Re: [PATCH] graphics/libsixel security patches
On Wed Dec 11, 2019 at 07:36:47PM -0500, trondd wrote:
> Stuart Henderson wrote:
>
> > On 2019/12/10 21:58, trondd wrote:
> > > A handful of CVEs were assigned for bugs in libsixel. Heap buffer
> > > overflows and integer overflows.
> > >
> > > CVE-2019-19638
> > > CVE-2019-19635
> > > CVE-2019-19636
> > > CVE-2019-19637
> > >
> > > A pull request pointing out the issues and patching them was submitted
> > > about 10 days ago. The CVEs were assigned 3 days ago.
> > >
> > > https://github.com/saitoha/libsixel/pull/106
> > >
> > > There hasn't been a response yet so instead of waiting for a new release
> > > I'm being proactive to get the patches applied to the port of the current
> > > version.
> >
> > Please would you add a quick comment to the patches? A reference to
> > the PR and short description would be fine.
> >
> > > Tim.
> > >
>
> Added the info to the patches.
Reads fine, thanks! ++cc maintainer.
>
> Tim.
>
>
> Index: Makefile
> ===
> RCS file: /cvs/ports/graphics/libsixel/Makefile,v
> retrieving revision 1.5
> diff -u -p -r1.5 Makefile
> --- Makefile 12 Jul 2019 20:47:02 - 1.5
> +++ Makefile 12 Dec 2019 00:27:49 -
> @@ -9,6 +9,8 @@ SHARED_LIBS +=sixel 1.0 # 1.6
>
> CATEGORIES = graphics
>
> +REVISION = 0
> +
> HOMEPAGE = https://github.com/saitoha/libsixel
>
> MAINTAINER = Frederic Cambus
> Index: patches/patch-include_sixel_h_in
> ===
> RCS file: patches/patch-include_sixel_h_in
> diff -N patches/patch-include_sixel_h_in
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ patches/patch-include_sixel_h_in 12 Dec 2019 00:27:49 -
> @@ -0,0 +1,21 @@
> +$OpenBSD$
> +
> +Addresses buffer overlow and integer overflow CVEs
> +Patches from https://github.com/saitoha/libsixel/pull/106
> +
> +CVE-2019-19638
> +CVE-2019-19635
> +CVE-2019-19636
> +CVE-2019-19637
> +
> +Index: include/sixel.h.in
> +--- include/sixel.h.in.orig
> include/sixel.h.in
> +@@ -60,6 +60,7 @@ typedef int SIXELSTATUS;
> + #define SIXEL_BAD_ALLOCATION(SIXEL_RUNTIME_ERROR | 0x0001) /* malloc()
> failed */
> + #define SIXEL_BAD_ARGUMENT (SIXEL_RUNTIME_ERROR | 0x0002) /* bad
> argument detected */
> + #define SIXEL_BAD_INPUT (SIXEL_RUNTIME_ERROR | 0x0003) /* bad
> input detected */
> ++#define SIXEL_BAD_INTEGER_OVERFLOW (SIXEL_RUNTIME_ERROR | 0x0004) /*
> integer overflow */
> +
> + #define SIXEL_NOT_IMPLEMENTED (SIXEL_FEATURE_ERROR | 0x0001) /* feature
> not implemented */
> +
> Index: patches/patch-src_frompnm_c
> ===
> RCS file: patches/patch-src_frompnm_c
> diff -N patches/patch-src_frompnm_c
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ patches/patch-src_frompnm_c 12 Dec 2019 00:27:49 -
