Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]

Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]

[Leo Famulari]

On Fri, Oct 14, 2016 at 10:44:05AM +0000, Efraim Flashner wrote:
> efraim pushed a commit to branch master
> in repository guix.
> 
> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134
> Author: Efraim Flashner <efraim@flashner.co.il>
> Date:   Fri Oct 14 11:28:21 2016 +0300
> 
>     gnu: freeimage: Fix CVE-2016-5684.
>     
>     * gnu/packages/image.scm (freeimage)[source]: Add patch.
>     * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file.
>     * gnu/local.mk (dist_patch_DATA): Register it.
> ---
>  gnu/local.mk                                       |    1 +
>  gnu/packages/image.scm                             |    3 +-
>  gnu/packages/patches/freeimage-CVE-2016-5684.patch |   34 ++++++++++++++++++++
>  3 files changed, 37 insertions(+), 1 deletion(-)

Efraim pointed out on IRC that our freeimage packages bundles many
3rd-party libraries:

$ ls -1 FreeImage/Source
CacheFile.h
DeprecationManager
FreeImage
FreeImage.h
FreeImageIO.h
FreeImageLib
FreeImageToolkit
LibJPEG
LibJXR
LibOpenJPEG
LibPNG
LibRawLite
LibTIFF4
LibWebP
MapIntrospector.h
Metadata
OpenEXR
Plugin.h
Quantizers.h
ToneMapping.h
Utilities.h
ZLib

Debian has a patch to make it use "system" copies of the libraries:

https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid

For now, our freeimage package is probably vulnerable to many publicly
disclosed security bugs.

Who volunteers to try fixing this?

Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]

[Kei Kebreau]

[-- Attachment #1.1: Type: text/plain, Size: 4304 bytes --]

Leo Famulari <leo@famulari.name> writes:

> On Fri, Oct 14, 2016 at 10:44:05AM +0000, Efraim Flashner wrote:
>> efraim pushed a commit to branch master
>> in repository guix.
>> 
>> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134
>> Author: Efraim Flashner <efraim@flashner.co.il>
>> Date:   Fri Oct 14 11:28:21 2016 +0300
>> 
>>     gnu: freeimage: Fix CVE-2016-5684.
>>     
>>     * gnu/packages/image.scm (freeimage)[source]: Add patch.
>>     * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file.
>>     * gnu/local.mk (dist_patch_DATA): Register it.
>> ---
>>  gnu/local.mk                                       |    1 +
>>  gnu/packages/image.scm                             |    3 +-
>>  gnu/packages/patches/freeimage-CVE-2016-5684.patch |   34 ++++++++++++++++++++
>>  3 files changed, 37 insertions(+), 1 deletion(-)
>
> Efraim pointed out on IRC that our freeimage packages bundles many
> 3rd-party libraries:
>
> $ ls -1 FreeImage/Source
> CacheFile.h
> DeprecationManager
> FreeImage
> FreeImage.h
> FreeImageIO.h
> FreeImageLib
> FreeImageToolkit
> LibJPEG
> LibJXR
> LibOpenJPEG
> LibPNG
> LibRawLite
> LibTIFF4
> LibWebP
> MapIntrospector.h
> Metadata
> OpenEXR
> Plugin.h
> Quantizers.h
> ToneMapping.h
> Utilities.h
> ZLib
>
> Debian has a patch to make it use "system" copies of the libraries:
>
> https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
>
> For now, our freeimage package is probably vulnerable to many publicly
> disclosed security bugs.
>
> Who volunteers to try fixing this?

The patch is attached. I've removed the bit from Debian that disables JPEG
transformation functions, as seen below. JPEGTransform.cpp (in
Source/FreeImageToolkit) gave me some trouble when I left that part of
the patch alone.

@@ -473,6 +477,9 @@ FI_ENUM(FREE_IMAGE_DITHER) {
 	FID_BAYER16x16	= 6		//! Bayer ordered dispersed dot dithering (order 4 dithering matrix)
 };
 
+/* Debian: The JPEGTransform functions are deliberately disabled in our build
+   of FreeImage, since they require usage of the vendored copy of libjpeg. */
+#if 0
 /** Lossless JPEG transformations
 Constants used in FreeImage_JPEGTransform
 */
@@ -486,6 +493,7 @@ FI_ENUM(FREE_IMAGE_JPEG_OPERATION) {
 	FIJPEG_OP_ROTATE_180	= 6,	//! 180-degree rotation
 	FIJPEG_OP_ROTATE_270	= 7		//! 270-degree clockwise (or 90 ccw)
 };
+#endif
 
 /** Tone mapping operators.
 Constants used in FreeImage_ToneMapping.
@@ -1076,7 +1084,9 @@ DLL_API const char* DLL_CALLCONV FreeImage_TagToString(FREE_IMAGE_MDMODEL model,
 // --------------------------------------------------------------------------
 // JPEG lossless transformation routines
 // --------------------------------------------------------------------------
-
+/* Debian: The JPEGTransform functions are deliberately disabled in our build
+   of FreeImage, since they require usage of the vendored copy of libjpeg. */
+#if 0
 DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransform(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE));
 DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE));
 DLL_API BOOL DLL_CALLCONV FreeImage_JPEGCrop(const char *src_file, const char *dst_file, int left, int top, int right, int bottom);
@@ -1085,6 +1095,7 @@ DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformFromHandle(FreeImageIO* src_io,
 DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombined(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
 DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
 DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedFromMemory(FIMEMORY* src_stream, FIMEMORY* dst_stream, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
+#endif

[-- Attachment #1.2: 0001-gnu-freeimage-Disable-in-tree-third-party-libraries.patch --]
[-- Type: text/plain, Size: 18258 bytes --]

From 4ef0c85c769aa4bc7a528c13eee1c61705e61479 Mon Sep 17 00:00:00 2001
From: Kei Kebreau <kei@openmailbox.org>
Date: Fri, 14 Oct 2016 18:09:45 -0400
Subject: [PATCH] gnu: freeimage: Disable in-tree third-party libraries.

