gnu: netpbm: Fix CVE-2017-258[67].

* gnu/packages/netpbm.scm (netpbm)[source]: Add patches.
* gnu/packages/patches/netpbm-CVE-2017-2586.patch,
gnu/packages/patches/netpbm-CVE-2017-2587.patch: New files.
* gnu/local.mk: Fix missing copyright year.
(dist_patch_DATA): Add them.
This commit is contained in:
Tobias Geerinckx-Rice 2019-02-28 20:28:33 +01:00
parent 13966cbd5e
commit 2a18b57222
No known key found for this signature in database
GPG Key ID: 0DB0FF884F556D79
4 changed files with 62 additions and 1 deletions

View File

@ -12,7 +12,7 @@
# Copyright © 2016, 2017, 2018, 2019 Alex Vong <alexvong1995@gmail.com> # Copyright © 2016, 2017, 2018, 2019 Alex Vong <alexvong1995@gmail.com>
# Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il> # Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
# Copyright © 2016, 2017 Jan Nieuwenhuizen <janneke@gnu.org> # Copyright © 2016, 2017 Jan Nieuwenhuizen <janneke@gnu.org>
# Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr> # Copyright © 2017, 2018, 2019 Tobias Geerinckx-Rice <me@tobias.gr>
# Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org> # Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org>
# Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com> # Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
# Copyright © 2017, 2018 Gábor Boskovits <boskovits@gmail.com> # Copyright © 2017, 2018 Gábor Boskovits <boskovits@gmail.com>
@ -1065,6 +1065,8 @@ dist_patch_DATA = \
%D%/packages/patches/m4-gnulib-libio.patch \ %D%/packages/patches/m4-gnulib-libio.patch \
%D%/packages/patches/netcdf-date-time.patch \ %D%/packages/patches/netcdf-date-time.patch \
%D%/packages/patches/netcdf-tst_h_par.patch \ %D%/packages/patches/netcdf-tst_h_par.patch \
%D%/packages/patches/netpbm-CVE-2017-2586.patch \
%D%/packages/patches/netpbm-CVE-2017-2587.patch \
%D%/packages/patches/netsurf-message-timestamp.patch \ %D%/packages/patches/netsurf-message-timestamp.patch \
%D%/packages/patches/netsurf-system-utf8proc.patch \ %D%/packages/patches/netsurf-system-utf8proc.patch \
%D%/packages/patches/netsurf-y2038-tests.patch \ %D%/packages/patches/netsurf-y2038-tests.patch \

View File

@ -1,6 +1,7 @@
;;; GNU Guix --- Functional package management for GNU ;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr> ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015, 2016 Ludovic Courtès <ludo@gnu.org> ;;; Copyright © 2015, 2016 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2019 Tobias Geerinckx-Rice <me@tobias.gr>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
;;; ;;;
@ -52,6 +53,8 @@
(sha256 (sha256
(base32 (base32
"1k7as9qi1942wyjxpvbf02wg0h4braw44m3m3vvi8sm9y5z1m967")) "1k7as9qi1942wyjxpvbf02wg0h4braw44m3m3vvi8sm9y5z1m967"))
(patches (search-patches "netpbm-CVE-2017-2586.patch"
"netpbm-CVE-2017-2587.patch"))
(file-name (string-append name "-" version "-checkout")) (file-name (string-append name "-" version "-checkout"))
(modules '((guix build utils))) (modules '((guix build utils)))
(snippet (snippet

View File

@ -0,0 +1,21 @@
From: Tobias Geerinckx-Rice <me@tobias.gr>
Date: Thu, 28 Feb 2019 20:29:00 +0100
Subject: [PATCH] netpbm: Fix CVE-2017-2586.
Copied verbatim from Debian[0].
[0]: https://sources.debian.org/data/main/n/netpbm-free/2:10.78.05-0.1/debian/patches/netpbm-CVE-2017-2586.patch
---
diff -urNp old/converter/other/svgtopam.c new/converter/other/svgtopam.c
--- old/converter/other/svgtopam.c 2017-02-08 12:11:02.593690917 +0100
+++ new/converter/other/svgtopam.c 2017-02-08 12:13:05.192846469 +0100
@@ -676,7 +676,7 @@ stringToUint(const char * const string
/* TODO: move this to nstring.c */
- if (strlen(string) == 0)
+ if (string == NULL || strlen(string) == 0)
pm_asprintf(errorP, "Value is a null string");
else {
char * tailptr;

View File

@ -0,0 +1,35 @@
From: Tobias Geerinckx-Rice <me@tobias.gr>
Date: Thu, 28 Feb 2019 20:29:00 +0100
Subject: [PATCH] netpbm: Fix CVE-2017-2587.
Copied verbatim from Debian[0].
[0]: https://sources.debian.org/data/main/n/netpbm-free/2:10.78.05-0.1/debian/patches/netpbm-CVE-2017-2587.patch
---
diff -urNp old/converter/other/svgtopam.c new/converter/other/svgtopam.c
--- old/converter/other/svgtopam.c 2017-02-08 12:11:02.593690917 +0100
+++ new/converter/other/svgtopam.c 2017-02-08 13:49:38.319029371 +0100
@@ -771,12 +771,17 @@ createCanvas(unsigned int const width,
MALLOCVAR_NOFAIL(canvasP);
- canvasP->width = width;
- canvasP->height = height;
- canvasP->pixels = ppm_allocarray(width, height);
- canvasP->maxval = maxval;
+ if(canvasP != NULL){
+ canvasP->width = width;
+ canvasP->height = height;
+ canvasP->pixels = ppm_allocarray(width, height);
+ canvasP->maxval = maxval;
+
+ *canvasPP = canvasP;
+ } else {
+ pm_error("can't allocate memory for canvas");
+ }
- *canvasPP = canvasP;
}