guix-devel

From: Kei Kebreau
Subject: Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
Date: Fri, 14 Oct 2016 20:09:08 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Leo Famulari <address@hidden> writes:

> On Fri, Oct 14, 2016 at 10:44:05AM +0000, Efraim Flashner wrote:
>> efraim pushed a commit to branch master
>> in repository guix.
>> 
>> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134
>> Author: Efraim Flashner <address@hidden>
>> Date:   Fri Oct 14 11:28:21 2016 +0300
>> 
>>     gnu: freeimage: Fix CVE-2016-5684.
>>     
>>     * gnu/packages/image.scm (freeimage)[source]: Add patch.
>>     * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file.
>>     * gnu/local.mk (dist_patch_DATA): Register it.
>> ---
>>  gnu/local.mk                                       |    1 +
>>  gnu/packages/image.scm                             |    3 +-
>>  gnu/packages/patches/freeimage-CVE-2016-5684.patch |   34 
>> ++++++++++++++++++++
>>  3 files changed, 37 insertions(+), 1 deletion(-)
>
> Efraim pointed out on IRC that our freeimage package bundles many
> 3rd-party libraries:
>
> $ ls -1 FreeImage/Source
> CacheFile.h
> DeprecationManager
> FreeImage
> FreeImage.h
> FreeImageIO.h
> FreeImageLib
> FreeImageToolkit
> LibJPEG
> LibJXR
> LibOpenJPEG
> LibPNG
> LibRawLite
> LibTIFF4
> LibWebP
> MapIntrospector.h
> Metadata
> OpenEXR
> Plugin.h
> Quantizers.h
> ToneMapping.h
> Utilities.h
> ZLib
>
> Debian has a patch to make it use "system" copies of the libraries:
>
> https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
>
> For now, our freeimage package is probably vulnerable to many publicly
> disclosed security bugs.
>
> Who volunteers to try fixing this?

The patch is attached. I've removed the bit from Debian that disables JPEG
transformation functions, as seen below. JPEGTransform.cpp (in
Source/FreeImageToolkit) gave me some trouble when I left that part of
the patch alone.

@@ -473,6 +477,9 @@ FI_ENUM(FREE_IMAGE_DITHER) {
        FID_BAYER16x16  = 6             //! Bayer ordered dispersed dot 
dithering (order 4 dithering matrix)
 };
 
+/* Debian: The JPEGTransform functions are deliberately disabled in our build
+   of FreeImage, since they require usage of the vendored copy of libjpeg. */
+#if 0
 /** Lossless JPEG transformations
 Constants used in FreeImage_JPEGTransform
 */
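Review bot: wrapping the FREE_IMAGE_JPEG_OPERATION enum in a bare `#if 0` silently drops a public type from the installed header, so any consumer that names it or the FIJPEG_OP_* constants stops compiling with no hint as to why; a named configuration macro that downstream code can test would be preferable, and the `/* Debian: ... */` wording needs adjusting if this part is carried into another distribution's patch.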
@@ -486,6 +493,7 @@ FI_ENUM(FREE_IMAGE_JPEG_OPERATION) {
        FIJPEG_OP_ROTATE_180    = 6,    //! 180-degree rotation
        FIJPEG_OP_ROTATE_270    = 7             //! 270-degree clockwise (or 90 
ccw)
 };
+#endif
 
 /** Tone mapping operators.
 Constants used in FreeImage_ToneMapping.
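Review bot: the `+#endif` here closes the `#if 0` opened in the previous hunk, so the two hunks are only meaningful applied together; a trailing comment on the `#endif` saying what it closes would let a reader of the header see the pairing without consulting the patch.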
@@ -1076,7 +1084,9 @@ DLL_API const char* DLL_CALLCONV 
FreeImage_TagToString(FREE_IMAGE_MDMODEL model,
 // --------------------------------------------------------------------------
 // JPEG lossless transformation routines
 // --------------------------------------------------------------------------
-
+/* Debian: The JPEGTransform functions are deliberately disabled in our build
+   of FreeImage, since they require usage of the vendored copy of libjpeg. */
+#if 0
 DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransform(const char *src_file, const 
char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect 
FI_DEFAULT(TRUE));
 DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformU(const wchar_t *src_file, 
const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect 
FI_DEFAULT(TRUE));
 DLL_API BOOL DLL_CALLCONV FreeImage_JPEGCrop(const char *src_file, const char 
*dst_file, int left, int top, int right, int bottom);
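Review bot: this hunk hides the FreeImage_JPEGTransform* declarations but nothing in it takes JPEGTransform.cpp out of the build, so those implementations are still compiled against a header that no longer declares them or the enum they take; the source list (or a matching conditional in the .cpp) has to change in step, which is consistent with the trouble with JPEGTransform.cpp described above. The `-` line also drops the blank separator before the banner comment, so the `#if 0` now abuts it; keep the blank line.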
@@ -1085,6 +1095,7 @@ DLL_API BOOL DLL_CALLCONV 
FreeImage_JPEGTransformFromHandle(FreeImageIO* src_io,
 DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombined(const char 
*src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* 
left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
 DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedU(const wchar_t 
*src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* 
left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
 DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedFromMemory(FIMEMORY* 
src_stream, FIMEMORY* dst_stream, FREE_IMAGE_JPEG_OPERATION operation, int* 
left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
+#endif
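Review bot: the hunk header declares 6 old / 7 new lines, but only three context lines and the `+#endif` are visible, so this excerpt is truncated and `patch` would reject it as pasted; the attached file is the one to read. The `#endif` again pairs with the `#if 0` from the preceding hunk, so the four hunks form one unit that must be kept or dropped together, as was done here.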

Attachment: 0001-gnu-freeimage-Disable-in-tree-third-party-libraries.patch
Description: Text document

Attachment: signature.asc
Description: PGP signature
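A post-build check for the unbundling discussed in this thread, added here as an example and not code from the thread, from Guix or from Debian: given the output of `readelf -d` on the built libfreeimage.so, it reports which of the Source/ subdirectories listed above still have no matching system library among the NEEDED entries. The soname prefixes and the sample output are assumptions constructed for the example.

```python
import re

# Soname prefix expected once each bundled directory is replaced by the
# system library.  Assumption: illustrative sonames, not taken from the
# patch; LibJXR and OpenEXR are left out because their sonames vary.
EXPECTED = {
    "LibJPEG": "libjpeg.so",
    "LibPNG": "libpng",
    "LibTIFF4": "libtiff.so",
    "LibWebP": "libwebp.so",
    "LibOpenJPEG": "libopenjp2.so",
    "LibRawLite": "libraw.so",
    "ZLib": "libz.so",
}

NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")

def needed_libs(readelf_output):
    """Sonames listed as NEEDED in `readelf -d` output, in order."""
    return NEEDED_RE.findall(readelf_output)

def still_bundled(readelf_output, expected=EXPECTED):
    """Bundled source directories with no matching NEEDED entry.

    A missing entry is the red flag: FreeImage compiles its vendored
    sources straight into libfreeimage, so a library that is still
    bundled leaves no trace in the dynamic section.
    """
    needed = needed_libs(readelf_output)
    return sorted(d for d, soname in expected.items()
                  if not any(n.startswith(soname) for n in needed))

# Constructed sample (not real output): a build that still carries its own
# copy of LibWebP but links everything else from the system.
SAMPLE = """
Dynamic section at offset 0x1d2c08 contains 30 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libjpeg.so.8]
 0x0000000000000001 (NEEDED)             Shared library: [libpng16.so.16]
 0x0000000000000001 (NEEDED)             Shared library: [libtiff.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libopenjp2.so.7]
 0x0000000000000001 (NEEDED)             Shared library: [libraw.so.16]
 0x0000000000000001 (NEEDED)             Shared library: [libz.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libstdc++.so.6]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
"""

if __name__ == "__main__":
    print("still bundled:", still_bundled(SAMPLE))  # ['LibWebP']
```

A NEEDED entry only proves the dynamic dependency exists; pair it with a symbol check on the object if you need to rule out a vendored copy being compiled in alongside the system one.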

