From mboxrd@z Thu Jan 1 00:00:00 1970 From: Efraim Flashner Subject: Re: cairo CVE-2016-9082 Date: Mon, 28 Nov 2016 21:30:53 +0200 Message-ID: <20161128193053.GD2509@macbook42.flashner.co.il> References: <20161128185211.GC2509@macbook42.flashner.co.il> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="Zi0sgQQBxRFxMTsj" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:53148) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cBRfC-0002U3-OU for guix-devel@gnu.org; Mon, 28 Nov 2016 14:32:32 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cBRf9-0001Pq-6M for guix-devel@gnu.org; Mon, 28 Nov 2016 14:32:30 -0500 Received: from flashner.co.il ([178.62.234.194]:59693) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cBRf8-0001PJ-Re for guix-devel@gnu.org; Mon, 28 Nov 2016 14:32:27 -0500 Received: from localhost (85.64.232.168.dynamic.barak-online.net [85.64.232.168]) by flashner.co.il (Postfix) with ESMTPSA id DB9FD400D1 for ; Mon, 28 Nov 2016 19:32:25 +0000 (UTC) Content-Disposition: inline In-Reply-To: <20161128185211.GC2509@macbook42.flashner.co.il> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: guix-devel@gnu.org --Zi0sgQQBxRFxMTsj Content-Type: multipart/mixed; boundary="WK3l2KTTmXPVedZ6" Content-Disposition: inline --WK3l2KTTmXPVedZ6 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable The previous patch somehow stopped working for me, and I was getting complaints about unbound variable cairo/fixed, so I rewrote the patch to have every cairo use the patch separately. --=20 Efraim Flashner =D7=90=D7=A4=D7=A8=D7=99=D7=9D = =D7=A4=D7=9C=D7=A9=D7=A0=D7=A8 GPG key =3D A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted --WK3l2KTTmXPVedZ6 Content-Type: text/plain; charset=utf-8 Content-Disposition: attachment; filename="0001-gnu-cairo-Fix-CVE-2016-9082.patch" Content-Transfer-Encoding: quoted-printable =46rom 14cdf8d6b0827912fd9bf8ec2a061d6eae3acd79 Mon Sep 17 00:00:00 2001 =46rom: Efraim Flashner Date: Mon, 28 Nov 2016 19:25:21 +0200 Subject: [PATCH] gnu: cairo: Fix CVE-2016-9082. * gnu/packages/gtk.scm (cairo)[replacement]: New field. (cairo/fixed): New variable. (cairo-xcb)[source]: Use patch. [replacement]: Set false. * gnu/packages/pdf.scm (poppler)[inputs]: Custom cairo should be replaced by a new custom patched cairo. * gnu/packages/patches/cairo-CVE-2016-9082.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. --- gnu/local.mk | 1 + gnu/packages/gtk.scm | 12 +++ gnu/packages/patches/cairo-CVE-2016-9082.patch | 121 +++++++++++++++++++++= ++++ gnu/packages/pdf.scm | 11 +++ 4 files changed, 145 insertions(+) create mode 100644 gnu/packages/patches/cairo-CVE-2016-9082.patch diff --git a/gnu/local.mk b/gnu/local.mk index c50ef25..ea8aa73 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -488,6 +488,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/binutils-loongson-workaround.patch \ %D%/packages/patches/binutils-mips-bash-bug.patch \ %D%/packages/patches/byobu-writable-status.patch \ + %D%/packages/patches/cairo-CVE-2016-9082.patch \ %D%/packages/patches/calibre-drop-unrar.patch \ %D%/packages/patches/calibre-no-updates-dialog.patch \ %D%/packages/patches/cdparanoia-fpic.patch \ diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm index 17bd9c9..8a258b5 100644 --- a/gnu/packages/gtk.scm +++ b/gnu/packages/gtk.scm @@ -100,6 +100,7 @@ tools have full access to view and control running appl= ications.") (define-public cairo (package (name "cairo") + (replacement cairo/fixed) (version "1.14.6") (source (origin (method url-fetch) @@ -153,6 +154,10 @@ affine transformation (scale, rotation, shear, etc.).") (package (inherit cairo) (name "cairo-xcb") + (source (origin + (inherit (package-source cairo)) + (patches (search-patches "cairo-CVE-2016-9082.patch")))) + (replacement #f) (inputs `(("mesa" ,mesa) ,@(package-inputs cairo))) @@ -162,6 +167,13 @@ affine transformation (scale, rotation, shear, etc.).") '("--enable-xlib-xcb" "--enable-gl" "--enable-egl"))) (synopsis "2D graphics library (with X11 support)"))) =20 +(define cairo/fixed + (package + (inherit cairo) + (source (origin + (inherit (package-source cairo)) + (patches (search-patches "cairo-CVE-2016-9082.patch")))))) + (define-public harfbuzz (package (name "harfbuzz") diff --git a/gnu/packages/patches/cairo-CVE-2016-9082.patch b/gnu/packages/= patches/cairo-CVE-2016-9082.patch new file mode 100644 index 0000000..1dd57a0 --- /dev/null +++ b/gnu/packages/patches/cairo-CVE-2016-9082.patch @@ -0,0 +1,121 @@ +From: Adrian Johnson +Date: Thu, 20 Oct 2016 21:12:30 +1030 +Subject: [PATCH] image: prevent invalid ptr access for > 4GB images + +Image data is often accessed using: + + image->data + y * image->stride + +On 64-bit achitectures if the image data is > 4GB, this computation +will overflow since both y and stride are 32-bit types. + +https://bugs.freedesktop.org/show_bug.cgi?id=3D98165 +--- + boilerplate/cairo-boilerplate.c | 4 +++- + src/cairo-image-compositor.c | 4 ++-- + src/cairo-image-surface-private.h | 2 +- + src/cairo-mesh-pattern-rasterizer.c | 2 +- + src/cairo-png.c | 2 +- + src/cairo-script-surface.c | 3 ++- + 6 files changed, 10 insertions(+), 7 deletions(-) + +diff --git a/boilerplate/cairo-boilerplate.c b/boilerplate/cairo-boilerpla= te.c +index 7fdbf79..4804dea 100644 +--- a/boilerplate/cairo-boilerplate.c ++++ b/boilerplate/cairo-boilerplate.c +@@ -42,6 +42,7 @@ + #undef CAIRO_VERSION_H + #include "../cairo-version.h" +=20 ++#include + #include + #include + #include +@@ -976,7 +977,8 @@ cairo_surface_t * + cairo_boilerplate_image_surface_create_from_ppm_stream (FILE *file) + { + char format; +- int width, height, stride; ++ int width, height; ++ ptrdiff_t stride; + int x, y; + unsigned char *data; + cairo_surface_t *image =3D NULL; +diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c +index 48072f8..3ca0006 100644 +--- a/src/cairo-image-compositor.c ++++ b/src/cairo-image-compositor.c +@@ -1575,7 +1575,7 @@ typedef struct _cairo_image_span_renderer { + pixman_image_t *src, *mask; + union { + struct fill { +- int stride; ++ ptrdiff_t stride; + uint8_t *data; + uint32_t pixel; + } fill; +@@ -1594,7 +1594,7 @@ typedef struct _cairo_image_span_renderer { + struct finish { + cairo_rectangle_int_t extents; + int src_x, src_y; +- int stride; ++ ptrdiff_t stride; + uint8_t *data; + } mask; + } u; +diff --git a/src/cairo-image-surface-private.h b/src/cairo-image-surface-p= rivate.h +index 8ca694c..7e78d61 100644 +--- a/src/cairo-image-surface-private.h ++++ b/src/cairo-image-surface-private.h +@@ -71,7 +71,7 @@ struct _cairo_image_surface { +=20 + int width; + int height; +- int stride; ++ ptrdiff_t stride; + int depth; +=20 + unsigned owns_data : 1; +diff --git a/src/cairo-mesh-pattern-rasterizer.c b/src/cairo-mesh-pattern-= rasterizer.c +index 1b63ca8..e7f0db6 100644 +--- a/src/cairo-mesh-pattern-rasterizer.c ++++ b/src/cairo-mesh-pattern-rasterizer.c +@@ -470,7 +470,7 @@ draw_pixel (unsigned char *data, int width, int height= , int stride, + tg +=3D tg >> 16; + tb +=3D tb >> 16; +=20 +- *((uint32_t*) (data + y*stride + 4*x)) =3D ((ta << 16) & 0xff000000) | ++ *((uint32_t*) (data + y*(ptrdiff_t)stride + 4*x)) =3D ((ta << 16) & 0xff= 000000) | + ((tr >> 8) & 0xff0000) | ((tg >> 16) & 0xff00) | (tb >> 24); + } + } +diff --git a/src/cairo-png.c b/src/cairo-png.c +index 562b743..aa8c227 100644 +--- a/src/cairo-png.c ++++ b/src/cairo-png.c +@@ -673,7 +673,7 @@ read_png (struct png_read_closure_t *png_closure) + } +=20 + for (i =3D 0; i < png_height; i++) +- row_pointers[i] =3D &data[i * stride]; ++ row_pointers[i] =3D &data[i * (ptrdiff_t)stride]; +=20 + png_read_image (png, row_pointers); + png_read_end (png, info); +diff --git a/src/cairo-script-surface.c b/src/cairo-script-surface.c +index ea0117d..91e4baa 100644 +--- a/src/cairo-script-surface.c ++++ b/src/cairo-script-surface.c +@@ -1202,7 +1202,8 @@ static cairo_status_t + _write_image_surface (cairo_output_stream_t *output, + const cairo_image_surface_t *image) + { +- int stride, row, width; ++ int row, width; ++ ptrdiff_t stride; + uint8_t row_stack[CAIRO_STACK_BUFFER_SIZE]; + uint8_t *rowdata; + uint8_t *data; +--=20 +2.1.4 + diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm index 39f4d02..6442f08 100644 --- a/gnu/packages/pdf.scm +++ b/gnu/packages/pdf.scm @@ -95,6 +95,17 @@ ;; To build poppler-glib (as needed by Evince), we need Cairo= and ;; GLib. But of course, that Cairo must not depend on Popple= r. ("cairo" ,(package (inherit cairo) + (replacement + (package + (inherit cairo) + (replacement #f) + (source + (origin + (inherit (package-source cairo)) + (patches (search-patches + "cairo-CVE-2016-9082.patch")))) + (inputs (alist-delete "poppler" + (package-inputs cairo))= ))) (inputs (alist-delete "poppler" (package-inputs cairo))))) ("glib" ,glib))) --=20 2.10.2 --WK3l2KTTmXPVedZ6-- --Zi0sgQQBxRFxMTsj Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEkVdB/rIvpOM7bo+N9MHTkX6s7pMFAlg8hesACgkQ9MHTkX6s 7pOo4Q//VEkp4PsZqfM3y/SJZvOm6ZvSDQuYLNtdXMSU/5qA+C9xdLpVViPD/TiI Y7qXTKVCKgJ1oQuaOtCJG94I4Gsh38JyRH8Kaat/pz/hOQuDbAy3lwppaOQHeOdn fFvZbe8fPtles7imEM6VzqexHTiqJWuv8x9hGlXdIBMg5TYgM1LDOQOTlM9UvLIl Ucl9wIv5DeJhQ6mfNUQJEsmfbO3MZs0k4DHVhXxwjrnD32jfGTm6XSvnjWLXKK13 Ij4ENjqGLWlNbevwMOP4JYkTR4wI+ZWsT70dzyTmFuUFQSxXe3UFuja7KHp+QVCl Qvmwcu41kBoXQFpUXUXhrvj5BxxD4olhPzQkx1sVOM96PBUJRk0Ctno7PwclpBQy FMR23vEj6sFlQ4QhcVgCyCeqD3Y7cFjUC+Dzv11AFW+16w2hNnLb8bBBz0FZfQ5V sPubsacA4vRH7jrC7jbP0VxkwC468MOooa05Sv94/M+SRASGVjpyk0J9bOVeWs4a vvmIgOLw+J40X9O7n9NnPTFGw/iOp0m0eKMIlboBPSobkPkjpOeYagEC04avmI9S Y9JKc6FUO+/7l7oRRvkcBgVktS++fYWKSLrWzRFhWNnUZVckac2S2LMyn9Wyjj73 5DPHOLclwWRG+nOvrpsM1fSmYfY4kQuqU3IDsa6kCHrMZyQVXQg= =VmH4 -----END PGP SIGNATURE----- --Zi0sgQQBxRFxMTsj--