* gnu/packages/image.scm (freeimage)[source]: Add patch.
* gnu/packages/patches/freeimage-disable-vendored-dependencies.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
---
 gnu/local.mk                                       |   1 +
 gnu/packages/image.scm                             |   6 +-
 .../freeimage-disable-vendored-dependencies.patch  | 398 +++++++++++++++++++++
 3 files changed, 404 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/freeimage-disable-vendored-dependencies.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index a9343f0..a151d2b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -526,6 +526,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/fltk-xfont-on-demand.patch		\
   %D%/packages/patches/fontconfig-CVE-2016-5384.patch		\
   %D%/packages/patches/fontforge-svg-modtime.patch		\
+  %D%/packages/patches/freeimage-disable-vendored-dependencies.patch	\
   %D%/packages/patches/freeimage-CVE-2015-0852.patch		\
   %D%/packages/patches/freeimage-CVE-2016-5684.patch		\
   %D%/packages/patches/gawk-fts-test.patch			\
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 7455bb8..a2b52d2 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -581,7 +581,8 @@ supplies a generic doubly-linked list and some string functions.")
             (sha256
              (base32
               "12bz57asdcfsz3zr9i9nska0fb6h3z2aizy412qjqkixkginbz7v"))
-            (patches (search-patches "freeimage-CVE-2015-0852.patch"
+            (patches (search-patches "freeimage-disable-vendored-dependencies.patch"
+                                     "freeimage-CVE-2015-0852.patch"
                                      "freeimage-CVE-2016-5684.patch"))))
    (build-system gnu-build-system)
    (arguments
@@ -596,6 +597,9 @@ supplies a generic doubly-linked list and some string functions.")
             #t)))
       #:make-flags '("CC=gcc")
       #:tests? #f)) ; no check target
+   (inputs
+    `(("libwebp" ,libwebp)
+      ("openexr" ,openexr)))
    (native-inputs
     `(("unzip" ,unzip)))
    ;; Fails to build on MIPS due to assembly code in the source.
diff --git a/gnu/packages/patches/freeimage-disable-vendored-dependencies.patch b/gnu/packages/patches/freeimage-disable-vendored-dependencies.patch
new file mode 100644
index 0000000..c466a10
--- /dev/null
+++ b/gnu/packages/patches/freeimage-disable-vendored-dependencies.patch
@@ -0,0 +1,398 @@
+This patch was copied from Debian.
+
+diff --git a/Source/FreeImage.h b/Source/FreeImage.h
+index e2d1c5a..94d817d 100644
+--- a/Source/FreeImage.h
++++ b/Source/FreeImage.h
+@@ -410,7 +410,11 @@ FI_ENUM(FREE_IMAGE_FORMAT) {
+ 	FIF_DDS		= 24,
+ 	FIF_GIF     = 25,
+ 	FIF_HDR		= 26,
+-	FIF_FAXG3	= 27,
++/* Debian: The G3 fax format plugin is deliberately disabled in our build of
++   FreeImage, since it requires usage of the vendored copy of libtiff. */
++#if 0
++ 	FIF_FAXG3	= 27,
++#endif
+ 	FIF_SGI		= 28,
+ 	FIF_EXR		= 29,
+ 	FIF_J2K		= 30,
+
+ // --------------------------------------------------------------------------
+diff --git a/Source/FreeImage/J2KHelper.cpp b/Source/FreeImage/J2KHelper.cpp
+index 1776c3b..538f1c5 100644
+--- a/Source/FreeImage/J2KHelper.cpp
++++ b/Source/FreeImage/J2KHelper.cpp
+@@ -21,7 +21,7 @@
+ 
+ #include "FreeImage.h"
+ #include "Utilities.h"
+-#include "../LibOpenJPEG/openjpeg.h"
++#include <openjpeg.h>
+ #include "J2KHelper.h"
+ 
+ // --------------------------------------------------------------------------
+diff --git a/Source/FreeImage/Plugin.cpp b/Source/FreeImage/Plugin.cpp
+index 57ebffd..c883a31 100644
+--- a/Source/FreeImage/Plugin.cpp
++++ b/Source/FreeImage/Plugin.cpp
+@@ -263,7 +263,11 @@ FreeImage_Initialise(BOOL load_local_plugins_only) {
+ 			s_plugins->AddNode(InitDDS);
+ 	        s_plugins->AddNode(InitGIF);
+ 	        s_plugins->AddNode(InitHDR);
++/* The G3 fax format plugin is deliberately disabled in our build of FreeImage
++   since it requires usage of the vendored copy of libtiff. */
++#if 0
+ 			s_plugins->AddNode(InitG3);
++#endif
+ 			s_plugins->AddNode(InitSGI);
+ 			s_plugins->AddNode(InitEXR);
+ 			s_plugins->AddNode(InitJ2K);
+diff --git a/Source/FreeImage/PluginEXR.cpp b/Source/FreeImage/PluginEXR.cpp
+index b286430..9bf3ada 100644
+--- a/Source/FreeImage/PluginEXR.cpp
++++ b/Source/FreeImage/PluginEXR.cpp
+@@ -28,16 +28,16 @@
