gnu: pixman: Add fix for CVE-2016-5296.

* gnu/packages/patches/pixman-CVE-2016-5296.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/xdisorg.scm (pixman)[replacement]: New field. (pixman/fixed): New variable.
2016-11-16 02:14:28 -05:00 · 2016-11-16 02:14:28 -05:00 · 56ac2bf442
parent 05ceb8dcaf
commit 56ac2bf442
3 changed files with 29 additions and 1 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -785,6 +785,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/pinball-src-deps.patch			\
  %D%/packages/patches/pinball-system-ltdl.patch		\
  %D%/packages/patches/pingus-sdl-libs-config.patch		\
+  %D%/packages/patches/pixman-CVE-2016-5296.patch		\
  %D%/packages/patches/plink-1.07-unclobber-i.patch		\
  %D%/packages/patches/plink-endian-detection.patch		\
  %D%/packages/patches/plotutils-libpng-jmpbuf.patch		\
--- a/gnu/packages/patches/pixman-CVE-2016-5296.patch
+++ b/gnu/packages/patches/pixman-CVE-2016-5296.patch
@ -0,0 +1,19 @@
+Fix CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
+Adapted for upstream pixman based on:
+
+  https://hg.mozilla.org/releases/mozilla-esr45/rev/5e39c1c2fded
+
+--- pixman-0.34.0/pixman/pixman-edge-imp.h.orig	2015-06-30 05:48:31.000000000 -0400
+++ pixman-0.34.0/pixman/pixman-edge-imp.h	2016-11-16 01:09:34.046335106 -0500
+@@ -55,8 +55,9 @@
+ 	 *
+ 	 * (The AA case does a similar  adjustment in RENDER_SAMPLES_X)
+ 	 */
+-	lx += X_FRAC_FIRST(1) - pixman_fixed_e;
+-	rx += X_FRAC_FIRST(1) - pixman_fixed_e;
+	/* we cast to unsigned to get defined behaviour for overflow */
+	lx = (unsigned)lx + X_FRAC_FIRST(1) - pixman_fixed_e;
+	rx = (unsigned)rx + X_FRAC_FIRST(1) - pixman_fixed_e;
+ #endif
+ 	/* clip X */
+ 	if (lx < 0)
--- a/gnu/packages/xdisorg.scm
+++ b/gnu/packages/xdisorg.scm
@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2014 Andreas Enge <andreas@enge.fr>
-;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2014 Eric Bavier <bavier@member.fsf.org>
 ;;; Copyright © 2014, 2015, 2016 Alex Kost <alezost@gmail.com>
 ;;; Copyright © 2013, 2015 Ludovic Courtès <ludo@gnu.org>
@ -241,6 +241,7 @@ following the mouse.")
  (package
    (name "pixman")
    (version "0.34.0")
+    (replacement pixman/fixed)
    (source (origin
              (method url-fetch)
              (uri (string-append
@ -262,6 +263,13 @@ manipulation, providing features such as image compositing and trapezoid
 rasterisation.")
    (license license:x11)))

+(define pixman/fixed
+  (package
+    (inherit pixman)
+    (source (origin
+              (inherit (package-source pixman))
+              (patches (search-patches "pixman-CVE-2016-5296.patch"))))))
+

 (define-public libdrm
  (package