Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
Leo Famulariwrites: > On Sat, Oct 15, 2016 at 02:57:37PM -0400, Kei Kebreau wrote: >> Efraim Flashner writes: >> > On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote: >> >> Leo Famulari writes: >> >> > Debian has a patch to make it use "system" copies of the libraries: >> >> > >> >> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid >> >> > >> >> > For now, our freeimage package is probably vulnerable to many publicly >> >> > disclosed security bugs. >> >> > >> >> > Who volunteers to try fixing this? >> >> >> >> The patch is attached. I've removed the bit from Debian that disables JPEG >> >> transformation functions, as seen below. JPEGTransform.cpp (in >> >> Source/FreeImageToolkit) gave me some trouble when I left that part of >> >> the patch alone. >> >> > I was looking at it and I thought it was going to be much more than 400 >> > lines in the end. >> > >> > Did we also need the other patch? >> > https://sources.debian.net/src/freeimage/3.17.0%2Bds1-3/debian/patches/Use-system-dependencies.patch/ >> > >> > On one hand we could carry a modified version of Debian's patch, on the >> > other hand some of these look like they could be a series of substitute* >> > commands. I started looking through the patch and thinking how to >> > convert them from "../path/to/header.h" to and realizing I >> > myself wouldn't want to do that, so that could easily be an option for >> > another time :). >> >> Looking at its contents, adding that patch would make a lot of sense. :-) > > Yes, I think we need to use both patches. Will you submit an updated > version of your patch? I intend to. The updated patch requires a JPEG XR library to be packaged (and maybe others), but I am having some trouble getting a source URL from CodePlex. signature.asc Description: PGP signature
Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
On Sat, Oct 15, 2016 at 02:57:37PM -0400, Kei Kebreau wrote: > Efraim Flashnerwrites: > > On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote: > >> Leo Famulari writes: > >> > Debian has a patch to make it use "system" copies of the libraries: > >> > > >> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid > >> > > >> > For now, our freeimage package is probably vulnerable to many publicly > >> > disclosed security bugs. > >> > > >> > Who volunteers to try fixing this? > >> > >> The patch is attached. I've removed the bit from Debian that disables JPEG > >> transformation functions, as seen below. JPEGTransform.cpp (in > >> Source/FreeImageToolkit) gave me some trouble when I left that part of > >> the patch alone. > > > I was looking at it and I thought it was going to be much more than 400 > > lines in the end. > > > > Did we also need the other patch? > > https://sources.debian.net/src/freeimage/3.17.0%2Bds1-3/debian/patches/Use-system-dependencies.patch/ > > > > On one hand we could carry a modified version of Debian's patch, on the > > other hand some of these look like they could be a series of substitute* > > commands. I started looking through the patch and thinking how to > > convert them from "../path/to/header.h" to and realizing I > > myself wouldn't want to do that, so that could easily be an option for > > another time :). > > Looking at its contents, adding that patch would make a lot of sense. :-) Yes, I think we need to use both patches. Will you submit an updated version of your patch? signature.asc Description: PGP signature
Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
Efraim Flashnerwrites: > On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote: >> Leo Famulari writes: >> >> > On Fri, Oct 14, 2016 at 10:44:05AM +, Efraim Flashner wrote: >> >> efraim pushed a commit to branch master >> >> in repository guix. >> >> >> >> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134 >> >> Author: Efraim Flashner >> >> Date: Fri Oct 14 11:28:21 2016 +0300 >> >> >> >> gnu: freeimage: Fix CVE-2016-5684. >> >> >> >> * gnu/packages/image.scm (freeimage)[source]: Add patch. >> >> * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file. >> >> * gnu/local.mk (dist_patch_DATA): Register it. >> >> --- >> >> gnu/local.mk |1 + >> >> gnu/packages/image.scm |3 +- >> >> gnu/packages/patches/freeimage-CVE-2016-5684.patch | 34 >> >> >> >> 3 files changed, 37 insertions(+), 1 deletion(-) >> > >> > Efraim