[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
02/04: gnu: netpbm: Fix CVE-2017-258[67].
From: |
guix-commits |
Subject: |
02/04: gnu: netpbm: Fix CVE-2017-258[67]. |
Date: |
Thu, 28 Feb 2019 16:36:01 -0500 (EST) |
nckx pushed a commit to branch master
in repository guix.
commit 2a18b57222895b167522fcdecd7a0c37e64b5fbd
Author: Tobias Geerinckx-Rice <address@hidden>
Date: Thu Feb 28 20:28:33 2019 +0100
gnu: netpbm: Fix CVE-2017-258[67].
* gnu/packages/netpbm.scm (netpbm)[source]: Add patches.
* gnu/packages/patches/netpbm-CVE-2017-2586.patch,
gnu/packages/patches/netpbm-CVE-2017-2587.patch: New files.
* gnu/local.mk: Fix missing copyright year.
(dist_patch_DATA): Add them.
---
gnu/local.mk | 4 ++-
gnu/packages/netpbm.scm | 3 +++
gnu/packages/patches/netpbm-CVE-2017-2586.patch | 21 +++++++++++++++
gnu/packages/patches/netpbm-CVE-2017-2587.patch | 35 +++++++++++++++++++++++++
4 files changed, 62 insertions(+), 1 deletion(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index 1981673..82050b9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -12,7 +12,7 @@
# Copyright © 2016, 2017, 2018, 2019 Alex Vong <address@hidden>
# Copyright © 2016, 2017 Efraim Flashner <address@hidden>
# Copyright © 2016, 2017 Jan Nieuwenhuizen <address@hidden>
-# Copyright © 2017 Tobias Geerinckx-Rice <address@hidden>
+# Copyright © 2017, 2018, 2019 Tobias Geerinckx-Rice <address@hidden>
# Copyright © 2017, 2018 Clément Lassieur <address@hidden>
# Copyright © 2017 Mathieu Othacehe <address@hidden>
# Copyright © 2017, 2018 Gábor Boskovits <address@hidden>
@@ -1065,6 +1065,8 @@ dist_patch_DATA =
\
%D%/packages/patches/m4-gnulib-libio.patch \
%D%/packages/patches/netcdf-date-time.patch \
%D%/packages/patches/netcdf-tst_h_par.patch \
+ %D%/packages/patches/netpbm-CVE-2017-2586.patch \
+ %D%/packages/patches/netpbm-CVE-2017-2587.patch \
%D%/packages/patches/netsurf-message-timestamp.patch \
%D%/packages/patches/netsurf-system-utf8proc.patch \
%D%/packages/patches/netsurf-y2038-tests.patch \
diff --git a/gnu/packages/netpbm.scm b/gnu/packages/netpbm.scm
index 9c0e970..7fe0503 100644
--- a/gnu/packages/netpbm.scm
+++ b/gnu/packages/netpbm.scm
@@ -1,6 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2015 Andreas Enge <address@hidden>
;;; Copyright © 2015, 2016 Ludovic Courtès <address@hidden>
+;;; Copyright © 2019 Tobias Geerinckx-Rice <address@hidden>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -52,6 +53,8 @@
(sha256
(base32
"1k7as9qi1942wyjxpvbf02wg0h4braw44m3m3vvi8sm9y5z1m967"))
+ (patches (search-patches "netpbm-CVE-2017-2586.patch"
+ "netpbm-CVE-2017-2587.patch"))
(file-name (string-append name "-" version "-checkout"))
(modules '((guix build utils)))
(snippet
diff --git a/gnu/packages/patches/netpbm-CVE-2017-2586.patch
b/gnu/packages/patches/netpbm-CVE-2017-2586.patch
new file mode 100644
index 0000000..9992187
--- /dev/null
+++ b/gnu/packages/patches/netpbm-CVE-2017-2586.patch
@@ -0,0 +1,21 @@
+From: Tobias Geerinckx-Rice <address@hidden>
+Date: Thu, 28 Feb 2019 20:29:00 +0100
+Subject: [PATCH] netpbm: Fix CVE-2017-2586.
+
+Copied verbatim from Debian[0].
+
+[0]:
https://sources.debian.org/data/main/n/netpbm-free/2:10.78.05-0.1/debian/patches/netpbm-CVE-2017-2586.patch
+
+---
+diff -urNp old/converter/other/svgtopam.c new/converter/other/svgtopam.c
+--- old/converter/other/svgtopam.c 2017-02-08 12:11:02.593690917 +0100
++++ new/converter/other/svgtopam.c 2017-02-08 12:13:05.192846469 +0100
+@@ -676,7 +676,7 @@ stringToUint(const char * const string
+
+ /* TODO: move this to nstring.c */
+
+- if (strlen(string) == 0)
++ if (string == NULL || strlen(string) == 0)
+ pm_asprintf(errorP, "Value is a null string");
+ else {
+ char * tailptr;
diff --git a/gnu/packages/patches/netpbm-CVE-2017-2587.patch
b/gnu/packages/patches/netpbm-CVE-2017-2587.patch
new file mode 100644
index 0000000..70fa508
--- /dev/null
+++ b/gnu/packages/patches/netpbm-CVE-2017-2587.patch
@@ -0,0 +1,35 @@
+From: Tobias Geerinckx-Rice <address@hidden>
+Date: Thu, 28 Feb 2019 20:29:00 +0100
+Subject: [PATCH] netpbm: Fix CVE-2017-2587.
+
+Copied verbatim from Debian[0].
+
+[0]:
https://sources.debian.org/data/main/n/netpbm-free/2:10.78.05-0.1/debian/patches/netpbm-CVE-2017-2587.patch
+
+---
+diff -urNp old/converter/other/svgtopam.c new/converter/other/svgtopam.c
+--- old/converter/other/svgtopam.c 2017-02-08 12:11:02.593690917 +0100
++++ new/converter/other/svgtopam.c 2017-02-08 13:49:38.319029371 +0100
+@@ -771,12 +771,17 @@ createCanvas(unsigned int const width,
+
+ MALLOCVAR_NOFAIL(canvasP);
+
+- canvasP->width = width;
+- canvasP->height = height;
+- canvasP->pixels = ppm_allocarray(width, height);
+- canvasP->maxval = maxval;
++ if(canvasP != NULL){
++ canvasP->width = width;
++ canvasP->height = height;
++ canvasP->pixels = ppm_allocarray(width, height);
++ canvasP->maxval = maxval;
++
++ *canvasPP = canvasP;
++ } else {
++ pm_error("can't allocate memory for canvas");
++ }
+
+- *canvasPP = canvasP;
+ }
+
+