+ #pragma warning (disable : 4800) // ImfVersion.h - 'const int' : forcing value to bool 'true' or 'false' (performance warning)
+ #endif 
+ 
+-#include "../OpenEXR/IlmImf/ImfIO.h"
+-#include "../OpenEXR/Iex/Iex.h"
+-#include "../OpenEXR/IlmImf/ImfOutputFile.h"
+-#include "../OpenEXR/IlmImf/ImfInputFile.h"
+-#include "../OpenEXR/IlmImf/ImfRgbaFile.h"
+-#include "../OpenEXR/IlmImf/ImfChannelList.h"
+-#include "../OpenEXR/IlmImf/ImfRgba.h"
+-#include "../OpenEXR/IlmImf/ImfArray.h"
+-#include "../OpenEXR/IlmImf/ImfPreviewImage.h"
+-#include "../OpenEXR/Half/half.h"
++#include <OpenEXR/ImfIO.h>
++#include <OpenEXR/Iex.h>
++#include <OpenEXR/ImfOutputFile.h>
++#include <OpenEXR/ImfInputFile.h>
++#include <OpenEXR/ImfRgbaFile.h>
++#include <OpenEXR/ImfChannelList.h>
++#include <OpenEXR/ImfRgba.h>
++#include <OpenEXR/ImfArray.h>
++#include <OpenEXR/ImfPreviewImage.h>
++#include <OpenEXR/half.h>
+ 
+ 
+ // ==========================================================
+diff --git a/Source/FreeImage/PluginJ2K.cpp b/Source/FreeImage/PluginJ2K.cpp
+index b8bcfc8..621a903 100644
+--- a/Source/FreeImage/PluginJ2K.cpp
++++ b/Source/FreeImage/PluginJ2K.cpp
+@@ -21,7 +21,7 @@
+ 
+ #include "FreeImage.h"
+ #include "Utilities.h"
+-#include "../LibOpenJPEG/openjpeg.h"
++#include <openjpeg.h>
+ #include "J2KHelper.h"
+ 
+ // ==========================================================
+diff --git a/Source/FreeImage/PluginJP2.cpp b/Source/FreeImage/PluginJP2.cpp
+index 742fe2c..c57f626 100644
+--- a/Source/FreeImage/PluginJP2.cpp
++++ b/Source/FreeImage/PluginJP2.cpp
+@@ -21,7 +21,7 @@
+ 
+ #include "FreeImage.h"
+ #include "Utilities.h"
+-#include "../LibOpenJPEG/openjpeg.h"
++#include <openjpeg.h>
+ #include "J2KHelper.h"
+ 
+ // ==========================================================
+diff --git a/Source/FreeImage/PluginJPEG.cpp b/Source/FreeImage/PluginJPEG.cpp
+index 573989c..aaeefa4 100644
+--- a/Source/FreeImage/PluginJPEG.cpp
++++ b/Source/FreeImage/PluginJPEG.cpp
+@@ -35,9 +35,9 @@ extern "C" {
+ #undef FAR
+ #include <setjmp.h>
+ 
+-#include "../LibJPEG/jinclude.h"
+-#include "../LibJPEG/jpeglib.h"
+-#include "../LibJPEG/jerror.h"
++#include <stdio.h>
++#include <jpeglib.h>
++#include <jerror.h>
+ }
+ 
+ #include "FreeImage.h"
+diff --git a/Source/FreeImage/PluginJXR.cpp b/Source/FreeImage/PluginJXR.cpp
+index 0e14e09..3e9fb87 100644
+--- a/Source/FreeImage/PluginJXR.cpp
++++ b/Source/FreeImage/PluginJXR.cpp
+@@ -23,7 +23,7 @@
+ #include "Utilities.h"
+ #include "../Metadata/FreeImageTag.h"
+ 
+-#include "../LibJXR/jxrgluelib/JXRGlue.h"
++#include <JXRGlue.h>
+ 
+ // ==========================================================
+ // Plugin Interface
+diff --git a/Source/FreeImage/PluginPNG.cpp b/Source/FreeImage/PluginPNG.cpp
+index ba2ef17..c3c5cd6 100644
+--- a/Source/FreeImage/PluginPNG.cpp
++++ b/Source/FreeImage/PluginPNG.cpp
+@@ -40,8 +40,8 @@
+ 
+ // ----------------------------------------------------------
+ 
+-#include "../ZLib/zlib.h"
+-#include "../LibPNG/png.h"
++#include <zlib.h>
++#include <png.h>
+ 
+ // ----------------------------------------------------------
+ 
+diff --git a/Source/FreeImage/PluginRAW.cpp b/Source/FreeImage/PluginRAW.cpp
+index e9bd5bf..c7f8758 100644
+--- a/Source/FreeImage/PluginRAW.cpp
++++ b/Source/FreeImage/PluginRAW.cpp
+@@ -19,7 +19,7 @@
+ // Use at your own risk!
+ // ==========================================================
+ 
+-#include "../LibRawLite/libraw/libraw.h"
++#include <libraw/libraw.h>
+ 
+ #include "FreeImage.h"
+ #include "Utilities.h"
+diff --git a/Source/FreeImage/PluginTIFF.cpp b/Source/FreeImage/PluginTIFF.cpp
+index 1b45453..3f723d4 100644
+--- a/Source/FreeImage/PluginTIFF.cpp
++++ b/Source/FreeImage/PluginTIFF.cpp
+@@ -37,9 +37,9 @@
+ 
+ #include "FreeImage.h"
+ #include "Utilities.h"
+-#include "../LibTIFF4/tiffiop.h"
++#include <tiffio.h>
+ #include "../Metadata/FreeImageTag.h"
+-#include "../OpenEXR/Half/half.h"
++#include <OpenEXR/half.h>
+ 
+ #include "FreeImageIO.h"
+ #include "PSDParser.h"
+diff --git a/Source/FreeImage/PluginWebP.cpp b/Source/FreeImage/PluginWebP.cpp
+index 9fb0b69..31837d4 100644
+--- a/Source/FreeImage/PluginWebP.cpp
++++ b/Source/FreeImage/PluginWebP.cpp
+@@ -24,10 +24,10 @@
+ 
+ #include "../Metadata/FreeImageTag.h"
+ 
+-#include "../LibWebP/src/webp/decode.h"
+-#include "../LibWebP/src/webp/encode.h"
+-#include "../LibWebP/src/enc/vp8enci.h"
+-#include "../LibWebP/src/webp/mux.h"
