Hello community, here is the log from the commit of package libwmf for openSUSE:Factory checked in at 2015-06-12 21:15:01 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libwmf (Old) and /work/SRC/openSUSE:Factory/.libwmf.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libwmf" Changes: -------- --- /work/SRC/openSUSE:Factory/libwmf/libwmf.changes 2014-08-28 21:05:19.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libwmf.new/libwmf.changes 2015-06-12 21:15:02.000000000 +0200 @@ -1,0 +2,11 @@ +Thu Jun 11 07:11:53 UTC 2015 - fst...@suse.com + +- Added patches: + * libwmf-0.2.8.4-CVE-2015-0848.patch + - Fix CVE-2015-0848: Heap overflow on libwmf0.2-7 (bsc#933109) + * libwmf-0.2.8.4-badrle.patch + - Fix: DecodeImage() does not check that the run-length "count" + fits into the total size of the image, which can lead to a + heap-based buffer overflow (bsc#933109) + +------------------------------------------------------------------- New: ---- libwmf-0.2.8.4-CVE-2015-0848.patch libwmf-0.2.8.4-badrle.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libwmf.spec ++++++ --- /var/tmp/diff_new_pack.Dnvodo/_old 2015-06-12 21:15:03.000000000 +0200 +++ /var/tmp/diff_new_pack.Dnvodo/_new 2015-06-12 21:15:03.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package libwmf # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -26,12 +26,14 @@ Url: http://wvWare.sourceforge.net/ Source: http://downloads.sourceforge.net/project/wvware/%{name}/%{version}/%{name}-%{version}.tar.gz Source2: baselibs.conf -Patch0: libwmf-%{version}-ia64.patch -Patch1: libwmf-%{version}-fix.patch -Patch2: libwmf-%{version}-config.patch -Patch3: libwmf-%{version}-overflow-CVE-2006-3376.patch +Patch0: libwmf-0.2.8.4-ia64.patch +Patch1: libwmf-0.2.8.4-fix.patch +Patch2: libwmf-0.2.8.4-config.patch +Patch3: libwmf-0.2.8.4-overflow-CVE-2006-3376.patch Patch4: libwmf-0.2.8.4-gd_libpng.patch Patch5: libwmf-0.2.8.4-bnc495842.patch +Patch6: libwmf-0.2.8.4-CVE-2015-0848.patch +Patch7: libwmf-0.2.8.4-badrle.patch BuildRequires: gd-devel BuildRequires: gtk2-devel BuildRequires: libjpeg-devel @@ -104,9 +106,11 @@ %patch3 %patch4 %patch5 +%patch6 -p1 +%patch7 -p1 %build -%configure --prefix=/usr $RPM_ARCH-suse-linux --enable-magick --libdir=%{_libdir} +%configure --prefix=%{_prefix} $RPM_ARCH-suse-linux --enable-magick --libdir=%{_libdir} make %{?_smp_mflags} %install ++++++ libwmf-0.2.8.4-CVE-2015-0848.patch ++++++ --- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-02 11:35:04.072201795 +0100 +++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-02 11:35:20.647406414 +0100 @@ -1145,8 +1143,15 @@ } } else - { /* Convert run-length encoded raster pixels. */ - DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image); + { + if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */ + { + DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image); + } + else + { WMF_ERROR (API,"Unexpected pixel depth"); + API->err = wmf_E_BadFormat; + } } if (ERR (API)) ++++++ libwmf-0.2.8.4-badrle.patch ++++++ diff -ru libwmf-0.2.8.4/src/ipa/ipa/bmp.h libwmf-0.2.8.4/src/ipa/ipa/bmp.h --- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-03 09:30:59.410501271 +0100 +++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-03 09:31:05.775572630 +0100 
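Review bot: The new guard in the run-length branch tests only `bmp_info.bits_per_pixel == 8` and never looks at `bmp_info.compression`, which is still passed to DecodeImage unchanged. DecodeImage, as shown in the badrle patch, handles every value other than 1 in its `else` branch, so a header declaring 8 bits per pixel with a mismatched compression value is still decoded. Making the accepted pair explicit, for example `if (bmp_info.bits_per_pixel == 8 && bmp_info.compression == 1)`, would send that case down the same wmf_E_BadFormat path. Confirm first that no other combination is meant to be supported. The enclosing function starts and ends outside the hunk.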
@@ -859,7 +859,7 @@ % % */ -static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) +static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) { int byte; int count; int i; @@ -870,12 +870,14 @@ U32 u; unsigned char* q; + unsigned char* end; for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0; byte = 0; x = 0; q = pixels; + end = pixels + bmp->width * bmp->height; for (y = 0; y < bmp->height; ) { count = ReadBlobByte (src); @@ -884,7 +886,10 @@ { /* Encoded mode. */ byte = ReadBlobByte (src); for (i = 0; i < count; i++) - { if (compression == 1) + { + if (q == end) + return 0; + if (compression == 1) { (*(q++)) = (unsigned char) byte; } else @@ -896,13 +901,15 @@ else { /* Escape mode. */ count = ReadBlobByte (src); - if (count == 0x01) return; + if (count == 0x01) return 1; switch (count) { case 0x00: { /* End of line. */ x = 0; y++; + if (y >= bmp->height) + return 0; q = pixels + y * bmp->width; break; } @@ -910,13 +917,20 @@ { /* Delta mode. */ x += ReadBlobByte (src); y += ReadBlobByte (src); + if (y >= bmp->height) + return 0; + if (x >= bmp->width) + return 0; q = pixels + y * bmp->width + x; break; } default: { /* Absolute mode. */ for (i = 0; i < count; i++) - { if (compression == 1) + { + if (q == end) + return 0; + if (compression == 1) { (*(q++)) = ReadBlobByte (src); } else @@ -943,7 +957,7 @@ byte = ReadBlobByte (src); /* end of line */ byte = ReadBlobByte (src); - return; + return 1; } /* 
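Review bot: DecodeImage now returns int, but nothing in the hunk says what the values mean. The comment block that ends just above the signature is mostly outside the hunk and may still describe a void function. The later hunks return 0 when the data would run past the pixel buffer or the image rows, and 1 on normal completion. A line such as `Returns 1 on success, 0 if the run-length data does not fit the image.` belongs in that block. The function body continues outside this hunk.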
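Review bot: `end` is computed as `pixels + bmp->width * bmp->height` without the `(U32)` casts that the zeroing loop a few lines above applies to the same product. The field types are declared outside this diff. If they are narrower than int, the uncast product is evaluated as a signed int and can overflow for large dimensions, which would leave `end` somewhere other than one past the buffer, so the `q == end` checks added in the later hunks would never fire. Writing `end = pixels + (U32) bmp->width * (U32) bmp->height;` keeps the bound consistent with the loop. The buffer allocation is outside the hunk and should be sized with the same arithmetic.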
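Review bot: In the delta-mode case the two ReadBlobByte results are added straight to `x` and `y`, and the new checks test only the upper bounds `y >= bmp->height` and `x >= bmp->width`. ReadBlobByte and the declarations of `x` and `y` are outside this diff. If a failed read is reported as a negative value and the coordinates are signed, a truncated stream could move `x` or `y` below zero, pass both checks and place `q` before the intended row. The added `q == end` tests are equality tests and would not catch that. Reading the offsets into temporaries and rejecting a failed read before the addition closes the gap, as sketched below. The same unchecked-read pattern applies to the absolute-mode loop in this hunk, where the value is only stored into the pixel buffer.

```c
case 0x02:
 {	/* Delta mode. */
	int dx = ReadBlobByte (src);
	int dy = ReadBlobByte (src);
	if (dx < 0 || dy < 0)
		return 0;
	x += dx;
	y += dy;
	/* … unchanged: upper-bound checks on y and x, recomputation of q … */
```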
@@ -1146,7 +1160,10 @@ { if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */ { - DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image); + if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image)) + { WMF_ERROR (API,"corrupt bmp"); + API->err = wmf_E_BadFormat; + } } else { WMF_ERROR (API,"Unexpected pixel depth"); diff -ru libwmf-0.2.8.4/src/ipa/ipa.h libwmf-0.2.8.4/src/ipa/ipa.h --- libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-03 09:30:59.410501271 +0100 +++ libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-03 09:31:08.687605277 +0100 @@ -48,7 +48,7 @@ static unsigned short ReadBlobLSBShort (BMPSource*); static unsigned long ReadBlobLSBLong (BMPSource*); static long TellBlob (BMPSource*); -static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); +static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*); static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int); static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);