wok-current rev 24695
advancecomp: CVE-2019-8383 & CVE-2019-9210
| author | Pascal Bellard <pascal.bellard@slitaz.org> |
|---|---|
| date | Sun Mar 13 15:13:28 2022 +0000 (2022-03-13) |
| parents | 52649f27a0da |
| children | ce6b8763dcf8 |
| files | abiword/receipt advancecomp/receipt advancecomp/stuff/CVE-2019-8383.patch advancecomp/stuff/CVE-2019-9210.patch babl/receipt gegl/receipt gimp/receipt |
line diff
1.1 --- a/abiword/receipt Sun Mar 13 12:06:14 2022 +0000 1.2 +++ b/abiword/receipt Sun Mar 13 15:13:28 2022 +0000 1.3 @@ -25,10 +25,9 @@ 1.4 current_version() 1.5 { 1.6 wget -O - http://www.abisource.com/downloads/abiword/ 2>/dev/null | \ 1.7 - sed "/latest/d;/\[DIR/!d;s|.*href=.\\([0-9\.]*\\)/.*|http://www.abisource.com/downloads/abiword/\\1/source/|" | sort -Vr | sed q > /tmp/url$$ 1.8 - cat /tmp/url$$ | xargs wget -O - 2>/dev/null | \ 1.9 + sed "/latest/d;/\[DIR/!d;s|.*href=.\\([0-9\.]*\\)/.*|http://www.abisource.com/downloads/abiword/\\1/source/|" | \ 1.10 + sort -Vr | sed q | xargs wget -O - 2>/dev/null | \ 1.11 sed "/latest/d;/$PACKAGE-/!d;/tar/!d;s|.*$PACKAGE-\\(.*\\).tar.*\".*|\\1|" | sort -Vr | sed q 1.12 - rm -f /tmp/url$$ 1.13 } 1.14 1.15 # Rules to configure and make the package.
2.1 --- a/advancecomp/receipt Sun Mar 13 12:06:14 2022 +0000 2.2 +++ b/advancecomp/receipt Sun Mar 13 15:13:28 2022 +0000 2.3 @@ -23,7 +23,9 @@ 2.4 # Rules to configure and make the package. 2.5 compile_rules() 2.6 { 2.7 - patch -p1 -i $stuff/advancecomp.patch 2.8 + for patch in $stuff/*.patch ; do 2.9 + patch -p1 -i $patch 2.10 + done 2.11 2.12 ./autogen.sh && 2.13 ./configure $CONFIGURE_ARGS && make && make install
3.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 3.2 +++ b/advancecomp/stuff/CVE-2019-8383.patch Sun Mar 13 15:13:28 2022 +0000 3.3 @@ -0,0 +1,44 @@ 3.4 +commit 78a56b21340157775be2462a19276b4d31d2bd01 3.5 +Author: Andrea Mazzoleni <amadvance@gmail.com> 3.6 +Date: Fri Jan 4 20:49:25 2019 +0100 3.7 + 3.8 + Fix a buffer overflow caused by invalid images 3.9 + 3.10 +diff --git a/lib/png.c b/lib/png.c 3.11 +index 0939a5a..cbf140b 100644 3.12 +--- a/lib/png.c 3.13 ++++ b/lib/png.c 3.14 +@@ -603,6 +603,7 @@ adv_error adv_png_read_ihdr( 3.15 + unsigned pixel; 3.16 + unsigned width; 3.17 + unsigned width_align; 3.18 ++ unsigned scanline; 3.19 + unsigned height; 3.20 + unsigned depth; 3.21 + int r; 3.22 +@@ -719,9 +720,23 @@ adv_error adv_png_read_ihdr( 3.23 + goto err_ptr; 3.24 + } 3.25 + 3.26 +- *dat_size = height * (width_align * pixel + 1); 3.27 ++ /* check for overflow */ 3.28 ++ if (pixel == 0 || width_align >= UINT_MAX / pixel) { 3.29 ++ error_set("Invalid image size"); 3.30 ++ goto err_ptr; 3.31 ++ } 3.32 ++ 3.33 ++ scanline = width_align * pixel + 1; 3.34 ++ 3.35 ++ /* check for overflow */ 3.36 ++ if (scanline == 0 || height >= UINT_MAX / scanline) { 3.37 ++ error_set("Invalid image size"); 3.38 ++ goto err_ptr; 3.39 ++ } 3.40 ++ 3.41 ++ *dat_size = height * scanline; 3.42 + *dat_ptr = malloc(*dat_size); 3.43 +- *pix_scanline = width_align * pixel + 1; 3.44 ++ *pix_scanline = scanline; 3.45 + *pix_ptr = *dat_ptr + 1; 3.46 + 3.47 + z.zalloc = 0;
4.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 4.2 +++ b/advancecomp/stuff/CVE-2019-9210.patch Sun Mar 13 15:13:28 2022 +0000 4.3 @@ -0,0 +1,100 @@ 4.4 +commit 7894a6e684ce68ddff9f4f4919ab8e3911ac8040 4.5 +Author: Andrea Mazzoleni <amadvance@gmail.com> 4.6 +Date: Fri Jan 4 20:49:48 2019 +0100 4.7 + 4.8 + Fix a buffer overflow caused by invalid chunks 4.9 + 4.10 +diff --git a/pngex.cc b/pngex.cc 4.11 +index 55d16f5..3f5b49f 100644 4.12 +--- a/pngex.cc 4.13 ++++ b/pngex.cc 4.14 +@@ -163,6 +163,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size) 4.15 + 4.16 + switch (type) { 4.17 + case ADV_MNG_CN_MHDR : 4.18 ++ if (size < 28) { 4.19 ++ cout << " invalid chunk size"; 4.20 ++ break; 4.21 ++ } 4.22 + cout << " width:" << be_uint32_read(data+0) << " height:" << be_uint32_read(data+4) << " frequency:" << be_uint32_read(data+8); 4.23 + cout << " simplicity:" << be_uint32_read(data+24); 4.24 + cout << "(bit"; 4.25 +@@ -174,6 +178,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size) 4.26 + cout << ")"; 4.27 + break; 4.28 + case ADV_MNG_CN_DHDR : 4.29 ++ if (size < 4) { 4.30 ++ cout << " invalid chunk size"; 4.31 ++ break; 4.32 ++ } 4.33 + cout << " id:" << be_uint16_read(data+0); 4.34 + switch (data[2]) { 4.35 + case 0 : cout << " img:unspecified"; break; 4.36 +@@ -243,6 +251,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size) 4.37 + } 4.38 + break; 4.39 + case ADV_MNG_CN_DEFI : 4.40 ++ if (size < 2) { 4.41 ++ cout << " invalid chunk size"; 4.42 ++ break; 4.43 ++ } 4.44 + cout << " id:" << be_uint16_read(data+0); 4.45 + if (size >= 3) { 4.46 + switch (data[2]) { 4.47 +@@ -266,6 +278,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size) 4.48 + } 4.49 + break; 4.50 + case ADV_MNG_CN_MOVE : 4.51 ++ if (size < 13) { 4.52 ++ cout << " invalid chunk size"; 4.53 ++ break; 4.54 ++ } 4.55 + cout << " id_from:" << be_uint16_read(data+0) << " id_to:" << be_uint16_read(data+2); 4.56 + switch (data[4]) { 4.57 + case 0 : cout << " type:replace"; break; 4.58 +@@ -275,6 +291,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size) 4.59 + cout << " x:" << (int)be_uint32_read(data + 5) << " y:" << (int)be_uint32_read(data + 9); 4.60 + break; 4.61 + case ADV_MNG_CN_PPLT : 4.62 ++ if (size < 1) { 4.63 ++ cout << " invalid chunk size"; 4.64 ++ break; 4.65 ++ } 4.66 + switch (data[0]) { 4.67 + case 0 : cout << " type:replacement_rgb"; break; 4.68 + case 1 : cout << " type:delta_rgb"; break; 4.69 +@@ -285,7 +305,7 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size) 4.70 + default : cout << " type:?"; break; 4.71 + } 4.72 + i = 1; 4.73 +- while (i<size) { 4.74 ++ while (i + 1 < size) { 4.75 + unsigned ssize; 4.76 + cout << " " << (unsigned)data[i] << ":" << (unsigned)data[i+1]; 4.77 + if (data[0] == 0 || data[1] == 1) 4.78 +@@ -298,6 +318,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size) 4.79 + } 4.80 + break; 4.81 + case ADV_PNG_CN_IHDR : 4.82 ++ if (size < 13) { 4.83 ++ cout << " invalid chunk size"; 4.84 ++ break; 4.85 ++ } 4.86 + cout << " width:" << be_uint32_read(data) << " height:" << be_uint32_read(data + 4); 4.87 + cout << " depth:" << (unsigned)data[8]; 4.88 + cout << " color_type:" << (unsigned)data[9]; 4.89 +diff -up advancecomp-2.1/lib/png.c.me advancecomp-2.1/lib/png.c 4.90 +--- advancecomp-2.1/lib/png.c.me 2019-03-06 21:38:19.099210846 +0100 4.91 ++++ advancecomp-2.1/lib/png.c 2019-03-06 21:38:49.193040592 +0100 4.92 +@@ -655,6 +655,11 @@ adv_error adv_png_read_ihdr( 4.93 + } 4.94 + *pix_pixel = pixel; 4.95 + 4.96 ++ if (width_align < width) { 4.97 ++ error_unsupported_set("Invalid image size"); 4.98 ++ goto err; 4.99 ++ } 4.100 ++ 4.101 + if (data[10] != 0) { /* compression */ 4.102 + error_unsupported_set("Unsupported compression, %d instead of 0", (unsigned)data[10]); 4.103 + goto err;
5.1 --- a/babl/receipt Sun Mar 13 12:06:14 2022 +0000 5.2 +++ b/babl/receipt Sun Mar 13 15:13:28 2022 +0000 5.3 @@ -20,10 +20,9 @@ 5.4 current_version() 5.5 { 5.6 wget -O - https://download.gimp.org/pub/$PACKAGE/ 2>/dev/null | \ 5.7 - sed "/latest/d;/\[DIR/!d;s|.*href=.\\(.*\\)/.*\".*|https://download.gimp.org/pub/$PACKAGE/\\1|" | sort -Vr | sed q > /tmp/url$$ 5.8 - cat /tmp/url$$ | xargs wget -O - 2>/dev/null | \ 5.9 + sed "/latest/d;/\[DIR/!d;s|.*href=.\\(.*\\)/.*\".*|https://download.gimp.org/pub/$PACKAGE/\\1|" | \ 5.10 + sort -Vr | sed q | xargs wget -O - 2>/dev/null | \ 5.11 sed "/latest/d;/$PACKAGE-/!d;/tar/!d;s|.*$PACKAGE-\\(.*\\).tar.*\".*|\\1|" | sort -Vr | sed q 5.12 - rm -f /tmp/url$$ 5.13 } 5.14 5.15 # Rules to configure and make the package.
6.1 --- a/gegl/receipt Sun Mar 13 12:06:14 2022 +0000 6.2 +++ b/gegl/receipt Sun Mar 13 15:13:28 2022 +0000 6.3 @@ -19,10 +19,9 @@ 6.4 current_version() 6.5 { 6.6 wget -O - https://download.gimp.org/pub/$PACKAGE/ 2>/dev/null | \ 6.7 - sed "/latest/d;/\[DIR/!d;s|.*href=.\\(.*\\)/.*\".*|https://download.gimp.org/pub/$PACKAGE/\\1/|" | sort -Vr | sed q > /tmp/url$$ 6.8 - cat /tmp/url$$ | xargs wget -O - 2>/dev/null | \ 6.9 + sed "/latest/d;/\[DIR/!d;s|.*href=.\\(.*\\)/.*\".*|https://download.gimp.org/pub/$PACKAGE/\\1/|" | \ 6.10 + sort -Vr | sed q | xargs wget -O - 2>/dev/null | \ 6.11 sed "/latest/d;/$PACKAGE-/!d;/tar/!d;s|.*$PACKAGE-\\(.*\\).tar.*\".*|\\1|" | sort -Vr | sed q 6.12 - rm -f /tmp/url$$ 6.13 } 6.14 6.15 # Rules to configure and make the package.
7.1 --- a/gimp/receipt Sun Mar 13 12:06:14 2022 +0000 7.2 +++ b/gimp/receipt Sun Mar 13 15:13:28 2022 +0000 7.3 @@ -22,10 +22,9 @@ 7.4 current_version() 7.5 { 7.6 wget -O - https://download.gimp.org/pub/$PACKAGE/ 2>/dev/null | \ 7.7 - sed "/latest/d;/\[DIR/!d;/v[0-9]/!d;s|.*href=.\\(.*\\)/.*\".*|https://download.gimp.org/pub/$PACKAGE/\\1|" | sort -Vr | sed q > /tmp/url$$ 7.8 - cat /tmp/url$$ | xargs wget -O - 2>/dev/null | \ 7.9 + sed "/latest/d;/\[DIR/!d;/v[0-9]/!d;s|.*href=.\\(.*\\)/.*\".*|https://download.gimp.org/pub/$PACKAGE/\\1|" | \ 7.10 + sort -Vr | sed q | xargs wget -O - 2>/dev/null | \ 7.11 sed "/latest/d;/$PACKAGE-/!d;/tar/!d;s|.*$PACKAGE-\\(.*\\).tar.*\".*|\\1|" | sort -Vr | sed q 7.12 - rm -f /tmp/url$$ 7.13 } 7.14 7.15 # Rules to configure and make the package.