++#include <webp/decode.h>
++#include <webp/encode.h>
++// #include "../LibWebP/src/enc/vp8enci.h"
++#include <webp/mux.h>
+ 
+ // ==========================================================
+ // Plugin Interface
+diff --git a/Source/FreeImage/ZLibInterface.cpp b/Source/FreeImage/ZLibInterface.cpp
+index 3ab6d32..1a90904 100644
+--- a/Source/FreeImage/ZLibInterface.cpp
++++ b/Source/FreeImage/ZLibInterface.cpp
+@@ -19,10 +19,9 @@
+ // Use at your own risk!
+ // ==========================================================
+ 
+-#include "../ZLib/zlib.h"
++#include <zlib.h>
+ #include "FreeImage.h"
+ #include "Utilities.h"
+-#include "../ZLib/zutil.h"	/* must be the last header because of error C3163 in VS2008 (_vsnprintf defined in stdio.h) */
+ 
+ /**
+ Compresses a source buffer into a target buffer, using the ZLib library. 
+@@ -115,7 +114,7 @@ FreeImage_ZLibGZip(BYTE *target, DWORD target_size, BYTE *source, DWORD source_s
+ 			return 0;
+         case Z_OK: {
+             // patch header, setup crc and length (stolen from mod_trace_output)
+-            BYTE *p = target + 8; *p++ = 2; *p = OS_CODE; // xflags, os_code
++            BYTE *p = target + 8; *p++ = 2; *p = 0x03; // xflags, os_code (unix)
+  	        crc = crc32(crc, source, source_size);
+ 	        memcpy(target + 4 + dest_len, &crc, 4);
+ 	        memcpy(target + 8 + dest_len, &source_size, 4);
+diff --git a/Source/Metadata/XTIFF.cpp b/Source/Metadata/XTIFF.cpp
+index d5be902..c1519ca 100644
+--- a/Source/Metadata/XTIFF.cpp
++++ b/Source/Metadata/XTIFF.cpp
+@@ -29,13 +29,18 @@
+ #pragma warning (disable : 4786) // identifier was truncated to 'number' characters
+ #endif
+ 
+-#include "../LibTIFF4/tiffiop.h"
++#include <tiffio.h>
+ 
+ #include "FreeImage.h"
+ #include "Utilities.h"
+ #include "FreeImageTag.h"
+ #include "FIRational.h"
+ 
++extern "C"
++{
++    int _TIFFDataSize(TIFFDataType type);
++}
++
+ // ----------------------------------------------------------
+ //   Extended TIFF Directory GEO Tag Support
+ // ----------------------------------------------------------
+@@ -224,6 +229,33 @@ tiff_write_geotiff_profile(TIFF *tif, FIBITMAP *dib) {
+ //   TIFF EXIF tag reading & writing
+ // ----------------------------------------------------------
+ 
++static uint32 exif_tag_ids[] = {
++  EXIFTAG_EXPOSURETIME, EXIFTAG_FNUMBER, EXIFTAG_EXPOSUREPROGRAM,
++  EXIFTAG_SPECTRALSENSITIVITY, EXIFTAG_ISOSPEEDRATINGS, EXIFTAG_OECF,
++  EXIFTAG_EXIFVERSION, EXIFTAG_DATETIMEORIGINAL, EXIFTAG_DATETIMEDIGITIZED,
++  EXIFTAG_COMPONENTSCONFIGURATION, EXIFTAG_COMPRESSEDBITSPERPIXEL,
++  EXIFTAG_SHUTTERSPEEDVALUE, EXIFTAG_APERTUREVALUE,
++  EXIFTAG_BRIGHTNESSVALUE, EXIFTAG_EXPOSUREBIASVALUE,
++  EXIFTAG_MAXAPERTUREVALUE, EXIFTAG_SUBJECTDISTANCE, EXIFTAG_METERINGMODE,
++  EXIFTAG_LIGHTSOURCE, EXIFTAG_FLASH, EXIFTAG_FOCALLENGTH,
++  EXIFTAG_SUBJECTAREA, EXIFTAG_MAKERNOTE, EXIFTAG_USERCOMMENT,
++  EXIFTAG_SUBSECTIME, EXIFTAG_SUBSECTIMEORIGINAL,
++  EXIFTAG_SUBSECTIMEDIGITIZED, EXIFTAG_FLASHPIXVERSION, EXIFTAG_COLORSPACE,
++  EXIFTAG_PIXELXDIMENSION, EXIFTAG_PIXELYDIMENSION,
++  EXIFTAG_RELATEDSOUNDFILE, EXIFTAG_FLASHENERGY,
++  EXIFTAG_SPATIALFREQUENCYRESPONSE, EXIFTAG_FOCALPLANEXRESOLUTION,
++  EXIFTAG_FOCALPLANEYRESOLUTION, EXIFTAG_FOCALPLANERESOLUTIONUNIT,
++  EXIFTAG_SUBJECTLOCATION, EXIFTAG_EXPOSUREINDEX, EXIFTAG_SENSINGMETHOD,
++  EXIFTAG_FILESOURCE, EXIFTAG_SCENETYPE, EXIFTAG_CFAPATTERN,
++  EXIFTAG_CUSTOMRENDERED, EXIFTAG_EXPOSUREMODE, EXIFTAG_WHITEBALANCE,
++  EXIFTAG_DIGITALZOOMRATIO, EXIFTAG_FOCALLENGTHIN35MMFILM,
++  EXIFTAG_SCENECAPTURETYPE, EXIFTAG_GAINCONTROL, EXIFTAG_CONTRAST,
++  EXIFTAG_SATURATION, EXIFTAG_SHARPNESS, EXIFTAG_DEVICESETTINGDESCRIPTION,
++  EXIFTAG_SUBJECTDISTANCERANGE, EXIFTAG_GAINCONTROL, EXIFTAG_GAINCONTROL,
++  EXIFTAG_IMAGEUNIQUEID
++};
++static int nExifTags = sizeof(exif_tag_ids) / sizeof(exif_tag_ids[0]);
++
+ /**
+ Read a single Exif tag
+ 
+@@ -575,43 +607,10 @@ tiff_read_exif_tags(TIFF *tif, TagLib::MDMODEL md_model, FIBITMAP *dib) {
+ 
+ 	// loop over all Core Directory Tags
+ 	// ### uses private data, but there is no other way
++	// -> Fedora: Best we can do without private headers is to hard-code a list of known EXIF tags and read those
+ 	if(md_model == TagLib::EXIF_MAIN) {
+-		const TIFFDirectory *td = &tif->tif_dir;
+-
+-		uint32 lastTag = 0;	//<- used to prevent reading some tags twice (as stored in tif_fieldinfo)
