Hello community, here is the log from the commit of package freeimage for openSUSE:Factory checked in at 2020-06-02 14:32:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/freeimage (Old) and /work/SRC/openSUSE:Factory/.freeimage.new.3606 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "freeimage" Tue Jun 2 14:32:36 2020 rev:7 rq:808812 version:3.18.0 Changes: -------- --- /work/SRC/openSUSE:Factory/freeimage/freeimage.changes 2018-09-15 15:37:53.560920285 +0200 +++ /work/SRC/openSUSE:Factory/.freeimage.new.3606/freeimage.changes 2020-06-02 14:32:40.862390357 +0200 @@ -1,0 +2,13 @@ +Fri May 15 10:08:12 UTC 2020 - Tomáš Chvátal <[email protected]> + +- Add patch to fix build on bigendian: + * bigendian.patch + +------------------------------------------------------------------- +Fri May 15 10:05:15 UTC 2020 - Tomáš Chvátal <[email protected]> + +- Add patch CVE-2019-12211_2019-12213.patch to fix: + * bsc#113576 CVE-2019-12211 + * bsc#1135731 CVE-2019-12213 + +------------------------------------------------------------------- New: ---- CVE-2019-12211_2019-12213.patch bigendian.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ freeimage.spec ++++++ --- /var/tmp/diff_new_pack.MzTcdv/_old 2020-06-02 14:32:41.742393142 +0200 +++ /var/tmp/diff_new_pack.MzTcdv/_new 2020-06-02 14:32:41.742393142 +0200 @@ -1,7 +1,7 @@ # # spec file for package freeimage # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,20 +12,18 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define so_ver 3 %define tarver 3180 - Name: freeimage Version: 3.18.0 Release: 0 Summary: Multi-format Image Decoder Library License: GPL-2.0-only OR GPL-3.0-only -Group: System/Libraries -Url: http://freeimage.sourceforge.net/ +URL: http://freeimage.sourceforge.net/ Source0: http://downloads.sourceforge.net/freeimage/FreeImage%{tarver}.zip Patch0: unbundle.patch # PATCH-FIX-OPENSUSE doxygen.patch [email protected] -- Fix documentation building (Based on patch from Fedora) @@ -33,20 +31,19 @@ # PATCH-FIX-OPENSUSE makefiles_fixes.patch [email protected] -- Fix CFLAGS and CXXFLAGS, removed -s (strip) option, add missing symlinks for libfreeimageplus, remove root user from install Patch3: makefiles_fixes.patch Patch4: freeimage-no-return-in-nonvoid.patch +Patch5: CVE-2019-12211_2019-12213.patch +Patch6: bigendian.patch BuildRequires: doxygen BuildRequires: gcc-c++ BuildRequires: jxrlib-devel BuildRequires: libjpeg-devel BuildRequires: openjpeg2-devel -BuildRequires: pkgconfig(libpng) -BuildRequires: pkgconfig(libraw) -%if 0%{?suse_version} >= 1320 -BuildRequires: pkgconfig(libmng) -%else -BuildRequires: libmng-devel -%endif +BuildRequires: pkgconfig BuildRequires: unzip BuildRequires: pkgconfig(OpenEXR) +BuildRequires: pkgconfig(libmng) +BuildRequires: pkgconfig(libpng) +BuildRequires: pkgconfig(libraw) BuildRequires: pkgconfig(libtiff-4) BuildRequires: pkgconfig(libwebp) BuildRequires: pkgconfig(zlib) @@ -59,7 +56,6 @@ %package devel Summary: Development Files for FreeImage -Group: Development/Libraries/C and C++ Requires: lib%{name}%{so_ver} = %{version} Requires: lib%{name}plus%{so_ver} = %{version} # libfreeimage-devel was last used