@suse.com -- icns: protect against too short blocklen
(CVE-2017-6313).
+Patch4: gdk-pixbuf-icns-handle-short-blocklen.patch
BuildRequires: docbook-xsl-stylesheets
BuildRequires: gtk-doc
BuildRequires: libjpeg-devel
@@ -119,6 +129,11 @@
%if !0%{?is_opensuse}
translation-update-upstream
%endif
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
%if "%_lib" == "lib64"
cp -a %{SOURCE2} .
%endif
++++++ gdk-pixbuf-bgo779012-ico-overflow.patch ++++++
>From dec9ca22d70c0f0d4492333b4e8147afb038afd2 Mon Sep 17 00:00:00 2001
From: Dhiru Kholia <dhiru.kho...@gmail.com>
Date: Thu, 30 Nov 2017 02:36:26 +0100
Subject: [PATCH] ico: Fix potential integer overflow
Which relies on undefined behaviour. Instead of checking for an
overflowed integer after the fact, check whether the addition would
be possible at all.
Fixes: CVE-2017-6312
https://bugzilla.gnome.org/show_bug.cgi?id=779012
---
gdk-pixbuf/io-ico.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/gdk-pixbuf/io-ico.c b/gdk-pixbuf/io-ico.c
index 8729a0fb9..a86725751 100644
--- a/gdk-pixbuf/io-ico.c
+++ b/gdk-pixbuf/io-ico.c
@@ -333,10 +333,8 @@ static void DecodeHeader(guchar *Data, gint Bytes,
for (l = State->entries; l != NULL; l = g_list_next (l)) {
entry = l->data;
- /* We know how many bytes are in the "header" part. */
- State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
-
- if (State->HeaderSize < 0) {
+ /* Avoid invoking undefined behavior in the State->HeaderSize
calculation below */
+ if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) {
g_set_error (error,
GDK_PIXBUF_ERROR,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
@@ -344,6 +342,9 @@ static void DecodeHeader(guchar *Data, gint Bytes,
return;
}
+ /* We know how many bytes are in the "header" part. */
+ State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
+
if (State->HeaderSize>State->BytesInHeaderBuf) {
guchar
*tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize);
if (!tmp) {
--
2.15.1
++++++ gdk-pixbuf-gif-negative-array-indexes.patch ++++++
>From 23e2a7c4b7794220ecd77389b3976c0767fc839d Mon Sep 17 00:00:00 2001
From: Tobias Mueller <mue...@cryptobitch.de>
Date: Wed, 14 Dec 2016 08:03:16 +0100
Subject: [PATCH] gif: Prevent access to negative array indexes
It seems that a pathological gif file can cause a negative array index
to be read. UBSAN reported this:
io-gif.c:509:44: runtime error: index -2 out of bounds for type 'guchar [280]'
io-gif.c:510:44: runtime error: index -1 out of bounds for type 'guchar [280]'
https://bugzilla.gnome.org/show_bug.cgi?id=778584
---
gdk-pixbuf/io-gif.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
index ef1001779..acbd1f3be 100644
--- a/gdk-pixbuf/io-gif.c
+++ b/gdk-pixbuf/io-gif.c
@@ -508,6 +508,14 @@ gif_lzw_fill_buffer (GifContext *context)
return -2;
}
+ if (context->code_last_byte < 2) {
+ g_set_error_literal (context->error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Bad code encountered"));
+ return -2;
+ }
+
context->block_buf[0] = context->block_buf[context->code_last_byte - 2];
context->block_buf[1] = context->block_buf[context->code_last_byte - 1];
--
2.15.1
++++++ gdk-pixbuf-gif-uninitialized-variable.patch ++++++
>From c1fd9f5d6592c0183c54efc806b3ca6871e1f496 Mon Sep 17 00:00:00 2001
From: Tobias Mueller <mue...@cryptobitch.de>
Date: Fri, 10 Nov 2017 18:51:21 +0100
Subject: [PATCH] gif: Initialise code_last_byte to not cause undefined
behaviour
Currently, code_last_byte is set only after it has been used, i.e.
context->block_buf[0] = context->block_buf[context->code_last_byte - 2];
comes before anything has touched context->code_last_byte yet.