+-
+-		for (int fi = 0, nfi = (int)tif->tif_nfields; nfi > 0; nfi--, fi++) {
+-			const TIFFField *fld = tif->tif_fields[fi];
+-
+-			const uint32 tag_id = TIFFFieldTag(fld);
+-
+-			if(tag_id == lastTag) {
+-				continue;
+-			}
+-
+-			// test if tag value is set
+-			// (lifted directly from LibTiff _TIFFWriteDirectory)
+-
+-			if( fld->field_bit == FIELD_CUSTOM ) {
+-				int is_set = FALSE;
+-
+-				for(int ci = 0; ci < td->td_customValueCount; ci++ ) {
+-					is_set |= (td->td_customValues[ci].info == fld);
+-				}
+-
+-				if( !is_set ) {
+-					continue;
+-				}
+-
+-			} else if(!TIFFFieldSet(tif, fld->field_bit)) {
+-				continue;
+-			}
+-
+-			// process *all* other tags (some will be ignored)
+-
+-			tiff_read_exif_tag(tif, tag_id, dib, md_model);
+-
+-			lastTag = tag_id;
++		for (int i = 0; i < nExifTags; ++i) {
++			tiff_read_exif_tag(tif, exif_tag_ids[i], dib, md_model);
+ 		}
+ 
+ 	}
+@@ -723,10 +722,9 @@ tiff_write_exif_tags(TIFF *tif, TagLib::MDMODEL md_model, FIBITMAP *dib) {
+ 	
+ 	TagLib& tag_lib = TagLib::instance();
+ 	
+-	for (int fi = 0, nfi = (int)tif->tif_nfields; nfi > 0; nfi--, fi++) {
+-		const TIFFField *fld = tif->tif_fields[fi];
+-		
+-		const uint32 tag_id = TIFFFieldTag(fld);
++	for (int fi = 0, nfi = nExifTags; nfi > 0; nfi--, fi++) {
++		const uint32 tag_id = exif_tag_ids[fi];
++		const TIFFField *fld = TIFFFieldWithTag(tif, tag_id);
+ 
+ 		if(skip_write_field(tif, tag_id)) {
+ 			// skip tags that are already handled by the LibTIFF writing process
+diff --git a/genfipsrclist.sh b/genfipsrclist.sh
+index 41f946d..33b3877 100644
+--- a/genfipsrclist.sh
++++ b/genfipsrclist.sh
+@@ -1,18 +1,13 @@
+ #!/bin/sh
+ 
+-DIRLIST=". Source Source/Metadata Source/FreeImageToolkit Source/LibJPEG Source/LibPNG Source/LibTIFF4 Source/ZLib Source/LibOpenJPEG Source/OpenEXR Source/OpenEXR/Half Source/OpenEXR/Iex Source/OpenEXR/IlmImf Source/OpenEXR/IlmThread Source/OpenEXR/Imath Source/OpenEXR/IexMath Source/LibRawLite Source/LibRawLite/dcraw Source/LibRawLite/internal Source/LibRawLite/libraw Source/LibRawLite/src Source/LibWebP Source/LibJXR Source/LibJXR/common/include Source/LibJXR/image/sys Source/LibJXR/jxrgluelib Wrapper/FreeImagePlus"
++DIRLIST="Wrapper/FreeImagePlus"
+ 
+ 
+ echo "VER_MAJOR = 3" > fipMakefile.srcs
+ echo "VER_MINOR = 17.0" >> fipMakefile.srcs
+ 
+ echo -n "SRCS = " >> fipMakefile.srcs
+-for DIR in $DIRLIST; do
+-	VCPRJS=`echo $DIR/*.2008.vcproj`
+-	if [ "$VCPRJS" != "$DIR/*.2008.vcproj" ]; then
+-		egrep 'RelativePath=.*\.(c|cpp)' $DIR/*.2008.vcproj | cut -d'"' -f2 | tr '\\' '/' | awk '{print "'$DIR'/"$0}' | tr '\r\n' '  ' | tr -s ' ' >> fipMakefile.srcs
+-	fi
+-done
++find Wrapper/FreeImagePlus/src -name '*.cpp' -print | LC_ALL=C sort | xargs echo -n >> fipMakefile.srcs
+ echo >> fipMakefile.srcs
+ 
+ echo -n "INCLUDE =" >> fipMakefile.srcs
+diff --git a/gensrclist.sh b/gensrclist.sh
+index dbfb98d..3e4747d 100644
+--- a/gensrclist.sh
++++ b/gensrclist.sh
+@@ -1,21 +1,16 @@
+ #!/bin/sh
+ 
+-DIRLIST=". Source Source/Metadata Source/FreeImageToolkit Source/LibJPEG Source/LibPNG Source/LibTIFF4 Source/ZLib Source/LibOpenJPEG Source/OpenEXR Source/OpenEXR/Half Source/OpenEXR/Iex Source/OpenEXR/IlmImf Source/OpenEXR/IlmThread Source/OpenEXR/Imath Source/OpenEXR/IexMath Source/LibRawLite Source/LibRawLite/dcraw Source/LibRawLite/internal Source/LibRawLite/libraw Source/LibRawLite/src Source/LibWebP Source/LibJXR Source/LibJXR/common/include Source/LibJXR/image/sys Source/LibJXR/jxrgluelib"
++DIRLIST=`find Source -type d | LC_ALL=C sort`
+ 
+ echo "VER_MAJOR = 3" > Makefile.srcs
+ echo "VER_MINOR = 17.0" >> Makefile.srcs
+ 
+ echo -n "SRCS = " >> Makefile.srcs
+-for DIR in $DIRLIST; do
+-	VCPRJS=`echo $DIR/*.2008.vcproj`
+-	if [ "$VCPRJS" != "$DIR/*.2008.vcproj" ]; then
+-		egrep 'RelativePath=.*\.(c|cpp)' $DIR/*.2008.vcproj | cut -d'"' -f2 | tr '\\' '/' | awk '{print "'$DIR'/"$0}' | tr '\r\n' '  ' | tr -s ' ' >> Makefile.srcs
+-	fi
+-done
++find Source -name '*.c' -or -name '*.cpp' -not -name 'PluginG3.cpp' -not -name 'JPEGTransform.cpp' | LC_ALL=C sort | xargs echo -n >> Makefile.srcs
+ echo >> Makefile.srcs
+ 
+ echo -n "INCLS = " >> Makefile.srcs
+-find . -name "*.h" -print | xargs echo >> Makefile.srcs
++find Source -name '*.h' | LC_ALL=C sort | xargs echo -n >> Makefile.srcs
+ echo >> Makefile.srcs
+ 
+ echo -n "INCLUDE =" >> Makefile.srcs
-- 
2.10.1