pointed out on IRC that our freeimage packages bundles many >> > 3rd-party libraries: >> > >> > $ ls -1 FreeImage/Source >> > CacheFile.h >> > DeprecationManager >> > FreeImage >> > FreeImage.h >> > FreeImageIO.h >> > FreeImageLib >> > FreeImageToolkit >> > LibJPEG >> > LibJXR >> > LibOpenJPEG >> > LibPNG >> > LibRawLite >> > LibTIFF4 >> > LibWebP >> > MapIntrospector.h >> > Metadata >> > OpenEXR >> > Plugin.h >> > Quantizers.h >> > ToneMapping.h >> > Utilities.h >> > ZLib >> > >> > Debian has a patch to make it use "system" copies of the libraries: >> > >> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid >> > >> > For now, our freeimage package is probably vulnerable to many publicly >> > disclosed security bugs. >> > >> > Who volunteers to try fixing this? >> >> The patch is attached. I've removed the bit from Debian that disables JPEG >> transformation functions, as seen below. JPEGTransform.cpp (in >> Source/FreeImageToolkit) gave me some trouble when I left that part of >> the patch alone. >> >> @@ -473,6 +477,9 @@ FI_ENUM(FREE_IMAGE_DITHER) { >> FID_BAYER16x16 = 6 //! Bayer ordered dispersed dot >> dithering (order 4 dithering matrix) >> }; >> >> +/* Debian: The JPEGTransform functions are deliberately disabled in our >> build >> + of FreeImage, since they require usage of the vendored copy of libjpeg. >> */ >> +#if 0 >> /** Lossless JPEG transformations >> Constants used in FreeImage_JPEGTransform >> */ >> @@ -486,6 +493,7 @@ FI_ENUM(FREE_IMAGE_JPEG_OPERATION) { >> FIJPEG_OP_ROTATE_180= 6,//! 180-degree rotation >> FIJPEG_OP_ROTATE_270= 7 //! 270-degree clockwise (or 90 >> ccw) >> }; >> +#endif >> >> /** Tone mapping operators. >> Constants used in FreeImage_ToneMapping. >> @@ -1076,7 +1084,9 @@ DLL_API const char* DLL_CALLCONV >> FreeImage_TagToString(FREE_IMAGE_MDMODEL model, >> // >> -- >> // JPEG lossless transformation routines >> // >> -- >> - >> +/* Debian: The JPEGTransform functions are deliberately disabled in our >> build >> + of FreeImage, since they require usage of the vendored copy of libjpeg. >> */ >> +#if 0 >> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransform(const char *src_file, >> const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect >> FI_DEFAULT(TRUE)); >> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformU(const wchar_t *src_file, >> const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect >> FI_DEFAULT(TRUE)); >> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGCrop(const char *src_file, const >> char *dst_file, int left, int top, int right, int bottom); >> @@ -1085,6 +1095,7 @@ DLL_API BOOL DLL_CALLCONV >> FreeImage_JPEGTransformFromHandle(FreeImageIO* src_io, >> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombined(const char >> *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* >> left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE)); >> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedU(const wchar_t >> *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, >> int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE)); >> DLL_API BOOL DLL_CALLCONV >> FreeImage_JPEGTransformCombinedFromMemory(FIMEMORY* src_stream, FIMEMORY* >> dst_stream, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* >> right, int* bottom, BOOL perfect FI_DEFAULT(TRUE)); >> +#endif > >> From 4ef0c85c769aa4bc7a528c13eee1c61705e61479 Mon Sep 17 00:00:00 2001 >> From: Kei Kebreau >> Date: Fri, 14 Oct 2016 18:09:45 -0400 >> Subject: [PATCH] gnu: freeimage: Disable in-tree third-party libraries. >> >> *
Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote: > Leo Famulariwrites: > > > On Fri, Oct 14, 2016 at 10:44:05AM +, Efraim Flashner wrote: > >> efraim pushed a commit to branch master > >> in repository guix. > >> > >> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134 > >> Author: Efraim Flashner > >> Date: Fri Oct 14 11:28:21 2016 +0300 > >> > >> gnu: freeimage: Fix CVE-2016-5684. > >> > >> * gnu/packages/image.scm (freeimage)[source]: Add patch. > >> * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file. > >> * gnu/local.mk (dist_patch_DATA): Register it. > >> --- > >> gnu/local.mk |1 + > >> gnu/packages/image.scm |3 +- > >> gnu/packages/patches/freeimage-CVE-2016-5684.patch | 34 > >> > >> 3 files changed, 37 insertions(+), 1 deletion(-) > > > > Efraim pointed out on IRC that our freeimage packages bundles