From: Leo Famulari <leo@famulari.name>
To: guix-devel@gnu.org
Subject: Building AbiWord without libwmf and removing libwmf from Guix
Date: Sat, 27 May 2017 13:06:00 -0400
Message-ID: <20170527170600.GA16269@jasmine>
The last update to libwmf was twelve years ago, in 2005. In the
meantime, a large number of security issues have been discovered in this
library. These bugs are fixed somewhat haphazardly by the distributions.

While working on patching CVE-2016-9011 in libwmf, and backporting fixes
for CVE-2016-{9317,10167,10168} in the ancient bundled libgd, I find
myself wondering if we need this library at all. The patches from this
12-year span of 3rd-party fixes begin to conflict with each other...

Libwmf is only used as a "plugin" by AbiWord, and AbiWord can be
configured to build without it.

Otherwise, someone needs to overhaul and update our libwmf patch series.
I've included a WIP patch that includes the fixes. Not all of the new
patches apply.

WDYT?
[-- Attachment #1.2: 0001-WIP-libwmf-Fix-CVE-2016-9011-9317-10167-10168.patch --]
From 7149e16c9e6890fa914b0a49f363439ab5627f3a Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Sat, 27 May 2017 12:56:54 -0400
Subject: [PATCH] WIP: libwmf: Fix CVE-2016-{9011,9317,10167,10168}.
XXX: Not all of these patches apply.
* gnu/packages/patches/libwmf-CVE-2016-9011.patch,
gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libwmf)[source]: Use them.
---
gnu/local.mk | 2 +
gnu/packages/image.scm | 4 +-
gnu/packages/patches/libwmf-CVE-2016-9011.patch | 45 ++++++++++++
.../patches/libwmf-fixes-for-bundled-gd.patch | 80 ++++++++++++++++++++++
4 files changed, 130 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/libwmf-CVE-2016-9011.patch
create mode 100644 gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index d0117be85..f60b66948 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -781,6 +781,8 @@ dist_patch_DATA = \
%D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \
%D%/packages/patches/libwmf-CVE-2015-4695.patch \
%D%/packages/patches/libwmf-CVE-2015-4696.patch \
+ %D%/packages/patches/libwmf-CVE-2016-9011.patch \
+ %D%/packages/patches/libwmf-fixes-for-bundled-gd.patch \
%D%/packages/patches/libxcb-python-3.5-compat.patch \
%D%/packages/patches/libxml2-CVE-2016-4658.patch \
%D%/packages/patches/libxml2-CVE-2016-5131.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 86902d568..f33396968 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -421,7 +421,9 @@ collection of tools for doing simple manipulations of TIFF images.")
"libwmf-CVE-2009-3546.patch"
"libwmf-CVE-2015-0848+CVE-2015-4588.patch"
"libwmf-CVE-2015-4695.patch"
- "libwmf-CVE-2015-4696.patch"))))
+ "libwmf-CVE-2015-4696.patch"
+ "libwmf-CVE-2016-9011.patch"
+ "libwmf-fixes-for-bundled-gd.patch"))))
(build-system gnu-build-system)
(inputs
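Review bot: this hunk registers both `libwmf-CVE-2016-9011.patch` and `libwmf-fixes-for-bundled-gd.patch` in the package's `(patches ...)` list, but the commit message itself says not all of the contained patches apply, and the patch phase aborts on the first hunk that fails, so `libwmf` will not build with the list as shown. Suggest landing only the patch file that applies cleanly now (or splitting the bundled-gd file per CVE so the applying parts can go in) and dropping the `WIP:` / `XXX:` markers from the subject and message once the remaining hunks have been reworked.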
diff --git a/gnu/packages/patches/libwmf-CVE-2016-9011.patch b/gnu/packages/patches/libwmf-CVE-2016-9011.patch
new file mode 100644
index 000000000..a74120c15
--- /dev/null
+++ b/gnu/packages/patches/libwmf-CVE-2016-9011.patch
@@ -0,0 +1,45 @@
+Fix CVE-2016-9011:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9011
+https://blogs.gentoo.org/ago/2016/10/18/libwmf-memory-allocation-failure-in-wmf_malloc-api-c/
+
+Patch copied from Fedora:
+
+https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=9a43f910abce9940f07843e7186646ad46b686d6
+
+--- libwmf-0.2.8.4/src/player.c
++++ libwmf-0.2.8.4/src/player.c
+@@ -139,8 +139,31 @@
+ WMF_DEBUG (API,"bailing...");
+ return (API->err);
+ }
+-
+- P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++
++ U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);
++ if (nMaxRecordSize)
++ {
++ //before allocating memory do a sanity check on size by seeking
++ //to claimed end to see if its possible. We're constrained here
++ //by the api and existing implementations to not simply seeking
++ //to SEEK_END. So use what we have to skip to the last byte and
++ //try and read it.
++ const long nPos = WMF_TELL (API);
++ WMF_SEEK (API, nPos + nMaxRecordSize - 1);
++ if (ERR (API))
++ { WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++ int byte = WMF_READ (API);
++ if (byte == (-1))
++ { WMF_ERROR (API,"Unexpected EOF!");
++ API->err = wmf_E_EOF;
++ return (API->err);
++ }
++ WMF_SEEK (API, nPos);
++ }
++
++ P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
+
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
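Review bot: the new pre-allocation check seeks to `nPos + nMaxRecordSize - 1`, reads one byte, and then restores the position with `WMF_SEEK (API, nPos);` without testing `ERR (API)` after the restoring seek, so a failed restore would only surface through the later `if (ERR (API))` that follows `wmf_malloc`; adding the same `WMF_DEBUG`/`return (API->err)` bailout after `WMF_SEEK (API, nPos)` keeps the error reporting consistent. The check also only bounds the allocation when the input is seekable and has a real end (the patch header should say so, since the comment itself notes the API cannot `SEEK_END`). Style: `U32 nMaxRecordSize = ...` and `int byte = ...` are declarations after statements and the `//` comments are C99, unlike the surrounding C89-style code; worth keeping as copied from Fedora, but note it in the header so a later maintainer does not "fix" it.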
diff --git a/gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch b/gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch
new file mode 100644
index 000000000..92a3f7cdb
--- /dev/null
+++ b/gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch
@@ -0,0 +1,80 @@
+Fix CVE-2016-{9317,10167,10168} in bundled libgd:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9317
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168
+
+Patches copied from Fedora:
+
+CVE-2016-9317:
+https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=d851798416d005977d9409babf710c050124cfda
+CVE-2016-10167:
+https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=b439c6f363d3f9c7b22e7f3b2211d423abd7d612
+CVE-2016-10168:
+https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=d8c724ed484d01f3535bd1f317d6c5aa6d33aa80
+
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -65,6 +65,18 @@
+ {
+ int i;
+ gdImagePtr im;
++
++ if (overflow2(sx, sy)) {
++ return NULL;
++ }
++
++ if (overflow2(sizeof (unsigned char *), sy)) {
++ return NULL;
++ }
++ if (overflow2(sizeof (unsigned char), sx)) {
++ return NULL;
++ }
++
+ im = (gdImage *) gdMalloc (sizeof (gdImage));
+ memset (im, 0, sizeof (gdImage));
+ /* Row-major ever since gd 1.3 */
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
+@@ -362,10 +362,9 @@
+ {
+ if (!gdGetInt (&im->tpixels[y][x], in))
+ {
+- /*printf("EOF while reading\n"); */
+- /*gdImageDestroy(im); */
+- /*return 0; */
+- im->tpixels[y][x] = 0;
++ fprintf(stderr, "gd2: EOF while reading\n");
++ gdImageDestroy(im);
++ return NULL;
+ }
+ }
+ else
+@@ -373,10 +372,9 @@
+ int ch;
+ if (!gdGetByte (&ch, in))
+ {
+- /*printf("EOF while reading\n"); */
+- /*gdImageDestroy(im); */
+- /*return 0; */
+- ch = 0;
++ fprintf(stderr, "gd2: EOF while reading\n");
++ gdImageDestroy(im);
++ return NULL;
+ }
+ im->pixels[y][x] = ch;
+ }
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
+@@ -145,6 +145,11 @@
+
+ if ((*fmt) == GD2_FMT_COMPRESSED)
+ {
++ if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
++ GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
++ goto fail1;
++ }
++
+ nc = (*ncx) * (*ncy);
+ GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+ sidx = sizeof (t_chunk_info) * nc;
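Review bot: the `gd.c` region calls `overflow2()` three times, but nothing in this patch declares or defines it, so unless the bundled copy under `src/extra/gd/` already provides that helper this will fail to compile; this is a likely candidate for the "patches that do not apply" mentioned in the commit message, and the patch header should record which Fedora commit supplies the definition. Likewise the `@@ -145,6 +145,11 @@` region uses `INT_MAX`, which needs `<limits.h>` to be included in `gd_gd2.c`. The two `gd_gd2.c` regions are presented as separate file diffs in descending line order (`@@ -362` before `@@ -145`); `patch` copes with that, but folding them into one diff in ascending order avoids offset fuzz. The behaviour change in the `@@ -362` and `@@ -373` regions (destroy the partial image and `return NULL` on short reads instead of silently zero-filling pixels) is the right fix for truncated input and matches the pointer-returning signature implied by the replaced `/*return 0; */` comments.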
--
2.13.0