commit: eca676636078bad3c537dae10681c74d5cddcba7 |
Author: Alexander Tsoy <alexander <AT> tsoy <DOT> me> |
AuthorDate: Wed Oct 28 01:05:23 2015 +0000 |
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org> |
CommitDate: Wed Oct 28 02:12:51 2015 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eca67663 |
|
media-libs/libwmf: revbump with security fixes |
|
Fixed security issues: |
|
CVE-2015-0848: heap overflow when decoding BMP images |
CVE-2015-4695: heap buffer overread in meta.h |
CVE-2015-4696: use-after-free flaw in meta.h |
CVE-2015-4588: heap overflow within the RLE decoding of embedded |
BMP images |
|
Gentoo-Bug: 553818 |
|
...ibwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch | 118 +++++++++++++++++++++ |
.../files/libwmf-0.2.8.4-CVE-2015-4695.patch | 56 ++++++++++ |
.../files/libwmf-0.2.8.4-CVE-2015-4696.patch | 23 ++++ |
media-libs/libwmf/libwmf-0.2.8.4-r6.ebuild | 113 ++++++++++++++++++++ |
4 files changed, 310 insertions(+) |
|
26 |
diff --git a/media-libs/libwmf/files/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch b/media-libs/libwmf/files/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch |
27 |
new file mode 100644 |
28 |
index 0000000..e8ba8db |
29 |
--- /dev/null |
30 |
+++ b/media-libs/libwmf/files/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch |
31 |
@@ -0,0 +1,118 @@ |
32 |
+--- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:24.591876404 +0100 |
33 |
++++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:35.345993247 +0100 |
34 |
+@@ -859,7 +859,7 @@ |
35 |
+ % |
36 |
+ % |
37 |
+ */ |
38 |
+-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) |
39 |
++static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) |
40 |
+ { int byte; |
41 |
+ int count; |
42 |
+ int i; |
43 |
+@@ -870,12 +870,14 @@ |
44 |
+ U32 u; |
45 |
+ |
46 |
+ unsigned char* q; |
47 |
++ unsigned char* end; |
48 |
+ |
49 |
+ for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0; |
50 |
+ |
51 |
+ byte = 0; |
52 |
+ x = 0; |
53 |
+ q = pixels; |
54 |
++ end = pixels + bmp->width * bmp->height; |
55 |
+ |
56 |
+ for (y = 0; y < bmp->height; ) |
57 |
+ { count = ReadBlobByte (src); |
58 |
+@@ -884,7 +886,10 @@ |
59 |
+ { /* Encoded mode. */ |
60 |
+ byte = ReadBlobByte (src); |
61 |
+ for (i = 0; i < count; i++) |
62 |
+- { if (compression == 1) |
63 |
++ { |
64 |
++ if (q == end) |
65 |
++ return 0; |
66 |
++ if (compression == 1) |
67 |
+ { (*(q++)) = (unsigned char) byte; |
68 |
+ } |
69 |
+ else |
70 |
+@@ -896,13 +901,15 @@ |
71 |
+ else |
72 |
+ { /* Escape mode. */ |
73 |
+ count = ReadBlobByte (src); |
74 |
+- if (count == 0x01) return; |
75 |
++ if (count == 0x01) return 1; |
76 |
+ switch (count) |
77 |
+ { |
78 |
+ case 0x00: |
79 |
+ { /* End of line. */ |
80 |
+ x = 0; |
81 |
+ y++; |
82 |
++ if (y >= bmp->height) |
83 |
++ return 0; |
84 |
+ q = pixels + y * bmp->width; |
85 |
+ break; |
86 |
+ } |
87 |
+@@ -910,13 +917,20 @@ |
88 |
+ { /* Delta mode. */ |
89 |
+ x += ReadBlobByte (src); |
90 |
+ y += ReadBlobByte (src); |
91 |
++ if (y >= bmp->height) |
92 |
++ return 0; |
93 |
++ if (x >= bmp->width) |
94 |
++ return 0; |
95 |
+ q = pixels + y * bmp->width + x; |
96 |
+ break; |
97 |
+ } |
98 |
+ default: |
99 |
+ { /* Absolute mode. */ |
100 |
+ for (i = 0; i < count; i++) |
101 |
+- { if (compression == 1) |
102 |
++ { |
103 |
++ if (q == end) |
104 |
++ return 0; |
105 |
++ if (compression == 1) |
106 |
+ { (*(q++)) = ReadBlobByte (src); |
107 |
+ } |
108 |
+ else |
109 |
+@@ -943,7 +957,7 @@ |
110 |
+ byte = ReadBlobByte (src); /* end of line */ |
111 |
+ byte = ReadBlobByte (src); |
112 |
+ |
113 |
+- return; |
114 |
++ return 1; |
115 |
+ } |
116 |
+ |
117 |
+ /* |
118 |
+@@ -1143,8 +1157,18 @@ |
119 |
+ } |
120 |
+ } |
121 |
+ else |
122 |
+- { /* Convert run-length encoded raster pixels. */ |
123 |
+- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image); |
124 |
++ { |
125 |
++ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */ |
126 |
++ { |
127 |
++ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image)) |
128 |
++ { WMF_ERROR (API,"corrupt bmp"); |
129 |
++ API->err = wmf_E_BadFormat; |
130 |
++ } |
131 |
++ } |
132 |
++ else |
133 |
++ { WMF_ERROR (API,"Unexpected pixel depth"); |
134 |
++ API->err = wmf_E_BadFormat; |
135 |
++ } |
136 |
+ } |
137 |
+ |
138 |
+ if (ERR (API)) |
139 |
+--- libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:24.590876393 +0100 |
140 |
++++ libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:35.345993247 +0100 |
141 |
+@@ -48,7 +48,7 @@ |
142 |
+ static unsigned short ReadBlobLSBShort (BMPSource*); |
143 |
+ static unsigned long ReadBlobLSBLong (BMPSource*); |
144 |
+ static long TellBlob (BMPSource*); |
145 |
+-static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); |
146 |
++static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); |
147 |
+ static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*); |
148 |
+ static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int); |
149 |
+ static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int); |
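Review bot: The new bound `end = pixels + bmp->width * bmp->height;` is computed without the `(U32)` casts that the zeroing loop a few lines above applies to the same product, so if `width` and `height` are narrower than `int` (their declarations are outside the hunk) the multiplication is done in signed `int` and can overflow for large dimensions. I would write `end = pixels + (U32) bmp->width * (U32) bmp->height;` and widen `q = pixels + y * bmp->width + x;` the same way. The delta-mode checks `y >= bmp->height` and `x >= bmp->width` bound only the upper side; if `x` and `y` are signed and `ReadBlobByte` can return a negative end-of-data value, a lower-bound check is needed as well, which should be confirmed against the declarations above line 870. Separately, the end-of-line case now returns 0 as soon as `y` reaches `bmp->height`, so a stream that closes its last row with an end-of-line escape before the end-of-bitmap escape is reported as "corrupt bmp"; a comment saying this rejection is intended would help.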
150 |
|
151 |
diff --git a/media-libs/libwmf/files/libwmf-0.2.8.4-CVE-2015-4695.patch b/media-libs/libwmf/files/libwmf-0.2.8.4-CVE-2015-4695.patch |
152 |
new file mode 100644 |
153 |
index 0000000..b6d499d |
154 |
--- /dev/null |
155 |
+++ b/media-libs/libwmf/files/libwmf-0.2.8.4-CVE-2015-4695.patch |
156 |
@@ -0,0 +1,56 @@ |
157 |
+--- libwmf-0.2.8.4/src/player/meta.h |
158 |
++++ libwmf-0.2.8.4/src/player/meta.h |
159 |
+@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API, |
160 |
+ objects = P->objects; |
161 |
+ |
162 |
+ i = 0; |
163 |
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; |
164 |
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; |
165 |
+ |
166 |
+ if (i == NUM_OBJECTS (API)) |
167 |
+ { WMF_ERROR (API,"Object out of range!"); |
168 |
+@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w |
169 |
+ objects = P->objects; |
170 |
+ |
171 |
+ i = 0; |
172 |
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; |
173 |
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; |
174 |
+ |
175 |
+ if (i == NUM_OBJECTS (API)) |
176 |
+ { WMF_ERROR (API,"Object out of range!"); |
177 |
+@@ -3067,7 +3067,7 @@ static int meta_pen_create (wmfAPI* API, |
178 |
+ objects = P->objects; |
179 |
+ |
180 |
+ i = 0; |
181 |
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; |
182 |
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; |
183 |
+ |
184 |
+ if (i == NUM_OBJECTS (API)) |
185 |
+ { WMF_ERROR (API,"Object out of range!"); |
186 |
+@@ -3181,7 +3181,7 @@ static int meta_brush_create (wmfAPI* AP |
187 |
+ objects = P->objects; |
188 |
+ |
189 |
+ i = 0; |
190 |
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; |
191 |
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; |
192 |
+ |
193 |
+ if (i == NUM_OBJECTS (API)) |
194 |
+ { WMF_ERROR (API,"Object out of range!"); |
195 |
+@@ -3288,7 +3288,7 @@ static int meta_font_create (wmfAPI* API |
196 |
+ objects = P->objects; |
197 |
+ |
198 |
+ i = 0; |
199 |
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; |
200 |
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; |
201 |
+ |
202 |
+ if (i == NUM_OBJECTS (API)) |
203 |
+ { WMF_ERROR (API,"Object out of range!"); |
204 |
+@@ -3396,7 +3396,7 @@ static int meta_palette_create (wmfAPI* |
205 |
+ objects = P->objects; |
206 |
+ |
207 |
+ i = 0; |
208 |
+- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; |
209 |
++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; |
210 |
+ |
211 |
+ if (i == NUM_OBJECTS (API)) |
212 |
+ { WMF_ERROR (API,"Object out of range!"); |
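Review bot: The same free-slot scan is corrected in six separate places (meta_rgn_create, meta_dib_brush, meta_pen_create, meta_brush_create, meta_font_create, meta_palette_create), and nothing in the code records why the operand order matters, so a later copy of the loop can reintroduce the read of `objects[i].type` at `i == NUM_OBJECTS (API)`. I would add a comment above each loop such as `/* test the bound first: objects[i] may only be read while i < NUM_OBJECTS (API) */`, or move the scan into one static helper that all six callers use. The enclosing functions start and end outside these hunks, so whether any other loop over `objects` still uses the old order cannot be checked from here.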
213 |
|
214 |
diff --git a/media-libs/libwmf/files/libwmf-0.2.8.4-CVE-2015-4696.patch b/media-libs/libwmf/files/libwmf-0.2.8.4-CVE-2015-4696.patch |
215 |
new file mode 100644 |
216 |
index 0000000..3312841 |
217 |
--- /dev/null |
218 |
+++ b/media-libs/libwmf/files/libwmf-0.2.8.4-CVE-2015-4696.patch |
219 |
@@ -0,0 +1,23 @@ |
220 |
+--- libwmf-0.2.8.4/src/player/meta.h |
221 |
++++ libwmf-0.2.8.4/src/player/meta.h |
222 |
+@@ -2585,6 +2585,8 @@ |
223 |
+ polyrect.BR[i] = clip->rects[i].BR; |
224 |
+ } |
225 |
+ |
226 |
++ if (FR->region_clip) FR->region_clip (API,&polyrect); |
227 |
++ |
228 |
+ wmf_free (API,polyrect.TL); |
229 |
+ wmf_free (API,polyrect.BR); |
230 |
+ } |
231 |
+@@ -2593,9 +2595,10 @@ |
232 |
+ polyrect.BR = 0; |
233 |
+ |
234 |
+ polyrect.count = 0; |
235 |
++ |
236 |
++ if (FR->region_clip) FR->region_clip (API,&polyrect); |
237 |
+ } |
238 |
+ |
239 |
+- if (FR->region_clip) FR->region_clip (API,&polyrect); |
240 |
+ |
241 |
+ return (changed); |
242 |
+ } |
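Review bot: After the move, `polyrect.TL` and `polyrect.BR` still hold freed pointers once the two `wmf_free` calls have run, and the code does not record why `region_clip` has to be called before them. I would add `/* region_clip is handed polyrect, so it must run before TL/BR are freed */` above the first call and clear both pointers after the frees (`polyrect.TL = 0; polyrect.BR = 0;`), so that any later use fails on a null pointer rather than on freed memory. The second branch passes `count == 0` with both arrays null, as it did before the change; the callback is presumably expected to accept that. The function begins outside the hunk.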
243 |
|
244 |
diff --git a/media-libs/libwmf/libwmf-0.2.8.4-r6.ebuild b/media-libs/libwmf/libwmf-0.2.8.4-r6.ebuild |
245 |
new file mode 100644 |
246 |
index 0000000..b304973 |
247 |
--- /dev/null |
248 |
+++ b/media-libs/libwmf/libwmf-0.2.8.4-r6.ebuild |
249 |
@@ -0,0 +1,113 @@ |
250 |
+# Copyright 1999-2015 Gentoo Foundation |
251 |
+# Distributed under the terms of the GNU General Public License v2 |
252 |
+# $Id$ |
253 |
+ |
254 |
+EAPI=5 |
255 |
+ |
256 |
+AUTOTOOLS_AUTORECONF=true |
257 |
+ |
258 |
+inherit autotools-utils gnome2-utils |
259 |
+ |
260 |
+#The configure script finds the 5.50 ghostscript Fontmap file while run. |
261 |
+#This will probably work, especially since the real one (6.50) in this case |
262 |
+#is empty. However beware in case there is any trouble |
263 |
+ |
264 |
+DESCRIPTION="library for converting WMF files" |
265 |
+HOMEPAGE="http://wvware.sourceforge.net/" |
266 |
+SRC_URI="mirror://sourceforge/wvware/${P}.tar.gz" |
267 |
+ |
268 |
+LICENSE="GPL-2" |
269 |
+SLOT="0" |
270 |
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~x64-solaris" |
271 |
+IUSE="X debug doc expat xml" |
272 |
+ |
273 |
+RDEPEND=" |
274 |
+ app-text/ghostscript-gpl |
275 |
+ media-fonts/urw-fonts |
276 |
+ media-libs/freetype:2= |
277 |
+ >=media-libs/libpng-1.4:0= |
278 |
+ sys-libs/zlib |
279 |
+ x11-libs/gdk-pixbuf:2[X?] |
280 |
+ virtual/jpeg:0= |
281 |
+ xml? ( |
282 |
+ expat? ( dev-libs/expat ) |
283 |
+ !expat? ( dev-libs/libxml2 ) |
284 |
+ ) |
285 |
+ X? ( x11-libs/libX11 ) |
286 |
+" |
287 |
+DEPEND="${RDEPEND} |
288 |
+ virtual/pkgconfig |
289 |
+ X? ( |
290 |
+ x11-libs/libXt |
291 |
+ x11-libs/libXpm |
292 |
+ )" |
293 |
+# plotutils are not really supported yet, so looks like that's it |
294 |
+ |
295 |
+REQUIRED_USE="expat? ( xml )" |
296 |
+ |
297 |
+DOCS=( README AUTHORS CREDITS ChangeLog NEWS TODO ) |
298 |
+ |
299 |
+PATCHES=( |
300 |
+ "${FILESDIR}"/${P}-intoverflow.patch |
301 |
+ "${FILESDIR}"/${P}-build.patch |
302 |
+ "${FILESDIR}"/${P}-pngfix.patch |
303 |
+ "${FILESDIR}"/${P}-libpng-1.5.patch |
304 |
+ "${FILESDIR}"/${P}-use-system-fonts.patch |
305 |
+ "${FILESDIR}"/${P}-gdk-pixbuf.patch |
306 |
+ "${FILESDIR}"/${P}-CVE-2015-0848+CVE-2015-4588.patch |
307 |
+ "${FILESDIR}"/${P}-CVE-2015-4695.patch |
308 |
+ "${FILESDIR}"/${P}-CVE-2015-4696.patch |
309 |
+ ) |
310 |
+ |
311 |
+AUTOTOOLS_PRUNE_LIBTOOL_FILES='modules' |
312 |
+ |
313 |
+src_prepare() { |
314 |
+ if ! use doc ; then |
315 |
+ sed -e 's:doc::' -i Makefile.am || die |
316 |
+ fi |
317 |
+ sed -i 's/AM_CONFIG_HEADER/AC_CONFIG_HEADERS/g' configure.ac || die |
318 |
+ |
319 |
+ autotools-utils_src_prepare |
320 |
+} |
321 |
+ |
322 |
+src_configure() { |
323 |
+ local myeconfargs=() |
324 |
+ # NOTE: The gd that is included is gd-2.0.0. Even with --with-sys-gd, that gd is built |
325 |
+ # and included in libwmf. Since nothing in-tree seems to use media-libs/libwmf[gd], |
326 |
+ # we're explicitly disabling gd use w.r.t. bug 268161 |
327 |
+ if use expat; then |
328 |
+ myeconfargs+=( --without-libxml2 ) |
329 |
+ else |
330 |
+ myeconfargs+=( $(use_with xml libxml2) ) |
331 |
+ fi |
332 |
+ |
333 |
+ myeconfargs+=( |
334 |
+ --disable-static |
335 |
+ $(use_enable debug) |
336 |
+ $(use_with X x) |
337 |
+ $(use_with expat) |
338 |
+ --disable-gd |
339 |
+ --with-sys-gd |
340 |
+ --with-gsfontdir="${EPREFIX}"/usr/share/ghostscript/fonts |
341 |
+ --with-fontdir="${EPREFIX}"/usr/share/fonts/urw-fonts/ |
342 |
+ --with-docdir="${EPREFIX}"/usr/share/doc/${PF} |
343 |
+ ) |
344 |
+ autotools-utils_src_configure |
345 |
+} |
346 |
+ |
347 |
+src_install() { |
348 |
+ MAKEOPTS+=" -j1" |
349 |
+ autotools-utils_src_install |
350 |
+} |
351 |
+ |
352 |
+pkg_preinst() { |
353 |
+ gnome2_gdk_pixbuf_savelist |
354 |
+} |
355 |
+ |
356 |
+pkg_postinst() { |
357 |
+ gnome2_gdk_pixbuf_update |
358 |
+} |
359 |
+ |
360 |
+pkg_postrm() { |
361 |
+ gnome2_gdk_pixbuf_update |
362 |
+} |