* Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
[not found] ` <20161014104405.901E322012A@vcs.savannah.gnu.org>
@ 2016-10-14 17:48 ` Leo Famulari
2016-10-15 0:09 ` Kei Kebreau
0 siblings, 1 reply; 6+ messages in thread
From: Leo Famulari @ 2016-10-14 17:48 UTC (permalink / raw)
To: guix-devel
On Fri, Oct 14, 2016 at 10:44:05AM +0000, Efraim Flashner wrote:
> efraim pushed a commit to branch master
> in repository guix.
>
> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134
> Author: Efraim Flashner <efraim@flashner.co.il>
> Date: Fri Oct 14 11:28:21 2016 +0300
>
> gnu: freeimage: Fix CVE-2016-5684.
>
> * gnu/packages/image.scm (freeimage)[source]: Add patch.
> * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> ---
> gnu/local.mk | 1 +
> gnu/packages/image.scm | 3 +-
> gnu/packages/patches/freeimage-CVE-2016-5684.patch | 34 ++++++++++++++++++++
> 3 files changed, 37 insertions(+), 1 deletion(-)
Efraim pointed out on IRC that our freeimage packages bundles many
3rd-party libraries:
$ ls -1 FreeImage/Source
CacheFile.h
DeprecationManager
FreeImage
FreeImage.h
FreeImageIO.h
FreeImageLib
FreeImageToolkit
LibJPEG
LibJXR
LibOpenJPEG
LibPNG
LibRawLite
LibTIFF4
LibWebP
MapIntrospector.h
Metadata
OpenEXR
Plugin.h
Quantizers.h
ToneMapping.h
Utilities.h
ZLib
Debian has a patch to make it use "system" copies of the libraries:
https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
For now, our freeimage package is probably vulnerable to many publicly
disclosed security bugs.
Who volunteers to try fixing this?
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
2016-10-14 17:48 ` Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.] Leo Famulari
@ 2016-10-15 0:09 ` Kei Kebreau
2016-10-15 18:03 ` Efraim Flashner
0 siblings, 1 reply; 6+ messages in thread
From: Kei Kebreau @ 2016-10-15 0:09 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
[-- Attachment #1.1: Type: text/plain, Size: 4304 bytes --]
Leo Famulari <leo@famulari.name> writes:
> On Fri, Oct 14, 2016 at 10:44:05AM +0000, Efraim Flashner wrote:
>> efraim pushed a commit to branch master
>> in repository guix.
>>
>> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134
>> Author: Efraim Flashner <efraim@flashner.co.il>
>> Date: Fri Oct 14 11:28:21 2016 +0300
>>
>> gnu: freeimage: Fix CVE-2016-5684.
>>
>> * gnu/packages/image.scm (freeimage)[source]: Add patch.
>> * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> ---
>> gnu/local.mk | 1 +
>> gnu/packages/image.scm | 3 +-
>> gnu/packages/patches/freeimage-CVE-2016-5684.patch | 34 ++++++++++++++++++++
>> 3 files changed, 37 insertions(+), 1 deletion(-)
>
> Efraim pointed out on IRC that our freeimage packages bundles many
> 3rd-party libraries:
>
> $ ls -1 FreeImage/Source
> CacheFile.h
> DeprecationManager
> FreeImage
> FreeImage.h
> FreeImageIO.h
> FreeImageLib
> FreeImageToolkit
> LibJPEG
> LibJXR
> LibOpenJPEG
> LibPNG
> LibRawLite
> LibTIFF4
> LibWebP
> MapIntrospector.h
> Metadata
> OpenEXR
> Plugin.h
> Quantizers.h
> ToneMapping.h
> Utilities.h
> ZLib
>
> Debian has a patch to make it use "system" copies of the libraries:
>
> https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
>
> For now, our freeimage package is probably vulnerable to many publicly
> disclosed security bugs.
>
> Who volunteers to try fixing this?
The patch is attached. I've removed the bit from Debian that disables JPEG
transformation functions, as seen below. JPEGTransform.cpp (in
Source/FreeImageToolkit) gave me some trouble when I left that part of
the patch alone.
@@ -473,6 +477,9 @@ FI_ENUM(FREE_IMAGE_DITHER) {
FID_BAYER16x16 = 6 //! Bayer ordered dispersed dot dithering (order 4 dithering matrix)
};
+/* Debian: The JPEGTransform functions are deliberately disabled in our build
+ of FreeImage, since they require usage of the vendored copy of libjpeg. */
+#if 0
/** Lossless JPEG transformations
Constants used in FreeImage_JPEGTransform
*/
@@ -486,6 +493,7 @@ FI_ENUM(FREE_IMAGE_JPEG_OPERATION) {
FIJPEG_OP_ROTATE_180 = 6, //! 180-degree rotation
FIJPEG_OP_ROTATE_270 = 7 //! 270-degree clockwise (or 90 ccw)
};
+#endif
/** Tone mapping operators.
Constants used in FreeImage_ToneMapping.
@@ -1076,7 +1084,9 @@ DLL_API const char* DLL_CALLCONV FreeImage_TagToString(FREE_IMAGE_MDMODEL model,
// --------------------------------------------------------------------------
// JPEG lossless transformation routines
// --------------------------------------------------------------------------
-
+/* Debian: The JPEGTransform functions are deliberately disabled in our build
+ of FreeImage, since they require usage of the vendored copy of libjpeg. */
+#if 0
DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransform(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE));
DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE));
DLL_API BOOL DLL_CALLCONV FreeImage_JPEGCrop(const char *src_file, const char *dst_file, int left, int top, int right, int bottom);
@@ -1085,6 +1095,7 @@ DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformFromHandle(FreeImageIO* src_io,
DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombined(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedFromMemory(FIMEMORY* src_stream, FIMEMORY* dst_stream, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
+#endif
[-- Attachment #1.2: 0001-gnu-freeimage-Disable-in-tree-third-party-libraries.patch --]
[-- Type: text/plain, Size: 18258 bytes --]
From 4ef0c85c769aa4bc7a528c13eee1c61705e61479 Mon Sep 17 00:00:00 2001
From: Kei Kebreau <kei@openmailbox.org>
Date: Fri, 14 Oct 2016 18:09:45 -0400
Subject: [PATCH] gnu: freeimage: Disable in-tree third-party libraries.
