Hello community, here is the log from the commit of package gdk-pixbuf for openSUSE:Factory checked in at 2018-01-16 09:27:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gdk-pixbuf (Old) and /work/SRC/openSUSE:Factory/.gdk-pixbuf.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "gdk-pixbuf" Tue Jan 16 09:27:52 2018 rev:67 rq:562495 version:2.36.11 Changes: -------- --- /work/SRC/openSUSE:Factory/gdk-pixbuf/gdk-pixbuf.changes 2017-10-06 11:01:32.642640297 +0200 +++ /work/SRC/openSUSE:Factory/.gdk-pixbuf.new/gdk-pixbuf.changes 2018-01-16 09:27:54.422299032 +0100 @@ -1,0 +2,14 @@ +Fri Jan 5 17:38:55 UTC 2018 - mgorse@suse.com + +- Add gdk-pixbuf-bgo779012-ico-overflow.patch: fix a potential + integer overflow (boo#1027026 CVE-2017-6312). +- Add gdk-pixbuf-gif-negative-array-indexes.patch and + gdk-pixbuf-gif-uninitialized-variable.patch: protect against + access to negative array indexes (BGO#778584). +- Add gdk-pixbuf-tiff-overflow.patch: avoid overflow during size + computation (bgo#779020). +- Add gdk-pixbuf-icns-handle-short-blocklen.patch: protect against + short block length when reading icns (boo#1027024 + CVE-2017-6313). + +------------------------------------------------------------------- New: ---- gdk-pixbuf-bgo779012-ico-overflow.patch gdk-pixbuf-gif-negative-array-indexes.patch gdk-pixbuf-gif-uninitialized-variable.patch gdk-pixbuf-icns-handle-short-blocklen.patch gdk-pixbuf-tiff-overflow.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gdk-pixbuf.spec ++++++ --- /var/tmp/diff_new_pack.Nne12t/_old 2018-01-16 09:27:55.294258236 +0100 +++ /var/tmp/diff_new_pack.Nne12t/_new 2018-01-16 09:27:55.298258050 +0100 @@ -1,7 +1,7 @@ # # spec file for package gdk-pixbuf # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -30,6 +30,16 @@ Source2: README.SUSE Source3: gdk-pixbuf-rpmlintrc Source99: baselibs.conf +# PATCH-FIX-UPSTREAM gdk-pixbuf-bgo779012-ico-overflow.patch boo#1027026 mgorse@suse.com -- fix potential integer overflow (CVE-2017-6312). +Patch0: gdk-pixbuf-bgo779012-ico-overflow.patch +# PATCH-FIX-UPSTREAM gdk-pixbuf-gif-negative-array-indexes.patch bgo#778584 mgorse@suse.com -- gif: prevent access to negative array indexes. +Patch1: gdk-pixbuf-gif-negative-array-indexes.patch +# PATCH-FIX-UPSTREAM gdk-pixbuf-gif-uninitialized-variable.patch bgo#778584 mgorse@suse.com -- fix uninitialized variable. +Patch2: gdk-pixbuf-gif-uninitialized-variable.patch +# PATCH-FIX-UPSTREAM gdk-pixbuf-tiff-overflow.patch bgo#779020 mgorse@suse.com -- avoid overflow during size computation. +Patch3: gdk-pixbuf-tiff-overflow.patch +# PATCH-FIX-UPSTREAM gdk-pixbuf-icns-handle-short-blocklen.patch boo#1027024 bgo#779016 mgorse@suse.com -- icns: protect against too short blocklen (CVE-2017-6313). +Patch4: gdk-pixbuf-icns-handle-short-blocklen.patch BuildRequires: docbook-xsl-stylesheets BuildRequires: gtk-doc BuildRequires: libjpeg-devel @@ -119,6 +129,11 @@ %if !0%{?is_opensuse} translation-update-upstream %endif +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 %if "%_lib" == "lib64" cp -a %{SOURCE2} . %endif ++++++ gdk-pixbuf-bgo779012-ico-overflow.patch ++++++
From dec9ca22d70c0f0d4492333b4e8147afb038afd2 Mon Sep 17 00:00:00 2001 From: Dhiru Kholia
Date: Thu, 30 Nov 2017 02:36:26 +0100 Subject: [PATCH] ico: Fix potential integer overflow
Which relies on undefined behaviour. Instead of checking for an overflowed integer after the fact, check whether the addition would be possible at all. Fixes: CVE-2017-6312 https://bugzilla.gnome.org/show_bug.cgi?id=779012 --- gdk-pixbuf/io-ico.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/gdk-pixbuf/io-ico.c b/gdk-pixbuf/io-ico.c index 8729a0fb9..a86725751 100644 --- a/gdk-pixbuf/io-ico.c +++ b/gdk-pixbuf/io-ico.c @@ -333,10 +333,8 @@ static void DecodeHeader(guchar *Data, gint Bytes, for (l = State->entries; l != NULL; l = g_list_next (l)) { entry = l->data; - /* We know how many bytes are in the "header" part. */ - State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE; - - if (State->HeaderSize < 0) { + /* Avoid invoking undefined behavior in the State->HeaderSize calculation below */ + if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) { g_set_error (error, GDK_PIXBUF_ERROR, GDK_PIXBUF_ERROR_CORRUPT_IMAGE, @@ -344,6 +342,9 @@ static void DecodeHeader(guchar *Data, gint Bytes, return; } + /* We know how many bytes are in the "header" part. */ + State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE; + if (State->HeaderSize>State->BytesInHeaderBuf) { guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize); if (!tmp) { -- 2.15.1 ++++++ gdk-pixbuf-gif-negative-array-indexes.patch ++++++
