Hello community,

here is the log from the commit of package freeimage for openSUSE:Factory checked in at 2018-01-25 12:40:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/freeimage (Old)
 and      /work/SRC/openSUSE:Factory/.freeimage.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "freeimage" Thu Jan 25 12:40:27 2018 rev:5 rq:569343 version:3.17.0 Changes: -------- --- /work/SRC/openSUSE:Factory/freeimage/freeimage.changes 2016-06-19 10:48:43.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.freeimage.new/freeimage.changes 2018-01-25 12:40:33.662606267 +0100 @@ -1,0 +2,7 @@ +Wed Jan 24 14:01:21 UTC 2018 - [email protected] + +- Add CVE-2016-5684.patch: Fix an exploitable out-of-bounds write vulnerability + in the XMP image handling functionality, which can cause an arbitrary memory + overwrite resulting in code execution (CVE-2016-5684 boo#1002621). + +------------------------------------------------------------------- New: ---- CVE-2016-5684.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ freeimage.spec ++++++ --- /var/tmp/diff_new_pack.8UQqgu/_old 2018-01-25 12:40:35.374526345 +0100 +++ /var/tmp/diff_new_pack.8UQqgu/_new 2018-01-25 12:40:35.378526159 +0100 @@ -1,7 +1,7 @@ # # spec file for package freeimage # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -35,6 +35,7 @@ Patch2: CVE-2015-0852.patch # PATCH-FIX-OPENSUSE makefiles_fixes.patch [email protected] -- Fix CFLAGS and CXXFLAGS, removed -s (strip) option, add missing symlinks for libfreeimageplus, remove root user from install Patch3: makefiles_fixes.patch +Patch4: CVE-2016-5684.patch BuildRequires: doxygen BuildRequires: gcc-c++ BuildRequires: jxrlib-devel @@ -98,6 +99,7 @@ %patch1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 # Remove bundled libs to make sure these don't get used during compile rm -rf Source/LibPNG/ Source/LibRawLite/ Source/OpenEXR/ Source/ZLib/ Source/LibOpenJPEG/ Source/LibJPEG/ ++++++ CVE-2016-5684.patch ++++++ 
From: Debian Science Maintainers <[email protected]> Date: Mon, 10 Oct 2016 08:22:44 +0100 Subject: CVE-2016-5684 --- Source/FreeImage/PluginXPM.cpp | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/Source/FreeImage/PluginXPM.cpp b/Source/FreeImage/PluginXPM.cpp index a698321..cc7bd07 100644 --- a/Source/FreeImage/PluginXPM.cpp +++ b/Source/FreeImage/PluginXPM.cpp @@ -181,6 +181,11 @@ Load(FreeImageIO *io, fi_handle handle, int page, int flags, void *data) { } free(str); + // check info string + if((width <= 0) || (height <= 0) || (colors <= 0) || (cpp <= 0)) { + throw "Improperly formed info string"; + } + if (colors > 256) { dib = FreeImage_AllocateHeader(header_only, width, height, 24, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK); } else { @@ -193,7 +198,7 @@ Load(FreeImageIO *io, fi_handle handle, int page, int flags, void *data) { FILE_RGBA rgba; str = ReadString(io, handle); - if(!str) + if(!str || (strlen(str) < (size_t)cpp)) throw "Error reading color strings"; std::string chrs(str,cpp); //create a string for the color chars using the first cpp chars
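Review bot: in the freeimage.spec hunk `@@ -35,6 +35,7 @@` the new `Patch4: CVE-2016-5684.patch` line has no accompanying comment, while the neighbouring `Patch3:` carries the `# PATCH-FIX-OPENSUSE makefiles_fixes.patch [email protected] -- ...` line that this spec uses to record origin and purpose of each patch. Add the same kind of line above Patch4, naming the Debian Science Maintainers origin visible in the patch's `From:` header, the CVE and boo#1002621, so the next person touching the spec can tell whether the patch is still needed once a fixed upstream release is packaged.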
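Review bot: the guard added in the PluginXPM.cpp hunk `@@ -181,6 +181,11 @@` is only a lower bound, and neither the comment `// check info string` nor the message `throw "Improperly formed info string"` say why it matters: `width`, `height`, `colors` and `cpp` are parsed from the untrusted header, `width`/`height` go straight into `FreeImage_AllocateHeader`, and `cpp` becomes the length passed to `std::string chrs(str,cpp)` and the `(size_t)cpp` cast in the later strlen comparison, which is only meaningful because this check guarantees `cpp > 0`. Spell that out in the comment, and consider a separate message per field (or at least for `cpp`) so a rejected file can be diagnosed from the exception text rather than by re-parsing the header by hand.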
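Review bot: in the PluginXPM.cpp hunk `@@ -193,7 +198,7 @@` the new `strlen(str) < (size_t)cpp` branch throws while `str` is still a live buffer returned by `ReadString` (the same function releases the previous one with `free(str)` a few lines earlier), so as far as this hunk shows the too-short-colour-string path leaks it on every malformed file. Split the condition so the buffer is released before the throw, e.g. `if(!str) throw "Error reading color strings";` followed by `if(strlen(str) < (size_t)cpp) { free(str); throw "Error reading color strings"; }`. The length check itself is the right fix for the out-of-bounds read that `std::string chrs(str,cpp)` performed on short strings, and the cast is safe only because the earlier hunk rejects `cpp <= 0`.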