* gnu/packages/image.scm (freeimage)[source]: Add patch.
* gnu/packages/patches/freeimage-disable-vendored-dependencies.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
---
gnu/local.mk | 1 +
gnu/packages/image.scm | 6 +-
.../freeimage-disable-vendored-dependencies.patch | 398 +++++++++++++++++++++
3 files changed, 404 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/freeimage-disable-vendored-dependencies.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index a9343f0..a151d2b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -526,6 +526,7 @@ dist_patch_DATA = \
%D%/packages/patches/fltk-xfont-on-demand.patch \
%D%/packages/patches/fontconfig-CVE-2016-5384.patch \
%D%/packages/patches/fontforge-svg-modtime.patch \
+ %D%/packages/patches/freeimage-disable-vendored-dependencies.patch \
%D%/packages/patches/freeimage-CVE-2015-0852.patch \
%D%/packages/patches/freeimage-CVE-2016-5684.patch \
%D%/packages/patches/gawk-fts-test.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 7455bb8..a2b52d2 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -581,7 +581,8 @@ supplies a generic doubly-linked list and some string functions.")
(sha256
(base32
"12bz57asdcfsz3zr9i9nska0fb6h3z2aizy412qjqkixkginbz7v"))
- (patches (search-patches "freeimage-CVE-2015-0852.patch"
+ (patches (search-patches "freeimage-disable-vendored-dependencies.patch"
+ "freeimage-CVE-2015-0852.patch"
"freeimage-CVE-2016-5684.patch"))))
(build-system gnu-build-system)
(arguments
@@ -596,6 +597,9 @@ supplies a generic doubly-linked list and some string functions.")
#t)))
#:make-flags '("CC=gcc")
#:tests? #f)) ; no check target
+ (inputs
+ `(("libwebp" ,libwebp)
+ ("openexr" ,openexr)))
(native-inputs
`(("unzip" ,unzip)))
;; Fails to build on MIPS due to assembly code in the source.
diff --git a/gnu/packages/patches/freeimage-disable-vendored-dependencies.patch b/gnu/packages/patches/freeimage-disable-vendored-dependencies.patch
new file mode 100644
index 0000000..c466a10
--- /dev/null
+++ b/gnu/packages/patches/freeimage-disable-vendored-dependencies.patch
@@ -0,0 +1,398 @@
+This patch was copied from Debian.
+
+diff --git a/Source/FreeImage.h b/Source/FreeImage.h
+index e2d1c5a..94d817d 100644
+--- a/Source/FreeImage.h
++++ b/Source/FreeImage.h
+@@ -410,7 +410,11 @@ FI_ENUM(FREE_IMAGE_FORMAT) {
+ FIF_DDS = 24,
+ FIF_GIF = 25,
+ FIF_HDR = 26,
+- FIF_FAXG3 = 27,
++/* Debian: The G3 fax format plugin is deliberately disabled in our build of
++ FreeImage, since it requires usage of the vendored copy of libtiff. */
++#if 0
++ FIF_FAXG3 = 27,
++#endif
+ FIF_SGI = 28,
+ FIF_EXR = 29,
+ FIF_J2K = 30,
+
+ // --------------------------------------------------------------------------
+diff --git a/Source/FreeImage/J2KHelper.cpp b/Source/FreeImage/J2KHelper.cpp
+index 1776c3b..538f1c5 100644
+--- a/Source/FreeImage/J2KHelper.cpp
++++ b/Source/FreeImage/J2KHelper.cpp
+@@ -21,7 +21,7 @@
+
+ #include "FreeImage.h"
+ #include "Utilities.h"
+-#include "../LibOpenJPEG/openjpeg.h"
++#include <openjpeg.h>
+ #include "J2KHelper.h"
+
+ // --------------------------------------------------------------------------
+diff --git a/Source/FreeImage/Plugin.cpp b/Source/FreeImage/Plugin.cpp
+index 57ebffd..c883a31 100644
+--- a/Source/FreeImage/Plugin.cpp
++++ b/Source/FreeImage/Plugin.cpp
+@@ -263,7 +263,11 @@ FreeImage_Initialise(BOOL load_local_plugins_only) {
+ s_plugins->AddNode(InitDDS);
+ s_plugins->AddNode(InitGIF);
+ s_plugins->AddNode(InitHDR);
++/* The G3 fax format plugin is deliberately disabled in our build of FreeImage
++ since it requires usage of the vendored copy of libtiff. */
++#if 0
+ s_plugins->AddNode(InitG3);
++#endif
+ s_plugins->AddNode(InitSGI);
+ s_plugins->AddNode(InitEXR);
+ s_plugins->AddNode(InitJ2K);
+diff --git a/Source/FreeImage/PluginEXR.cpp b/Source/FreeImage/PluginEXR.cpp
+index b286430..9bf3ada 100644
+--- a/Source/FreeImage/PluginEXR.cpp
++++ b/Source/FreeImage/PluginEXR.cpp
+@@ -28,16 +28,16 @@
+ #pragma warning (disable : 4800) // ImfVersion.h - 'const int' : forcing value to bool 'true' or 'false' (performance warning)
+ #endif
+
+-#include "../OpenEXR/IlmImf/ImfIO.h"
+-#include "../OpenEXR/Iex/Iex.h"
+-#include "../OpenEXR/IlmImf/ImfOutputFile.h"
+-#include "../OpenEXR/IlmImf/ImfInputFile.h"
+-#include "../OpenEXR/IlmImf/ImfRgbaFile.h"
+-#include "../OpenEXR/IlmImf/ImfChannelList.h"
+-#include "../OpenEXR/IlmImf/ImfRgba.h"
+-#include "../OpenEXR/IlmImf/ImfArray.h"
