Gentoo Archives: gentoo-commits

From: "Michał Górny" <mgorny@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: media-libs/libwmf/, media-libs/libwmf/files/
Date: Wed, 28 Oct 2015 07:27:00
Message-Id: 1445998371.eca676636078bad3c537dae10681c74d5cddcba7.mgorny@gentoo
1 commit: eca676636078bad3c537dae10681c74d5cddcba7
2 Author: Alexander Tsoy <alexander <AT> tsoy <DOT> me>
3 AuthorDate: Wed Oct 28 01:05:23 2015 +0000
4 Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
5 CommitDate: Wed Oct 28 02:12:51 2015 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eca67663
7
8 media-libs/libwmf: revbump with security fixes
9
10 Fixed security issues:
11
12 CVE-2015-0848: heap overflow when decoding BMP images
13 CVE-2015-4695: heap buffer overread in meta.h
14 CVE-2015-4696: use-after-free flaw in meta.h
15 CVE-2015-4588: heap overflow within the RLE decoding of embedded
16 BMP images
17
18 Gentoo-Bug: 553818
19
20 ...ibwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch | 118 +++++++++++++++++++++
21 .../files/libwmf-0.2.8.4-CVE-2015-4695.patch | 56 ++++++++++
22 .../files/libwmf-0.2.8.4-CVE-2015-4696.patch | 23 ++++
23 media-libs/libwmf/libwmf-0.2.8.4-r6.ebuild | 113 ++++++++++++++++++++
24 4 files changed, 310 insertions(+)
25
26 diff --git a/media-libs/libwmf/files/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch b/media-libs/libwmf/files/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
27 new file mode 100644
28 index 0000000..e8ba8db
29 --- /dev/null
30 +++ b/media-libs/libwmf/files/libwmf-0.2.8.4-CVE-2015-0848+CVE-2015-4588.patch
31 @@ -0,0 +1,118 @@
32 +--- libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:24.591876404 +0100
33 ++++ libwmf-0.2.8.4/src/ipa/ipa/bmp.h 2015-06-08 14:46:35.345993247 +0100
34 +@@ -859,7 +859,7 @@
35 + %
36 + %
37 + */
38 +-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
39 ++static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels)
40 + { int byte;
41 + int count;
42 + int i;
43 +@@ -870,12 +870,14 @@
44 + U32 u;
45 +
46 + unsigned char* q;
47 ++ unsigned char* end;
48 +
49 + for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0;
50 +
51 + byte = 0;
52 + x = 0;
53 + q = pixels;
54 ++ end = pixels + bmp->width * bmp->height;
55 +
56 + for (y = 0; y < bmp->height; )
57 + { count = ReadBlobByte (src);
58 +@@ -884,7 +886,10 @@
59 + { /* Encoded mode. */
60 + byte = ReadBlobByte (src);
61 + for (i = 0; i < count; i++)
62 +- { if (compression == 1)
63 ++ {
64 ++ if (q == end)
65 ++ return 0;
66 ++ if (compression == 1)
67 + { (*(q++)) = (unsigned char) byte;
68 + }
69 + else
70 +@@ -896,13 +901,15 @@
71 + else
72 + { /* Escape mode. */
73 + count = ReadBlobByte (src);
74 +- if (count == 0x01) return;
75 ++ if (count == 0x01) return 1;
76 + switch (count)
77 + {
78 + case 0x00:
79 + { /* End of line. */
80 + x = 0;
81 + y++;
82 ++ if (y >= bmp->height)
83 ++ return 0;
84 + q = pixels + y * bmp->width;
85 + break;
86 + }
87 +@@ -910,13 +917,20 @@
88 + { /* Delta mode. */
89 + x += ReadBlobByte (src);
90 + y += ReadBlobByte (src);
91 ++ if (y >= bmp->height)
92 ++ return 0;
93 ++ if (x >= bmp->width)
94 ++ return 0;
95 + q = pixels + y * bmp->width + x;
96 + break;
97 + }
98 + default:
99 + { /* Absolute mode. */
100 + for (i = 0; i < count; i++)
101 +- { if (compression == 1)
102 ++ {
103 ++ if (q == end)
104 ++ return 0;
105 ++ if (compression == 1)
106 + { (*(q++)) = ReadBlobByte (src);
107 + }
108 + else
109 +@@ -943,7 +957,7 @@
110 + byte = ReadBlobByte (src); /* end of line */
111 + byte = ReadBlobByte (src);
112 +
113 +- return;
114 ++ return 1;
115 + }
116 +
117 + /*
118 +@@ -1143,8 +1157,18 @@
119 + }
120 + }
121 + else
122 +- { /* Convert run-length encoded raster pixels. */
123 +- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image);
124 ++ {
125 ++ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */
126 ++ {
127 ++ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image))
128 ++ { WMF_ERROR (API,"corrupt bmp");
129 ++ API->err = wmf_E_BadFormat;
130 ++ }
131 ++ }
132 ++ else
133 ++ { WMF_ERROR (API,"Unexpected pixel depth");
134 ++ API->err = wmf_E_BadFormat;
135 ++ }
136 + }
137 +
138 + if (ERR (API))
139 +--- libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:24.590876393 +0100
140 ++++ libwmf-0.2.8.4/src/ipa/ipa.h 2015-06-08 14:46:35.345993247 +0100
141 +@@ -48,7 +48,7 @@
142 + static unsigned short ReadBlobLSBShort (BMPSource*);
143 + static unsigned long ReadBlobLSBLong (BMPSource*);
144 + static long TellBlob (BMPSource*);
145 +-static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
146 ++static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*);
147 + static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*);
148 + static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int);
149 + static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);
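Review bot: The new bound `end = pixels + bmp->width * bmp->height;` is computed without the `(U32)` casts that the zeroing loop a few lines above it applies to the same product, so the two can disagree. If `width` and `height` are narrower than `int` (the casts suggest so, but their declarations are outside the hunks), the product is evaluated in signed `int` and can overflow for large dimensions, which would leave `end` meaningless and the `q == end` guards ineffective. I would write `end = pixels + (U32) bmp->width * (U32) bmp->height;` and test `q >= end` in both run loops, so that a pointer which ever lands past the end still stops the write. Separately, the end-of-line case returns 0 as soon as `y` reaches `bmp->height`, so a stream that closes its last row with an end-of-line escape before the end-of-bitmap escape would be reported as corrupt; letting the outer `for` condition end the loop may be what is wanted. DecodeImage's body is only partly visible in these hunks.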
150
151 diff --git a/media-libs/libwmf/files/libwmf-0.2.8.4-CVE-2015-4695.patch b/media-libs/libwmf/files/libwmf-0.2.8.4-CVE-2015-4695.patch
152 new file mode 100644
153 index 0000000..b6d499d
154 --- /dev/null
155 +++ b/media-libs/libwmf/files/libwmf-0.2.8.4-CVE-2015-4695.patch
156 @@ -0,0 +1,56 @@
157 +--- libwmf-0.2.8.4/src/player/meta.h
158 ++++ libwmf-0.2.8.4/src/player/meta.h
159 +@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API,
160 + objects = P->objects;
161 +
162 + i = 0;
163 +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
164 ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
165 +
166 + if (i == NUM_OBJECTS (API))
167 + { WMF_ERROR (API,"Object out of range!");
168 +@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w
169 + objects = P->objects;
170 +
171 + i = 0;
172 +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
173 ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
174 +
175 + if (i == NUM_OBJECTS (API))
176 + { WMF_ERROR (API,"Object out of range!");
177 +@@ -3067,7 +3067,7 @@ static int meta_pen_create (wmfAPI* API,
178 + objects = P->objects;
179 +
180 + i = 0;
181 +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
182 ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
183 +
184 + if (i == NUM_OBJECTS (API))
185 + { WMF_ERROR (API,"Object out of range!");
186 +@@ -3181,7 +3181,7 @@ static int meta_brush_create (wmfAPI* AP
187 + objects = P->objects;
188 +
189 + i = 0;
190 +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
191 ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
192 +
193 + if (i == NUM_OBJECTS (API))
194 + { WMF_ERROR (API,"Object out of range!");
195 +@@ -3288,7 +3288,7 @@ static int meta_font_create (wmfAPI* API
196 + objects = P->objects;
197 +
198 + i = 0;
199 +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
200 ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
201 +
202 + if (i == NUM_OBJECTS (API))
203 + { WMF_ERROR (API,"Object out of range!");
204 +@@ -3396,7 +3396,7 @@ static int meta_palette_create (wmfAPI*
205 + objects = P->objects;
206 +
207 + i = 0;
208 +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++;
209 ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++;
210 +
211 + if (i == NUM_OBJECTS (API))
212 + { WMF_ERROR (API,"Object out of range!");
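Review bot: This patch file carries no header saying where the fix came from, and the same holds for the CVE-2015-0848+CVE-2015-4588 and CVE-2015-4696 patches added in this commit; for security backports that makes a later audit against their origin harder. I would add a short comment block at the top of each file naming the CVE, the Gentoo bug from the commit message (553818) and the source of the patch. The code change itself depends on `&&` short-circuiting so that `objects[i].type` is not read once `i` reaches `NUM_OBJECTS (API)`; a one-line comment such as `/* test the index before reading objects[i] */` at the first of the six loops would keep a later cleanup from reordering the operands. The enclosing functions start and end outside the hunks.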
213
214 diff --git a/media-libs/libwmf/files/libwmf-0.2.8.4-CVE-2015-4696.patch b/media-libs/libwmf/files/libwmf-0.2.8.4-CVE-2015-4696.patch
215 new file mode 100644
216 index 0000000..3312841
217 --- /dev/null
218 +++ b/media-libs/libwmf/files/libwmf-0.2.8.4-CVE-2015-4696.patch
219 @@ -0,0 +1,23 @@
220 +--- libwmf-0.2.8.4/src/player/meta.h
221 ++++ libwmf-0.2.8.4/src/player/meta.h
222 +@@ -2585,6 +2585,8 @@
223 + polyrect.BR[i] = clip->rects[i].BR;
224 + }
225 +
226 ++ if (FR->region_clip) FR->region_clip (API,&polyrect);
227 ++
228 + wmf_free (API,polyrect.TL);
229 + wmf_free (API,polyrect.BR);
230 + }
231 +@@ -2593,9 +2595,10 @@
232 + polyrect.BR = 0;
233 +
234 + polyrect.count = 0;
235 ++
236 ++ if (FR->region_clip) FR->region_clip (API,&polyrect);
237 + }
238 +
239 +- if (FR->region_clip) FR->region_clip (API,&polyrect);
240 +
241 + return (changed);
242 + }
243
244 diff --git a/media-libs/libwmf/libwmf-0.2.8.4-r6.ebuild b/media-libs/libwmf/libwmf-0.2.8.4-r6.ebuild
245 new file mode 100644
246 index 0000000..b304973
247 --- /dev/null
248 +++ b/media-libs/libwmf/libwmf-0.2.8.4-r6.ebuild
249 @@ -0,0 +1,113 @@
250 +# Copyright 1999-2015 Gentoo Foundation
251 +# Distributed under the terms of the GNU General Public License v2
252 +# $Id$
253 +
254 +EAPI=5
255 +
256 +AUTOTOOLS_AUTORECONF=true
257 +
258 +inherit autotools-utils gnome2-utils
259 +
260 +#The configure script finds the 5.50 ghostscript Fontmap file while run.
261 +#This will probably work, especially since the real one (6.50) in this case
262 +#is empty. However beware in case there is any trouble
263 +
264 +DESCRIPTION="library for converting WMF files"
265 +HOMEPAGE="http://wvware.sourceforge.net/"
266 +SRC_URI="mirror://sourceforge/wvware/${P}.tar.gz"
267 +
268 +LICENSE="GPL-2"
269 +SLOT="0"
270 +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~x64-solaris"
271 +IUSE="X debug doc expat xml"
272 +
273 +RDEPEND="
274 + app-text/ghostscript-gpl
275 + media-fonts/urw-fonts
276 + media-libs/freetype:2=
277 + >=media-libs/libpng-1.4:0=
278 + sys-libs/zlib
279 + x11-libs/gdk-pixbuf:2[X?]
280 + virtual/jpeg:0=
281 + xml? (
282 + expat? ( dev-libs/expat )
283 + !expat? ( dev-libs/libxml2 )
284 + )
285 + X? ( x11-libs/libX11 )
286 +"
287 +DEPEND="${RDEPEND}
288 + virtual/pkgconfig
289 + X? (
290 + x11-libs/libXt
291 + x11-libs/libXpm
292 + )"
293 +# plotutils are not really supported yet, so looks like that's it
294 +
295 +REQUIRED_USE="expat? ( xml )"
296 +
297 +DOCS=( README AUTHORS CREDITS ChangeLog NEWS TODO )
298 +
299 +PATCHES=(
300 + "${FILESDIR}"/${P}-intoverflow.patch
301 + "${FILESDIR}"/${P}-build.patch
302 + "${FILESDIR}"/${P}-pngfix.patch
303 + "${FILESDIR}"/${P}-libpng-1.5.patch
304 + "${FILESDIR}"/${P}-use-system-fonts.patch
305 + "${FILESDIR}"/${P}-gdk-pixbuf.patch
306 + "${FILESDIR}"/${P}-CVE-2015-0848+CVE-2015-4588.patch
307 + "${FILESDIR}"/${P}-CVE-2015-4695.patch
308 + "${FILESDIR}"/${P}-CVE-2015-4696.patch
309 + )
310 +
311 +AUTOTOOLS_PRUNE_LIBTOOL_FILES='modules'
312 +
313 +src_prepare() {
314 + if ! use doc ; then
315 + sed -e 's:doc::' -i Makefile.am || die
316 + fi
317 + sed -i 's/AM_CONFIG_HEADER/AC_CONFIG_HEADERS/g' configure.ac || die
318 +
319 + autotools-utils_src_prepare
320 +}
321 +
322 +src_configure() {
323 + local myeconfargs=()
324 + # NOTE: The gd that is included is gd-2.0.0. Even with --with-sys-gd, that gd is built
325 + # and included in libwmf. Since nothing in-tree seems to use media-libs/libwmf[gd],
326 + # we're explicitly disabling gd use w.r.t. bug 268161
327 + if use expat; then
328 + myeconfargs+=( --without-libxml2 )
329 + else
330 + myeconfargs+=( $(use_with xml libxml2) )
331 + fi
332 +
333 + myeconfargs+=(
334 + --disable-static
335 + $(use_enable debug)
336 + $(use_with X x)
337 + $(use_with expat)
338 + --disable-gd
339 + --with-sys-gd
340 + --with-gsfontdir="${EPREFIX}"/usr/share/ghostscript/fonts
341 + --with-fontdir="${EPREFIX}"/usr/share/fonts/urw-fonts/
342 + --with-docdir="${EPREFIX}"/usr/share/doc/${PF}
343 + )
344 + autotools-utils_src_configure
345 +}
346 +
347 +src_install() {
348 + MAKEOPTS+=" -j1"
349 + autotools-utils_src_install
350 +}
351 +
352 +pkg_preinst() {
353 + gnome2_gdk_pixbuf_savelist
354 +}
355 +
356 +pkg_postinst() {
357 + gnome2_gdk_pixbuf_update
358 +}
359 +
360 +pkg_postrm() {
361 + gnome2_gdk_pixbuf_update
362 +}
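Review bot: `--disable-gd` and `--with-sys-gd` are passed together in `src_configure`, while the comment above them says the bundled gd-2.0.0 is built and included even with `--with-sys-gd`; nothing visible here shows which of the two flags actually keeps that old bundled copy out of the build. For a revision whose purpose is security fixes, I would extend the comment to state which flag excludes the bundled gd and why the other is still passed, or drop `--with-sys-gd` if configure ignores it once gd is disabled. Either should be confirmed against the package's configure script, which is not part of this page.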