> @@ -0,0 +1,31 @@
> +$OpenBSD$
> +
> +Addresses buffer overlow and integer overflow CVEs
> +Patches from https://github.com/saitoha/libsixel/pull/106
> +
> +CVE-2019-19638
> +CVE-2019-19635
> +CVE-2019-19636
> +CVE-2019-19637
> +
> +Index: src/frompnm.c
> +--- src/frompnm.c.orig
> src/frompnm.c
> +@@ -166,7 +166,7 @@ load_pnm(unsigned char /* in */ *p,
> + height = 0;
> + for (; *s >= '0' && *s <= '9'; ++s) {
> + height = height * 10 + (*s - '0');
> +-if (width > PNM_MAX_WIDTH) {
> ++if (height > PNM_MAX_HEIGHT) {
> + status = SIXEL_RUNTIME_ERROR;
> + sprintf(
> + message,
> +@@ -193,7 +193,7 @@ load_pnm(unsigned char /* in */ *p,
> + for (; *s >= '0' && *s <= '9'; ++s) {
> + deps = deps * 10 + (*s - '0');
> + }
> +-if (width > PNM_MAX_WIDTH) {
> ++if (deps > PNM_MAX_DEPTH) {
> + status = SIXEL_RUNTIME_ERROR;
> + sprintf(
> + message,
> Index: patches/patch-src_fromsixel_c
> ===
> RCS file: patches/patch-src_fromsixel_c
> diff -N patches/patch-src_fromsixel_c
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ patches/patch-src_fromsixel_c 12 Dec 2019 00:27:49 -
> @@ -0,0 +1,87 @@
> +$OpenBSD$
> +
> +Addresses buffer overlow and integer overflow CVEs
> +Patches from https://github.com/saitoha/libsixel/pull/106
> +
> +CVE-2019-19638
> +CVE-2019-19635
> +CVE-2019-19636
> +CVE-2019-19637
> +
> +Index: src/fromsixel.c
> +--- src/fromsixel.c.orig
> src/fromsixel.c
> +@@ -52,6 +52,7 @@
> + #include
> + #include/* isdigit */
> + #include /* memcpy */
> ++#include
> +
> + #if defined(HAVE_INTTYPES_H)
> + # include
> +@@ -367,7 +368,17 @@ parser_context_init(parser_context_t *context)
> + return status;
> + }
> +
> ++SIXELSTATUS safe_addition_for_params(parser_context_t *context, unsigned
> char *p){
> ++int x;
> +
> ++x = *p - '0'; /* 0 <= x <= 9 */
> ++if ((context->param > INT_MAX / 10)
Re: [PATCH] graphics/libsixel security patches
Stuart Henderson wrote:
> On 2019/12/10 21:58, trondd wrote:
> > A handful of CVEs were assigned for bugs in libsixel. Heap buffer
> > overflows and integer overflows.
> >
> > CVE-2019-19638
> > CVE-2019-19635
> > CVE-2019-19636
> > CVE-2019-19637
> >
> > A pull request pointing out the issues and patching them was submitted
> > about 10 days ago. The CVEs were assigned 3 days ago.
> >
> > https://github.com/saitoha/libsixel/pull/106
> >
> > There hasn't been a response yet so instead of waiting for a new release
> > I'm being proactive to get the patches applied to the port of the current
> > version.
>
> Please would you add a quick comment to the patches? A reference to
> the PR and short description would be fine.
>
> > Tim.
> >
Added the info to the patches.
Tim.