at version 3.10.0 @@ -72,7 +68,6 @@ %package -n lib%{name}%{so_ver} Summary: Multi-format Image Decoder Library -Group: System/Libraries %description -n lib%{name}%{so_ver} FreeImage is an Open Source library project for developers who would like to @@ -82,7 +77,6 @@ %package -n lib%{name}plus%{so_ver} Summary: Multi-format Image Decoder Library -Group: System/Libraries %description -n lib%{name}plus%{so_ver} FreeImage is an Open Source library project for developers who would like to @@ -96,6 +90,8 @@ %patch1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 # Remove bundled libs to make sure these don't get used during compile rm -rf Source/LibPNG/ Source/LibRawLite/ Source/OpenEXR/ Source/ZLib/ Source/LibOpenJPEG/ Source/LibJPEG/ @@ -127,22 +123,18 @@ popd %install -make DESTDIR=%{buildroot} INSTALLDIR=%{buildroot}%{_libdir} install +%make_install INSTALLDIR=%{buildroot}%{_libdir} make -f Makefile.fip DESTDIR=%{buildroot} INSTALLDIR=%{buildroot}%{_libdir} install # Remove static libraries rm -f %{buildroot}%{_libdir}/*.a %post -n lib%{name}%{so_ver} -p /sbin/ldconfig - %postun -n lib%{name}%{so_ver} -p /sbin/ldconfig - %post -n lib%{name}plus%{so_ver} -p /sbin/ldconfig - %postun -n lib%{name}plus%{so_ver} -p /sbin/ldconfig %files devel -%defattr(-,root,root,-) %doc Whatsnew.txt license-*.txt %doc Wrapper/FreeImagePlus/doc/html/ %{_includedir}/FreeImage.h @@ -151,12 +143,10 @@ %{_libdir}/libfreeimageplus.so %files -n lib%{name}%{so_ver} -%defattr(-,root,root,-) %{_libdir}/lib%{name}.so.3* %{_libdir}/lib%{name}-%{version}.so %files -n lib%{name}plus%{so_ver} -%defattr(-,root,root,-) %{_libdir}/lib%{name}plus.so.3* %{_libdir}/lib%{name}plus-%{version}.so ++++++ CVE-2019-12211_2019-12213.patch ++++++ diff -rupN --no-dereference FreeImage/Source/FreeImage/PluginTIFF.cpp FreeImage-new/Source/FreeImage/PluginTIFF.cpp --- FreeImage/Source/FreeImage/PluginTIFF.cpp 2019-11-17 14:18:12.447058346 +0100 +++ FreeImage-new/Source/FreeImage/PluginTIFF.cpp 2019-11-17 14:18:12.630057689 +0100 @@ -122,9 +122,14 @@ static void ReadThumbnail(FreeImageIO *i static int s_format_id; typedef struct { + //! FreeImage IO functions FreeImageIO *io; + //! FreeImage handle fi_handle handle; + //! LibTIFF handle TIFF *tif; + //! Count the number of thumbnails already read (used to avoid recursion on loading) + unsigned thumbnailCount; } fi_TIFFIO; // ---------------------------------------------------------- @@ -184,10 +189,8 @@ Open a TIFF file descriptor for reading */ TIFF * TIFFFdOpen(thandle_t handle, const char *name, const char *mode) { - TIFF *tif; - // Open the file; the callback will set everything up - tif = TIFFClientOpen(name, mode, handle, + TIFF *tif = TIFFClientOpen(name, mode, handle, _tiffReadProc, _tiffWriteProc, _tiffSeekProc, _tiffCloseProc, _tiffSizeProc, _tiffMapProc, _tiffUnmapProc); @@ -449,12 +452,10 @@ CreateImageType(BOOL header_only, FREE_I } } - else { - - dib = FreeImage_AllocateHeader(header_only, width, height, MIN(bpp, 32), FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK); + else if (bpp <= 32) { + dib = FreeImage_AllocateHeader(header_only, width, height, bpp, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK); } - } else { // other bitmap types @@ -1039,9 +1040,12 @@ static void * DLL_CALLCONV Open(FreeImageIO *io, fi_handle handle, BOOL read) { // wrapper for TIFF I/O fi_TIFFIO *fio = (fi_TIFFIO*)malloc(sizeof(fi_TIFFIO)); - if(!fio) return NULL; + if (!fio) { + return NULL; + } fio->io = io; fio->handle = handle; + fio->thumbnailCount = 0; if (read) { fio->tif = TIFFFdOpen((thandle_t)fio, "", "r"); @@ -1097,6 +1101,27 @@ check for uncommon bitspersample values */ static BOOL IsValidBitsPerSample(uint16 photometric, uint16 bitspersample, uint16 samplesperpixel) { + // get the pixel depth in bits + const uint16 pixel_depth = bitspersample * samplesperpixel; + + // check for a supported pixel depth + switch (pixel_depth) { + case 1: + case 4: + case 8: + case 16: + case 24: + case 32: + case 48: + case 64: + case 96: + case 128: + // OK, go on + break; + default: + // unsupported pixel depth + return FALSE; + } switch(bitspersample) { case 1: @@ -1137,6 +1162,8 @@ IsValidBitsPerSample(uint16 photometric, default: return FALSE; } + + return FALSE; } static TIFFLoadMethod @@ -1226,15 +1253,30 @@ Read embedded thumbnail static void ReadThumbnail(FreeImageIO *io, fi_handle handle, void *data, TIFF *tiff, FIBITMAP *dib) { FIBITMAP* thumbnail = NULL; - + + fi_TIFFIO *fio = (fi_TIFFIO*)data; + + /* + Thumbnail loading can cause recursions because of the way + functions TIFFLastDirectory and TIFFSetSubDirectory are working. + We use here a hack to count the number of times the ReadThumbnail function was called. + We only allow one call, check for this + */ + if (fio->thumbnailCount > 0) { + return; + } + else { + // update the thumbnail count (used to avoid recursion) + fio->thumbnailCount++; + } + // read exif thumbnail (IFD 1) ... - /* - // this code can cause unwanted recursion causing an overflow, it is thus disabled until we have a better solution - // do we really need to read a thumbnail from the Exif segment ? knowing that TIFF store the thumbnail in the subIFD ... - // toff_t exif_offset = 0; if(TIFFGetField(tiff, TIFFTAG_EXIFIFD, &exif_offset)) { + + // this code can cause unwanted recursion causing an overflow, because of the way TIFFLastDirectory work + // => this is checked using if(!TIFFLastDirectory(tiff)) { // save current position @@ -1245,15 +1287,15 @@ ReadThumbnail(FreeImageIO *io, fi_handle int page = 1; int flags = TIFF_DEFAULT; thumbnail = Load(io, handle, page, flags, data); + // store the thumbnail (remember to release it before return) FreeImage_SetThumbnail(dib, thumbnail); - + // restore current position io->seek_proc(handle, tell_pos, SEEK_SET); TIFFSetDirectory(tiff, cur_dir); } } - */ // ... or read the first subIFD @@ -1270,11 +1312,14 @@ ReadThumbnail(FreeImageIO *io, fi_handle const long tell_pos = io->tell_proc(handle); const uint16 cur_dir = TIFFCurrentDirectory(tiff); + // this code can cause unwanted recursion causing an overflow, because of the way TIFFSetSubDirectory work + if(TIFFSetSubDirectory(tiff, subIFD_offsets[0])) { // load the thumbnail int page = -1; int flags = TIFF_DEFAULT; thumbnail = Load(io, handle, page, flags, data); + // store