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]

Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]

[Efraim Flashner]

[-- Attachment #1: Type: text/plain, Size: 6181 bytes --]

On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > On Fri, Oct 14, 2016 at 10:44:05AM +0000, Efraim Flashner wrote:
> >> efraim pushed a commit to branch master
> >> in repository guix.
> >> 
> >> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134
> >> Author: Efraim Flashner <efraim@flashner.co.il>
> >> Date:   Fri Oct 14 11:28:21 2016 +0300
> >> 
> >>     gnu: freeimage: Fix CVE-2016-5684.
> >>     
> >>     * gnu/packages/image.scm (freeimage)[source]: Add patch.
> >>     * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file.
> >>     * gnu/local.mk (dist_patch_DATA): Register it.
> >> ---
> >>  gnu/local.mk                                       |    1 +
> >>  gnu/packages/image.scm                             |    3 +-
> >>  gnu/packages/patches/freeimage-CVE-2016-5684.patch |   34 ++++++++++++++++++++
> >>  3 files changed, 37 insertions(+), 1 deletion(-)
> >
> > Efraim pointed out on IRC that our freeimage packages bundles many
> > 3rd-party libraries:
> >
> > $ ls -1 FreeImage/Source
> > CacheFile.h
> > DeprecationManager
> > FreeImage
> > FreeImage.h
> > FreeImageIO.h
> > FreeImageLib
> > FreeImageToolkit
> > LibJPEG
> > LibJXR
> > LibOpenJPEG
> > LibPNG
> > LibRawLite
> > LibTIFF4
> > LibWebP
> > MapIntrospector.h
> > Metadata
> > OpenEXR
> > Plugin.h
> > Quantizers.h
> > ToneMapping.h
> > Utilities.h
> > ZLib
> >
> > Debian has a patch to make it use "system" copies of the libraries:
> >
> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
> >
> > For now, our freeimage package is probably vulnerable to many publicly
> > disclosed security bugs.
> >
> > Who volunteers to try fixing this?
> 
> The patch is attached. I've removed the bit from Debian that disables JPEG
> transformation functions, as seen below. JPEGTransform.cpp (in
> Source/FreeImageToolkit) gave me some trouble when I left that part of
> the patch alone.
> 
> @@ -473,6 +477,9 @@ FI_ENUM(FREE_IMAGE_DITHER) {
>  	FID_BAYER16x16	= 6		//! Bayer ordered dispersed dot dithering (order 4 dithering matrix)
>  };
>  
> +/* Debian: The JPEGTransform functions are deliberately disabled in our build
> +   of FreeImage, since they require usage of the vendored copy of libjpeg. */
> +#if 0
>  /** Lossless JPEG transformations
>  Constants used in FreeImage_JPEGTransform
>  */
> @@ -486,6 +493,7 @@ FI_ENUM(FREE_IMAGE_JPEG_OPERATION) {
>  	FIJPEG_OP_ROTATE_180	= 6,	//! 180-degree rotation
>  	FIJPEG_OP_ROTATE_270	= 7		//! 270-degree clockwise (or 90 ccw)
>  };
> +#endif
>  
>  /** Tone mapping operators.
>  Constants used in FreeImage_ToneMapping.
> @@ -1076,7 +1084,9 @@ DLL_API const char* DLL_CALLCONV FreeImage_TagToString(FREE_IMAGE_MDMODEL model,
>  // --------------------------------------------------------------------------
>  // JPEG lossless transformation routines
>  // --------------------------------------------------------------------------
> -
> +/* Debian: The JPEGTransform functions are deliberately disabled in our build
> +   of FreeImage, since they require usage of the vendored copy of libjpeg. */
> +#if 0
>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransform(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE));
>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE));
>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGCrop(const char *src_file, const char *dst_file, int left, int top, int right, int bottom);
> @@ -1085,6 +1095,7 @@ DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformFromHandle(FreeImageIO* src_io,
>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombined(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedFromMemory(FIMEMORY* src_stream, FIMEMORY* dst_stream, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
> +#endif