Index: Makefile
===
RCS file: /cvs/ports/graphics/libsixel/Makefile,v
retrieving revision 1.5
diff -u -p -r1.5 Makefile
--- Makefile12 Jul 2019 20:47:02 - 1.5
+++ Makefile12 Dec 2019 00:27:49 -
@@ -9,6 +9,8 @@ SHARED_LIBS += sixel 1.0 # 1.6
CATEGORIES = graphics
+REVISION = 0
+
HOMEPAGE = https://github.com/saitoha/libsixel
MAINTAINER = Frederic Cambus
Index: patches/patch-include_sixel_h_in
===
RCS file: patches/patch-include_sixel_h_in
diff -N patches/patch-include_sixel_h_in
--- /dev/null 1 Jan 1970 00:00:00 -
+++ patches/patch-include_sixel_h_in12 Dec 2019 00:27:49 -
@@ -0,0 +1,21 @@
+$OpenBSD$
+
+Addresses buffer overlow and integer overflow CVEs
+Patches from https://github.com/saitoha/libsixel/pull/106
+
+CVE-2019-19638
+CVE-2019-19635
+CVE-2019-19636
+CVE-2019-19637
+
+Index: include/sixel.h.in
+--- include/sixel.h.in.orig
include/sixel.h.in
+@@ -60,6 +60,7 @@ typedef int SIXELSTATUS;
+ #define SIXEL_BAD_ALLOCATION(SIXEL_RUNTIME_ERROR | 0x0001) /* malloc()
failed */
+ #define SIXEL_BAD_ARGUMENT (SIXEL_RUNTIME_ERROR | 0x0002) /* bad
argument detected */
+ #define SIXEL_BAD_INPUT (SIXEL_RUNTIME_ERROR | 0x0003) /* bad input
detected */
++#define SIXEL_BAD_INTEGER_OVERFLOW (SIXEL_RUNTIME_ERROR | 0x0004) /* integer
overflow */
+
+ #define SIXEL_NOT_IMPLEMENTED (SIXEL_FEATURE_ERROR | 0x0001) /* feature
not implemented */
+
Index: patches/patch-src_frompnm_c
===
RCS file: patches/patch-src_frompnm_c
diff -N patches/patch-src_frompnm_c
--- /dev/null 1 Jan 1970 00:00:00 -
+++ patches/patch-src_frompnm_c 12 Dec 2019 00:27:49 -
@@ -0,0 +1,31 @@
+$OpenBSD$
+
+Addresses buffer overlow and integer overflow CVEs
+Patches from https://github.com/saitoha/libsixel/pull/106
+
+CVE-2019-19638
+CVE-2019-19635
+CVE-2019-19636
+CVE-2019-19637
+
+Index: src/frompnm.c
+--- src/frompnm.c.orig
src/frompnm.c
+@@ -166,7 +166,7 @@ load_pnm(unsigned char /* in */ *p,
+ height = 0;
+ for (; *s >= '0' && *s <= '9'; ++s) {
+ height = height * 10 + (*s - '0');
+-if (width > PNM_MAX_WIDTH) {
++if (height > PNM_MAX_HEIGHT) {
+ status = SIXEL_RUNTIME_ERROR;
+ sprintf(
+ message,
+@@ -193,7 +193,7 @@ load_pnm(unsigned char /* in */ *p,
+ for (; *s >= '0' && *s <= '9'; ++s) {
+ deps = deps * 10 + (*s - '0');
+ }
+-if (width > PNM_MAX_WIDTH) {
++if (deps > PNM_MAX_DEPTH) {
+ status = SIXEL_RUNTIME_ERROR;
+ sprintf(
+ message,
Index: patches/patch-src_fromsixel_c
===
RCS file: patches/patch-src_fromsixel_c
diff -N patches/patch-src_fromsixel_c
--- /dev/null 1 Jan 1970 00:00:00 -
+++ patches/patch-src_fromsixel_c 12 Dec 2019 00:27:49 -
@@ -0,0 +1,87 @@
+$OpenBSD$
+
+Addresses buffer overlow and integer overflow CVEs
+Patches from https://github.com/saitoha/libsixel/pull/106
+
+CVE-2019-19638
+CVE-2019-19635
+CVE-2019-19636
+CVE-2019-19637
+
+Index: src/fromsixel.c
+--- src/fromsixel.c.orig
src/fromsixel.c
+@@ -52,6 +52,7 @@
+ #include
+ #include/* isdigit */
+ #include /* memcpy */
++#include
+
+ #if defined(HAVE_INTTYPES_H)
+ # include
+@@ -367,7 +368,17 @@ parser_context_init(parser_context_t *context)
+ return status;
+ }
+
++SIXELSTATUS safe_addition_for_params(parser_context_t *context, unsigned char
*p){
++int x;
+
++x = *p - '0'; /* 0 <= x <= 9 */
++if ((context->param > INT_MAX / 10) || (x > INT_MAX - context->param *
10)) {
++return SIXEL_BAD_INTEGER_OVERFLOW;
++}
++context->param = context->param * 10 + x;
++return SIXEL_OK;
++}
++
+ /* convert sixel data into indexed pixel bytes and palette data */
+ SIXELAPI SIXELSTATUS
+ sixel_decode_raw_impl(
+@@ -446,7 +457,10 @@ sixel_decode_raw_impl(
+ if (context->param < 0) {
+
Re: [PATCH] graphics/libsixel security patches
On 2019/12/10 21:58, trondd wrote:
> A handful of CVEs were assigned for bugs in libsixel. Heap buffer
> overflows and integer overflows.