+-#include "../OpenEXR/IlmImf/ImfPreviewImage.h"
+-#include "../OpenEXR/Half/half.h"
++#include <OpenEXR/ImfIO.h>
++#include <OpenEXR/Iex.h>
++#include <OpenEXR/ImfOutputFile.h>
++#include <OpenEXR/ImfInputFile.h>
++#include <OpenEXR/ImfRgbaFile.h>
++#include <OpenEXR/ImfChannelList.h>
++#include <OpenEXR/ImfRgba.h>
++#include <OpenEXR/ImfArray.h>
++#include <OpenEXR/ImfPreviewImage.h>
++#include <OpenEXR/half.h>
+
+
+ // ==========================================================
+diff --git a/Source/FreeImage/PluginJ2K.cpp b/Source/FreeImage/PluginJ2K.cpp
+index b8bcfc8..621a903 100644
+--- a/Source/FreeImage/PluginJ2K.cpp
++++ b/Source/FreeImage/PluginJ2K.cpp
+@@ -21,7 +21,7 @@
+
+ #include "FreeImage.h"
+ #include "Utilities.h"
+-#include "../LibOpenJPEG/openjpeg.h"
++#include <openjpeg.h>
+ #include "J2KHelper.h"
+
+ // ==========================================================
+diff --git a/Source/FreeImage/PluginJP2.cpp b/Source/FreeImage/PluginJP2.cpp
+index 742fe2c..c57f626 100644
+--- a/Source/FreeImage/PluginJP2.cpp
++++ b/Source/FreeImage/PluginJP2.cpp
+@@ -21,7 +21,7 @@
+
+ #include "FreeImage.h"
+ #include "Utilities.h"
+-#include "../LibOpenJPEG/openjpeg.h"
++#include <openjpeg.h>
+ #include "J2KHelper.h"
+
+ // ==========================================================
+diff --git a/Source/FreeImage/PluginJPEG.cpp b/Source/FreeImage/PluginJPEG.cpp
+index 573989c..aaeefa4 100644
+--- a/Source/FreeImage/PluginJPEG.cpp
++++ b/Source/FreeImage/PluginJPEG.cpp
+@@ -35,9 +35,9 @@ extern "C" {
+ #undef FAR
+ #include <setjmp.h>
+
+-#include "../LibJPEG/jinclude.h"
+-#include "../LibJPEG/jpeglib.h"
+-#include "../LibJPEG/jerror.h"
++#include <stdio.h>
++#include <jpeglib.h>
++#include <jerror.h>
+ }
+
+ #include "FreeImage.h"
+diff --git a/Source/FreeImage/PluginJXR.cpp b/Source/FreeImage/PluginJXR.cpp
+index 0e14e09..3e9fb87 100644
+--- a/Source/FreeImage/PluginJXR.cpp
++++ b/Source/FreeImage/PluginJXR.cpp
+@@ -23,7 +23,7 @@
+ #include "Utilities.h"
+ #include "../Metadata/FreeImageTag.h"
+
+-#include "../LibJXR/jxrgluelib/JXRGlue.h"
++#include <JXRGlue.h>
+
+ // ==========================================================
+ // Plugin Interface
+diff --git a/Source/FreeImage/PluginPNG.cpp b/Source/FreeImage/PluginPNG.cpp
+index ba2ef17..c3c5cd6 100644
+--- a/Source/FreeImage/PluginPNG.cpp
++++ b/Source/FreeImage/PluginPNG.cpp
+@@ -40,8 +40,8 @@
+
+ // ----------------------------------------------------------
+
+-#include "../ZLib/zlib.h"
+-#include "../LibPNG/png.h"
++#include <zlib.h>
++#include <png.h>
+
+ // ----------------------------------------------------------
+
+diff --git a/Source/FreeImage/PluginRAW.cpp b/Source/FreeImage/PluginRAW.cpp
+index e9bd5bf..c7f8758 100644
+--- a/Source/FreeImage/PluginRAW.cpp
++++ b/Source/FreeImage/PluginRAW.cpp
+@@ -19,7 +19,7 @@
+ // Use at your own risk!
+ // ==========================================================
+
+-#include "../LibRawLite/libraw/libraw.h"
++#include <libraw/libraw.h>
+
+ #include "FreeImage.h"
+ #include "Utilities.h"
+diff --git a/Source/FreeImage/PluginTIFF.cpp b/Source/FreeImage/PluginTIFF.cpp
+index 1b45453..3f723d4 100644
+--- a/Source/FreeImage/PluginTIFF.cpp
++++ b/Source/FreeImage/PluginTIFF.cpp
+@@ -37,9 +37,9 @@
+
+ #include "FreeImage.h"
+ #include "Utilities.h"
+-#include "../LibTIFF4/tiffiop.h"
++#include <tiffio.h>
+ #include "../Metadata/FreeImageTag.h"
+-#include "../OpenEXR/Half/half.h"
++#include <OpenEXR/half.h>
+
+ #include "FreeImageIO.h"
+ #include "PSDParser.h"
+diff --git a/Source/FreeImage/PluginWebP.cpp b/Source/FreeImage/PluginWebP.cpp
+index 9fb0b69..31837d4 100644
+--- a/Source/FreeImage/PluginWebP.cpp
++++ b/Source/FreeImage/PluginWebP.cpp
+@@ -24,10 +24,10 @@
+
+ #include "../Metadata/FreeImageTag.h"
+
+-#include "../LibWebP/src/webp/decode.h"
+-#include "../LibWebP/src/webp/encode.h"
+-#include "../LibWebP/src/enc/vp8enci.h"
+-#include "../LibWebP/src/webp/mux.h"
++#include <webp/decode.h>
++#include <webp/encode.h>
++// #include "../LibWebP/src/enc/vp8enci.h"
++#include <webp/mux.h>
+
+ // ==========================================================
+ // Plugin Interface
+diff --git a/Source/FreeImage/ZLibInterface.cpp b/Source/FreeImage/ZLibInterface.cpp
+index 3ab6d32..1a90904 100644
+--- a/Source/FreeImage/ZLibInterface.cpp
++++ b/Source/FreeImage/ZLibInterface.cpp
+@@ -19,10 +19,9 @@
+ // Use at your own risk!
