From 7149e16c9e6890fa914b0a49f363439ab5627f3a Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Sat, 27 May 2017 12:56:54 -0400
Subject: [PATCH] WIP: libwmf: Fix CVE-2016-{9011,9317,10167,10168}.

XXX: Not all of these patches apply.

* gnu/packages/patches/libwmf-CVE-2016-9011.patch,
gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libwmf)[source]: Use them.
---
 gnu/local.mk | 2 +
 gnu/packages/image.scm | 4 +-
 gnu/packages/patches/libwmf-CVE-2016-9011.patch | 45 ++++++++++++
 .../patches/libwmf-fixes-for-bundled-gd.patch | 80 ++++++++++++++++++++++
 4 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/libwmf-CVE-2016-9011.patch
 create mode 100644 gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index d0117be85..f60b66948 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -781,6 +781,8 @@ dist_patch_DATA = \
 %D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \
 %D%/packages/patches/libwmf-CVE-2015-4695.patch \
 %D%/packages/patches/libwmf-CVE-2015-4696.patch \
+ %D%/packages/patches/libwmf-CVE-2016-9011.patch \
+ %D%/packages/patches/libwmf-fixes-for-bundled-gd.patch \
 %D%/packages/patches/libxcb-python-3.5-compat.patch \
 %D%/packages/patches/libxml2-CVE-2016-4658.patch \
 %D%/packages/patches/libxml2-CVE-2016-5131.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 86902d568..f33396968 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -421,7 +421,9 @@ collection of tools for doing simple manipulations of TIFF images.")
 "libwmf-CVE-2009-3546.patch"
 "libwmf-CVE-2015-0848+CVE-2015-4588.patch"
 "libwmf-CVE-2015-4695.patch"
- "libwmf-CVE-2015-4696.patch"))))
+ "libwmf-CVE-2015-4696.patch"
+ "libwmf-CVE-2016-9011.patch"
+ "libwmf-fixes-for-bundled-gd.patch"))))
 (build-system gnu-build-system)
 (inputs 
diff --git a/gnu/packages/patches/libwmf-CVE-2016-9011.patch b/gnu/packages/patches/libwmf-CVE-2016-9011.patch
new file mode 100644
index 000000000..a74120c15
--- /dev/null
+++ b/gnu/packages/patches/libwmf-CVE-2016-9011.patch
@@ -0,0 +1,45 @@
+Fix CVE-2016-9011:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9011
+https://blogs.gentoo.org/ago/2016/10/18/libwmf-memory-allocation-failure-in-wmf_malloc-api-c/
+
+Patch copied from Fedora:
+
+https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=9a43f910abce9940f07843e7186646ad46b686d6
+
+--- libwmf-0.2.8.4/src/player.c
++++ libwmf-0.2.8.4/src/player.c
+@@ -139,8 +139,31 @@
+ WMF_DEBUG (API,"bailing...");
+ return (API->err);
+ }
+-
+- P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++
++ U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);
++ if (nMaxRecordSize)
++ {
++ //before allocating memory do a sanity check on size by seeking
++ //to claimed end to see if its possible. We're constrained here
++ //by the api and existing implementations to not simply seeking
++ //to SEEK_END. So use what we have to skip to the last byte and
++ //try and read it.
++ const long nPos = WMF_TELL (API);
++ WMF_SEEK (API, nPos + nMaxRecordSize - 1);
++ if (ERR (API))
++ { WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++ int byte = WMF_READ (API);
++ if (byte == (-1))
++ { WMF_ERROR (API,"Unexpected EOF!");
++ API->err = wmf_E_EOF;
++ return (API->err);
++ }
++ WMF_SEEK (API, nPos);
++ }
++
++ P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
+
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
diff --git a/gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch b/gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch
new file mode 100644
index 000000000..92a3f7cdb
--- /dev/null
+++ b/gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch
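Review bot: In the player.c hunk, `U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);` narrows to 32 bits a product that the replaced line handed to `wmf_malloc` at full width; if `MAX_REC_SIZE(API)` is a 32-bit field taken from the file header (not visible here, confirm in player.c), a value of 2^31 or more wraps to a small number on assignment, the seek-ahead probe then passes trivially and `P->Parameters` is allocated far smaller than the record size the rest of the player relies on. The seek argument `nPos + nMaxRecordSize - 1` also mixes `long` with `U32`, so on a 32-bit target the sum is unsigned and can wrap to a small offset that reads as valid. Computing the size as `size_t nMaxRecordSize = (size_t) MAX_REC_SIZE (API) * 2;` and bailing out, the way the existing `ERR (API)` branch does, whenever `nMaxRecordSize - 1` exceeds `LONG_MAX - nPos` before the `WMF_SEEK` call closes both gaps. The enclosing function starts and ends outside the hunk.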
@@ -0,0 +1,80 @@
+Fix CVE-2016-{9317,10167,10168} in bundled libgd:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9317
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168
+
+Patches copied from Fedora:
+
+CVE-2016-9317:
+https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=d851798416d005977d9409babf710c050124cfda
+CVE-2016-10167:
+https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=b439c6f363d3f9c7b22e7f3b2211d423abd7d612
+CVE-2016-10168:
+https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=d8c724ed484d01f3535bd1f317d6c5aa6d33aa80
+
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -65,6 +65,18 @@
+ {
+ int i;
+ gdImagePtr im;
++
++ if (overflow2(sx, sy)) {
++ return NULL;
++ }
++
++ if (overflow2(sizeof (unsigned char *), sy)) {
++ return NULL;
++ }
++ if (overflow2(sizeof (unsigned char), sx)) {
++ return NULL;
++ }
++
+ im = (gdImage *) gdMalloc (sizeof (gdImage));
+ memset (im, 0, sizeof (gdImage));
+ /* Row-major ever since gd 1.3 */
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
+@@ -362,10 +362,9 @@
+ {
+ if (!gdGetInt (&im->tpixels[y][x], in))
+ {
+- /*printf("EOF while reading\n"); */
+- /*gdImageDestroy(im); */
+- /*return 0; */
+- im->tpixels[y][x] = 0;
++ fprintf(stderr, "gd2: EOF while reading\n");
++ gdImageDestroy(im);
++ return NULL;
+ }
+ }
+ else
+@@ -373,10 +372,9 @@
+ int ch;
+ if (!gdGetByte (&ch, in))
+ {
+- /*printf("EOF while reading\n"); */
+- /*gdImageDestroy(im); */
+- /*return 0; */
+- ch = 0;
++ fprintf(stderr, "gd2: EOF while reading\n");
++ gdImageDestroy(im);
++ return NULL;
+ }
+ im->pixels[y][x] = ch;
+ }
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
+@@ -145,6 +145,11 @@
+
+ if ((*fmt) == GD2_FMT_COMPRESSED)
+ {
++ if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
++ GD2_DBG(printf ("Illegal chunk counts: %d
* %d\n", *ncx, *ncy));
++ goto fail1;
++ }
++
+ nc = (*ncx) * (*ncy);
+ GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+ sidx = sizeof (t_chunk_info) * nc;
-- 
2.13.0
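Review bot: The gd.c hunk calls `overflow2()` three times but nothing in this patch declares or defines it, so unless the bundled gd under src/extra/gd already provides one (upstream libgd keeps it in a separate source file), the patched tree fails to compile on an implicit declaration — worth checking before the WIP tag is dropped. The gd_gd2.c hunk at -145 likewise relies on `INT_MAX`, which needs `<limits.h>` if that file does not already include it. That hunk's new check bounds `nc`, but the following `sidx = sizeof (t_chunk_info) * nc;` can still overflow on a 32-bit target when `nc` is close to `INT_MAX`; guarding it with the same helper, `if (overflow2(sizeof (t_chunk_info), nc)) goto fail1;`, keeps the two files consistent. The enclosing functions of all three gd hunks start and end outside the patch.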