gnu: netpbm: Fix CVE-2017-258[67].
* gnu/packages/netpbm.scm (netpbm)[source]: Add patches. * gnu/packages/patches/netpbm-CVE-2017-2586.patch, gnu/packages/patches/netpbm-CVE-2017-2587.patch: New files. * gnu/local.mk: Fix missing copyright year. (dist_patch_DATA): Add them.
This commit is contained in:
parent
13966cbd5e
commit
2a18b57222
|
@ -12,7 +12,7 @@
|
||||||
# Copyright © 2016, 2017, 2018, 2019 Alex Vong <alexvong1995@gmail.com>
|
# Copyright © 2016, 2017, 2018, 2019 Alex Vong <alexvong1995@gmail.com>
|
||||||
# Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
|
# Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
|
||||||
# Copyright © 2016, 2017 Jan Nieuwenhuizen <janneke@gnu.org>
|
# Copyright © 2016, 2017 Jan Nieuwenhuizen <janneke@gnu.org>
|
||||||
# Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
|
# Copyright © 2017, 2018, 2019 Tobias Geerinckx-Rice <me@tobias.gr>
|
||||||
# Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org>
|
# Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org>
|
||||||
# Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
|
# Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
|
||||||
# Copyright © 2017, 2018 Gábor Boskovits <boskovits@gmail.com>
|
# Copyright © 2017, 2018 Gábor Boskovits <boskovits@gmail.com>
|
||||||
|
@ -1065,6 +1065,8 @@ dist_patch_DATA = \
|
||||||
%D%/packages/patches/m4-gnulib-libio.patch \
|
%D%/packages/patches/m4-gnulib-libio.patch \
|
||||||
%D%/packages/patches/netcdf-date-time.patch \
|
%D%/packages/patches/netcdf-date-time.patch \
|
||||||
%D%/packages/patches/netcdf-tst_h_par.patch \
|
%D%/packages/patches/netcdf-tst_h_par.patch \
|
||||||
|
%D%/packages/patches/netpbm-CVE-2017-2586.patch \
|
||||||
|
%D%/packages/patches/netpbm-CVE-2017-2587.patch \
|
||||||
%D%/packages/patches/netsurf-message-timestamp.patch \
|
%D%/packages/patches/netsurf-message-timestamp.patch \
|
||||||
%D%/packages/patches/netsurf-system-utf8proc.patch \
|
%D%/packages/patches/netsurf-system-utf8proc.patch \
|
||||||
%D%/packages/patches/netsurf-y2038-tests.patch \
|
%D%/packages/patches/netsurf-y2038-tests.patch \
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
;;; GNU Guix --- Functional package management for GNU
|
;;; GNU Guix --- Functional package management for GNU
|
||||||
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
|
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
|
||||||
;;; Copyright © 2015, 2016 Ludovic Courtès <ludo@gnu.org>
|
;;; Copyright © 2015, 2016 Ludovic Courtès <ludo@gnu.org>
|
||||||
|
;;; Copyright © 2019 Tobias Geerinckx-Rice <me@tobias.gr>
|
||||||
;;;
|
;;;
|
||||||
;;; This file is part of GNU Guix.
|
;;; This file is part of GNU Guix.
|
||||||
;;;
|
;;;
|
||||||
|
@ -52,6 +53,8 @@
|
||||||
(sha256
|
(sha256
|
||||||
(base32
|
(base32
|
||||||
"1k7as9qi1942wyjxpvbf02wg0h4braw44m3m3vvi8sm9y5z1m967"))
|
"1k7as9qi1942wyjxpvbf02wg0h4braw44m3m3vvi8sm9y5z1m967"))
|
||||||
|
(patches (search-patches "netpbm-CVE-2017-2586.patch"
|
||||||
|
"netpbm-CVE-2017-2587.patch"))
|
||||||
(file-name (string-append name "-" version "-checkout"))
|
(file-name (string-append name "-" version "-checkout"))
|
||||||
(modules '((guix build utils)))
|
(modules '((guix build utils)))
|
||||||
(snippet
|
(snippet
|
||||||
|
|
|
@ -0,0 +1,21 @@
|
||||||
|
From: Tobias Geerinckx-Rice <me@tobias.gr>
|
||||||
|
Date: Thu, 28 Feb 2019 20:29:00 +0100
|
||||||
|
Subject: [PATCH] netpbm: Fix CVE-2017-2586.
|
||||||
|
|
||||||
|
Copied verbatim from Debian[0].
|
||||||
|
|
||||||
|
[0]: https://sources.debian.org/data/main/n/netpbm-free/2:10.78.05-0.1/debian/patches/netpbm-CVE-2017-2586.patch
|
||||||
|
|
||||||
|
---
|
||||||
|
diff -urNp old/converter/other/svgtopam.c new/converter/other/svgtopam.c
|
||||||
|
--- old/converter/other/svgtopam.c 2017-02-08 12:11:02.593690917 +0100
|
||||||
|
+++ new/converter/other/svgtopam.c 2017-02-08 12:13:05.192846469 +0100
|
||||||
|
@@ -676,7 +676,7 @@ stringToUint(const char * const string
|
||||||
|
|
||||||
|
/* TODO: move this to nstring.c */
|
||||||
|
|
||||||
|
- if (strlen(string) == 0)
|
||||||
|
+ if (string == NULL || strlen(string) == 0)
|
||||||
|
pm_asprintf(errorP, "Value is a null string");
|
||||||
|
else {
|
||||||
|
char * tailptr;
|
|
@ -0,0 +1,35 @@
|
||||||
|
From: Tobias Geerinckx-Rice <me@tobias.gr>
|
||||||
|
Date: Thu, 28 Feb 2019 20:29:00 +0100
|
||||||
|
Subject: [PATCH] netpbm: Fix CVE-2017-2587.
|
||||||
|
|
||||||
|
Copied verbatim from Debian[0].
|
||||||
|
|
||||||
|
[0]: https://sources.debian.org/data/main/n/netpbm-free/2:10.78.05-0.1/debian/patches/netpbm-CVE-2017-2587.patch
|
||||||
|
|
||||||
|
---
|
||||||
|
diff -urNp old/converter/other/svgtopam.c new/converter/other/svgtopam.c
|
||||||
|
--- old/converter/other/svgtopam.c 2017-02-08 12:11:02.593690917 +0100
|
||||||
|
+++ new/converter/other/svgtopam.c 2017-02-08 13:49:38.319029371 +0100
|
||||||
|
@@ -771,12 +771,17 @@ createCanvas(unsigned int const width,
|
||||||
|
|
||||||
|
MALLOCVAR_NOFAIL(canvasP);
|
||||||
|
|
||||||
|
- canvasP->width = width;
|
||||||
|
- canvasP->height = height;
|
||||||
|
- canvasP->pixels = ppm_allocarray(width, height);
|
||||||
|
- canvasP->maxval = maxval;
|
||||||
|
+ if(canvasP != NULL){
|
||||||
|
+ canvasP->width = width;
|
||||||
|
+ canvasP->height = height;
|
||||||
|
+ canvasP->pixels = ppm_allocarray(width, height);
|
||||||
|
+ canvasP->maxval = maxval;
|
||||||
|
+
|
||||||
|
+ *canvasPP = canvasP;
|
||||||
|
+ } else {
|
||||||
|
+ pm_error("can't allocate memory for canvas");
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- *canvasPP = canvasP;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue