From e224495ce1ce373cc43b49faa538116c9cac1466 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Tue, 8 Mar 2016 11:49:04 +0200 Subject: [PATCH] gnu: jasper: Add fixes for CVE-2016-1577, CVE-2016-2089, CVE-2016-2116. * gnu/packages/patches/jasper-CVE-2016-1557.patch, gnu/packages/patches/jasper-CVE-2016-2089.patch, gnu/packages/patches/jasper-CVE-2016-2116.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/image.scm (jasper)[source]: Add patches. --- gnu-system.am | 3 + gnu/packages/image.scm | 6 +- .../patches/jasper-CVE-2016-1577.patch | 19 ++++ .../patches/jasper-CVE-2016-2089.patch | 90 +++++++++++++++++++ .../patches/jasper-CVE-2016-2116.patch | 19 ++++ 5 files changed, 136 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/jasper-CVE-2016-1577.patch create mode 100644 gnu/packages/patches/jasper-CVE-2016-2089.patch create mode 100644 gnu/packages/patches/jasper-CVE-2016-2116.patch diff --git a/gnu-system.am b/gnu-system.am index f4f1b89d46..4566ecac7d 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -543,7 +543,10 @@ dist_patch_DATA = \ gnu/packages/patches/jasper-CVE-2014-8157.patch \ gnu/packages/patches/jasper-CVE-2014-8158.patch \ gnu/packages/patches/jasper-CVE-2014-9029.patch \ + gnu/packages/patches/jasper-CVE-2016-1577.patch \ gnu/packages/patches/jasper-CVE-2016-1867.patch \ + gnu/packages/patches/jasper-CVE-2016-2089.patch \ + gnu/packages/patches/jasper-CVE-2016-2116.patch \ gnu/packages/patches/jbig2dec-ignore-testtest.patch \ gnu/packages/patches/kmod-module-directory.patch \ gnu/packages/patches/ldc-disable-tests.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 2d2f0f2f4b..4b99fb6767 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -7,6 +7,7 @@ ;;; Copyright © 2015 Amirouche Boubekki ;;; Copyright © 2014 John Darrington ;;; Copyright © 2016 Leo Famulari +;;; Copyright © 2016 Efraim Flashner ;;; ;;; This file is part of GNU Guix. ;;; @@ -736,7 +737,10 @@ convert, manipulate, filter and display a wide variety of image formats.") (search-patch "jasper-CVE-2014-8157.patch") (search-patch "jasper-CVE-2014-8158.patch") (search-patch "jasper-CVE-2014-9029.patch") - (search-patch "jasper-CVE-2016-1867.patch"))))) + (search-patch "jasper-CVE-2016-1577.patch") + (search-patch "jasper-CVE-2016-1867.patch") + (search-patch "jasper-CVE-2016-2089.patch") + (search-patch "jasper-CVE-2016-2116.patch"))))) (build-system gnu-build-system) (native-inputs `(("unzip" ,unzip))) diff --git a/gnu/packages/patches/jasper-CVE-2016-1577.patch b/gnu/packages/patches/jasper-CVE-2016-1577.patch new file mode 100644 index 0000000000..75bbd526af --- /dev/null +++ b/gnu/packages/patches/jasper-CVE-2016-1577.patch @@ -0,0 +1,19 @@ +Description: CVE-2016-1577: Prevent double-free in jas_iccattrval_destroy() +Origin: vendor, http://www.openwall.com/lists/oss-security/2016/03/03/12 +Bug-Ubuntu: https://launchpad.net/bugs/1547865 +Bug-Debian: https://bugs.debian.org/816625 +Forwarded: not-needed +Author: Tyler Hicks +Reviewed-by: Salvatore Bonaccorso +Last-Update: 2016-03-05 + +--- a/src/libjasper/base/jas_icc.c ++++ b/src/libjasper/base/jas_icc.c +@@ -300,6 +300,7 @@ jas_iccprof_t *jas_iccprof_load(jas_stre + if (jas_iccprof_setattr(prof, tagtabent->tag, attrval)) + goto error; + jas_iccattrval_destroy(attrval); ++ attrval = 0; + } else { + #if 0 + jas_eprintf("warning: skipping unknown tag type\n"); diff --git a/gnu/packages/patches/jasper-CVE-2016-2089.patch b/gnu/packages/patches/jasper-CVE-2016-2089.patch new file mode 100644 index 0000000000..95d4b61111 --- /dev/null +++ b/gnu/packages/patches/jasper-CVE-2016-2089.patch @@ -0,0 +1,90 @@ +Description: CVE-2016-2089: matrix rows_ NULL pointer dereference in jas_matrix_clip() +Origin: vendor +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1302636 +Bug-Debian: https://bugs.debian.org/812978 +Forwarded: not-needed +Author: Tomas Hoger +Reviewed-by: Salvatore Bonaccorso +Last-Update: 2016-03-05 + +--- a/src/libjasper/base/jas_image.c ++++ b/src/libjasper/base/jas_image.c +@@ -426,6 +426,10 @@ int jas_image_readcmpt(jas_image_t *imag + return -1; + } + ++ if (!data->rows_) { ++ return -1; ++ } ++ + if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) { + if (jas_matrix_resize(data, height, width)) { + return -1; +@@ -479,6 +483,10 @@ int jas_image_writecmpt(jas_image_t *ima + return -1; + } + ++ if (!data->rows_) { ++ return -1; ++ } ++ + if (jas_matrix_numrows(data) != height || jas_matrix_numcols(data) != width) { + return -1; + } +--- a/src/libjasper/base/jas_seq.c ++++ b/src/libjasper/base/jas_seq.c +@@ -262,6 +262,10 @@ void jas_matrix_divpow2(jas_matrix_t *ma + int rowstep; + jas_seqent_t *data; + ++ if (!matrix->rows_) { ++ return; ++ } ++ + rowstep = jas_matrix_rowstep(matrix); + for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, + rowstart += rowstep) { +@@ -282,6 +286,10 @@ void jas_matrix_clip(jas_matrix_t *matri + jas_seqent_t *data; + int rowstep; + ++ if (!matrix->rows_) { ++ return; ++ } ++ + rowstep = jas_matrix_rowstep(matrix); + for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, + rowstart += rowstep) { +@@ -306,6 +314,10 @@ void jas_matrix_asr(jas_matrix_t *matrix + int rowstep; + jas_seqent_t *data; + ++ if (!matrix->rows_) { ++ return; ++ } ++ + assert(n >= 0); + rowstep = jas_matrix_rowstep(matrix); + for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, +@@ -325,6 +337,10 @@ void jas_matrix_asl(jas_matrix_t *matrix + int rowstep; + jas_seqent_t *data; + ++ if (!matrix->rows_) { ++ return; ++ } ++ + rowstep = jas_matrix_rowstep(matrix); + for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, + rowstart += rowstep) { +@@ -367,6 +383,10 @@ void jas_matrix_setall(jas_matrix_t *mat + int rowstep; + jas_seqent_t *data; + ++ if (!matrix->rows_) { ++ return; ++ } ++ + rowstep = jas_matrix_rowstep(matrix); + for (i = matrix->numrows_, rowstart = matrix->rows_[0]; i > 0; --i, + rowstart += rowstep) { diff --git a/gnu/packages/patches/jasper-CVE-2016-2116.patch b/gnu/packages/patches/jasper-CVE-2016-2116.patch new file mode 100644 index 0000000000..cdb616fb6a --- /dev/null +++ b/gnu/packages/patches/jasper-CVE-2016-2116.patch @@ -0,0 +1,19 @@ +Description: CVE-2016-2116: Prevent jas_stream_t memory leak in jas_iccprof_createfrombuf() +Origin: vendor, http://www.openwall.com/lists/oss-security/2016/03/03/12 +Bug-Debian: https://bugs.debian.org/816626 +Forwarded: not-needed +Author: Tyler Hicks +Reviewed-by: Salvatore Bonaccorso +Last-Update: 2016-03-05 + +--- a/src/libjasper/base/jas_icc.c ++++ b/src/libjasper/base/jas_icc.c +@@ -1693,6 +1693,8 @@ jas_iccprof_t *jas_iccprof_createfrombuf + jas_stream_close(in); + return prof; + error: ++ if (in) ++ jas_stream_close(in); + return 0; + } +