> From 4ef0c85c769aa4bc7a528c13eee1c61705e61479 Mon Sep 17 00:00:00 2001
> From: Kei Kebreau <kei@openmailbox.org>
> Date: Fri, 14 Oct 2016 18:09:45 -0400
> Subject: [PATCH] gnu: freeimage: Disable in-tree third-party libraries.
> 
> * gnu/packages/image.scm (freeimage)[source]: Add patch.
> * gnu/packages/patches/freeimage-disable-vendored-dependencies.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> ---
>  gnu/local.mk                                       |   1 +
>  gnu/packages/image.scm                             |   6 +-
>  .../freeimage-disable-vendored-dependencies.patch  | 398 +++++++++++++++++++++
>  3 files changed, 404 insertions(+), 1 deletion(-)
>  create mode 100644 gnu/packages/patches/freeimage-disable-vendored-dependencies.patch

I was looking at it and I thought it was going to be much more than 400
lines in the end.

Did we also need the other patch?
https://sources.debian.net/src/freeimage/3.17.0%2Bds1-3/debian/patches/Use-system-dependencies.patch/

On one hand we could carry a modified version of Debian's patch, on the
other hand some of these look like they could be a series of substitute*
commands. I started looking through the patch and thinking how to
convert them from "../path/to/header.h" to <header.h> and realizing I
myself wouldn't want to do that, so that could easily be an option for
another time :).




-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]

[Kei Kebreau]

[-- Attachment #1: Type: text/plain, Size: 6226 bytes --]

Efraim Flashner <efraim@flashner.co.il> writes:

> On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote:
>> Leo Famulari <leo@famulari.name> writes:
>> 
>> > On Fri, Oct 14, 2016 at 10:44:05AM +0000, Efraim Flashner wrote:
>> >> efraim pushed a commit to branch master
>> >> in repository guix.
>> >> 
>> >> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134
>> >> Author: Efraim Flashner <efraim@flashner.co.il>
>> >> Date:   Fri Oct 14 11:28:21 2016 +0300
>> >> 
>> >>     gnu: freeimage: Fix CVE-2016-5684.
>> >>     
>> >>     * gnu/packages/image.scm (freeimage)[source]: Add patch.
>> >>     * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file.
>> >>     * gnu/local.mk (dist_patch_DATA): Register it.
>> >> ---
>> >>  gnu/local.mk                                       |    1 +
>> >>  gnu/packages/image.scm                             |    3 +-
>> >>  gnu/packages/patches/freeimage-CVE-2016-5684.patch |   34 ++++++++++++++++++++
>> >>  3 files changed, 37 insertions(+), 1 deletion(-)
>> >
>> > Efraim pointed out on IRC that our freeimage packages bundles many
>> > 3rd-party libraries:
>> >
>> > $ ls -1 FreeImage/Source
>> > CacheFile.h
>> > DeprecationManager
>> > FreeImage
>> > FreeImage.h
>> > FreeImageIO.h
>> > FreeImageLib
>> > FreeImageToolkit
>> > LibJPEG
>> > LibJXR
>> > LibOpenJPEG
>> > LibPNG
>> > LibRawLite
>> > LibTIFF4
>> > LibWebP
>> > MapIntrospector.h
>> > Metadata
>> > OpenEXR
>> > Plugin.h
>> > Quantizers.h
>> > ToneMapping.h
>> > Utilities.h
>> > ZLib
>> >
>> > Debian has a patch to make it use "system" copies of the libraries:
>> >
>> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
>> >
>> > For now, our freeimage package is probably vulnerable to many publicly
>> > disclosed security bugs.
>> >
>> > Who volunteers to try fixing this?
>> 
>> The patch is attached. I've removed the bit from Debian that disables JPEG
>> transformation functions, as seen below. JPEGTransform.cpp (in
>> Source/FreeImageToolkit) gave me some trouble when I left that part of
>> the patch alone.
>> 
>> @@ -473,6 +477,9 @@ FI_ENUM(FREE_IMAGE_DITHER) {
>>  	FID_BAYER16x16	= 6		//! Bayer ordered dispersed dot dithering (order 4 dithering matrix)
>>  };
>>  
>> +/* Debian: The JPEGTransform functions are deliberately disabled in our build
>> +   of FreeImage, since they require usage of the vendored copy of libjpeg. */
>> +#if 0
>>  /** Lossless JPEG transformations
>>  Constants used in FreeImage_JPEGTransform
>>  */
>> @@ -486,6 +493,7 @@ FI_ENUM(FREE_IMAGE_JPEG_OPERATION) {
>>  	FIJPEG_OP_ROTATE_180	= 6,	//! 180-degree rotation
>>  	FIJPEG_OP_ROTATE_270	= 7		//! 270-degree clockwise (or 90 ccw)
>>  };
>> +#endif
>>  
>>  /** Tone mapping operators.
>>  Constants used in FreeImage_ToneMapping.
>> @@ -1076,7 +1084,9 @@ DLL_API const char* DLL_CALLCONV FreeImage_TagToString(FREE_IMAGE_MDMODEL model,
>>  // --------------------------------------------------------------------------
>>  // JPEG lossless transformation routines
>>  // --------------------------------------------------------------------------
>> -
>> +/* Debian: The JPEGTransform functions are deliberately disabled in our build
>> +   of FreeImage, since they require usage of the vendored copy of libjpeg. */
>> +#if 0
>>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransform(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE));
>>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE));
>>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGCrop(const char *src_file, const char *dst_file, int left, int top, int right, int bottom);
>> @@ -1085,6 +1095,7 @@ DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformFromHandle(FreeImageIO* src_io,
>>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombined(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
>>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
>>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedFromMemory(FIMEMORY* src_stream, FIMEMORY* dst_stream, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
>> +#endif
>
>> From 4ef0c85c769aa4bc7a528c13eee1c61705e61479 Mon Sep 17 00:00:00 2001
>> From: Kei Kebreau <kei@openmailbox.org>
>> Date: Fri, 14 Oct 2016 18:09:45 -0400
>> Subject: [PATCH] gnu: freeimage: Disable in-tree third-party libraries.
>> 
>> * gnu/packages/image.scm (freeimage)[source]: Add patch.
>> * gnu/packages/patches/freeimage-disable-vendored-dependencies.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> ---
>>  gnu/local.mk                                       |   1 +
>>  gnu/packages/image.scm                             |   6 +-
>>  .../freeimage-disable-vendored-dependencies.patch  | 398 +++++++++++++++++++++
>>  3 files changed, 404 insertions(+), 1 deletion(-)
>>  create mode 100644 gnu/packages/patches/freeimage-disable-vendored-dependencies.patch
>
> I was looking at it and I thought it was going to be much more than 400
> lines in the end.
>
> Did we also need the other patch?
> https://sources.debian.net/src/freeimage/3.17.0%2Bds1-3/debian/patches/Use-system-dependencies.patch/
>
> On one hand we could carry a modified version of Debian's patch, on the
> other hand some of these look like they could be a series of substitute*
> commands. I started looking through the patch and thinking how to
> convert them from "../path/to/header.h" to <header.h> and realizing I
> myself wouldn't want to do that, so that could easily be an option for
> another time :).

