Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]

2016-10-15 Thread Kei Kebreau 
Leo Famulari  writes:

> On Sat, Oct 15, 2016 at 02:57:37PM -0400, Kei Kebreau wrote:
>> Efraim Flashner  writes:
>> > On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote:
>> >> Leo Famulari  writes:
>> >> > Debian has a patch to make it use "system" copies of the libraries:
>> >> >
>> >> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
>> >> >
>> >> > For now, our freeimage package is probably vulnerable to many publicly
>> >> > disclosed security bugs.
>> >> >
>> >> > Who volunteers to try fixing this?
>> >> 
>> >> The patch is attached. I've removed the bit from Debian that disables JPEG
>> >> transformation functions, as seen below. JPEGTransform.cpp (in
>> >> Source/FreeImageToolkit) gave me some trouble when I left that part of
>> >> the patch alone.
>>
>> > I was looking at it and I thought it was going to be much more than 400
>> > lines in the end.
>> >
>> > Did we also need the other patch?
>> > https://sources.debian.net/src/freeimage/3.17.0%2Bds1-3/debian/patches/Use-system-dependencies.patch/
>> >
>> > On one hand we could carry a modified version of Debian's patch, on the
>> > other hand some of these look like they could be a series of substitute*
>> > commands. I started looking through the patch and thinking how to
>> > convert them from "../path/to/header.h" to  and realizing I
>> > myself wouldn't want to do that, so that could easily be an option for
>> > another time :).
>> 
>> Looking at its contents, adding that patch would make a lot of sense. :-)
>
> Yes, I think we need to use both patches. Will you submit an updated
> version of your patch?

I intend to. The updated patch requires a JPEG XR library to be packaged
(and maybe others), but I am having some trouble getting a source URL
from CodePlex.


signature.asc
Description: PGP signature

Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]

2016-10-15 Thread Leo Famulari 
On Sat, Oct 15, 2016 at 02:57:37PM -0400, Kei Kebreau wrote:
> Efraim Flashner  writes:
> > On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote:
> >> Leo Famulari  writes:
> >> > Debian has a patch to make it use "system" copies of the libraries:
> >> >
> >> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
> >> >
> >> > For now, our freeimage package is probably vulnerable to many publicly
> >> > disclosed security bugs.
> >> >
> >> > Who volunteers to try fixing this?
> >> 
> >> The patch is attached. I've removed the bit from Debian that disables JPEG
> >> transformation functions, as seen below. JPEGTransform.cpp (in
> >> Source/FreeImageToolkit) gave me some trouble when I left that part of
> >> the patch alone.
>
> > I was looking at it and I thought it was going to be much more than 400
> > lines in the end.
> >
> > Did we also need the other patch?
> > https://sources.debian.net/src/freeimage/3.17.0%2Bds1-3/debian/patches/Use-system-dependencies.patch/
> >
> > On one hand we could carry a modified version of Debian's patch, on the
> > other hand some of these look like they could be a series of substitute*
> > commands. I started looking through the patch and thinking how to
> > convert them from "../path/to/header.h" to  and realizing I
> > myself wouldn't want to do that, so that could easily be an option for
> > another time :).
> 
> Looking at its contents, adding that patch would make a lot of sense. :-)

Yes, I think we need to use both patches. Will you submit an updated
version of your patch?


signature.asc
Description: PGP signature

Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]

2016-10-15 Thread Kei Kebreau 
Efraim Flashner  writes:

