From 10cb88f85cb4a967fac756ee76f6dc60d60d7bef Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Sat, 20 May 2017 15:48:11 -0400 Subject: [PATCH] gnu: jbig2dec: Fix CVE-2017-{7885,7975,7976}. * gnu/packages/patches/jbig2dec-CVE-2017-7885.patch, gnu/packages/patches/jbig2dec-CVE-2017-7975.patch, gnu/packages/patches/jbig2dec-CVE-2017-7976.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/image.scm (jbig2dec)[source]: Use them. --- gnu/local.mk | 3 + gnu/packages/image.scm | 5 +- .../patches/jbig2dec-CVE-2017-7885.patch | 38 ++++++ .../patches/jbig2dec-CVE-2017-7975.patch | 40 ++++++ .../patches/jbig2dec-CVE-2017-7976.patch | 122 ++++++++++++++++++ 5 files changed, 207 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/jbig2dec-CVE-2017-7885.patch create mode 100644 gnu/packages/patches/jbig2dec-CVE-2017-7975.patch create mode 100644 gnu/packages/patches/jbig2dec-CVE-2017-7976.patch diff --git a/gnu/local.mk b/gnu/local.mk index 04d259df9c..3ca546913c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -689,6 +689,9 @@ dist_patch_DATA = \ %D%/packages/patches/jasper-CVE-2017-6850.patch \ %D%/packages/patches/jbig2dec-ignore-testtest.patch \ %D%/packages/patches/jbig2dec-CVE-2016-9601.patch \ + %D%/packages/patches/jbig2dec-CVE-2017-7885.patch \ + %D%/packages/patches/jbig2dec-CVE-2017-7975.patch \ + %D%/packages/patches/jbig2dec-CVE-2017-7976.patch \ %D%/packages/patches/jq-CVE-2015-8863.patch \ %D%/packages/patches/kdbusaddons-kinit-file-name.patch \ %D%/packages/patches/khmer-use-libraries.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index de8043d236..86902d5680 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -509,7 +509,10 @@ arithmetic ops.") (sha256 (base32 "04akiwab8iy5iy34razcvh9mcja9wy737civ3sbjxk4j143s1b2s")) (patches (search-patches "jbig2dec-ignore-testtest.patch" - "jbig2dec-CVE-2016-9601.patch")))) + "jbig2dec-CVE-2016-9601.patch" + "jbig2dec-CVE-2017-7885.patch" + "jbig2dec-CVE-2017-7975.patch" + "jbig2dec-CVE-2017-7976.patch")))) (build-system gnu-build-system) (synopsis "Decoder of the JBIG2 image compression format") diff --git a/gnu/packages/patches/jbig2dec-CVE-2017-7885.patch b/gnu/packages/patches/jbig2dec-CVE-2017-7885.patch new file mode 100644 index 0000000000..a598392765 --- /dev/null +++ b/gnu/packages/patches/jbig2dec-CVE-2017-7885.patch @@ -0,0 +1,38 @@ +Fix CVE-2017-7885: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7885 +https://bugs.ghostscript.com/show_bug.cgi?id=697703 + +Patch copied from upstream source repository: + +https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=258290340bb657c9efb44457f717b0d8b49f4aa3 + +From 258290340bb657c9efb44457f717b0d8b49f4aa3 Mon Sep 17 00:00:00 2001 +From: Shailesh Mistry +Date: Wed, 3 May 2017 22:06:01 +0100 +Subject: [PATCH] Bug 697703: Prevent integer overflow vulnerability. + +Add extra check for the offset being greater than the size +of the image and hence reading off the end of the buffer. + +Thank you to Dai Ge for finding this issue and suggesting a patch. +--- + jbig2_symbol_dict.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c +index 4acaba9..36225cb 100644 +--- a/jbig2_symbol_dict.c ++++ b/jbig2_symbol_dict.c +@@ -629,7 +629,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, + byte *dst = image->data; + + /* SumatraPDF: prevent read access violation */ +- if (size - jbig2_huffman_offset(hs) < image->height * stride) { ++ if ((size - jbig2_huffman_offset(hs) < image->height * stride) || (size < jbig2_huffman_offset(hs))) { + jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", image->height * stride, + size - jbig2_huffman_offset(hs)); + jbig2_image_release(ctx, image); +-- +2.13.0 + diff --git a/gnu/packages/patches/jbig2dec-CVE-2017-7975.patch b/gnu/packages/patches/jbig2dec-CVE-2017-7975.patch new file mode 100644 index 0000000000..c83fe9d9f2 --- /dev/null +++ b/gnu/packages/patches/jbig2dec-CVE-2017-7975.patch @@ -0,0 +1,40 @@ +Fix CVE-2017-7975: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7975 +https://bugs.ghostscript.com/show_bug.cgi?id=697693 + +Patch copied from upstream source repository: + +https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=f8992b8fe65c170c8624226f127c5c4bfed42c66 + +From f8992b8fe65c170c8624226f127c5c4bfed42c66 Mon Sep 17 00:00:00 2001 +From: Shailesh Mistry +Date: Wed, 26 Apr 2017 22:12:14 +0100 +Subject: [PATCH] Bug 697693: Prevent SEGV due to integer overflow. + +While building a Huffman table, the start and end points were susceptible +to integer overflow. + +Thank you to Jiaqi for finding this issue and suggesting a patch. +--- + jbig2_huffman.