Looking at its contents, adding that patch would make a lot of sense. :-)

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]

Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 1720 bytes --]

On Sat, Oct 15, 2016 at 02:57:37PM -0400, Kei Kebreau wrote:
> Efraim Flashner <efraim@flashner.co.il> writes:
> > On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote:
> >> Leo Famulari <leo@famulari.name> writes:
> >> > Debian has a patch to make it use "system" copies of the libraries:
> >> >
> >> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
> >> >
> >> > For now, our freeimage package is probably vulnerable to many publicly
> >> > disclosed security bugs.
> >> >
> >> > Who volunteers to try fixing this?
> >> 
> >> The patch is attached. I've removed the bit from Debian that disables JPEG
> >> transformation functions, as seen below. JPEGTransform.cpp (in
> >> Source/FreeImageToolkit) gave me some trouble when I left that part of
> >> the patch alone.
>
> > I was looking at it and I thought it was going to be much more than 400
> > lines in the end.
> >
> > Did we also need the other patch?
> > https://sources.debian.net/src/freeimage/3.17.0%2Bds1-3/debian/patches/Use-system-dependencies.patch/
> >
> > On one hand we could carry a modified version of Debian's patch, on the
> > other hand some of these look like they could be a series of substitute*
> > commands. I started looking through the patch and thinking how to
> > convert them from "../path/to/header.h" to <header.h> and realizing I
> > myself wouldn't want to do that, so that could easily be an option for
> > another time :).
> 
> Looking at its contents, adding that patch would make a lot of sense. :-)

Yes, I think we need to use both patches. Will you submit an updated
version of your patch?

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]

[Kei Kebreau]

[-- Attachment #1: Type: text/plain, Size: 1965 bytes --]

Leo Famulari <leo@famulari.name> writes:

> On Sat, Oct 15, 2016 at 02:57:37PM -0400, Kei Kebreau wrote:
>> Efraim Flashner <efraim@flashner.co.il> writes:
>> > On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote:
>> >> Leo Famulari <leo@famulari.name> writes:
>> >> > Debian has a patch to make it use "system" copies of the libraries:
>> >> >
>> >> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
>> >> >
>> >> > For now, our freeimage package is probably vulnerable to many publicly
>> >> > disclosed security bugs.
>> >> >
>> >> > Who volunteers to try fixing this?
>> >> 
>> >> The patch is attached. I've removed the bit from Debian that disables JPEG
>> >> transformation functions, as seen below. JPEGTransform.cpp (in
>> >> Source/FreeImageToolkit) gave me some trouble when I left that part of
>> >> the patch alone.
>>
>> > I was looking at it and I thought it was going to be much more than 400
>> > lines in the end.
>> >
>> > Did we also need the other patch?
>> > https://sources.debian.net/src/freeimage/3.17.0%2Bds1-3/debian/patches/Use-system-dependencies.patch/
>> >
>> > On one hand we could carry a modified version of Debian's patch, on the
>> > other hand some of these look like they could be a series of substitute*
>> > commands. I started looking through the patch and thinking how to
>> > convert them from "../path/to/header.h" to <header.h> and realizing I
>> > myself wouldn't want to do that, so that could easily be an option for
>> > another time :).
>> 
>> Looking at its contents, adding that patch would make a lot of sense. :-)
>
> Yes, I think we need to use both patches. Will you submit an updated
> version of your patch?

I intend to. The updated patch requires a JPEG XR library to be packaged
(and maybe others), but I am having some trouble getting a source URL
from CodePlex.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]