> On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote:
>> Leo Famulari  writes:
>> 
>> > On Fri, Oct 14, 2016 at 10:44:05AM +, Efraim Flashner wrote:
>> >> efraim pushed a commit to branch master
>> >> in repository guix.
>> >> 
>> >> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134
>> >> Author: Efraim Flashner 
>> >> Date:   Fri Oct 14 11:28:21 2016 +0300
>> >> 
>> >> gnu: freeimage: Fix CVE-2016-5684.
>> >> 
>> >> * gnu/packages/image.scm (freeimage)[source]: Add patch.
>> >> * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file.
>> >> * gnu/local.mk (dist_patch_DATA): Register it.
>> >> ---
>> >>  gnu/local.mk   |1 +
>> >>  gnu/packages/image.scm |3 +-
>> >>  gnu/packages/patches/freeimage-CVE-2016-5684.patch |   34 
>> >> 
>> >>  3 files changed, 37 insertions(+), 1 deletion(-)
>> >
>> > Efraim pointed out on IRC that our freeimage packages bundles many
>> > 3rd-party libraries:
>> >
>> > $ ls -1 FreeImage/Source
>> > CacheFile.h
>> > DeprecationManager
>> > FreeImage
>> > FreeImage.h
>> > FreeImageIO.h
>> > FreeImageLib
>> > FreeImageToolkit
>> > LibJPEG
>> > LibJXR
>> > LibOpenJPEG
>> > LibPNG
>> > LibRawLite
>> > LibTIFF4
>> > LibWebP
>> > MapIntrospector.h
>> > Metadata
>> > OpenEXR
>> > Plugin.h
>> > Quantizers.h
>> > ToneMapping.h
>> > Utilities.h
>> > ZLib
>> >
>> > Debian has a patch to make it use "system" copies of the libraries:
>> >
>> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
>> >
>> > For now, our freeimage package is probably vulnerable to many publicly
>> > disclosed security bugs.
>> >
>> > Who volunteers to try fixing this?
>> 
>> The patch is attached. I've removed the bit from Debian that disables JPEG
>> transformation functions, as seen below. JPEGTransform.cpp (in
>> Source/FreeImageToolkit) gave me some trouble when I left that part of
>> the patch alone.
>> 
>> @@ -473,6 +477,9 @@ FI_ENUM(FREE_IMAGE_DITHER) {
>>  FID_BAYER16x16  = 6 //! Bayer ordered dispersed dot 
>> dithering (order 4 dithering matrix)
>>  };
>>  
>> +/* Debian: The JPEGTransform functions are deliberately disabled in our 
>> build
>> +   of FreeImage, since they require usage of the vendored copy of libjpeg. 
>> */
>> +#if 0
>>  /** Lossless JPEG transformations
>>  Constants used in FreeImage_JPEGTransform
>>  */
>> @@ -486,6 +493,7 @@ FI_ENUM(FREE_IMAGE_JPEG_OPERATION) {
>>  FIJPEG_OP_ROTATE_180= 6,//! 180-degree rotation
>>  FIJPEG_OP_ROTATE_270= 7 //! 270-degree clockwise (or 90 
>> ccw)
>>  };
>> +#endif
>>  
>>  /** Tone mapping operators.
>>  Constants used in FreeImage_ToneMapping.
>> @@ -1076,7 +1084,9 @@ DLL_API const char* DLL_CALLCONV 
>> FreeImage_TagToString(FREE_IMAGE_MDMODEL model,
>>  // 
>> --
>>  // JPEG lossless transformation routines
>>  // 
>> --
>> -
>> +/* Debian: The JPEGTransform functions are deliberately disabled in our 
>> build
>> +   of FreeImage, since they require usage of the vendored copy of libjpeg. 
>> */
>> +#if 0
>>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransform(const char *src_file, 
>> const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect 
>> FI_DEFAULT(TRUE));
>>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformU(const wchar_t *src_file, 
>> const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect 
>> FI_DEFAULT(TRUE));
>>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGCrop(const char *src_file, const 
>> char *dst_file, int left, int top, int right, int bottom);
>> @@ -1085,6 +1095,7 @@ DLL_API BOOL DLL_CALLCONV 
>> FreeImage_JPEGTransformFromHandle(FreeImageIO* src_io,
>>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombined(const char 
>> *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* 
>> left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
>>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedU(const wchar_t 
>> *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, 
>> int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
>>  DLL_API BOOL DLL_CALLCONV 
>> FreeImage_JPEGTransformCombinedFromMemory(FIMEMORY* src_stream, FIMEMORY* 
>> dst_stream, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* 
>> right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
>> +#endif
>
>> From 4ef0c85c769aa4bc7a528c13eee1c61705e61479 Mon Sep 17 00:00:00 2001
>> From: Kei Kebreau 
>> Date: Fri, 14 Oct 2016 18:09:45 -0400
>> Subject: [PATCH] gnu: freeimage: Disable in-tree third-party libraries.
>> 
>> *

Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]

2016-10-15 Thread Efraim Flashner 
On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote:
> Leo Famulari  writes:
> 
> > On Fri, Oct 14, 2016 at 10:44:05AM +, Efraim Flashner wrote:
> >> efraim pushed a commit to branch master
> >> in repository guix.
> >> 
> >> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134
> >> Author: Efraim Flashner 
> >> Date:   Fri Oct 14 11:28:21 2016 +0300
> >> 
> >> gnu: freeimage: Fix CVE-2016-5684.
> >> 
> >> * gnu/packages/image.scm (freeimage)[source]: Add patch.
> >> * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file.
> >> * gnu/local.mk (dist_patch_DATA): Register it.
> >> ---
> >>  gnu/local.mk   |1 +
> >>  gnu/packages/image.scm |3 +-
> >>  gnu/packages/patches/freeimage-CVE-2016-5684.patch |   34 
> >> 
> >>  3 files changed, 37 insertions(+), 1 deletion(-)
> >
> > Efraim pointed out on IRC that our freeimage packages bundles many
> > 3rd-party libraries:
> >
> > $ ls -1 FreeImage/Source
> > CacheFile.h
> > DeprecationManager
> > FreeImage
> > FreeImage.h
> > FreeImageIO.h
> > FreeImageLib
> > FreeImageToolkit
> > LibJPEG
> > LibJXR
> > LibOpenJPEG
> > LibPNG
> > LibRawLite
> > LibTIFF4
> > LibWebP
> > MapIntrospector.h
> > Metadata
> > OpenEXR
> > Plugin.h
> > Quantizers.h
> > ToneMapping.h
> > Utilities.h
> > ZLib
> >
> > Debian has a patch to make it use "system" copies of the libraries:
> >
> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
> >
> > For now, our freeimage package is probably vulnerable to many publicly
> > disclosed security bugs.
> >
> > Who volunteers to try fixing this?
> 
> The patch is attached. I've removed the bit from Debian that disables JPEG
> transformation functions, as seen below. JPEGTransform.cpp (in
> Source/FreeImageToolkit) gave me some trouble when I left that part of
> the patch alone.
> 
> @@ -473,6 +477,9 @@ FI_ENUM(FREE_IMAGE_DITHER) {
>   FID_BAYER16x16  = 6 //! Bayer ordered dispersed dot 
> dithering (order 4 dithering matrix)
>  };
>  
> +/* Debian: The JPEGTransform functions are deliberately disabled in our build
> +   of FreeImage, since they require usage of the vendored copy of libjpeg. */
> +#if 0
>  /** Lossless JPEG transformations
>  Constants used in FreeImage_JPEGTransform
>  */
> @@ -486,6 +493,7 @@ FI_ENUM(FREE_IMAGE_JPEG_OPERATION) {
>   FIJPEG_OP_ROTATE_180= 6,//! 180-degree rotation
>   FIJPEG_OP_ROTATE_270= 7 //! 270-degree clockwise (or 90 
> ccw)
>  };
> +#endif
>  
>  /** Tone mapping operators.
>  Constants used in FreeImage_ToneMapping.
> @@ -1076,7 +1084,9 @@ DLL_API const char* DLL_CALLCONV 
> FreeImage_TagToString(FREE_IMAGE_MDMODEL model,
>  // --
>  // JPEG lossless transformation routines
>  // --
> -
> +/* Debian: The JPEGTransform functions are deliberately disabled in our build
> +   of FreeImage, since they require usage of the vendored copy of libjpeg. */
> +#if 0
>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransform(const char *src_file, 
> const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect 
> FI_DEFAULT(TRUE));
>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformU(const wchar_t *src_file, 
> const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect 
> FI_DEFAULT(TRUE));
>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGCrop(const char *src_file, const 
> char *dst_file, int left, int top, int right, int bottom);
> @@ -1085,6 +1095,7 @@ DLL_API BOOL DLL_CALLCONV 
> FreeImage_JPEGTransformFromHandle(FreeImageIO* src_io,
>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombined(const char 
> *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* 
> left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedU(const wchar_t 
> *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* 
> left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
>  DLL_API BOOL DLL_CALLCONV 
> FreeImage_JPEGTransformCombinedFromMemory(FIMEMORY* src_stream, FIMEMORY* 
> dst_stream, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* 
> right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
> +#endif