+ // ==========================================================
+
+-#include "../ZLib/zlib.h"
++#include <zlib.h>
+ #include "FreeImage.h"
+ #include "Utilities.h"
+-#include "../ZLib/zutil.h" /* must be the last header because of error C3163 in VS2008 (_vsnprintf defined in stdio.h) */
+
+ /**
+ Compresses a source buffer into a target buffer, using the ZLib library.
+@@ -115,7 +114,7 @@ FreeImage_ZLibGZip(BYTE *target, DWORD target_size, BYTE *source, DWORD source_s
+ return 0;
+ case Z_OK: {
+ // patch header, setup crc and length (stolen from mod_trace_output)
+- BYTE *p = target + 8; *p++ = 2; *p = OS_CODE; // xflags, os_code
++ BYTE *p = target + 8; *p++ = 2; *p = 0x03; // xflags, os_code (unix)
+ crc = crc32(crc, source, source_size);
+ memcpy(target + 4 + dest_len, &crc, 4);
+ memcpy(target + 8 + dest_len, &source_size, 4);
+diff --git a/Source/Metadata/XTIFF.cpp b/Source/Metadata/XTIFF.cpp
+index d5be902..c1519ca 100644
+--- a/Source/Metadata/XTIFF.cpp
++++ b/Source/Metadata/XTIFF.cpp
+@@ -29,13 +29,18 @@
+ #pragma warning (disable : 4786) // identifier was truncated to 'number' characters
+ #endif
+
+-#include "../LibTIFF4/tiffiop.h"
++#include <tiffio.h>
+
+ #include "FreeImage.h"
+ #include "Utilities.h"
+ #include "FreeImageTag.h"
+ #include "FIRational.h"
+
++extern "C"
++{
++ int _TIFFDataSize(TIFFDataType type);
++}
++
+ // ----------------------------------------------------------
+ // Extended TIFF Directory GEO Tag Support
+ // ----------------------------------------------------------
+@@ -224,6 +229,33 @@ tiff_write_geotiff_profile(TIFF *tif, FIBITMAP *dib) {
+ // TIFF EXIF tag reading & writing
+ // ----------------------------------------------------------
+
++static uint32 exif_tag_ids[] = {
++ EXIFTAG_EXPOSURETIME, EXIFTAG_FNUMBER, EXIFTAG_EXPOSUREPROGRAM,
++ EXIFTAG_SPECTRALSENSITIVITY, EXIFTAG_ISOSPEEDRATINGS, EXIFTAG_OECF,
++ EXIFTAG_EXIFVERSION, EXIFTAG_DATETIMEORIGINAL, EXIFTAG_DATETIMEDIGITIZED,
++ EXIFTAG_COMPONENTSCONFIGURATION, EXIFTAG_COMPRESSEDBITSPERPIXEL,
++ EXIFTAG_SHUTTERSPEEDVALUE, EXIFTAG_APERTUREVALUE,
++ EXIFTAG_BRIGHTNESSVALUE, EXIFTAG_EXPOSUREBIASVALUE,
++ EXIFTAG_MAXAPERTUREVALUE, EXIFTAG_SUBJECTDISTANCE, EXIFTAG_METERINGMODE,
++ EXIFTAG_LIGHTSOURCE, EXIFTAG_FLASH, EXIFTAG_FOCALLENGTH,
++ EXIFTAG_SUBJECTAREA, EXIFTAG_MAKERNOTE, EXIFTAG_USERCOMMENT,
++ EXIFTAG_SUBSECTIME, EXIFTAG_SUBSECTIMEORIGINAL,
++ EXIFTAG_SUBSECTIMEDIGITIZED, EXIFTAG_FLASHPIXVERSION, EXIFTAG_COLORSPACE,
++ EXIFTAG_PIXELXDIMENSION, EXIFTAG_PIXELYDIMENSION,
++ EXIFTAG_RELATEDSOUNDFILE, EXIFTAG_FLASHENERGY,
++ EXIFTAG_SPATIALFREQUENCYRESPONSE, EXIFTAG_FOCALPLANEXRESOLUTION,
++ EXIFTAG_FOCALPLANEYRESOLUTION, EXIFTAG_FOCALPLANERESOLUTIONUNIT,
++ EXIFTAG_SUBJECTLOCATION, EXIFTAG_EXPOSUREINDEX, EXIFTAG_SENSINGMETHOD,
++ EXIFTAG_FILESOURCE, EXIFTAG_SCENETYPE, EXIFTAG_CFAPATTERN,
++ EXIFTAG_CUSTOMRENDERED, EXIFTAG_EXPOSUREMODE, EXIFTAG_WHITEBALANCE,
++ EXIFTAG_DIGITALZOOMRATIO, EXIFTAG_FOCALLENGTHIN35MMFILM,
++ EXIFTAG_SCENECAPTURETYPE, EXIFTAG_GAINCONTROL, EXIFTAG_CONTRAST,
++ EXIFTAG_SATURATION, EXIFTAG_SHARPNESS, EXIFTAG_DEVICESETTINGDESCRIPTION,
++ EXIFTAG_SUBJECTDISTANCERANGE, EXIFTAG_GAINCONTROL, EXIFTAG_GAINCONTROL,
++ EXIFTAG_IMAGEUNIQUEID
++};
++static int nExifTags = sizeof(exif_tag_ids) / sizeof(exif_tag_ids[0]);
++
+ /**
+ Read a single Exif tag
+
+@@ -575,43 +607,10 @@ tiff_read_exif_tags(TIFF *tif, TagLib::MDMODEL md_model, FIBITMAP *dib) {
+
+ // loop over all Core Directory Tags
+ // ### uses private data, but there is no other way
++ // -> Fedora: Best we can do without private headers is to hard-code a list of known EXIF tags and read those
+ if(md_model == TagLib::EXIF_MAIN) {
+- const TIFFDirectory *td = &tif->tif_dir;
+-
+- uint32 lastTag = 0; //<- used to prevent reading some tags twice (as stored in tif_fieldinfo)
+-
+- for (int fi = 0, nfi = (int)tif->tif_nfields; nfi > 0; nfi--, fi++) {
+- const TIFFField *fld = tif->tif_fields[fi];
+-
+- const uint32 tag_id = TIFFFieldTag(fld);
+-
+- if(tag_id == lastTag) {
+- continue;
+- }
+-
+- // test if tag value is set
+- // (lifted directly from LibTiff _TIFFWriteDirectory)