the thumbnail (remember to release it before return) FreeImage_SetThumbnail(dib, thumbnail); } @@ -2030,7 +2075,7 @@ Load(FreeImageIO *io, fi_handle handle, } // calculate src line and dst pitch - int dst_pitch = FreeImage_GetPitch(dib); + unsigned dst_pitch = FreeImage_GetPitch(dib); uint32 tileRowSize = (uint32)TIFFTileRowSize(tif); uint32 imageRowSize = (uint32)TIFFScanlineSize(tif); @@ -2060,7 +2105,7 @@ Load(FreeImageIO *io, fi_handle handle, BYTE *src_bits = tileBuffer; BYTE *dst_bits = bits + rowSize; for(int k = 0; k < nrows; k++) { - memcpy(dst_bits, src_bits, src_line); + memcpy(dst_bits, src_bits, MIN(dst_pitch, src_line)); src_bits += tileRowSize; dst_bits -= dst_pitch; } ++++++ bigendian.patch ++++++ diff -rupN FreeImage/Source/FreeImage/PluginBMP.cpp FreeImage-new/Source/FreeImage/PluginBMP.cpp --- FreeImage/Source/FreeImage/PluginBMP.cpp 2016-06-15 12:35:30.000000000 +0200 +++ FreeImage-new/Source/FreeImage/PluginBMP.cpp 2018-08-01 00:56:37.322692192 +0200 @@ -1419,7 +1419,7 @@ Save(FreeImageIO *io, FIBITMAP *dib, fi_ free(buffer); #ifdef FREEIMAGE_BIGENDIAN - } else if (bpp == 16) { + } else if (dst_bpp == 16) { int padding = dst_pitch - dst_width * sizeof(WORD); WORD pad = 0; WORD pixel; @@ -1440,7 +1440,7 @@ Save(FreeImageIO *io, FIBITMAP *dib, fi_ } #endif #if FREEIMAGE_COLORORDER == FREEIMAGE_COLORORDER_RGB - } else if (bpp == 24) { + } else if (dst_bpp == 24) { int padding = dst_pitch - dst_width * sizeof(FILE_BGR); DWORD pad = 0; FILE_BGR bgr; @@ -1461,7 +1461,7 @@ Save(FreeImageIO *io, FIBITMAP *dib, fi_ } } } - } else if (bpp == 32) { + } else if (dst_bpp == 32) { FILE_BGRA bgra; for(unsigned y = 0; y < dst_height; y++) { BYTE *line = FreeImage_GetScanLine(dib, y); diff -rupN FreeImage/Source/FreeImage/PluginDDS.cpp FreeImage-new/Source/FreeImage/PluginDDS.cpp --- FreeImage/Source/FreeImage/PluginDDS.cpp 2018-07-31 17:04:56.000000000 +0200 +++ FreeImage-new/Source/FreeImage/PluginDDS.cpp 2018-08-01 01:05:52.724661471 +0200 @@ -356,14 +356,14 @@ SwapHeader(DDSHEADER *header) { for(int i=0; i<11; i++) { SwapLong(&header->surfaceDesc.dwReserved1[i]); } - SwapLong(&header->surfaceDesc.ddpfPixelFormat.dwSize); - SwapLong(&header->surfaceDesc.ddpfPixelFormat.dwFlags); - SwapLong(&header->surfaceDesc.ddpfPixelFormat.dwFourCC); - SwapLong(&header->surfaceDesc.ddpfPixelFormat.dwRGBBitCount); - SwapLong(&header->surfaceDesc.ddpfPixelFormat.dwRBitMask); - SwapLong(&header->surfaceDesc.ddpfPixelFormat.dwGBitMask); - SwapLong(&header->surfaceDesc.ddpfPixelFormat.dwBBitMask); - SwapLong(&header->surfaceDesc.ddpfPixelFormat.dwRGBAlphaBitMask); + SwapLong(&header->surfaceDesc.ddspf.dwSize); + SwapLong(&header->surfaceDesc.ddspf.dwFlags); + SwapLong(&header->surfaceDesc.ddspf.dwFourCC); + SwapLong(&header->surfaceDesc.ddspf.dwRGBBitCount); + SwapLong(&header->surfaceDesc.ddspf.dwRBitMask); + SwapLong(&header->surfaceDesc.ddspf.dwGBitMask); + SwapLong(&header->surfaceDesc.ddspf.dwBBitMask); + SwapLong(&header->surfaceDesc.ddspf.dwRGBAlphaBitMask); SwapLong(&header->surfaceDesc.ddsCaps.dwCaps1); SwapLong(&header->surfaceDesc.ddsCaps.dwCaps2); SwapLong(&header->surfaceDesc.ddsCaps.dwReserved[0]);