> From 4ef0c85c769aa4bc7a528c13eee1c61705e61479 Mon Sep 17 00:00:00 2001
> From: Kei Kebreau 
> Date: Fri, 14 Oct 2016 18:09:45 -0400
> Subject: [PATCH] gnu: freeimage: Disable in-tree third-party libraries.
> 
> * gnu/packages/image.scm (freeimage)[source]: Add patch.
> * gnu/packages/patches/freeimage-disable-vendored-dependencies.patch: New 
> file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> ---
>

Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]

2016-10-14 Thread Kei Kebreau 
Leo Famulari  writes:

> On Fri, Oct 14, 2016 at 10:44:05AM +, Efraim Flashner wrote:
>> efraim pushed a commit to branch master
>> in repository guix.
>> 
>> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134
>> Author: Efraim Flashner 
>> Date:   Fri Oct 14 11:28:21 2016 +0300
>> 
>> gnu: freeimage: Fix CVE-2016-5684.
>> 
>> * gnu/packages/image.scm (freeimage)[source]: Add patch.
>> * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> ---
>>  gnu/local.mk   |1 +
>>  gnu/packages/image.scm |3 +-
>>  gnu/packages/patches/freeimage-CVE-2016-5684.patch |   34 
>> 
>>  3 files changed, 37 insertions(+), 1 deletion(-)
>
> Efraim pointed out on IRC that our freeimage packages bundles many
> 3rd-party libraries:
>
> $ ls -1 FreeImage/Source
> CacheFile.h
> DeprecationManager
> FreeImage
> FreeImage.h
> FreeImageIO.h
> FreeImageLib
> FreeImageToolkit
> LibJPEG
> LibJXR
> LibOpenJPEG
> LibPNG
> LibRawLite
> LibTIFF4
> LibWebP
> MapIntrospector.h
> Metadata
> OpenEXR
> Plugin.h
> Quantizers.h
> ToneMapping.h
> Utilities.h
> ZLib
>
> Debian has a patch to make it use "system" copies of the libraries:
>
> https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
>
> For now, our freeimage package is probably vulnerable to many publicly
> disclosed security bugs.
>
> Who volunteers to try fixing this?

The patch is attached. I've removed the bit from Debian that disables JPEG
transformation functions, as seen below. JPEGTransform.cpp (in
Source/FreeImageToolkit) gave me some trouble when I left that part of
the patch alone.

