From: Efraim Flashner
Subject: cairo CVE-2016-9082
Date: Mon, 28 Nov 2016 20:52:11 +0200
Message-ID: <20161128185211.GC2509@macbook42.flashner.co.il>
To: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

This patch was a bit on the harder side. We already have the
cairo->poppler->cairo cyclical dependency, so both cairos need to be
patched, the one in gtk.scm and the custom cairo in poppler. Also made
sure to grab cairo-xcb in the process. cairo-xcb needs 'replacement #f'
or else 'guix build cairo-xcb' returns cairo, and I threw it in for the
custom cairo in poppler after assuming it would give a similar problem.
-- 
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Content-Disposition: attachment; filename="0001-gnu-cairo-Fix-CVE-2016-9082.patch"

From 49b593914bbcf0b177bd88f118adcedfdc400fa4 Mon Sep 17 00:00:00 2001
From: Efraim Flashner
Date: Mon, 28 Nov 2016 19:25:21 +0200
Subject: [PATCH] gnu: cairo: Fix CVE-2016-9082.

* gnu/packages/gtk.scm (cairo)[replacement]: New field.
(cairo/fixed): New variable.
(cairo-xcb)[inherit]: Inherit from cairo/fixed.
[replacement]: Set false.
* gnu/packages/pdf.scm (poppler)[inputs]: Custom cairo should be replaced
by a new custom cairo, inheriting from cairo/fixed.
* gnu/packages/patches/cairo-CVE-2016-9082.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
---
 gnu/local.mk                                   |   1 +
 gnu/packages/gtk.scm                           |  11 ++-
 gnu/packages/patches/cairo-CVE-2016-9082.patch | 121 +++++++++++++++++++++++++
 gnu/packages/pdf.scm                           |   5 +
 4 files changed, 137 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/cairo-CVE-2016-9082.patch

diff --git a/gnu/local.mk b/gnu/local.mk index c50ef25..ea8aa73 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -488,6 +488,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/binutils-loongson-workaround.patch \ %D%/packages/patches/binutils-mips-bash-bug.patch \ %D%/packages/patches/byobu-writable-status.patch \ + %D%/packages/patches/cairo-CVE-2016-9082.patch \ %D%/packages/patches/calibre-drop-unrar.patch \ %D%/packages/patches/calibre-no-updates-dialog.patch \ %D%/packages/patches/cdparanoia-fpic.patch \ diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm index 17bd9c9..b3102d0 100644 --- a/gnu/packages/gtk.scm +++ b/gnu/packages/gtk.scm
@@ -100,6 +100,7 @@ tools have full access to view and control running appl= ications.") (define-public cairo (package (name "cairo") + (replacement cairo/fixed) (version "1.14.6") (source (origin (method url-fetch) @@ -151,7 +152,8 @@ affine transformation (scale, rotation, shear, etc.).") =20 (define-public cairo-xcb (package - (inherit cairo) + (inherit cairo/fixed) + (replacement #f) (name "cairo-xcb") (inputs `(("mesa" ,mesa) @@ -162,6 +164,13 @@ affine transformation (scale, rotation, shear, etc.).") '("--enable-xlib-xcb" "--enable-gl" "--enable-egl"))) (synopsis "2D graphics library (with X11 support)"))) =20 +(define cairo/fixed + (package + (inherit cairo) + (source (origin + (inherit (package-source cairo)) + (patches (search-patches "cairo-CVE-2016-9082.patch")))))) + (define-public harfbuzz (package (name "harfbuzz") diff --git a/gnu/packages/patches/cairo-CVE-2016-9082.patch b/gnu/packages/= patches/cairo-CVE-2016-9082.patch new file mode 100644 index 0000000..1dd57a0 --- /dev/null +++ b/gnu/packages/patches/cairo-CVE-2016-9082.patch 
@@ -0,0 +1,121 @@ +From: Adrian Johnson +Date: Thu, 20 Oct 2016 21:12:30 +1030 +Subject: [PATCH] image: prevent invalid ptr access for > 4GB images + +Image data is often accessed using: + + image->data + y * image->stride + +On 64-bit achitectures if the image data is > 4GB, this computation +will overflow since both y and stride are 32-bit types. + +https://bugs.freedesktop.org/show_bug.cgi?id=3D98165 +--- + boilerplate/cairo-boilerplate.c | 4 +++- + src/cairo-image-compositor.c | 4 ++-- + src/cairo-image-surface-private.h | 2 +- + src/cairo-mesh-pattern-rasterizer.c | 2 +- + src/cairo-png.c | 2 +- + src/cairo-script-surface.c | 3 ++- + 6 files changed, 10 insertions(+), 7 deletions(-) + +diff --git a/boilerplate/cairo-boilerplate.c b/boilerplate/cairo-boilerpla= te.c +index 7fdbf79..4804dea 100644 +--- a/boilerplate/cairo-boilerplate.c ++++ b/boilerplate/cairo-boilerplate.c +@@ -42,6 +42,7 @@ + #undef CAIRO_VERSION_H + #include "../cairo-version.h" +=20 ++#include + #include + #include + #include +@@ -976,7 +977,8 @@ cairo_surface_t * + cairo_boilerplate_image_surface_create_from_ppm_stream (FILE *file) + { + char format; +- int width, height, stride; ++ int width, height; ++ ptrdiff_t stride; + int x, y; + unsigned char *data; + cairo_surface_t *image =3D NULL; +diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c +index 48072f8..3ca0006 100644 +--- a/src/cairo-image-compositor.c ++++ b/src/cairo-image-compositor.c +@@ -1575,7 +1575,7 @@ typedef struct _cairo_image_span_renderer { + pixman_image_t *src, *mask; + union { + struct fill { +- int stride; ++ ptrdiff_t stride; + uint8_t *data; + uint32_t pixel; + } fill; +@@ -1594,7 +1594,7 @@ typedef struct _cairo_image_span_renderer { + struct finish { + cairo_rectangle_int_t extents; + int src_x, src_y; +- int stride; ++ ptrdiff_t stride; + uint8_t *data; + } mask; + } u; +diff --git a/src/cairo-image-surface-private.h b/src/cairo-image-surface-p= rivate.h +index 8ca694c..7e78d61 100644 +--- 
a/src/cairo-image-surface-private.h ++++ b/src/cairo-image-surface-private.h +@@ -71,7 +71,7 @@ struct _cairo_image_surface { +=20 + int width; + int height; +- int stride; ++ ptrdiff_t stride; + int depth; +=20 + unsigned owns_data : 1; +diff --git a/src/cairo-mesh-pattern-rasterizer.c b/src/cairo-mesh-pattern-= rasterizer.c +index 1b63ca8..e7f0db6 100644 +--- a/src/cairo-mesh-pattern-rasterizer.c ++++ b/src/cairo-mesh-pattern-rasterizer.c +@@ -470,7 +470,7 @@ draw_pixel (unsigned char *data, int width, int height= , int stride, + tg +=3D tg >> 16; + tb +=3D tb >> 16; +=20 +- *((uint32_t*) (data + y*stride + 4*x)) =3D ((ta << 16) & 0xff000000) | ++ *((uint32_t*) (data + y*(ptrdiff_t)stride + 4*x)) =3D ((ta << 16) & 0xff= 000000) | + ((tr >> 8) & 0xff0000) | ((tg >> 16) & 0xff00) | (tb >> 24); + } + } +diff --git a/src/cairo-png.c b/src/cairo-png.c +index 562b743..aa8c227 100644 +--- a/src/cairo-png.c ++++ b/src/cairo-png.c +@@ -673,7 +673,7 @@ read_png (struct png_read_closure_t *png_closure) + } +=20 + for (i =3D 0; i < png_height; i++) +- row_pointers[i] =3D &data[i * stride]; ++ row_pointers[i] =3D &data[i * (ptrdiff_t)stride]; +=20 + png_read_image (png, row_pointers); + png_read_end (png, info); +diff --git a/src/cairo-script-surface.c b/src/cairo-script-surface.c +index ea0117d..91e4baa 100644 +--- a/src/cairo-script-surface.c ++++ b/src/cairo-script-surface.c +@@ -1202,7 +1202,8 @@ static cairo_status_t + _write_image_surface (cairo_output_stream_t *output, + const cairo_image_surface_t *image) + { +- int stride, row, width; ++ int row, width; ++ ptrdiff_t stride; + uint8_t row_stack[CAIRO_STACK_BUFFER_SIZE]; + uint8_t *rowdata; + uint8_t *data; +--=20 +2.1.4 + diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index 39f4d02..1471665 100644 --- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm 
@@ -95,6 +95,11 @@ ;; To build poppler-glib (as needed by Evince), we need Cairo= and ;; GLib. But of course, that Cairo must not depend on Popple= r. ("cairo" ,(package (inherit cairo) + (replacement + (package + (inherit (@@(gnu packages gtk) cairo/fixed)) + (replacement #f) + (inputs (alist-delete "poppler" (package-inpu= ts cairo))))) (inputs (alist-delete "poppler" (package-inputs cairo))))) ("glib" ,glib)))
-- 
2.10.2
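Review bot: In the cairo-xcb hunk of gtk.scm, `(inherit cairo/fixed)` together with `(replacement #f)` changes cairo-xcb's own source, so cairo-xcb and every package that depends on it are rebuilt rather than grafted, unlike cairo itself, which keeps its derivation and is patched through the replacement. That is acceptable if the dependent set is small, but the graft-preserving alternative is to keep `(inherit cairo)` and give cairo-xcb a replacement of its own, e.g. a `cairo-xcb/fixed` defined the way cairo/fixed is but inheriting from cairo-xcb. The cover letter justifies the `(replacement #f)` by `guix build cairo-xcb` otherwise returning cairo; a dedicated cairo-xcb replacement would carry the name "cairo-xcb" and sidestep that.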
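Review bot: The `(define cairo/fixed` hunk has no comment saying which CVE the graft carries; add a one-line comment naming CVE-2016-9082 above the definition so the graft can be retired when cairo is next updated. Changing only `source` while keeping cairo's name, version, inputs and outputs is the right shape for a graft.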
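Review bot: The header of cairo-CVE-2016-9082.patch records the author (Adrian Johnson), the date, the subject and the freedesktop bug URL, but not the id of the upstream cairo commit the patch was taken from; add the commit id to the header so the backport can be checked against cairo's git and the patch dropped once a release containing the fix is packaged.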
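Review bot: In the cairo-mesh-pattern-rasterizer.c hunk the cast in `y*(ptrdiff_t)stride` widens the product, but the enclosing function still declares `draw_pixel (unsigned char *data, int width, int height, int stride,`, so the ptrdiff_t stride from the widened `struct _cairo_image_surface` is narrowed to int at the call site and widened again here. A single row stride does not exceed int in practice, so the cast fixes the overflow at hand, but changing the parameter to `ptrdiff_t stride` would avoid the implicit narrowing and match the other hunks.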
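Review bot: The pdf.scm hunk reaches into another module with `(@@(gnu packages gtk) cairo/fixed)`, bypassing its export list; the cleaner fix is to make cairo/fixed `define-public` in gtk.scm and refer to it as plain `cairo/fixed` here. Separately, the cover letter says the inner `(replacement #f)` was added on the assumption that the poppler cairo would hit the same problem as cairo-xcb rather than from observation; please confirm with `guix build poppler` followed by `guix gc --references` on the result that poppler ends up referencing the patched cairo and not the unpatched one, since the letter describes this part as a guess.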
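Added example, written for this page and not taken from cairo, from the upstream patch or from Guix: it reproduces the arithmetic the patch header describes, `image->data + y * image->stride` evaluated with `int y` and `int stride`, on a constructed 4 GiB image geometry, beside the ptrdiff_t computation the patch switches to. No image is allocated; only row offsets are computed and checked against the buffer size. The stride helper assumes four bytes per pixel (ARGB32), which is an assumption of the example, not something the patch states.

```c
/* Added example, not code from cairo or from the Guix patch.
 * Reproduces the arithmetic behind CVE-2016-9082 on a constructed
 * geometry: with `int y` and `int stride`, `y * stride` is evaluated
 * in 32-bit int and wraps once the image exceeds 2 GiB, so
 * `data + y * stride` lands outside the buffer.  Nothing is allocated. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes per row for a 32-bit-per-pixel (ARGB32) image.  Assumption of
 * this example: four bytes per pixel, already a multiple of cairo's
 * 4-byte row alignment, so no padding is added. */
static int stride_for_width_argb32(int width)
{
    return width * 4;
}

/* Pre-patch computation: both operands are int.  Signed overflow is
 * undefined in C, so the wrap is emulated in uint32_t and then
 * reinterpreted as int32_t, which is what the original expression
 * produces on an LP64 compiler in practice. */
static int64_t row_offset_int(int y, int stride)
{
    uint32_t wrapped = (uint32_t)y * (uint32_t)stride;
    return (int32_t)wrapped;
}

/* Patched computation: stride is ptrdiff_t, so y is converted to
 * ptrdiff_t (64-bit on LP64 targets) and the product does not wrap. */
static int64_t row_offset_ptrdiff(int y, ptrdiff_t stride)
{
    return (int64_t)((ptrdiff_t)y * stride);
}

/* A row offset is usable only if it lies inside the image buffer. */
static int row_offset_in_bounds(int64_t offset, int64_t image_bytes)
{
    return offset >= 0 && offset < image_bytes;
}

int main(void)
{
    /* Constructed geometry: 65536 x 16384 ARGB32 is exactly 4 GiB. */
    const int width = 65536, height = 16384;
    const int stride = stride_for_width_argb32(width);
    const int64_t image_bytes = (int64_t)stride * height;
    const int rows[] = { 0, 100, 8191, 8192, 16383 };
    size_t i;

    printf("stride=%d image_bytes=%lld\n", stride, (long long)image_bytes);
    printf("%6s %14s %14s\n", "y", "int offset", "ptrdiff offset");
    for (i = 0; i < sizeof rows / sizeof rows[0]; i++) {
        int64_t bad = row_offset_int(rows[i], stride);
        int64_t good = row_offset_ptrdiff(rows[i], stride);
        printf("%6d %14lld %14lld%s\n", rows[i], (long long)bad,
               (long long)good,
               row_offset_in_bounds(bad, image_bytes)
                   ? "" : "  <- int product wraps out of bounds");
    }
    return 0;
}
```

Rows 0 through 8191 agree in both computations; at y = 8192 the int product reaches 2^31 and wraps to a negative offset, and at y = 16383 it wraps to -262144, i.e. one row before the start of the buffer, which is the invalid pointer access the patch title refers to.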