From 23e2a7c4b7794220ecd77389b3976c0767fc839d Mon Sep 17 00:00:00 2001 From: Tobias Mueller
Date: Wed, 14 Dec 2016 08:03:16 +0100 Subject: [PATCH] gif: Prevent access to negative array indexes
It seems that a pathological gif file can cause a negative array index to be read. UBSAN reported this: io-gif.c:509:44: runtime error: index -2 out of bounds for type 'guchar [280]' io-gif.c:510:44: runtime error: index -1 out of bounds for type 'guchar [280]' https://bugzilla.gnome.org/show_bug.cgi?id=778584 --- gdk-pixbuf/io-gif.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c index ef1001779..acbd1f3be 100644 --- a/gdk-pixbuf/io-gif.c +++ b/gdk-pixbuf/io-gif.c @@ -508,6 +508,14 @@ gif_lzw_fill_buffer (GifContext *context) return -2; } + if (context->code_last_byte < 2) { + g_set_error_literal (context->error, + GDK_PIXBUF_ERROR, + GDK_PIXBUF_ERROR_CORRUPT_IMAGE, + _("Bad code encountered")); + return -2; + } + context->block_buf[0] = context->block_buf[context->code_last_byte - 2]; context->block_buf[1] = context->block_buf[context->code_last_byte - 1]; -- 2.15.1 ++++++ gdk-pixbuf-gif-uninitialized-variable.patch ++++++
From c1fd9f5d6592c0183c54efc806b3ca6871e1f496 Mon Sep 17 00:00:00 2001 From: Tobias Mueller
Date: Fri, 10 Nov 2017 18:51:21 +0100 Subject: [PATCH] gif: Initialise code_last_byte to not cause undefined behaviour
Currently, code_last_byte is set only after it has been used, i.e. context->block_buf[0] = context->block_buf[context->code_last_byte - 2]; comes before anything has touched context->code_last_byte yet. Except for the initialisation. context->code_last_byte is set a few lines later, though. And nowhere else, except for the initialisation which sets it to 0. That will inevitably lead to context->block_buf[-2] which is undefined behaviour. We hence set the code_last_byte to 2 in order to not make that array index invalid. https://bugzilla.gnome.org/show_bug.cgi?id=778584 --- gdk-pixbuf/io-gif.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c index acbd1f3be..61821bdf9 100644 --- a/gdk-pixbuf/io-gif.c +++ b/gdk-pixbuf/io-gif.c @@ -1165,7 +1165,12 @@ gif_prepare_lzw (GifContext *context) context->lzw_fresh = TRUE; context->code_curbit = 0; context->code_lastbit = 0; - context->code_last_byte = 0; + /* During initialistion (in gif_lzw_fill_buffer) we substract 2 from + * this value to peek into a buffer. + * In order to not get a negative array index later, we set the value + * to that magic 2 now. + */ + context->code_last_byte = 2; context->code_done = FALSE; g_assert (context->lzw_clear_code <= -- 2.15.1 ++++++ gdk-pixbuf-icns-handle-short-blocklen.patch ++++++
From 210b16399a492d05efb209615a143920b24251f4 Mon Sep 17 00:00:00 2001 From: Bastien Nocera
Date: Tue, 5 Dec 2017 11:51:02 +0100 Subject: [PATCH] icns: Protect against too short blocklen (CVE-2017-6313)
The blocklen needs to be at least header sized to be valid, otherwise we can underflow picture data or mask data lengths. https://bugzilla.gnome.org/show_bug.cgi?id=779016 --- gdk-pixbuf/io-icns.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/gdk-pixbuf/io-icns.c b/gdk-pixbuf/io-icns.c index a432e463f..41732b153 100644 --- a/gdk-pixbuf/io-icns.c +++ b/gdk-pixbuf/io-icns.c @@ -95,7 +95,8 @@ load_resources (unsigned size, IN gpointer data, gsize datalen, blocklen = GUINT32_FROM_BE (header->size); /* Check that blocklen isn't garbage */ - if (blocklen > icnslen - (current - bytes)) + if (blocklen > icnslen - (current - bytes) || + blocklen < sizeof (IcnsBlockHeader)) return FALSE; switch (size) -- 2.15.1 ++++++ gdk-pixbuf-tiff-overflow.patch ++++++
From 1e513abdb55529f888233d3c96b27352d83aad5f Mon Sep 17 00:00:00 2001 From: Bastien Nocera
Date: Tue, 5 Dec 2017 10:26:49 +0100 Subject: [PATCH] tiff: Avoid overflowing buffer size computation
Use g_uint_checked_mul() to avoid overflowing the guint used for buffer size calculation. https://bugzilla.gnome.org/show_bug.cgi?id=779020 --- gdk-pixbuf/io-tiff.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c index 7ca0a565a..49fe60eee 100644 --- a/gdk-pixbuf/io-tiff.c +++ b/gdk-pixbuf/io-tiff.c @@ -529,8 +529,15 @@ make_available_at_least (TiffContext *context, guint needed) need_alloc = context->used + needed; if (need_alloc > context->allocated) { guint new_size = 1; - while (new_size < need_alloc) - new_size *= 2; + while (new_size < need_alloc) { + if (!g_uint_checked_mul (&new_size, new_size, 2)) { + new_size = 0; + break; + } + } + + if (new_size == 0) + return FALSE; new_buffer = g_try_realloc (context->buffer, new_size); if (new_buffer) { -- 2.15.1