Except for the initialisation.
context->code_last_byte is set a few lines later, though.
And nowhere else, except for the initialisation which sets it
to 0. That will inevitably lead to context->block_buf[-2] which is
undefined behaviour.
We hence set the code_last_byte to 2 in order to not make that
array index invalid.
https://bugzilla.gnome.org/show_bug.cgi?id=778584
---
gdk-pixbuf/io-gif.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
index acbd1f3be..61821bdf9 100644
--- a/gdk-pixbuf/io-gif.c
+++ b/gdk-pixbuf/io-gif.c
@@ -1165,7 +1165,12 @@ gif_prepare_lzw (GifContext *context)
context->lzw_fresh = TRUE;
context->code_curbit = 0;
context->code_lastbit = 0;
- context->code_last_byte = 0;
+ /* During initialistion (in gif_lzw_fill_buffer) we substract 2 from
+ * this value to peek into a buffer.
+ * In order to not get a negative array index later, we set the value
+ * to that magic 2 now.
+ */
+ context->code_last_byte = 2;
context->code_done = FALSE;
g_assert (context->lzw_clear_code <=
--
2.15.1
++++++ gdk-pixbuf-icns-handle-short-blocklen.patch ++++++
>From 210b16399a492d05efb209615a143920b24251f4 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <had...@hadess.net>
Date: Tue, 5 Dec 2017 11:51:02 +0100
Subject: [PATCH] icns: Protect against too short blocklen (CVE-2017-6313)
The blocklen needs to be at least header sized to be valid, otherwise we
can underflow picture data or mask data lengths.
https://bugzilla.gnome.org/show_bug.cgi?id=779016
---
gdk-pixbuf/io-icns.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gdk-pixbuf/io-icns.c b/gdk-pixbuf/io-icns.c
index a432e463f..41732b153 100644
--- a/gdk-pixbuf/io-icns.c
+++ b/gdk-pixbuf/io-icns.c
@@ -95,7 +95,8 @@ load_resources (unsigned size, IN gpointer data, gsize
datalen,
blocklen = GUINT32_FROM_BE (header->size);
/* Check that blocklen isn't garbage */
- if (blocklen > icnslen - (current - bytes))
+ if (blocklen > icnslen - (current - bytes) ||
+ blocklen < sizeof (IcnsBlockHeader))
return FALSE;
switch (size)
--
2.15.1
++++++ gdk-pixbuf-tiff-overflow.patch ++++++
>From 1e513abdb55529f888233d3c96b27352d83aad5f Mon Sep 17 00:00:00 2001
From: Bastien Nocera <had...@hadess.net>
Date: Tue, 5 Dec 2017 10:26:49 +0100
Subject: [PATCH] tiff: Avoid overflowing buffer size computation
Use g_uint_checked_mul() to avoid overflowing the guint used for buffer
size calculation.
https://bugzilla.gnome.org/show_bug.cgi?id=779020
---
gdk-pixbuf/io-tiff.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c
index 7ca0a565a..49fe60eee 100644
--- a/gdk-pixbuf/io-tiff.c
+++ b/gdk-pixbuf/io-tiff.c
@@ -529,8 +529,15 @@ make_available_at_least (TiffContext *context, guint
needed)
need_alloc = context->used + needed;
if (need_alloc > context->allocated) {
guint new_size = 1;
- while (new_size < need_alloc)
- new_size *= 2;
+ while (new_size < need_alloc) {
+ if (!g_uint_checked_mul (&new_size, new_size, 2)) {
+ new_size = 0;
+ break;
+ }
+ }
+
+ if (new_size == 0)
+ return FALSE;
new_buffer = g_try_realloc (context->buffer, new_size);
if (new_buffer) {
--
2.15.1
