[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
01/02: gnu: jbig2dec: Fix CVE-2017-{7885,7975,7976}.
From: |
Leo Famulari |
Subject: |
01/02: gnu: jbig2dec: Fix CVE-2017-{7885,7975,7976}. |
Date: |
Sat, 20 May 2017 16:26:48 -0400 (EDT) |
lfam pushed a commit to branch master
in repository guix.
commit 10cb88f85cb4a967fac756ee76f6dc60d60d7bef
Author: Leo Famulari <address@hidden>
Date: Sat May 20 15:48:11 2017 -0400
gnu: jbig2dec: Fix CVE-2017-{7885,7975,7976}.
* gnu/packages/patches/jbig2dec-CVE-2017-7885.patch,
gnu/packages/patches/jbig2dec-CVE-2017-7975.patch,
gnu/packages/patches/jbig2dec-CVE-2017-7976.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (jbig2dec)[source]: Use them.
---
gnu/local.mk | 3 +
gnu/packages/image.scm | 5 +-
gnu/packages/patches/jbig2dec-CVE-2017-7885.patch | 38 +++++++
gnu/packages/patches/jbig2dec-CVE-2017-7975.patch | 40 +++++++
gnu/packages/patches/jbig2dec-CVE-2017-7976.patch | 122 ++++++++++++++++++++++
5 files changed, 207 insertions(+), 1 deletion(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index 04d259d..3ca5469 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -689,6 +689,9 @@ dist_patch_DATA =
\
%D%/packages/patches/jasper-CVE-2017-6850.patch \
%D%/packages/patches/jbig2dec-ignore-testtest.patch \
%D%/packages/patches/jbig2dec-CVE-2016-9601.patch \
+ %D%/packages/patches/jbig2dec-CVE-2017-7885.patch \
+ %D%/packages/patches/jbig2dec-CVE-2017-7975.patch \
+ %D%/packages/patches/jbig2dec-CVE-2017-7976.patch \
%D%/packages/patches/jq-CVE-2015-8863.patch \
%D%/packages/patches/kdbusaddons-kinit-file-name.patch \
%D%/packages/patches/khmer-use-libraries.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index de8043d..86902d5 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -509,7 +509,10 @@ arithmetic ops.")
(sha256
(base32 "04akiwab8iy5iy34razcvh9mcja9wy737civ3sbjxk4j143s1b2s"))
(patches (search-patches "jbig2dec-ignore-testtest.patch"
- "jbig2dec-CVE-2016-9601.patch"))))
+ "jbig2dec-CVE-2016-9601.patch"
+ "jbig2dec-CVE-2017-7885.patch"
+ "jbig2dec-CVE-2017-7975.patch"
+ "jbig2dec-CVE-2017-7976.patch"))))
(build-system gnu-build-system)
(synopsis "Decoder of the JBIG2 image compression format")
diff --git a/gnu/packages/patches/jbig2dec-CVE-2017-7885.patch
b/gnu/packages/patches/jbig2dec-CVE-2017-7885.patch
new file mode 100644
index 0000000..a598392
--- /dev/null
+++ b/gnu/packages/patches/jbig2dec-CVE-2017-7885.patch
@@ -0,0 +1,38 @@
+Fix CVE-2017-7885:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7885
+https://bugs.ghostscript.com/show_bug.cgi?id=697703
+
+Patch copied from upstream source repository:
+
+https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=258290340bb657c9efb44457f717b0d8b49f4aa3
+
+From 258290340bb657c9efb44457f717b0d8b49f4aa3 Mon Sep 17 00:00:00 2001
+From: Shailesh Mistry <address@hidden>
+Date: Wed, 3 May 2017 22:06:01 +0100
+Subject: [PATCH] Bug 697703: Prevent integer overflow vulnerability.
+
+Add extra check for the offset being greater than the size
+of the image and hence reading off the end of the buffer.
+
+Thank you to Dai Ge for finding this issue and suggesting a patch.
+---
+ jbig2_symbol_dict.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c
+index 4acaba9..36225cb 100644
+--- a/jbig2_symbol_dict.c
++++ b/jbig2_symbol_dict.c
+@@ -629,7 +629,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+ byte *dst = image->data;
+
+ /* SumatraPDF: prevent read access violation */
+- if (size - jbig2_huffman_offset(hs) < image->height * stride)
{
++ if ((size - jbig2_huffman_offset(hs) < image->height *
stride) || (size < jbig2_huffman_offset(hs))) {
+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
"not enough data for decoding (%d/%d)", image->height * stride,
+ size - jbig2_huffman_offset(hs));
+ jbig2_image_release(ctx, image);
+--
+2.13.0
+
diff --git a/gnu/packages/patches/jbig2dec-CVE-2017-7975.patch
b/gnu/packages/patches/jbig2dec-CVE-2017-7975.patch
new file mode 100644
index 0000000..c83fe9d
--- /dev/null
+++ b/gnu/packages/patches/jbig2dec-CVE-2017-7975.patch
@@ -0,0 +1,40 @@
+Fix CVE-2017-7975:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7975
+https://bugs.ghostscript.com/show_bug.cgi?id=697693
+
+Patch copied from upstream source repository:
+
+https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=f8992b8fe65c170c8624226f127c5c4bfed42c66
+
+From f8992b8fe65c170c8624226f127c5c4bfed42c66 Mon Sep 17 00:00:00 2001
+From: Shailesh Mistry <address@hidden>
+Date: Wed, 26 Apr 2017 22:12:14 +0100
+Subject: [PATCH] Bug 697693: Prevent SEGV due to integer overflow.
+
+While building a Huffman table, the start and end points were susceptible
+to integer overflow.