many > > 3rd-party libraries: > > > > $ ls -1 FreeImage/Source > > CacheFile.h > > DeprecationManager > > FreeImage > > FreeImage.h > > FreeImageIO.h > > FreeImageLib > > FreeImageToolkit > > LibJPEG > > LibJXR > > LibOpenJPEG > > LibPNG > > LibRawLite > > LibTIFF4 > > LibWebP > > MapIntrospector.h > > Metadata > > OpenEXR > > Plugin.h > > Quantizers.h > > ToneMapping.h > > Utilities.h > > ZLib > > > > Debian has a patch to make it use "system" copies of the libraries: > > > > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid > > > > For now, our freeimage package is probably vulnerable to many publicly > > disclosed security bugs. > > > > Who volunteers to try fixing this? > > The patch is attached. I've removed the bit from Debian that disables JPEG > transformation functions, as seen below. JPEGTransform.cpp (in > Source/FreeImageToolkit) gave me some trouble when I left that part of > the patch alone. > > @@ -473,6 +477,9 @@ FI_ENUM(FREE_IMAGE_DITHER) { > FID_BAYER16x16 = 6 //! Bayer ordered dispersed dot > dithering (order 4 dithering matrix) > }; > > +/* Debian: The JPEGTransform functions are deliberately disabled in our build > + of FreeImage, since they require usage of the vendored copy of libjpeg. */ > +#if 0 > /** Lossless JPEG transformations > Constants used in FreeImage_JPEGTransform > */ > @@ -486,6 +493,7 @@ FI_ENUM(FREE_IMAGE_JPEG_OPERATION) { > FIJPEG_OP_ROTATE_180= 6,//! 180-degree rotation > FIJPEG_OP_ROTATE_270= 7 //! 270-degree clockwise (or 90 > ccw) > }; > +#endif > > /** Tone mapping operators. > Constants used in FreeImage_ToneMapping. > @@ -1076,7 +1084,9 @@ DLL_API const char* DLL_CALLCONV > FreeImage_TagToString(FREE_IMAGE_MDMODEL model, > // -- > // JPEG lossless transformation routines > // -- > - > +/* Debian: The JPEGTransform functions are deliberately disabled in our build > + of FreeImage, since they require usage of the vendored copy of libjpeg. */ > +#if 0 > DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransform(const char *src_file, > const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect > FI_DEFAULT(TRUE)); > DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformU(const wchar_t *src_file, > const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect > FI_DEFAULT(TRUE)); > DLL_API BOOL DLL_CALLCONV FreeImage_JPEGCrop(const char *src_file, const > char *dst_file, int left, int top, int right, int bottom); > @@ -1085,6 +1095,7 @@ DLL_API BOOL DLL_CALLCONV > FreeImage_JPEGTransformFromHandle(FreeImageIO* src_io, > DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombined(const char > *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* > left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE)); > DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedU(const wchar_t > *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* > left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE)); > DLL_API BOOL DLL_CALLCONV > FreeImage_JPEGTransformCombinedFromMemory(FIMEMORY* src_stream, FIMEMORY* > dst_stream, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* > right, int* bottom, BOOL perfect FI_DEFAULT(TRUE)); > +#endif > From 4ef0c85c769aa4bc7a528c13eee1c61705e61479 Mon Sep 17 00:00:00 2001 > From: Kei Kebreau > Date: Fri, 14 Oct 2016 18:09:45 -0400 > Subject: [PATCH] gnu: freeimage: Disable in-tree third-party libraries. > > * gnu/packages/image.scm (freeimage)[source]: Add patch. > * gnu/packages/patches/freeimage-disable-vendored-dependencies.patch: New > file. > * gnu/local.mk (dist_patch_DATA): Register it. > --- >
Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
Leo Famulariwrites: > On Fri, Oct 14, 2016 at 10:44:05AM +, Efraim Flashner wrote: >> efraim pushed a commit to branch master >> in repository guix. >> >> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134 >> Author: Efraim Flashner >> Date: Fri Oct 14 11:28:21 2016 +0300 >> >> gnu: freeimage: Fix CVE-2016-5684. >> >> * gnu/packages/image.scm (freeimage)[source]: Add patch. >> * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file. >> * gnu/local.mk (dist_patch_DATA): Register it. >> --- >> gnu/local.mk |1 + >> gnu/packages/image.scm |3 +- >> gnu/packages/patches/freeimage-CVE-2016-5684.patch | 34 >> >> 3 files changed, 37 insertions(+), 1 deletion(-) > > Efraim pointed out on IRC that our freeimage packages bundles many > 3rd-party libraries: > > $ ls -1 FreeImage/Source > CacheFile.h > DeprecationManager > FreeImage > FreeImage.h > FreeImageIO.h > FreeImageLib > FreeImageToolkit > LibJPEG > LibJXR > LibOpenJPEG > LibPNG > LibRawLite > LibTIFF4 > LibWebP > MapIntrospector.h > Metadata > OpenEXR > Plugin.h > Quantizers.h > ToneMapping.h > Utilities.h > ZLib > > Debian has a patch to make it use "system" copies of the libraries: > > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid > > For now, our freeimage package is probably vulnerable to many publicly > disclosed security bugs. > > Who volunteers to try fixing this? The patch is attached. I've removed the bit from Debian that disables JPEG transformation functions, as seen below. JPEGTransform.cpp (in Source/FreeImageToolkit) gave me some trouble when I left that part of the patch alone. @@ -473,6 +477,9 @@ FI_ENUM(FREE_IMAGE_DITHER) { FID_BAYER16x16 = 6 //! Bayer ordered dispersed dot dithering (order 4 dithering matrix) }; +/* Debian: The JPEGTransform functions are deliberately disabled in our build + of FreeImage, since they require usage of the vendored copy of libjpeg. */ +#if 0 /** Lossless JPEG transformations Constants used in FreeImage_JPEGTransform */ @@ -486,6 +493,7 @@ FI_ENUM(FREE_IMAGE_JPEG_OPERATION) { FIJPEG_OP_ROTATE_180= 6,//! 180-degree rotation FIJPEG_OP_ROTATE_270= 7 //! 270-degree clockwise (or 90 ccw) }; +#endif /** Tone mapping operators. Constants used in FreeImage_ToneMapping. @@ -1076,7 +1084,9 @@ DLL_API const char* DLL_CALLCONV FreeImage_TagToString(FREE_IMAGE_MDMODEL model, // -- // JPEG lossless transformation routines // -- - +/* Debian: The JPEGTransform functions are deliberately disabled in our build + of FreeImage, since they require usage of the vendored copy of libjpeg. */ +#if 0 DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransform(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE)); DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE)); DLL_API BOOL DLL_CALLCONV FreeImage_JPEGCrop(const char *src_file, const char *dst_file, int left, int top, int right, int bottom); @@ -1085,6 +1095,7 @@ DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformFromHandle(FreeImageIO* src_io, DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombined(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE)); DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE)); DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedFromMemory(FIMEMORY* src_stream, FIMEMORY* dst_stream, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE)); +#endif From 4ef0c85c769aa4bc7a528c13eee1c61705e61479 Mon Sep 17 00:00:00 2001 From: Kei Kebreau Date: Fri, 14 Oct 2016 18:09:45 -0400 Subject: [PATCH] gnu: freeimage: Disable in-tree third-party libraries. * gnu/packages/image.scm (freeimage)[source]: Add patch. * gnu/packages/patches/freeimage-disable-vendored-dependencies.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 1 + gnu/packages/image.scm | 6 +- .../freeimage-disable-vendored-dependencies.patch | 398 + 3 files changed, 404 insertions(+), 1 deletion(-) create mode 100644
Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
On Fri, Oct 14, 2016 at 10:44:05AM +, Efraim Flashner wrote: > efraim pushed a commit to branch master > in repository guix. > > commit 76e8566c1b3c4876d649e712a5c8c473fd48d134 > Author: Efraim Flashner> Date: Fri Oct 14 11:28:21 2016 +0300 > > gnu: freeimage: Fix CVE-2016-5684. > > * gnu/packages/image.scm (freeimage)[source]: Add patch. > * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file. > * gnu/local.mk (dist_patch_DATA): Register it. > --- > gnu/local.mk |1 + > gnu/packages/image.scm |3 +- > gnu/packages/patches/freeimage-CVE-2016-5684.patch | 34 > > 3 files changed, 37 insertions(+), 1 deletion(-) Efraim pointed out on IRC that our freeimage packages bundles many 3rd-party libraries: $ ls -1 FreeImage/Source CacheFile.h DeprecationManager FreeImage FreeImage.h FreeImageIO.h FreeImageLib FreeImageToolkit LibJPEG LibJXR LibOpenJPEG LibPNG LibRawLite LibTIFF4 LibWebP MapIntrospector.h Metadata OpenEXR Plugin.h Quantizers.h ToneMapping.h Utilities.h ZLib Debian has a patch to make it use "system" copies of the libraries: https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid For now, our freeimage package is probably vulnerable to many publicly disclosed security bugs. Who volunteers to try fixing this?