+-
+- if( fld->field_bit == FIELD_CUSTOM ) {
+- int is_set = FALSE;
+-
+- for(int ci = 0; ci < td->td_customValueCount; ci++ ) {
+- is_set |= (td->td_customValues[ci].info == fld);
+- }
+-
+- if( !is_set ) {
+- continue;
+- }
+-
+- } else if(!TIFFFieldSet(tif, fld->field_bit)) {
+- continue;
+- }
+-
+- // process *all* other tags (some will be ignored)
+-
+- tiff_read_exif_tag(tif, tag_id, dib, md_model);
+-
+- lastTag = tag_id;
++ for (int i = 0; i < nExifTags; ++i) {
++ tiff_read_exif_tag(tif, exif_tag_ids[i], dib, md_model);
+ }
+
+ }
+@@ -723,10 +722,9 @@ tiff_write_exif_tags(TIFF *tif, TagLib::MDMODEL md_model, FIBITMAP *dib) {
+
+ TagLib& tag_lib = TagLib::instance();
+
+- for (int fi = 0, nfi = (int)tif->tif_nfields; nfi > 0; nfi--, fi++) {
+- const TIFFField *fld = tif->tif_fields[fi];
+-
+- const uint32 tag_id = TIFFFieldTag(fld);
++ for (int fi = 0, nfi = nExifTags; nfi > 0; nfi--, fi++) {
++ const uint32 tag_id = exif_tag_ids[fi];
++ const TIFFField *fld = TIFFFieldWithTag(tif, tag_id);
+
+ if(skip_write_field(tif, tag_id)) {
+ // skip tags that are already handled by the LibTIFF writing process
+diff --git a/genfipsrclist.sh b/genfipsrclist.sh
+index 41f946d..33b3877 100644
+--- a/genfipsrclist.sh
++++ b/genfipsrclist.sh
+@@ -1,18 +1,13 @@
+ #!/bin/sh
+
+-DIRLIST=". Source Source/Metadata Source/FreeImageToolkit Source/LibJPEG Source/LibPNG Source/LibTIFF4 Source/ZLib Source/LibOpenJPEG Source/OpenEXR Source/OpenEXR/Half Source/OpenEXR/Iex Source/OpenEXR/IlmImf Source/OpenEXR/IlmThread Source/OpenEXR/Imath Source/OpenEXR/IexMath Source/LibRawLite Source/LibRawLite/dcraw Source/LibRawLite/internal Source/LibRawLite/libraw Source/LibRawLite/src Source/LibWebP Source/LibJXR Source/LibJXR/common/include Source/LibJXR/image/sys Source/LibJXR/jxrgluelib Wrapper/FreeImagePlus"
++DIRLIST="Wrapper/FreeImagePlus"
+
+
+ echo "VER_MAJOR = 3" > fipMakefile.srcs
+ echo "VER_MINOR = 17.0" >> fipMakefile.srcs
+
+ echo -n "SRCS = " >> fipMakefile.srcs
+-for DIR in $DIRLIST; do
+- VCPRJS=`echo $DIR/*.2008.vcproj`
+- if [ "$VCPRJS" != "$DIR/*.2008.vcproj" ]; then
+- egrep 'RelativePath=.*\.(c|cpp)' $DIR/*.2008.vcproj | cut -d'"' -f2 | tr '\\' '/' | awk '{print "'$DIR'/"$0}' | tr '\r\n' ' ' | tr -s ' ' >> fipMakefile.srcs
+- fi
+-done
++find Wrapper/FreeImagePlus/src -name '*.cpp' -print | LC_ALL=C sort | xargs echo -n >> fipMakefile.srcs
+ echo >> fipMakefile.srcs
+
+ echo -n "INCLUDE =" >> fipMakefile.srcs
+diff --git a/gensrclist.sh b/gensrclist.sh
+index dbfb98d..3e4747d 100644
+--- a/gensrclist.sh
++++ b/gensrclist.sh
+@@ -1,21 +1,16 @@
+ #!/bin/sh
+
+-DIRLIST=". Source Source/Metadata Source/FreeImageToolkit Source/LibJPEG Source/LibPNG Source/LibTIFF4 Source/ZLib Source/LibOpenJPEG Source/OpenEXR Source/OpenEXR/Half Source/OpenEXR/Iex Source/OpenEXR/IlmImf Source/OpenEXR/IlmThread Source/OpenEXR/Imath Source/OpenEXR/IexMath Source/LibRawLite Source/LibRawLite/dcraw Source/LibRawLite/internal Source/LibRawLite/libraw Source/LibRawLite/src Source/LibWebP Source/LibJXR Source/LibJXR/common/include Source/LibJXR/image/sys Source/LibJXR/jxrgluelib"
++DIRLIST=`find Source -type d | LC_ALL=C sort`
+
+ echo "VER_MAJOR = 3" > Makefile.srcs
+ echo "VER_MINOR = 17.0" >> Makefile.srcs
+
+ echo -n "SRCS = " >> Makefile.srcs
+-for DIR in $DIRLIST; do
+- VCPRJS=`echo $DIR/*.2008.vcproj`
+- if [ "$VCPRJS" != "$DIR/*.2008.vcproj" ]; then
+- egrep 'RelativePath=.*\.(c|cpp)' $DIR/*.2008.vcproj | cut -d'"' -f2 | tr '\\' '/' | awk '{print "'$DIR'/"$0}' | tr '\r\n' ' ' | tr -s ' ' >> Makefile.srcs
+- fi
+-done
++find Source -name '*.c' -or -name '*.cpp' -not -name 'PluginG3.cpp' -not -name 'JPEGTransform.cpp' | LC_ALL=C sort | xargs echo -n >> Makefile.srcs
+ echo >> Makefile.srcs
+
+ echo -n "INCLS = " >> Makefile.srcs
+-find . -name "*.h" -print | xargs echo >> Makefile.srcs
++find Source -name '*.h' | LC_ALL=C sort | xargs echo -n >> Makefile.srcs
+ echo >> Makefile.srcs
+
+ echo -n "INCLUDE =" >> Makefile.srcs
--
2.10.1
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
2016-10-15 0:09 ` Kei Kebreau
@ 2016-10-15 18:03 ` Efraim Flashner