+
+Thank you to Jiaqi for finding this issue and suggesting a patch.
+---
+ jbig2_huffman.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/jbig2_huffman.c b/jbig2_huffman.c
+index 511e461..b4189a1 100644
+--- a/jbig2_huffman.c
++++ b/jbig2_huffman.c
+@@ -421,8 +421,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx, const
Jbig2HuffmanParams *params)
+
+ if (PREFLEN == CURLEN) {
+ int RANGELEN = lines[CURTEMP].RANGELEN;
+- int start_j = CURCODE << shift;
+- int end_j = (CURCODE + 1) << shift;
++ uint32_t start_j = CURCODE << shift;
++ uint32_t end_j = (CURCODE + 1) << shift;
+ byte eflags = 0;
+
+ if (end_j > max_j) {
+--
+2.13.0
+
diff --git a/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch
b/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch
new file mode 100644
index 0000000..2fe0235
--- /dev/null
+++ b/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch
@@ -0,0 +1,122 @@
+Fix CVE-2017-7976:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7976
+https://bugs.ghostscript.com/show_bug.cgi?id=697683
+
+In order to make the bug-fix patch apply, we also include an earlier commit
+that it depends on.
+
+Patches copied from upstream source repository:
+
+Earlier commit, creating context for the CVE fix:
+https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=9d2c4f3bdb0bd003deae788e7187c0f86e624544
+
+CVE-2017-7976 bug fix:
+https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=cfa054925de49675ac5445515ebf036fa9379ac6
+
+From 9d2c4f3bdb0bd003deae788e7187c0f86e624544 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <address@hidden>
+Date: Wed, 14 Dec 2016 15:56:31 +0100
+Subject: [PATCH] Fix warnings: remove unsigned < 0 tests that are always
+ false.
+
+---
+ jbig2_image.c | 2 +-
+ jbig2_mmr.c | 2 +-
+ jbig2_symbol_dict.c | 9 ++-------
+ 3 files changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/jbig2_image.c b/jbig2_image.c
+index 94e5a4c..00f966b 100644
+--- a/jbig2_image.c
++++ b/jbig2_image.c
+@@ -256,7 +256,7 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst,
Jbig2Image *src, int x, int
+ /* general OR case */
+ s = ss;
+ d = dd = dst->data + y * dst->stride + leftbyte;
+- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d -
leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
++ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h *
dst->stride > dst->data + dst->height * dst->stride) {
+ return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap
overflow in jbig2_image_compose");
+ }
+ if (leftbyte == rightbyte) {
+diff --git a/jbig2_mmr.c b/jbig2_mmr.c
+index 390e27c..da54934 100644
+--- a/jbig2_mmr.c
++++ b/jbig2_mmr.c
+@@ -977,7 +977,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref,
byte *dst)
+ if (b1 < 2)
+ break;
+ if (c) {
+- if (b1 - 2 < a0 || a0 < 0)
++ if (a0 == MINUS1 || b1 - 2 < a0)
+ return -1;
+ jbig2_set_bits(dst, a0, b1 - 2);
+ }
+diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c
+index 11a2252..4acaba9 100644
+--- a/jbig2_symbol_dict.c
++++ b/jbig2_symbol_dict.c
+@@ -92,11 +92,6 @@ jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols)
+ {
+ Jbig2SymbolDict *new_dict = NULL;
+
+- if (n_symbols < 0) {
+- jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "Negative number of
symbols in symbol dict: %d", n_symbols);
+- return NULL;
+- }
+-
+ new_dict = jbig2_new(ctx, Jbig2SymbolDict, 1);
+ if (new_dict != NULL) {
+ new_dict->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols);
+@@ -613,7 +608,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+ uint32_t j;
+ int x;
+
+- if (code || (BMSIZE < 0)) {
++ if (code) {
+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
"error decoding size of collective bitmap!");
+ goto cleanup4;
+ }
+@@ -716,7 +711,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+ code = jbig2_arith_int_decode(IAEX, as, (int32_t
*)&exrunlength);
+ /* prevent infinite loop */
+ zerolength = exrunlength > 0 ? 0 : zerolength + 1;
+- if (code || (exrunlength > limit - i) || (exrunlength < 0) ||
(zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) {
++ if (code || (exrunlength > limit - i) || (zerolength > 4) ||
(exflag && (exrunlength + j > params->SDNUMEXSYMS))) {
+ if (code)
+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
"failed to decode exrunlength for exported symbols");
+ else if (exrunlength <= 0)
+--
+2.13.0
+
+From cfa054925de49675ac5445515ebf036fa9379ac6 Mon Sep 17 00:00:00 2001
+From: Shailesh Mistry <address@hidden>
+Date: Wed, 10 May 2017 17:50:39 +0100
+Subject: [PATCH] Bug 697683: Bounds check before reading from image source
+ data.
+
+Add extra check to prevent reading off the end of the image source
+data buffer.
+
+Thank you to Dai Ge for finding this issue and suggesting a patch.
+---
+ jbig2_image.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/jbig2_image.c b/jbig2_image.c
+index 661d0a5..ae161b9 100644
+--- a/jbig2_image.c
++++ b/jbig2_image.c
+@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst,
Jbig2Image *src, int x, int
+ /* general OR case */
+ s = ss;
+ d = dd = dst->data + y * dst->stride + leftbyte;
+- if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h *
dst->stride > dst->data + dst->height * dst->stride) {
++ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h *
dst->stride > dst->data + dst->height * dst->stride ||
++ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data +
src->height * src->stride) {
+ return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap
overflow in jbig2_image_compose");
+ }
+ if (leftbyte == rightbyte) {
+--
+2.13.0
+