>
> CVE-2019-19638
> CVE-2019-19635
> CVE-2019-19636
> CVE-2019-19637
>
> A pull request pointing out the issues and patching them was submitted
> about 10 days ago. The CVEs were assigned 3 days ago.
>
> https://github.com/saitoha/libsixel/pull/106
>
> There hasn't been a response yet so instead of waiting for a new release
> I'm being proactive to get the patches applied to the port of the current
> version.
Please would you add a quick comment to the patches? A reference to
the PR and short description would be fine.
> Tim.
>
> Index: Makefile
> ===
> RCS file: /cvs/ports/graphics/libsixel/Makefile,v
> retrieving revision 1.5
> diff -u -p -r1.5 Makefile
> --- Makefile 12 Jul 2019 20:47:02 - 1.5
> +++ Makefile 11 Dec 2019 02:51:09 -
> @@ -9,6 +9,8 @@ SHARED_LIBS +=sixel 1.0 # 1.6
>
> CATEGORIES = graphics
>
> +REVISION = 0
> +
> HOMEPAGE = https://github.com/saitoha/libsixel
>
> MAINTAINER = Frederic Cambus
> Index: patches/patch-include_sixel_h_in
> ===
> RCS file: patches/patch-include_sixel_h_in
> diff -N patches/patch-include_sixel_h_in
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ patches/patch-include_sixel_h_in 11 Dec 2019 02:51:09 -
> @@ -0,0 +1,13 @@
> +$OpenBSD$
> +
> +Index: include/sixel.h.in
> +--- include/sixel.h.in.orig
> include/sixel.h.in
> +@@ -60,6 +60,7 @@ typedef int SIXELSTATUS;
> + #define SIXEL_BAD_ALLOCATION(SIXEL_RUNTIME_ERROR | 0x0001) /* malloc()
> failed */
> + #define SIXEL_BAD_ARGUMENT (SIXEL_RUNTIME_ERROR | 0x0002) /* bad
> argument detected */
> + #define SIXEL_BAD_INPUT (SIXEL_RUNTIME_ERROR | 0x0003) /* bad
> input detected */
> ++#define SIXEL_BAD_INTEGER_OVERFLOW (SIXEL_RUNTIME_ERROR | 0x0004) /*
> integer overflow */
> +
> + #define SIXEL_NOT_IMPLEMENTED (SIXEL_FEATURE_ERROR | 0x0001) /* feature
> not implemented */
> +
> Index: patches/patch-src_frompnm_c
> ===
> RCS file: patches/patch-src_frompnm_c
> diff -N patches/patch-src_frompnm_c
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ patches/patch-src_frompnm_c 11 Dec 2019 02:51:09 -
> @@ -0,0 +1,23 @@
> +$OpenBSD$
> +
> +Index: src/frompnm.c
> +--- src/frompnm.c.orig
> src/frompnm.c
> +@@ -166,7 +166,7 @@ load_pnm(unsigned char /* in */ *p,
> + height = 0;
> + for (; *s >= '0' && *s <= '9'; ++s) {
> + height = height * 10 + (*s - '0');
> +-if (width > PNM_MAX_WIDTH) {
> ++if (height > PNM_MAX_HEIGHT) {
> + status = SIXEL_RUNTIME_ERROR;
> + sprintf(
> + message,
> +@@ -193,7 +193,7 @@ load_pnm(unsigned char /* in */ *p,
> + for (; *s >= '0' && *s <= '9'; ++s) {
> + deps = deps * 10 + (*s - '0');
> + }
> +-if (width > PNM_MAX_WIDTH) {
> ++if (deps > PNM_MAX_DEPTH) {
> + status = SIXEL_RUNTIME_ERROR;
> + sprintf(
> + message,
> Index: patches/patch-src_fromsixel_c
> ===