2016-10-15 18:57 ` Kei Kebreau
0 siblings, 1 reply; 6+ messages in thread
From: Efraim Flashner @ 2016-10-15 18:03 UTC (permalink / raw)
To: Kei Kebreau; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 6181 bytes --]
On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote:
> Leo Famulari <leo@famulari.name> writes:
>
> > On Fri, Oct 14, 2016 at 10:44:05AM +0000, Efraim Flashner wrote:
> >> efraim pushed a commit to branch master
> >> in repository guix.
> >>
> >> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134
> >> Author: Efraim Flashner <efraim@flashner.co.il>
> >> Date: Fri Oct 14 11:28:21 2016 +0300
> >>
> >> gnu: freeimage: Fix CVE-2016-5684.
> >>
> >> * gnu/packages/image.scm (freeimage)[source]: Add patch.
> >> * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file.
> >> * gnu/local.mk (dist_patch_DATA): Register it.
> >> ---
> >> gnu/local.mk | 1 +
> >> gnu/packages/image.scm | 3 +-
> >> gnu/packages/patches/freeimage-CVE-2016-5684.patch | 34 ++++++++++++++++++++
> >> 3 files changed, 37 insertions(+), 1 deletion(-)
> >
> > Efraim pointed out on IRC that our freeimage packages bundles many
> > 3rd-party libraries:
> >
> > $ ls -1 FreeImage/Source
> > CacheFile.h
> > DeprecationManager
> > FreeImage
> > FreeImage.h
> > FreeImageIO.h
> > FreeImageLib
> > FreeImageToolkit
> > LibJPEG
> > LibJXR
> > LibOpenJPEG
> > LibPNG
> > LibRawLite
> > LibTIFF4
> > LibWebP
> > MapIntrospector.h
> > Metadata
> > OpenEXR
> > Plugin.h
> > Quantizers.h
> > ToneMapping.h
> > Utilities.h
> > ZLib
> >
> > Debian has a patch to make it use "system" copies of the libraries:
> >
> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
> >
> > For now, our freeimage package is probably vulnerable to many publicly
> > disclosed security bugs.
> >
> > Who volunteers to try fixing this?
>
> The patch is attached. I've removed the bit from Debian that disables JPEG
> transformation functions, as seen below. JPEGTransform.cpp (in
> Source/FreeImageToolkit) gave me some trouble when I left that part of
> the patch alone.
>
> @@ -473,6 +477,9 @@ FI_ENUM(FREE_IMAGE_DITHER) {
> FID_BAYER16x16 = 6 //! Bayer ordered dispersed dot dithering (order 4 dithering matrix)
> };
>
> +/* Debian: The JPEGTransform functions are deliberately disabled in our build
> + of FreeImage, since they require usage of the vendored copy of libjpeg. */
> +#if 0
> /** Lossless JPEG transformations
> Constants used in FreeImage_JPEGTransform
> */
> @@ -486,6 +493,7 @@ FI_ENUM(FREE_IMAGE_JPEG_OPERATION) {
> FIJPEG_OP_ROTATE_180 = 6, //! 180-degree rotation
> FIJPEG_OP_ROTATE_270 = 7 //! 270-degree clockwise (or 90 ccw)
> };
> +#endif
>
> /** Tone mapping operators.
> Constants used in FreeImage_ToneMapping.
> @@ -1076,7 +1084,9 @@ DLL_API const char* DLL_CALLCONV FreeImage_TagToString(FREE_IMAGE_MDMODEL model,
> // --------------------------------------------------------------------------
> // JPEG lossless transformation routines
> // --------------------------------------------------------------------------
> -
> +/* Debian: The JPEGTransform functions are deliberately disabled in our build
> + of FreeImage, since they require usage of the vendored copy of libjpeg. */
> +#if 0
> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransform(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE));
> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE));
> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGCrop(const char *src_file, const char *dst_file, int left, int top, int right, int bottom);
> @@ -1085,6 +1095,7 @@ DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformFromHandle(FreeImageIO* src_io,
> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombined(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedFromMemory(FIMEMORY* src_stream, FIMEMORY* dst_stream, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
> +#endif
> From 4ef0c85c769aa4bc7a528c13eee1c61705e61479 Mon Sep 17 00:00:00 2001
> From: Kei Kebreau <kei@openmailbox.org>
> Date: Fri, 14 Oct 2016 18:09:45 -0400
> Subject: [PATCH] gnu: freeimage: Disable in-tree third-party libraries.
