unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* cairo CVE-2016-9082
@ 2016-11-28 18:52 Efraim Flashner
  2016-11-28 19:30 ` Efraim Flashner
  0 siblings, 1 reply; 5+ messages in thread
From: Efraim Flashner @ 2016-11-28 18:52 UTC (permalink / raw)
  To: guix-devel


[-- Attachment #1.1: Type: text/plain, Size: 639 bytes --]

This patch was a bit on the harder side. We already have the
cairo->poppler->cairo cyclical dependency, so both cairos need to be
patched, the one in gtk.scm and the custom cairo in poppler. Also made
sure to grab cairo-xcb in the process.

cairo-xcb needs 'replacement #f' or else 'guix build cairo-xcb' returns
cairo, and I threw it in for the custom cairo in poppler after assuming
it would give a similar problem.

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #1.2: 0001-gnu-cairo-Fix-CVE-2016-9082.patch --]
[-- Type: text/plain, Size: 7802 bytes --]

From 49b593914bbcf0b177bd88f118adcedfdc400fa4 Mon Sep 17 00:00:00 2001
From: Efraim Flashner <efraim@flashner.co.il>
Date: Mon, 28 Nov 2016 19:25:21 +0200
Subject: [PATCH] gnu: cairo: Fix CVE-2016-9082.

* gnu/packages/gtk.scm (cairo)[replacement]: New field.
(cairo/fixed): New variable.
(cairo-xcb)[inherit]: Inherit from cairo/fixed.
[replacement]: Set false.
* gnu/packages/pdf.scm (poppler)[inputs]: Custom cairo should be
replaced by a new custom cairo, inheriting from cairo/fixed.
* gnu/packages/patches/cairo-CVE-2016-9082.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
---
 gnu/local.mk                                   |   1 +
 gnu/packages/gtk.scm                           |  11 ++-
 gnu/packages/patches/cairo-CVE-2016-9082.patch | 121 +++++++++++++++++++++++++
 gnu/packages/pdf.scm                           |   5 +
 4 files changed, 137 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/cairo-CVE-2016-9082.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index c50ef25..ea8aa73 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -488,6 +488,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/binutils-loongson-workaround.patch	\
   %D%/packages/patches/binutils-mips-bash-bug.patch		\
   %D%/packages/patches/byobu-writable-status.patch		\
+  %D%/packages/patches/cairo-CVE-2016-9082.patch			\
   %D%/packages/patches/calibre-drop-unrar.patch			\
   %D%/packages/patches/calibre-no-updates-dialog.patch		\
   %D%/packages/patches/cdparanoia-fpic.patch			\
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 17bd9c9..b3102d0 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -100,6 +100,7 @@ tools have full access to view and control running applications.")
 (define-public cairo
   (package
    (name "cairo")
+   (replacement cairo/fixed)
    (version "1.14.6")
    (source (origin
             (method url-fetch)
@@ -151,7 +152,8 @@ affine transformation (scale, rotation, shear, etc.).")
 
 (define-public cairo-xcb
   (package
-    (inherit cairo)
+    (inherit cairo/fixed)
+    (replacement #f)
     (name "cairo-xcb")
     (inputs
      `(("mesa" ,mesa)
@@ -162,6 +164,13 @@ affine transformation (scale, rotation, shear, etc.).")
        '("--enable-xlib-xcb" "--enable-gl" "--enable-egl")))
     (synopsis "2D graphics library (with X11 support)")))
 