> RCS file: patches/patch-src_fromsixel_c
> diff -N patches/patch-src_fromsixel_c
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ patches/patch-src_fromsixel_c 11 Dec 2019 02:51:09 -
> @@ -0,0 +1,79 @@
> +$OpenBSD$
> +
> +Index: src/fromsixel.c
> +--- src/fromsixel.c.orig
> src/fromsixel.c
> +@@ -52,6 +52,7 @@
> + #include
> + #include/* isdigit */
> + #include /* memcpy */
> ++#include
> +
> + #if defined(HAVE_INTTYPES_H)
> + # include
> +@@ -367,7 +368,17 @@ parser_context_init(parser_context_t *context)
> + return status;
> + }
> +
> ++SIXELSTATUS safe_addition_for_params(parser_context_t *context, unsigned
> char *p){
> ++int x;
> +
> ++x = *p - '0'; /* 0 <= x <= 9 */
> ++if ((context->param > INT_MAX / 10) || (x > INT_MAX - context->param *
> 10)) {
> ++return SIXEL_BAD_INTEGER_OVERFLOW;
> ++}
> ++context->param = context->param * 10 + x;
> ++return SIXEL_OK;
> ++}
> ++
> + /* convert sixel data into indexed pixel bytes and palette data */
> + SIXELAPI SIXELSTATUS
> + sixel_decode_raw_impl(
> +@@ -446,7 +457,10 @@ sixel_decode_raw_impl(
> + if (context->param < 0) {
> + context->param = 0;
> + }
> +-context->param = context->param * 10 + *p - '0';
> ++status = safe_addition_for_params(context, p);
> ++if (SIXEL_FAILED(status)) {
> ++goto end;
> ++}
> + p++;
> + break;
> + case ';':
> +@@ -647,7 +661,10 @@ sixel_decode_raw_impl(
> + case '7':
[PATCH] graphics/libsixel security patches
A handful of CVEs were assigned for bugs in libsixel. Heap buffer
overflows and integer overflows.
CVE-2019-19638
CVE-2019-19635
CVE-2019-19636
CVE-2019-19637
A pull request pointing out the issues and patching them was submitted
about 10 days ago. The CVEs were assigned 3 days ago.
https://github.com/saitoha/libsixel/pull/106
There hasn't been a response yet so instead of waiting for a new release
I'm being proactive to get the patches applied to the port of the current
version.
Tim.
Index: Makefile
===
RCS file: /cvs/ports/graphics/libsixel/Makefile,v
retrieving revision 1.5
diff -u -p -r1.5 Makefile
--- Makefile12 Jul 2019 20:47:02 - 1.5
+++ Makefile11 Dec 2019 02:51:09 -
@@ -9,6 +9,8 @@ SHARED_LIBS += sixel 1.0 # 1.6
CATEGORIES = graphics
+REVISION = 0
+
HOMEPAGE = https://github.com/saitoha/libsixel
MAINTAINER = Frederic Cambus
Index: patches/patch-include_sixel_h_in
===
RCS file: patches/patch-include_sixel_h_in
diff -N patches/patch-include_sixel_h_in
--- /dev/null 1 Jan 1970 00:00:00 -
+++ patches/patch-include_sixel_h_in11 Dec 2019 02:51:09 -
@@ -0,0 +1,13 @@
+$OpenBSD$
+
+Index: include/sixel.h.in
+--- include/sixel.h.in.orig
include/sixel.h.in
+@@ -60,6 +60,7 @@ typedef int SIXELSTATUS;
+ #define SIXEL_BAD_ALLOCATION(SIXEL_RUNTIME_ERROR | 0x0001) /* malloc()
failed */