>
> * gnu/packages/image.scm (freeimage)[source]: Add patch.
> * gnu/packages/patches/freeimage-disable-vendored-dependencies.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> ---
> gnu/local.mk | 1 +
> gnu/packages/image.scm | 6 +-
> .../freeimage-disable-vendored-dependencies.patch | 398 +++++++++++++++++++++
> 3 files changed, 404 insertions(+), 1 deletion(-)
> create mode 100644 gnu/packages/patches/freeimage-disable-vendored-dependencies.patch
I was looking at it and I thought it was going to be much more than 400
lines in the end.
Did we also need the other patch?
https://sources.debian.net/src/freeimage/3.17.0%2Bds1-3/debian/patches/Use-system-dependencies.patch/
On one hand we could carry a modified version of Debian's patch, on the
other hand some of these look like they could be a series of substitute*
commands. I started looking through the patch and thinking how to
convert them from "../path/to/header.h" to <header.h> and realizing I
myself wouldn't want to do that, so that could easily be an option for
another time :).
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 801 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
2016-10-15 18:03 ` Efraim Flashner
@ 2016-10-15 18:57 ` Kei Kebreau
2016-10-15 19:50 ` Leo Famulari
0 siblings, 1 reply; 6+ messages in thread
From: Kei Kebreau @ 2016-10-15 18:57 UTC (permalink / raw)
To: Efraim Flashner; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 6226 bytes --]
Efraim Flashner <efraim@flashner.co.il> writes:
> On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote:
>> Leo Famulari <leo@famulari.name> writes:
>>
>> > On Fri, Oct 14, 2016 at 10:44:05AM +0000, Efraim Flashner wrote:
>> >> efraim pushed a commit to branch master
>> >> in repository guix.
>> >>
>> >> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134
>> >> Author: Efraim Flashner <efraim@flashner.co.il>
>> >> Date: Fri Oct 14 11:28:21 2016 +0300
>> >>
>> >> gnu: freeimage: Fix CVE-2016-5684.
>> >>
>> >> * gnu/packages/image.scm (freeimage)[source]: Add patch.
>> >> * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file.
>> >> * gnu/local.mk (dist_patch_DATA): Register it.
>> >> ---
>> >> gnu/local.mk | 1 +
>> >> gnu/packages/image.scm | 3 +-
>> >> gnu/packages/patches/freeimage-CVE-2016-5684.patch | 34 ++++++++++++++++++++
>> >> 3 files changed, 37 insertions(+), 1 deletion(-)
>> >
>> > Efraim pointed out on IRC that our freeimage packages bundles many
>> > 3rd-party libraries:
>> >
>> > $ ls -1 FreeImage/Source
>> > CacheFile.h
>> > DeprecationManager
>> > FreeImage
>> > FreeImage.h
>> > FreeImageIO.h
>> > FreeImageLib
>> > FreeImageToolkit
>> > LibJPEG
>> > LibJXR
>> > LibOpenJPEG
>> > LibPNG
>> > LibRawLite
>> > LibTIFF4
>> > LibWebP
>> > MapIntrospector.h
>> > Metadata
>> > OpenEXR
>> > Plugin.h
>> > Quantizers.h
>> > ToneMapping.h
>> > Utilities.h
>> > ZLib
>> >
>> > Debian has a patch to make it use "system" copies of the libraries:
>> >
>> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
>> >
>> > For now, our freeimage package is probably vulnerable to many publicly
>> > disclosed security bugs.
>> >
>> > Who volunteers to try fixing this?
>>
>> The patch is attached. I've removed the bit from Debian that disables JPEG
>> transformation functions, as seen below. JPEGTransform.cpp (in
>> Source/FreeImageToolkit) gave me some trouble when I left that part of
>> the patch alone.
>>
>> @@ -473,6 +477,9 @@ FI_ENUM(FREE_IMAGE_DITHER) {
>> FID_BAYER16x16 = 6 //! Bayer ordered dispersed dot dithering (order 4 dithering matrix)
>> };
>>
>> +/* Debian: The JPEGTransform functions are deliberately disabled in our build
>> + of FreeImage, since they require usage of the vendored copy of libjpeg. */
>> +#if 0
>> /** Lossless JPEG transformations
>> Constants used in FreeImage_JPEGTransform
>> */
>> @@ -486,6 +493,7 @@ FI_ENUM(FREE_IMAGE_JPEG_OPERATION) {
>> FIJPEG_OP_ROTATE_180 = 6, //! 180-degree rotation
>> FIJPEG_OP_ROTATE_270 = 7 //! 270-degree clockwise (or 90 ccw)
>> };
>> +#endif
>>
>> /** Tone mapping operators.
>> Constants used in FreeImage_ToneMapping.
>> @@ -1076,7 +1084,9 @@ DLL_API const char* DLL_CALLCONV FreeImage_TagToString(FREE_IMAGE_MDMODEL model,
>> // --------------------------------------------------------------------------
>> // JPEG lossless transformation routines
>> // --------------------------------------------------------------------------
>> -
>> +/* Debian: The JPEGTransform functions are deliberately disabled in our build
>> + of FreeImage, since they require usage of the vendored copy of libjpeg. */
>> +#if 0
>> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransform(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE));
>> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE));
>> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGCrop(const char *src_file, const char *dst_file, int left, int top, int right, int bottom);
>> @@ -1085,6 +1095,7 @@ DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformFromHandle(FreeImageIO* src_io,
>> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombined(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
>> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
>> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedFromMemory(FIMEMORY* src_stream, FIMEMORY* dst_stream, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
>> +#endif
>
>> From 4ef0c85c769aa4bc7a528c13eee1c61705e61479 Mon Sep 17 00:00:00 2001
>> From: Kei Kebreau <kei@openmailbox.org>
>> Date: Fri, 14 Oct 2016 18:09:45 -0400
>> Subject: [PATCH] gnu: freeimage: Disable in-tree third-party libraries.