+(define cairo/fixed
+  (package
+    (inherit cairo)
+    (source (origin
+              (inherit (package-source cairo))
+              (patches (search-patches "cairo-CVE-2016-9082.patch"))))))
+
 (define-public harfbuzz
   (package
    (name "harfbuzz")
diff --git a/gnu/packages/patches/cairo-CVE-2016-9082.patch b/gnu/packages/patches/cairo-CVE-2016-9082.patch
new file mode 100644
index 0000000..1dd57a0
--- /dev/null
+++ b/gnu/packages/patches/cairo-CVE-2016-9082.patch
@@ -0,0 +1,121 @@
+From: Adrian Johnson <ajohnson@redneon.com>
+Date: Thu, 20 Oct 2016 21:12:30 +1030
+Subject: [PATCH] image: prevent invalid ptr access for > 4GB images
+
+Image data is often accessed using:
+
+  image->data + y * image->stride
+
+On 64-bit achitectures if the image data is > 4GB, this computation
+will overflow since both y and stride are 32-bit types.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=98165
+---
+ boilerplate/cairo-boilerplate.c     | 4 +++-
+ src/cairo-image-compositor.c        | 4 ++--
+ src/cairo-image-surface-private.h   | 2 +-
+ src/cairo-mesh-pattern-rasterizer.c | 2 +-
+ src/cairo-png.c                     | 2 +-
+ src/cairo-script-surface.c          | 3 ++-
+ 6 files changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/boilerplate/cairo-boilerplate.c b/boilerplate/cairo-boilerplate.c
+index 7fdbf79..4804dea 100644
+--- a/boilerplate/cairo-boilerplate.c
++++ b/boilerplate/cairo-boilerplate.c
+@@ -42,6 +42,7 @@
+ #undef CAIRO_VERSION_H
+ #include "../cairo-version.h"
+ 
++#include <stddef.h>
+ #include <stdlib.h>
+ #include <ctype.h>
+ #include <assert.h>
+@@ -976,7 +977,8 @@ cairo_surface_t *
+ cairo_boilerplate_image_surface_create_from_ppm_stream (FILE *file)
+ {
+     char format;
+-    int width, height, stride;
++    int width, height;
++    ptrdiff_t stride;
+     int x, y;
+     unsigned char *data;
+     cairo_surface_t *image = NULL;
+diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
+index 48072f8..3ca0006 100644
+--- a/src/cairo-image-compositor.c
++++ b/src/cairo-image-compositor.c
+@@ -1575,7 +1575,7 @@ typedef struct _cairo_image_span_renderer {
+     pixman_image_t *src, *mask;
+     union {
+ 	struct fill {
+-	    int stride;
++	    ptrdiff_t stride;
+ 	    uint8_t *data;
+ 	    uint32_t pixel;
+ 	} fill;
+@@ -1594,7 +1594,7 @@ typedef struct _cairo_image_span_renderer {
+ 	struct finish {
+ 	    cairo_rectangle_int_t extents;
+ 	    int src_x, src_y;
+-	    int stride;
++	    ptrdiff_t stride;
+ 	    uint8_t *data;
+ 	} mask;
+     } u;
+diff --git a/src/cairo-image-surface-private.h b/src/cairo-image-surface-private.h
+index 8ca694c..7e78d61 100644
+--- a/src/cairo-image-surface-private.h
++++ b/src/cairo-image-surface-private.h
+@@ -71,7 +71,7 @@ struct _cairo_image_surface {
+ 
+     int width;
+     int height;
+-    int stride;
++    ptrdiff_t stride;
+     int depth;
+ 
+     unsigned owns_data : 1;
+diff --git a/src/cairo-mesh-pattern-rasterizer.c b/src/cairo-mesh-pattern-rasterizer.c
+index 1b63ca8..e7f0db6 100644
+--- a/src/cairo-mesh-pattern-rasterizer.c
++++ b/src/cairo-mesh-pattern-rasterizer.c
+@@ -470,7 +470,7 @@ draw_pixel (unsigned char *data, int width, int height, int stride,
+ 	tg += tg >> 16;
+ 	tb += tb >> 16;
+ 
+-	*((uint32_t*) (data + y*stride + 4*x)) = ((ta << 16) & 0xff000000) |
++	*((uint32_t*) (data + y*(ptrdiff_t)stride + 4*x)) = ((ta << 16) & 0xff000000) |
+ 	    ((tr >> 8) & 0xff0000) | ((tg >> 16) & 0xff00) | (tb >> 24);
+     }
+ }
+diff --git a/src/cairo-png.c b/src/cairo-png.c
+index 562b743..aa8c227 100644
+--- a/src/cairo-png.c
++++ b/src/cairo-png.c
+@@ -673,7 +673,7 @@ read_png (struct png_read_closure_t *png_closure)
+     }
+ 
+     for (i = 0; i < png_height; i++)
+-        row_pointers[i] = &data[i * stride];
++        row_pointers[i] = &data[i * (ptrdiff_t)stride];
+ 
+     png_read_image (png, row_pointers);
+     png_read_end (png, info);
+diff --git a/src/cairo-script-surface.c b/src/cairo-script-surface.c
+index ea0117d..91e4baa 100644
+--- a/src/cairo-script-surface.c
++++ b/src/cairo-script-surface.c
+@@ -1202,7 +1202,8 @@ static cairo_status_t
+ _write_image_surface (cairo_output_stream_t *output,
+ 		      const cairo_image_surface_t *image)
+ {
+-    int stride, row, width;
++    int row, width;
++    ptrdiff_t stride;
+     uint8_t row_stack[CAIRO_STACK_BUFFER_SIZE];
+     uint8_t *rowdata;
+     uint8_t *data;
+-- 
+2.1.4
+
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index 39f4d02..1471665 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -95,6 +95,11 @@
              ;; To build poppler-glib (as needed by Evince), we need Cairo and
              ;; GLib.  But of course, that Cairo must not depend on Poppler.
              ("cairo" ,(package (inherit cairo)
+                         (replacement
+                           (package
+                             (inherit (@@(gnu packages gtk) cairo/fixed))
+                             (replacement #f)
+                             (inputs (alist-delete "poppler" (package-inputs cairo)))))
                          (inputs (alist-delete "poppler"
                                                (package-inputs cairo)))))
              ("glib" ,glib)))
-- 
2.10.2


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply related	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2016-11-29  7:44 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-11-28 18:52 cairo CVE-2016-9082 Efraim Flashner
2016-11-28 19:30 ` Efraim Flashner
2016-11-28 21:28   ` Kei Kebreau
2016-11-29  3:06   ` Leo Famulari
2016-11-29  7:44     ` Efraim Flashner

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).