From: Efraim Flashner <efraim@flashner.co.il>
To: Kei Kebreau <kei@openmailbox.org>
Cc: guix-devel@gnu.org
Subject: Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
Date: Sat, 15 Oct 2016 21:03:35 +0300 [thread overview]
Message-ID: <20161015180335.GC14171@macbook42.flashner.co.il> (raw)
In-Reply-To: <87mvi6xyl7.fsf@openmailbox.org>
[-- Attachment #1: Type: text/plain, Size: 6181 bytes --]
On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote:
> Leo Famulari <leo@famulari.name> writes:
>
> > On Fri, Oct 14, 2016 at 10:44:05AM +0000, Efraim Flashner wrote:
> >> efraim pushed a commit to branch master
> >> in repository guix.
> >>
> >> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134
> >> Author: Efraim Flashner <efraim@flashner.co.il>
> >> Date: Fri Oct 14 11:28:21 2016 +0300
> >>
> >> gnu: freeimage: Fix CVE-2016-5684.
> >>
> >> * gnu/packages/image.scm (freeimage)[source]: Add patch.
> >> * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file.
> >> * gnu/local.mk (dist_patch_DATA): Register it.
> >> ---
> >> gnu/local.mk | 1 +
> >> gnu/packages/image.scm | 3 +-
> >> gnu/packages/patches/freeimage-CVE-2016-5684.patch | 34 ++++++++++++++++++++
> >> 3 files changed, 37 insertions(+), 1 deletion(-)
> >
> > Efraim pointed out on IRC that our freeimage packages bundles many
> > 3rd-party libraries:
> >
> > $ ls -1 FreeImage/Source
> > CacheFile.h
> > DeprecationManager
> > FreeImage
> > FreeImage.h
> > FreeImageIO.h
> > FreeImageLib
> > FreeImageToolkit
> > LibJPEG
> > LibJXR
> > LibOpenJPEG
> > LibPNG
> > LibRawLite
> > LibTIFF4
> > LibWebP
> > MapIntrospector.h
> > Metadata
> > OpenEXR
> > Plugin.h
> > Quantizers.h
> > ToneMapping.h
> > Utilities.h
> > ZLib
> >
> > Debian has a patch to make it use "system" copies of the libraries:
> >
> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
> >
> > For now, our freeimage package is probably vulnerable to many publicly
> > disclosed security bugs.
> >
> > Who volunteers to try fixing this?
>
> The patch is attached. I've removed the bit from Debian that disables JPEG
> transformation functions, as seen below. JPEGTransform.cpp (in
> Source/FreeImageToolkit) gave me some trouble when I left that part of
> the patch alone.
>
> @@ -473,6 +477,9 @@ FI_ENUM(FREE_IMAGE_DITHER) {
> FID_BAYER16x16 = 6 //! Bayer ordered dispersed dot dithering (order 4 dithering matrix)
> };
>
> +/* Debian: The JPEGTransform functions are deliberately disabled in our build
> + of FreeImage, since they require usage of the vendored copy of libjpeg. */
> +#if 0
> /** Lossless JPEG transformations
> Constants used in FreeImage_JPEGTransform
> */
> @@ -486,6 +493,7 @@ FI_ENUM(FREE_IMAGE_JPEG_OPERATION) {
> FIJPEG_OP_ROTATE_180 = 6, //! 180-degree rotation
> FIJPEG_OP_ROTATE_270 = 7 //! 270-degree clockwise (or 90 ccw)
> };
> +#endif
>
> /** Tone mapping operators.
> Constants used in FreeImage_ToneMapping.
> @@ -1076,7 +1084,9 @@ DLL_API const char* DLL_CALLCONV FreeImage_TagToString(FREE_IMAGE_MDMODEL model,
> // --------------------------------------------------------------------------
> // JPEG lossless transformation routines
> // --------------------------------------------------------------------------
> -
> +/* Debian: The JPEGTransform functions are deliberately disabled in our build
> + of FreeImage, since they require usage of the vendored copy of libjpeg. */
> +#if 0
> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransform(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE));
> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE));
> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGCrop(const char *src_file, const char *dst_file, int left, int top, int right, int bottom);
> @@ -1085,6 +1095,7 @@ DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformFromHandle(FreeImageIO* src_io,
> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombined(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedFromMemory(FIMEMORY* src_stream, FIMEMORY* dst_stream, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
> +#endif
> From 4ef0c85c769aa4bc7a528c13eee1c61705e61479 Mon Sep 17 00:00:00 2001
> From: Kei Kebreau <kei@openmailbox.org>
> Date: Fri, 14 Oct 2016 18:09:45 -0400
> Subject: [PATCH] gnu: freeimage: Disable in-tree third-party libraries.
>
> * gnu/packages/image.scm (freeimage)[source]: Add patch.
> * gnu/packages/patches/freeimage-disable-vendored-dependencies.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> ---
> gnu/local.mk | 1 +
> gnu/packages/image.scm | 6 +-
> .../freeimage-disable-vendored-dependencies.patch | 398 +++++++++++++++++++++
> 3 files changed, 404 insertions(+), 1 deletion(-)
> create mode 100644 gnu/packages/patches/freeimage-disable-vendored-dependencies.patch
I was looking at it and I thought it was going to be much more than 400
lines in the end.
Did we also need the other patch?
https://sources.debian.net/src/freeimage/3.17.0%2Bds1-3/debian/patches/Use-system-dependencies.patch/
On one hand we could carry a modified version of Debian's patch, on the
other hand some of these look like they could be a series of substitute*
commands. I started looking through the patch and thinking how to
convert them from "../path/to/header.h" to <header.h> and realizing I
myself wouldn't want to do that, so that could easily be an option for
another time :).
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 801 bytes --]
next prev parent reply other threads:[~2016-10-15 18:03 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20161014104404.22087.86582@vcs.savannah.gnu.org>
[not found] ` <20161014104405.901E322012A@vcs.savannah.gnu.org>
2016-10-14 17:48 ` Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.] Leo Famulari
2016-10-15 0:09 ` Kei Kebreau
2016-10-15 18:03 ` Efraim Flashner [this message]
2016-10-15 18:57 ` Kei Kebreau
2016-10-15 19:50 ` Leo Famulari
2016-10-16 2:30 ` Kei Kebreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161015180335.GC14171@macbook42.flashner.co.il \
--to=efraim@flashner.co.il \
--cc=guix-devel@gnu.org \
--cc=kei@openmailbox.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).