>>
>> * gnu/packages/image.scm (freeimage)[source]: Add patch.
>> * gnu/packages/patches/freeimage-disable-vendored-dependencies.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> ---
>> gnu/local.mk | 1 +
>> gnu/packages/image.scm | 6 +-
>> .../freeimage-disable-vendored-dependencies.patch | 398 +++++++++++++++++++++
>> 3 files changed, 404 insertions(+), 1 deletion(-)
>> create mode 100644 gnu/packages/patches/freeimage-disable-vendored-dependencies.patch
>
> I was looking at it and I thought it was going to be much more than 400
> lines in the end.
>
> Did we also need the other patch?
> https://sources.debian.net/src/freeimage/3.17.0%2Bds1-3/debian/patches/Use-system-dependencies.patch/
>
> On one hand we could carry a modified version of Debian's patch, on the
> other hand some of these look like they could be a series of substitute*
> commands. I started looking through the patch and thinking how to
> convert them from "../path/to/header.h" to <header.h> and realizing I
> myself wouldn't want to do that, so that could easily be an option for
> another time :).
Looking at its contents, adding that patch would make a lot of sense. :-)
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
2016-10-15 18:57 ` Kei Kebreau
@ 2016-10-15 19:50 ` Leo Famulari
2016-10-16 2:30 ` Kei Kebreau
0 siblings, 1 reply; 6+ messages in thread
From: Leo Famulari @ 2016-10-15 19:50 UTC (permalink / raw)
To: Kei Kebreau; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 1720 bytes --]
On Sat, Oct 15, 2016 at 02:57:37PM -0400, Kei Kebreau wrote:
> Efraim Flashner <efraim@flashner.co.il> writes:
> > On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote:
> >> Leo Famulari <leo@famulari.name> writes:
> >> > Debian has a patch to make it use "system" copies of the libraries:
> >> >
> >> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
> >> >
> >> > For now, our freeimage package is probably vulnerable to many publicly
> >> > disclosed security bugs.
> >> >
> >> > Who volunteers to try fixing this?
> >>
> >> The patch is attached. I've removed the bit from Debian that disables JPEG
> >> transformation functions, as seen below. JPEGTransform.cpp (in
> >> Source/FreeImageToolkit) gave me some trouble when I left that part of
> >> the patch alone.
>
> > I was looking at it and I thought it was going to be much more than 400
> > lines in the end.
> >
> > Did we also need the other patch?
> > https://sources.debian.net/src/freeimage/3.17.0%2Bds1-3/debian/patches/Use-system-dependencies.patch/
> >
> > On one hand we could carry a modified version of Debian's patch, on the
> > other hand some of these look like they could be a series of substitute*
> > commands. I started looking through the patch and thinking how to
> > convert them from "../path/to/header.h" to <header.h> and realizing I
> > myself wouldn't want to do that, so that could easily be an option for
> > another time :).
>
> Looking at its contents, adding that patch would make a lot of sense. :-)
Yes, I think we need to use both patches. Will you submit an updated
version of your patch?
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
2016-10-15 19:50 ` Leo Famulari
@ 2016-10-16 2:30 ` Kei Kebreau
0 siblings, 0 replies; 6+ messages in thread
From: Kei Kebreau @ 2016-10-16 2:30 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 1965 bytes --]
Leo Famulari <leo@famulari.name> writes:
> On Sat, Oct 15, 2016 at 02:57:37PM -0400, Kei Kebreau wrote:
>> Efraim Flashner <efraim@flashner.co.il> writes:
>> > On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote:
>> >> Leo Famulari <leo@famulari.name> writes:
>> >> > Debian has a patch to make it use "system" copies of the libraries:
>> >> >
>> >> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
>> >> >
>> >> > For now, our freeimage package is probably vulnerable to many publicly
>> >> > disclosed security bugs.
>> >> >
>> >> > Who volunteers to try fixing this?
>> >>
>> >> The patch is attached. I've removed the bit from Debian that disables JPEG
>> >> transformation functions, as seen below. JPEGTransform.cpp (in
>> >> Source/FreeImageToolkit) gave me some trouble when I left that part of
>> >> the patch alone.
>>
>> > I was looking at it and I thought it was going to be much more than 400
>> > lines in the end.
>> >
>> > Did we also need the other patch?
>> > https://sources.debian.net/src/freeimage/3.17.0%2Bds1-3/debian/patches/Use-system-dependencies.patch/
>> >
>> > On one hand we could carry a modified version of Debian's patch, on the
>> > other hand some of these look like they could be a series of substitute*
>> > commands. I started looking through the patch and thinking how to
>> > convert them from "../path/to/header.h" to <header.h> and realizing I
>> > myself wouldn't want to do that, so that could easily be an option for
>> > another time :).
>>
>> Looking at its contents, adding that patch would make a lot of sense. :-)
>
> Yes, I think we need to use both patches. Will you submit an updated
> version of your patch?
I intend to. The updated patch requires a JPEG XR library to be packaged
(and maybe others), but I am having some trouble getting a source URL
from CodePlex.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2016-10-16 2:31 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20161014104404.22087.86582@vcs.savannah.gnu.org>
[not found] ` <20161014104405.901E322012A@vcs.savannah.gnu.org>
2016-10-14 17:48 ` Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.] Leo Famulari
2016-10-15 0:09 ` Kei Kebreau
2016-10-15 18:03 ` Efraim Flashner
2016-10-15 18:57 ` Kei Kebreau
2016-10-15 19:50 ` Leo Famulari
2016-10-16 2:30 ` Kei Kebreau
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).