+ #define SIXEL_BAD_ARGUMENT (SIXEL_RUNTIME_ERROR | 0x0002) /* bad
argument detected */
+ #define SIXEL_BAD_INPUT (SIXEL_RUNTIME_ERROR | 0x0003) /* bad input
detected */
++#define SIXEL_BAD_INTEGER_OVERFLOW (SIXEL_RUNTIME_ERROR | 0x0004) /* integer
overflow */
+
+ #define SIXEL_NOT_IMPLEMENTED (SIXEL_FEATURE_ERROR | 0x0001) /* feature
not implemented */
+
Index: patches/patch-src_frompnm_c
===
RCS file: patches/patch-src_frompnm_c
diff -N patches/patch-src_frompnm_c
--- /dev/null 1 Jan 1970 00:00:00 -
+++ patches/patch-src_frompnm_c 11 Dec 2019 02:51:09 -
@@ -0,0 +1,23 @@
+$OpenBSD$
+
+Index: src/frompnm.c
+--- src/frompnm.c.orig
src/frompnm.c
+@@ -166,7 +166,7 @@ load_pnm(unsigned char /* in */ *p,
+ height = 0;
+ for (; *s >= '0' && *s <= '9'; ++s) {
+ height = height * 10 + (*s - '0');
+-if (width > PNM_MAX_WIDTH) {
++if (height > PNM_MAX_HEIGHT) {
+ status = SIXEL_RUNTIME_ERROR;
+ sprintf(
+ message,
+@@ -193,7 +193,7 @@ load_pnm(unsigned char /* in */ *p,
+ for (; *s >= '0' && *s <= '9'; ++s) {
+ deps = deps * 10 + (*s - '0');
+ }
+-if (width > PNM_MAX_WIDTH) {
++if (deps > PNM_MAX_DEPTH) {
+ status = SIXEL_RUNTIME_ERROR;
+ sprintf(
+ message,
Index: patches/patch-src_fromsixel_c
===
RCS file: patches/patch-src_fromsixel_c
diff -N patches/patch-src_fromsixel_c
--- /dev/null 1 Jan 1970 00:00:00 -
+++ patches/patch-src_fromsixel_c 11 Dec 2019 02:51:09 -
@@ -0,0 +1,79 @@
+$OpenBSD$
+
+Index: src/fromsixel.c
+--- src/fromsixel.c.orig
src/fromsixel.c
+@@ -52,6 +52,7 @@
+ #include
+ #include/* isdigit */
+ #include /* memcpy */
++#include
+
+ #if defined(HAVE_INTTYPES_H)
+ # include
+@@ -367,7 +368,17 @@ parser_context_init(parser_context_t *context)
+ return status;
+ }
+
++SIXELSTATUS safe_addition_for_params(parser_context_t *context, unsigned char
*p){
++int x;
+
++x = *p - '0'; /* 0 <= x <= 9 */
++if ((context->param > INT_MAX / 10) || (x > INT_MAX - context->param *
10)) {
++return SIXEL_BAD_INTEGER_OVERFLOW;
++}
++context->param = context->param * 10 + x;
++return SIXEL_OK;
++}
++
+ /* convert sixel data into indexed pixel bytes and palette data */
+ SIXELAPI SIXELSTATUS
+ sixel_decode_raw_impl(
+@@ -446,7 +457,10 @@ sixel_decode_raw_impl(
+ if (context->param < 0) {
+ context->param = 0;
+ }
+-context->param = context->param * 10 + *p - '0';
++status = safe_addition_for_params(context, p);
++if (SIXEL_FAILED(status)) {
++goto end;
++}
+ p++;
+ break;
+ case ';':
+@@ -647,7 +661,10 @@ sixel_decode_raw_impl(
+ case '7':
+ case '8':
+ case '9':
+-context->param = context->param * 10 + *p - '0';
++status = safe_addition_for_params(context, p);
++if (SIXEL_FAILED(status)) {
++goto end;
++}
+ p++;
+ break;
+ case ';':
+@@ -721,7 +738,10 @@ sixel_decode_raw_impl(
+ case '7':
+
