Hello community, here is the log from the commit of package libpgf for openSUSE:Factory checked in at 2015-09-19 06:53:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libpgf (Old) and /work/SRC/openSUSE:Factory/.libpgf.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libpgf" Changes: --------
--- /work/SRC/openSUSE:Factory/libpgf/libpgf.changes 2014-08-13 08:48:12.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.libpgf.new/libpgf.changes 2015-09-19 06:53:03.000000000 +0200
@@ -1,0 +2,8 @@
+Mon Sep 7 19:57:21 UTC 2015 - [email protected]
+
+- Added the following security patches from upstream:
+ * libpgf-r147.patch, libpgf-r148.patch
+ Fix use-after-free vulnerability in Decoder.cpp
+ CVE-2015-6673, bnc#943304, boo#941059
+
+-------------------------------------------------------------------
New: ---- libpgf-r147.patch libpgf-r148.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libpgf.spec ++++++
--- /var/tmp/diff_new_pack.jtDzO0/_old 2015-09-19 06:53:03.000000000 +0200
+++ /var/tmp/diff_new_pack.jtDzO0/_new 2015-09-19 06:53:03.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package libpgf
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,6 +26,10 @@
 Group: Productivity/Graphics/Other
 Url: http://www.libpgf.org/
 Source0: http://downloads.sourceforge.net/%{name}/%{name}-src-%{version}.tar.gz
+# PATCH-FIX-UPSTREAM libpgf-r147.patch CVE-2015-6673 bnc#943304 boo#941059 [email protected] -- Fix use-after-free vulnerability in Decoder.cpp
+Patch0: libpgf-r147.patch
+# PATCH-FIX-UPSTREAM libpgf-r148.patch CVE-2015-6673 bnc#943304 boo#941059 [email protected] -- Fix use-after-free vulnerability in Decoder.cpp
+Patch1: libpgf-r148.patch
 BuildRequires: doxygen
 BuildRequires: fdupes
 BuildRequires: gcc-c++
@@ -55,6 +59,8 @@
 %prep
 %setup -q -n %{name}
+%patch0 -p1
+%patch1 -p1
 # Add "libpgf-" prefix to all man pages to prevent conflicts with other packages
 sed -i 's/\/man\/man3\/\$\$f/\/man\/man3\/libpgf-\$\$f/' doc/Makefile.am
++++++ libpgf-r147.patch ++++++
diff -up libpgf/include/PGFimage.h.r147 libpgf/include/PGFimage.h
--- libpgf/include/PGFimage.h.r147 2015-08-10 10:24:28.319204436 -0500
+++ libpgf/include/PGFimage.h 2015-08-10 10:44:12.588655556 -0500
@@ -538,7 +538,7 @@ private:
 ProgressMode m_progressMode; ///< progress mode used in Read and Write; PM_Relative is default mode
 void ComputeLevels();
- void CompleteHeader();
+ bool CompleteHeader();
 void RgbToYuv(int pitch, UINT8* rgbBuff, BYTE bpp, int channelMap[], CallbackPtr cb, void *data) THROW_;
 void Downsample(int nChannel);
 UINT32 UpdatePostHeaderSize() THROW_;
diff -up libpgf/src/Decoder.cpp.r147 libpgf/src/Decoder.cpp
--- libpgf/src/Decoder.cpp.r147 2015-08-10 10:24:28.637208326 -0500
+++ libpgf/src/Decoder.cpp 2015-08-10 10:45:04.349979345 -0500
@@ -158,7 +158,7 @@ CDecoder::CDecoder(CPGFStream* stream, P
 if (size > 0) {
 // read post-header
 if (header.mode == ImageModeIndexedColor) {
- ASSERT((size_t)size >= ColorTableSize);
+ if (size < ColorTableSize) ReturnWithError(FormatCannotRead);
 // read color table
 count = expected = ColorTableSize;
 m_stream->Read(&count, postHeader.clut);
diff -up libpgf/src/PGFimage.cpp.r147 libpgf/src/PGFimage.cpp
--- libpgf/src/PGFimage.cpp.r147 2014-03-21 07:09:10.000000000 -0500
+++ libpgf/src/PGFimage.cpp 2015-08-10 10:45:33.371423512 -0500
@@ -145,7 +145,7 @@ void CPGFImage::Open(CPGFStream *stream)
 m_height[0] = m_header.height;
 // complete header
- CompleteHeader();
+ if (!CompleteHeader()) ReturnWithError(FormatCannotRead);
 // interpret quant parameter
 if (m_header.quality > DownsampleThreshold &&
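Review bot: The new `bool CompleteHeader();` declaration in PGFimage.h (hunk `@@ -538,7 +538,7 @@`) has no comment stating what the return value means, although the member just above it carries a `///<` description. A Doxygen line such as `/// Completes m_header; returns false if the header fields are inconsistent (e.g. mode/bpp mismatch), in which case the image must not be decoded.` would make the contract explicit for future callers. The only call site visible on this page, in `CPGFImage::Open`, does check the result.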
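Review bot: The added check in the Decoder.cpp hunk (`@@ -158,7 +158,7 @@`) drops the `(size_t)` cast that the removed ASSERT applied to `size`. If `size` is a signed integer and `ColorTableSize` an unsigned constant (neither declaration is in the hunk), this is a mixed-sign comparison that is only correct because of the enclosing `if (size > 0)`, and it will trip sign-compare warnings. Keeping the cast makes the intent explicit: `if ((size_t)size < ColorTableSize) ReturnWithError(FormatCannotRead);`. The `m_stream->Read(&count, postHeader.clut)` that follows should also be checked for `count == expected`; whether it is lies outside the hunk, as does the rest of the constructor.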
@@ -205,7 +205,7 @@ void CPGFImage::Open(CPGFStream *stream)
 }
 ////////////////////////////////////////////////////////////
-void CPGFImage::CompleteHeader() {
+bool CPGFImage::CompleteHeader() {
 if (m_header.mode == ImageModeUnknown) {
 // undefined mode
 switch(m_header.bpp) {
@@ -261,20 +261,20 @@ void CPGFImage::CompleteHeader() {
 // change mode
 m_header.mode = ImageModeRGBA;
 }
- ASSERT(m_header.mode != ImageModeBitmap || m_header.bpp == 1);
- ASSERT(m_header.mode != ImageModeIndexedColor || m_header.bpp == 8);
- ASSERT(m_header.mode != ImageModeGrayScale || m_header.bpp == 8);
- ASSERT(m_header.mode != ImageModeGray16 || m_header.bpp == 16);
- ASSERT(m_header.mode != ImageModeGray32 || m_header.bpp == 32);
- ASSERT(m_header.mode != ImageModeRGBColor || m_header.bpp == 24);
- ASSERT(m_header.mode != ImageModeRGBA || m_header.bpp == 32);
- ASSERT(m_header.mode != ImageModeRGB12 || m_header.bpp == 12);
- ASSERT(m_header.mode != ImageModeRGB16 || m_header.bpp == 16);
- ASSERT(m_header.mode != ImageModeRGB48 || m_header.bpp == 48);
- ASSERT(m_header.mode != ImageModeLabColor || m_header.bpp == 24);
- ASSERT(m_header.mode != ImageModeLab48 || m_header.bpp == 48);
- ASSERT(m_header.mode != ImageModeCMYKColor || m_header.bpp == 32);
- ASSERT(m_header.mode != ImageModeCMYK64 || m_header.bpp == 64);
+ if (m_header.mode == ImageModeBitmap && m_header.bpp != 1) return false;
+ if (m_header.mode == ImageModeIndexedColor && m_header.bpp != 8) return false;
+ if (m_header.mode == ImageModeGrayScale && m_header.bpp != 8) return false;
+ if (m_header.mode == ImageModeGray16 && m_header.bpp != 16) return false;
+ if (m_header.mode == ImageModeGray32 && m_header.bpp != 32) return false;
+ if (m_header.mode == ImageModeRGBColor && m_header.bpp != 24) return false;
+ if (m_header.mode == ImageModeRGBA && m_header.bpp != 32) return false;
+ if (m_header.mode == ImageModeRGB12 && m_header.bpp != 12) return false;
+ if (m_header.mode == ImageModeRGB16 && m_header.bpp != 16) return false;
+ if (m_header.mode == ImageModeRGB48 && m_header.bpp != 48) return false;
+ if (m_header.mode == ImageModeLabColor && m_header.bpp != 24) return false;
+ if (m_header.mode == ImageModeLab48 && m_header.bpp != 48) return false;
+ if (m_header.mode == ImageModeCMYKColor && m_header.bpp != 32) return false;
+ if (m_header.mode == ImageModeCMYK64 && m_header.bpp != 64) return false;
 // set number of channels
 if (!m_header.channels) {
@@ -300,8 +300,7 @@ void CPGFImage::CompleteHeader() {
 m_header.channels = 4;
 break;
 default:
- ASSERT(false);
- m_header.channels = 3;
+ return false;
 }
 }
@@ -311,6 +310,8 @@ void CPGFImage::CompleteHeader() {
 if (!m_header.usedBitsPerChannel || m_header.usedBitsPerChannel > bpc) {
 m_header.usedBitsPerChannel = bpc;
 }
+
+ return true;
 }
 //////////////////////////////////////////////////////////////////////
++++++ libpgf-r148.patch ++++++
diff -up libpgf/src/Decoder.cpp.r148 libpgf/src/Decoder.cpp
--- libpgf/src/Decoder.cpp.r148 2015-08-10 10:46:21.632558343 -0500
+++ libpgf/src/Decoder.cpp 2015-08-10 10:46:21.945565702 -0500
@@ -87,29 +87,6 @@ CDecoder::CDecoder(CPGFStream* stream, P
 int count, expected;
- // set number of threads
-#ifdef LIBPGF_USE_OPENMP
- m_macroBlockLen = omp_get_num_procs();
-#else
- m_macroBlockLen = 1;
-#endif
-
- if (useOMP && m_macroBlockLen > 1) {
-#ifdef LIBPGF_USE_OPENMP
- omp_set_num_threads(m_macroBlockLen);
-#endif
-
- // create macro block array
- m_macroBlocks = new(std::nothrow) CMacroBlock*[m_macroBlockLen];
- if (!m_macroBlocks) ReturnWithError(InsufficientMemory);
- for (int i=0; i < m_macroBlockLen; i++) m_macroBlocks[i] = new CMacroBlock();
- m_currentBlock = m_macroBlocks[m_currentBlockIndex];
- } else {
- m_macroBlocks = 0;
- m_macroBlockLen = 1; // there is only one macro block
- m_currentBlock = new CMacroBlock();
- }
-
 // store current stream position
 m_startPos = m_stream->GetPos();
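Review bot: In `CPGFImage::CompleteHeader` a non-zero `m_header.channels` supplied by the file is never compared with the mode in the visible lines. The channel count is only derived, and an unrecognised mode only rejected by the new `default: return false;`, when `m_header.channels` is zero: `if (!m_header.channels) {` closes the `@@ -261,20 +261,20 @@` hunk, and the switch in the `@@ -300,8 +300,7 @@` hunk appears to sit inside it, judging by the two closing braces. None of the fourteen mode/bpp checks look at `channels` either. If nothing outside these hunks bounds it, consider also checking a non-zero `m_header.channels` against the mode and returning false on a mismatch. Parts of the function body lie outside these hunks.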
@@ -209,6 +186,30 @@ CDecoder::CDecoder(CPGFStream* stream, P
 // store current stream position
 m_encodedHeaderLength = UINT32(m_stream->GetPos() - m_startPos);
+
+ // set number of threads
+#ifdef LIBPGF_USE_OPENMP
+ m_macroBlockLen = omp_get_num_procs();
+#else
+ m_macroBlockLen = 1;
+#endif
+
+ if (useOMP && m_macroBlockLen > 1) {
+#ifdef LIBPGF_USE_OPENMP
+ omp_set_num_threads(m_macroBlockLen);
+#endif
+
+ // create macro block array
+ m_macroBlocks = new(std::nothrow) CMacroBlock*[m_macroBlockLen];
+ if (!m_macroBlocks) ReturnWithError(InsufficientMemory);
+ for (int i = 0; i < m_macroBlockLen; i++) m_macroBlocks[i] = new CMacroBlock();
+ m_currentBlock = m_macroBlocks[m_currentBlockIndex];
+ } else {
+ m_macroBlocks = 0;
+ m_macroBlockLen = 1; // there is only one macro block
+ m_currentBlock = new(std::nothrow) CMacroBlock();
+ if (!m_currentBlock) ReturnWithError(InsufficientMemory);
+ }
 }
 /////////////////////////////////////////////////////////////////////
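Review bot: In the relocated block of `CDecoder::CDecoder`, the loop `m_macroBlocks[i] = new CMacroBlock();` still uses plain `new`, while the array above it and the single-block branch use `new(std::nothrow)` with an `InsufficientMemory` check. For consistent out-of-memory handling the loop elements should be allocated and checked the same way: `m_macroBlocks[i] = new(std::nothrow) CMacroBlock();` followed by `if (!m_macroBlocks[i]) ReturnWithError(InsufficientMemory);`, with the slots nulled first so cleanup can tell which were allocated. Because allocation now happens after header parsing, every earlier `ReturnWithError` leaves `m_macroBlocks` and `m_currentBlock` unassigned by this code. They need null initial values wherever a destructor or caller may still touch them; that cannot be confirmed here because the constructor's initialiser list is outside the hunk.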