@@ -473,6 +477,9 @@ FI_ENUM(FREE_IMAGE_DITHER) {
FID_BAYER16x16  = 6 //! Bayer ordered dispersed dot 
dithering (order 4 dithering matrix)
 };
 
+/* Debian: The JPEGTransform functions are deliberately disabled in our build
+   of FreeImage, since they require usage of the vendored copy of libjpeg. */
+#if 0
 /** Lossless JPEG transformations
 Constants used in FreeImage_JPEGTransform
 */
@@ -486,6 +493,7 @@ FI_ENUM(FREE_IMAGE_JPEG_OPERATION) {
FIJPEG_OP_ROTATE_180= 6,//! 180-degree rotation
FIJPEG_OP_ROTATE_270= 7 //! 270-degree clockwise (or 90 
ccw)
 };
+#endif
 
 /** Tone mapping operators.
 Constants used in FreeImage_ToneMapping.
@@ -1076,7 +1084,9 @@ DLL_API const char* DLL_CALLCONV 
FreeImage_TagToString(FREE_IMAGE_MDMODEL model,
 // --
 // JPEG lossless transformation routines
 // --
-
+/* Debian: The JPEGTransform functions are deliberately disabled in our build
+   of FreeImage, since they require usage of the vendored copy of libjpeg. */
+#if 0
 DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransform(const char *src_file, const 
char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect 
FI_DEFAULT(TRUE));
 DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformU(const wchar_t *src_file, 
const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect 
FI_DEFAULT(TRUE));
 DLL_API BOOL DLL_CALLCONV FreeImage_JPEGCrop(const char *src_file, const char 
*dst_file, int left, int top, int right, int bottom);
@@ -1085,6 +1095,7 @@ DLL_API BOOL DLL_CALLCONV 
FreeImage_JPEGTransformFromHandle(FreeImageIO* src_io,
 DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombined(const char 
*src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* 
left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
 DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedU(const wchar_t 
*src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* 
left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
 DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedFromMemory(FIMEMORY* 
src_stream, FIMEMORY* dst_stream, FREE_IMAGE_JPEG_OPERATION operation, int* 
left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
+#endif
From 4ef0c85c769aa4bc7a528c13eee1c61705e61479 Mon Sep 17 00:00:00 2001
From: Kei Kebreau 
Date: Fri, 14 Oct 2016 18:09:45 -0400
Subject: [PATCH] gnu: freeimage: Disable in-tree third-party libraries.

* gnu/packages/image.scm (freeimage)[source]: Add patch.
* gnu/packages/patches/freeimage-disable-vendored-dependencies.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
---
 gnu/local.mk   |   1 +
 gnu/packages/image.scm |   6 +-
 .../freeimage-disable-vendored-dependencies.patch  | 398 +
 3 files changed, 404 insertions(+), 1 deletion(-)
 create mode 100644

Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]

2016-10-14 Thread Leo Famulari 
On Fri, Oct 14, 2016 at 10:44:05AM +, Efraim Flashner wrote:
> efraim pushed a commit to branch master
> in repository guix.
> 
> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134
> Author: Efraim Flashner 
> Date:   Fri Oct 14 11:28:21 2016 +0300
> 
> gnu: freeimage: Fix CVE-2016-5684.
> 
> * gnu/packages/image.scm (freeimage)[source]: Add patch.
> * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> ---
>  gnu/local.mk   |1 +
>  gnu/packages/image.scm |3 +-
>  gnu/packages/patches/freeimage-CVE-2016-5684.patch |   34 
> 
>  3 files changed, 37 insertions(+), 1 deletion(-)

Efraim pointed out on IRC that our freeimage packages bundles many
3rd-party libraries:

$ ls -1 FreeImage/Source
CacheFile.h
DeprecationManager
FreeImage
FreeImage.h
FreeImageIO.h
FreeImageLib
FreeImageToolkit
LibJPEG
LibJXR
LibOpenJPEG
LibPNG
LibRawLite
LibTIFF4
LibWebP
MapIntrospector.h
Metadata
OpenEXR
Plugin.h
Quantizers.h
ToneMapping.h
Utilities.h
ZLib

Debian has a patch to make it use "system" copies of the libraries:

https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid

For now, our freeimage package is probably vulnerable to many publicly
disclosed security bugs.

Who volunteers to try fixing this?