Date: Saturday, December 16, 2017 @ 19:50:06 Author: heftig Revision: 312973
1.4.1+6+gf08c25d-1 Added: colord/trunk/0001-Make-cd_color_get_blackbody_rgb_full-safer.patch colord/trunk/0002-Avoid-buffer-overflow-when-reading-profile_id.patch Modified: colord/trunk/PKGBUILD Deleted: colord/trunk/colord.install ----------------------------------------------------------+ 0001-Make-cd_color_get_blackbody_rgb_full-safer.patch | 74 +++++++++++++ 0002-Avoid-buffer-overflow-when-reading-profile_id.patch | 62 ++++++++++ PKGBUILD | 31 ++--- colord.install | 8 - 4 files changed, 152 insertions(+), 23 deletions(-) Added: 0001-Make-cd_color_get_blackbody_rgb_full-safer.patch =================================================================== --- 0001-Make-cd_color_get_blackbody_rgb_full-safer.patch (rev 0) +++ 0001-Make-cd_color_get_blackbody_rgb_full-safer.patch 2017-12-16 19:50:06 UTC (rev 312973) 
@@ -0,0 +1,74 @@ +From 264981ddfd1984b25c629d8e3ef6cf25c70cc61a Mon Sep 17 00:00:00 2001 +Message-Id: <264981ddfd1984b25c629d8e3ef6cf25c70cc61a.1513453349.git.jan.steff...@gmail.com> +From: "Jan Alexander Steffens (heftig)" <jan.steff...@gmail.com> +Date: Sat, 16 Dec 2017 04:18:01 +0100 +Subject: [PATCH 1/2] Make cd_color_get_blackbody_rgb_full safer + +Validate arguments. If temp is divisible by 100, avoid interpolation +because it accesses beyond the data for temp == 10000. +--- + lib/colord/cd-color.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +diff --git a/lib/colord/cd-color.c b/lib/colord/cd-color.c +index 6062595187616846..3907a7349c1351ba 100644 +--- a/lib/colord/cd-color.c ++++ b/lib/colord/cd-color.c +@@ -29,6 +29,7 @@ + #include "config.h" + + #include <math.h> ++#include <stdlib.h> + #include <glib-object.h> + #include <lcms2.h> + +@@ -1444,33 +1445,38 @@ cd_color_get_blackbody_rgb_full (gdouble temp, + CdColorBlackbodyFlags flags) + { + gboolean ret = TRUE; +- gdouble alpha; +- gint temp_index; ++ div_t temp_int; + const CdColorRGB *blackbody_func = blackbody_data_d65modified; + ++ g_return_val_if_fail (!isnan (temp), FALSE); ++ g_return_val_if_fail (result != NULL, FALSE); ++ + /* use modified curve */ + if (flags & CD_COLOR_BLACKBODY_FLAG_USE_PLANCKIAN) + blackbody_func = blackbody_data_d65plankian; + + /* check lower bound */ + if (temp < 1000) { + ret = FALSE; + temp = 1000; + } + + /* check upper bound */ + if (temp > 10000) { + ret = FALSE; + temp = 10000; + } + + /* bilinear interpolate the blackbody data */ +- alpha = ((guint) temp % 100) / 100.0; +- temp_index = ((guint) temp - 1000) / 100; +- cd_color_rgb_interpolate (&blackbody_func[temp_index], +- &blackbody_func[temp_index + 1], +- alpha, +- result); ++ temp_int = div (temp, 100); ++ if (temp_int.rem == 0) ++ *result = blackbody_func[temp_int.quot - 10]; ++ else ++ cd_color_rgb_interpolate (&blackbody_func[temp_int.quot - 10], ++ 
&blackbody_func[temp_int.quot - 9], ++ temp_int.rem / 100.0, ++ result); ++ + return ret; + } + +-- +2.15.1 + Added: 0002-Avoid-buffer-overflow-when-reading-profile_id.patch =================================================================== --- 0002-Avoid-buffer-overflow-when-reading-profile_id.patch (rev 0) +++ 0002-Avoid-buffer-overflow-when-reading-profile_id.patch 2017-12-16 19:50:06 UTC (rev 312973) 
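Review bot: `temp_int = div (temp, 100);` converts the gdouble `temp` to int implicitly; after the two clamps the value lies in 1000..10000 so the truncation is well defined, but an explicit `temp_int = div ((int) temp, 100);` records that discarding the fraction is intentional and keeps -Wconversion quiet. The bounds reasoning for `quot - 10` and `quot - 9` rests on the table holding one entry per 100 K from 1000 K to 10000 K, which is not visible in this hunk; a comment above the index arithmetic, `/* one table entry per 100 K from 1000 K to 10000 K: after clamping quot - 10 is 0..90, and quot - 9 is only reached when rem != 0, i.e. quot <= 99 */`, makes that checkable by the next reader. The `result` parameter being validated is on the signature line outside the hunk.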
@@ -0,0 +1,62 @@ +From 1b9d7f1c7e32c831157868b536bfaf4ce436c1ee Mon Sep 17 00:00:00 2001 +Message-Id: <1b9d7f1c7e32c831157868b536bfaf4ce436c1ee.1513453349.git.jan.steff...@gmail.com> +In-Reply-To: <264981ddfd1984b25c629d8e3ef6cf25c70cc61a.1513453349.git.jan.steff...@gmail.com> +References: <264981ddfd1984b25c629d8e3ef6cf25c70cc61a.1513453349.git.jan.steff...@gmail.com> +From: "Jan Alexander Steffens (heftig)" <jan.steff...@gmail.com> +Date: Sat, 16 Dec 2017 20:40:51 +0100 +Subject: [PATCH 2/2] Avoid buffer overflow when reading profile_id + +The profile ID is 16 bytes, not 4 bytes. Use the union type specified by +the LCMS API. +--- + lib/colord/cd-icc.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/lib/colord/cd-icc.c b/lib/colord/cd-icc.c +index 99fa27b2988b26d0..8b7841fdd66de3f6 100644 +--- a/lib/colord/cd-icc.c ++++ b/lib/colord/cd-icc.c +@@ -227,20 +227,20 @@ gchar * + cd_icc_to_string (CdIcc *icc) + { + CdIccPrivate *priv = GET_PRIVATE (icc); ++ cmsProfileID profile_id; + cmsInt32Number tag_size; + cmsTagSignature sig; + cmsTagSignature sig_link; + cmsTagTypeSignature tag_type; + gboolean ret; + gchar tag_str[5] = " "; + GDateTime *created; + GError *error_local = NULL; + GString *str; + guint32 i; + guint32 number_tags; + guint32 tmp; + guint64 header_flags; +- guint8 profile_id[4]; + + g_return_val_if_fail (CD_IS_ICC (icc), NULL); + +@@ -335,12 +335,12 @@ cd_icc_to_string (CdIcc *icc) + g_string_append_printf (str, " Creator\t= %s\n", tag_str); + + /* profile ID */ +- cmsGetHeaderProfileID (priv->lcms_profile, profile_id); +- g_string_append_printf (str, " Profile ID\t= 0x%02x%02x%02x%02x\n", +- profile_id[0], +- profile_id[1], +- profile_id[2], +- profile_id[3]); ++ cmsGetHeaderProfileID (priv->lcms_profile, profile_id.ID8); ++ g_string_append_printf (str, " Profile ID\t= %08x%08x%08x%08x\n", ++ profile_id.ID32[0], ++ profile_id.ID32[1], ++ profile_id.ID32[2], ++ profile_id.ID32[3]); + + /* print tags */ + 
g_string_append (str, "\n"); +-- +2.15.1 + Modified: PKGBUILD =================================================================== --- PKGBUILD 2017-12-16 19:44:13 UTC (rev 312972) +++ PKGBUILD 2017-12-16 19:50:06 UTC (rev 312973) @@ -3,7 +3,7 @@ # Contributor: Ionut Biru <ib...@archlinux.org> pkgname=colord -pkgver=1.4.1 +pkgver=1.4.1+6+gf08c25d pkgrel=1 pkgdesc="System daemon for managing color devices" arch=(x86_64) @@ -15,10 +15,14 @@ optdepends=('sane: scanner support' 'argyllcms: color profiling') replaces=(shared-color-profiles) -install=colord.install -_commit=ef560710602ce590e72f8412cb200f68d6e3e153 # tags/1.4.1^0 -source=("git+https://github.com/hughsie/colord#commit=$_commit") -sha1sums=('SKIP') +options=(!emptydirs) +_commit=f08c25ddd93ad3fa691172119a038465cd178420 # master +source=("git+https://github.com/hughsie/colord#commit=$_commit" + 0001-Make-cd_color_get_blackbody_rgb_full-safer.patch + 0002-Avoid-buffer-overflow-when-reading-profile_id.patch) +sha256sums=('SKIP' + 'b804aa00631040fff7032af12c2c92c1b6de42b7adfd8d05671257071ef348ce' + 'db50941a8f35f819123f4dac55269acf6e1916287c69087e69d506499c0ee974') validpgpkeys=('163EB50119225DB3DF8F49EA17ACBA8DFA970E17') pkgver() { @@ -27,20 +31,19 @@ } prepare() { - mkdir build cd $pkgname + patch -Np1 -i ../0001-Make-cd_color_get_blackbody_rgb_full-safer.patch + patch -Np1 -i ../0002-Avoid-buffer-overflow-when-reading-profile_id.patch } build() { - cd build - meson setup --prefix=/usr --buildtype=release ../$pkgname \ - --localstatedir=/var --libexecdir=/usr/lib/$pkgname \ + arch-meson $pkgname build \ -Denable-libcolordcompat=true \ -Denable-sane=true \ -Denable-vala=true \ -Denable-print-profiles=true \ -Dwith-daemon-user=colord - ninja + ninja -C build } check() { 
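Review bot: The new `%08x` output of `profile_id.ID32[0..3]` depends on host byte order, so the same profile prints a different ID on little-endian and big-endian hosts (each 4-byte group is byte-swapped relative to the 16 bytes lcms read from the header), and the `0x` prefix the old format carried is dropped, which changes the text for anything that parses it. Rendering the 16 `ID8` bytes with `%02x` gives a stable hex string regardless of host endianness; `i` is already declared in the function, but confirm the tag loop after this hunk re-initialises it before reuse. cd_icc_to_string continues past this hunk.
```c
	cmsGetHeaderProfileID (priv->lcms_profile, profile_id.ID8);
	g_string_append (str, "  Profile ID\t= ");
	for (i = 0; i < G_N_ELEMENTS (profile_id.ID8); i++)
		g_string_append_printf (str, "%02x", profile_id.ID8[i]);
	g_string_append (str, "\n");
	/* … unchanged: tag printing … */
```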
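Review bot: `_commit=… # master` replaces the 1.4.1 tag with an untagged master snapshot, and the bare `# master` comment does not say which post-1.4.1 changes the snapshot is taken for or when the package should return to tagged releases. Expand the comment to state the reason in the packager's words, e.g. `_commit=… # master: <reason for tracking an untagged commit>`. `sha256sums=('SKIP' …)` for the git source is acceptable here because the full commit hash pins the checkout; the two local patches are hashed.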
@@ -49,11 +52,9 @@ } package() { - cd build - DESTDIR="$pkgdir" ninja install - - # the build system has no colord user, so the chown fails - chown -R 124:124 "$pkgdir/var/lib/colord" + DESTDIR="$pkgdir" ninja -C build install + echo 'u colord - "Color management daemon" /var/lib/colord' | + install -Dm644 /dev/stdin "$pkgdir/usr/lib/sysusers.d/$pkgname.conf" } # vim:set ts=2 sw=2 et: Deleted: colord.install =================================================================== --- colord.install 2017-12-16 19:44:13 UTC (rev 312972) +++ colord.install 2017-12-16 19:50:06 UTC (rev 312973) @@ -1,8 +0,0 @@ -post_install() { - getent group colord >/dev/null || groupadd -g 124 colord - getent passwd colord >/dev/null || useradd -d /var/lib/colord -u 124 -g colord -s /bin/false colord -} - -post_upgrade() { - post_install -}
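Review bot: The old `chown -R 124:124 "$pkgdir/var/lib/colord"` is dropped, but nothing in the new package() gives the colord user ownership of /var/lib/colord: a sysusers.d entry creates the user and records the home directory, it does not create or chown it, and the `options=(!emptydirs)` added in the earlier hunk means an empty /var/lib/colord produced by the build will not ship in the package at all. Unless the service unit or an upstream tmpfiles entry (not visible here) provides the directory, the daemon will start without a writable state directory. A tmpfiles.d entry next to the sysusers one covers it: `echo 'd /var/lib/colord 0755 colord colord -' | install -Dm644 /dev/stdin "$pkgdir/usr/lib/tmpfiles.d/$pkgname.conf"`.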