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/jbig2_huffman.c b/jbig2_huffman.c +index 511e461..b4189a1 100644 +--- a/jbig2_huffman.c ++++ b/jbig2_huffman.c +@@ -421,8 +421,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx, const Jbig2HuffmanParams *params) + + if (PREFLEN == CURLEN) { + int RANGELEN = lines[CURTEMP].RANGELEN; +- int start_j = CURCODE << shift; +- int end_j = (CURCODE + 1) << shift; ++ uint32_t start_j = CURCODE << shift; ++ uint32_t end_j = (CURCODE + 1) << shift; + byte eflags = 0; + + if (end_j > max_j) { +-- +2.13.0 + diff --git a/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch b/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch new file mode 100644 index 0000000000..2fe02358b8 --- /dev/null +++ b/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch @@ -0,0 +1,122 @@ +Fix CVE-2017-7976: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7976 +https://bugs.ghostscript.com/show_bug.cgi?id=697683 + +In order to make the bug-fix patch apply, we also include an earlier commit +that it depends on. + +Patches copied from upstream source repository: + +Earlier commit, creating context for the CVE fix: +https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=9d2c4f3bdb0bd003deae788e7187c0f86e624544 + +CVE-2017-7976 bug fix: +https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=cfa054925de49675ac5445515ebf036fa9379ac6 + +From 9d2c4f3bdb0bd003deae788e7187c0f86e624544 Mon Sep 17 00:00:00 2001 +From: Tor Andersson +Date: Wed, 14 Dec 2016 15:56:31 +0100 +Subject: [PATCH] Fix warnings: remove unsigned < 0 tests that are always + false. + +--- + jbig2_image.c | 2 +- + jbig2_mmr.c | 2 +- + jbig2_symbol_dict.c | 9 ++------- + 3 files changed, 4 insertions(+), 9 deletions(-) + +diff --git a/jbig2_image.c b/jbig2_image.c +index 94e5a4c..00f966b 100644 +--- a/jbig2_image.c ++++ b/jbig2_image.c +@@ -256,7 +256,7 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int + /* general OR case */ + s = ss; + d = dd = dst->data + y * dst->stride + leftbyte; +- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) { ++ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) { + return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose"); + } + if (leftbyte == rightbyte) { +diff --git a/jbig2_mmr.c b/jbig2_mmr.c +index 390e27c..da54934 100644 +--- a/jbig2_mmr.c ++++ b/jbig2_mmr.c +@@ -977,7 +977,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst) + if (b1 < 2) + break; + if (c) { +- if (b1 - 2 < a0 || a0 < 0) ++ if (a0 == MINUS1 || b1 - 2 < a0) + return -1; + jbig2_set_bits(dst, a0, b1 - 2); + } +diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c +index 11a2252..4acaba9 100644 +--- a/jbig2_symbol_dict.c ++++ b/jbig2_symbol_dict.c +@@ -92,11 +92,6 @@ jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols) + { + Jbig2SymbolDict *new_dict = NULL; + +- if (n_symbols < 0) { +- jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "Negative number of symbols in symbol dict: %d", n_symbols); +- return NULL; +- } +- + new_dict = jbig2_new(ctx, Jbig2SymbolDict, 1); + if (new_dict != NULL) { + new_dict->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols); +@@ -613,7 +608,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, + uint32_t j; + int x; + +- if (code || (BMSIZE < 0)) { ++ if (code) { + jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "error decoding size of collective bitmap!"); + goto cleanup4; + } +@@ -716,7 +711,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, + code = jbig2_arith_int_decode(IAEX, as, (int32_t *)&exrunlength); + /* prevent infinite loop */ + zerolength = exrunlength > 0 ? 0 : zerolength + 1; +- if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) { ++ if (code || (exrunlength > limit - i) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) { + if (code) + jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to decode exrunlength for exported symbols"); + else if (exrunlength <= 0) +-- +2.13.0 + +From cfa054925de49675ac5445515ebf036fa9379ac6 Mon Sep 17 00:00:00 2001 +From: Shailesh Mistry +Date: Wed, 10 May 2017 17:50:39 +0100 +Subject: [PATCH] Bug 697683: Bounds check before reading from image source + data. + +Add extra check to prevent reading off the end of the image source +data buffer. + +Thank you to Dai Ge for finding this issue and suggesting a patch. +--- + jbig2_image.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/jbig2_image.c b/jbig2_image.c +index 661d0a5..ae161b9 100644 +--- a/jbig2_image.c ++++ b/jbig2_image.c +@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int + /* general OR case */ + s = ss; + d = dd = dst->data + y * dst->stride + leftbyte; +- if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) { ++ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride || ++ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) { + return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose"); + } + if (leftbyte == rightbyte) { +-- +2.13.0 +