unofficial mirror of guix-devel@gnu.org 
* Building AbiWord without libwmf and removing libwmf from Guix
@ 2017-05-27 17:06 Leo Famulari
From: Leo Famulari @ 2017-05-27 17:06 UTC (permalink / raw)
  To: guix-devel

The last update to libwmf was twelve years ago, in 2005. In the
meantime, a large number of security issues have been discovered in this
library. These bugs are fixed somewhat haphazardly by the distributions.

While working on patching CVE-2016-9011 in libwmf, and backporting fixes
for CVE-2016-{9317,10167,10168} in the ancient bundled libgd, I find
myself wondering if we need this library at all. The patches from this
12-year span of third-party fixes begin to conflict with each other...

Libwmf is only used as a "plugin" by AbiWord, and AbiWord can be
configured to build without it.

Otherwise, someone needs to overhaul and update our libwmf patch series.

I've included a WIP patch that includes the fixes. Not all of the new
patches apply.

WDYT?

[-- Attachment #1.2: 0001-WIP-libwmf-Fix-CVE-2016-9011-9317-10167-10168.patch --]
[-- Type: text/plain, Size: 6986 bytes --]

From 7149e16c9e6890fa914b0a49f363439ab5627f3a Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Sat, 27 May 2017 12:56:54 -0400
Subject: [PATCH] WIP: libwmf: Fix CVE-2016-{9011,9317,10167,10168}.

XXX: Not all of these patches apply.

* gnu/packages/patches/libwmf-CVE-2016-9011.patch,
gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libwmf)[source]: Use them.
---
 gnu/local.mk                                       |  2 +
 gnu/packages/image.scm                             |  4 +-
 gnu/packages/patches/libwmf-CVE-2016-9011.patch    | 45 ++++++++++++
 .../patches/libwmf-fixes-for-bundled-gd.patch      | 80 ++++++++++++++++++++++
 4 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/libwmf-CVE-2016-9011.patch
 create mode 100644 gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index d0117be85..f60b66948 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -781,6 +781,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch	\
   %D%/packages/patches/libwmf-CVE-2015-4695.patch		\
   %D%/packages/patches/libwmf-CVE-2015-4696.patch		\
+  %D%/packages/patches/libwmf-CVE-2016-9011.patch		\
+  %D%/packages/patches/libwmf-fixes-for-bundled-gd.patch	\
   %D%/packages/patches/libxcb-python-3.5-compat.patch		\
   %D%/packages/patches/libxml2-CVE-2016-4658.patch		\
   %D%/packages/patches/libxml2-CVE-2016-5131.patch		\
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 86902d568..f33396968 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -421,7 +421,9 @@ collection of tools for doing simple manipulations of TIFF images.")
                          "libwmf-CVE-2009-3546.patch"
                          "libwmf-CVE-2015-0848+CVE-2015-4588.patch"
                          "libwmf-CVE-2015-4695.patch"
-                         "libwmf-CVE-2015-4696.patch"))))
+                         "libwmf-CVE-2015-4696.patch"
+                         "libwmf-CVE-2016-9011.patch"
+                         "libwmf-fixes-for-bundled-gd.patch"))))
 
     (build-system gnu-build-system)
     (inputs
diff --git a/gnu/packages/patches/libwmf-CVE-2016-9011.patch b/gnu/packages/patches/libwmf-CVE-2016-9011.patch
new file mode 100644
index 000000000..a74120c15
--- /dev/null
+++ b/gnu/packages/patches/libwmf-CVE-2016-9011.patch
@@ -0,0 +1,45 @@
+Fix CVE-2016-9011:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9011
+https://blogs.gentoo.org/ago/2016/10/18/libwmf-memory-allocation-failure-in-wmf_malloc-api-c/
+
+Patch copied from Fedora:
+
+https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=9a43f910abce9940f07843e7186646ad46b686d6
+
+--- libwmf-0.2.8.4/src/player.c
++++ libwmf-0.2.8.4/src/player.c
+@@ -139,8 +139,31 @@
+ 		WMF_DEBUG (API,"bailing...");
+ 		return (API->err);
+ 	}
+-	
+- 	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
++
++	U32 nMaxRecordSize = (MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char);
++	if (nMaxRecordSize)
++	{
++		//before allocating memory do a sanity check on size by seeking
++		//to claimed end to see if its possible. We're constrained here
++		//by the api and existing implementations to not simply seeking
++		//to SEEK_END. So use what we have to skip to the last byte and
++		//try and read it.
++		const long nPos = WMF_TELL (API);
++		WMF_SEEK (API, nPos + nMaxRecordSize - 1);
++		if (ERR (API))
++		{	WMF_DEBUG (API,"bailing...");
++			return (API->err);
++		}
++		int byte = WMF_READ (API);
++		if (byte == (-1))
++		{	WMF_ERROR (API,"Unexpected EOF!");
++		       	API->err = wmf_E_EOF;
++		       	return (API->err);
++		}
++		WMF_SEEK (API, nPos);
++	}
++
++ 	P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
+ 
+ 	if (ERR (API))
+ 	{	WMF_DEBUG (API,"bailing...");
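Review bot: in the new size sanity check in `player.c`, the restoring `WMF_SEEK (API, nPos);` is not followed by an `ERR (API)` test before `wmf_malloc (API, nMaxRecordSize)` is called; the existing `if (ERR (API))` after the allocation would still catch a failed seek, but testing it directly after the seek, as is done for the forward seek, keeps the error path consistent. Two smaller points in the same hunk: `U32 nMaxRecordSize` and `int byte` are declared after statements, so the hunk relies on C99 mixed declarations, which should be confirmed against the flags libwmf 0.2.8.4 is built with given that the commit message says not all of these patches apply; and the `* 2 * sizeof (unsigned char)` product is computed in `size_t` and then stored in a `U32`, so a value that does not fit in 32 bits is truncated before the seek-to-claimed-end check runs, which is exactly the oversized-allocation case the check exists to reject.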
diff --git a/gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch b/gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch
new file mode 100644
index 000000000..92a3f7cdb
--- /dev/null
+++ b/gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch
@@ -0,0 +1,80 @@
+Fix CVE-2016-{9317,10167,10168} in bundled libgd:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9317
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168
+
+Patches copied from Fedora:
+
+CVE-2016-9317:
+https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=d851798416d005977d9409babf710c050124cfda
+CVE-2016-10167:
+https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=b439c6f363d3f9c7b22e7f3b2211d423abd7d612
+CVE-2016-10168:
+https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=d8c724ed484d01f3535bd1f317d6c5aa6d33aa80
+
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -65,6 +65,18 @@
+ {
+   int i;
+   gdImagePtr im;
++
++  if (overflow2(sx, sy)) {
++    return NULL;
++  }
++
++  if (overflow2(sizeof (unsigned char *), sy)) {
++    return NULL;
++  }
++  if (overflow2(sizeof (unsigned char), sx)) {
++    return NULL;
++  }
++
+   im = (gdImage *) gdMalloc (sizeof (gdImage));
+   memset (im, 0, sizeof (gdImage));
+   /* Row-major ever since gd 1.3 */
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
+@@ -362,10 +362,9 @@
+ 			{
+ 			  if (!gdGetInt (&im->tpixels[y][x], in))
+ 			    {
+-			      /*printf("EOF while reading\n"); */
+-			      /*gdImageDestroy(im); */
+-			      /*return 0; */
+-			      im->tpixels[y][x] = 0;
++                               fprintf(stderr, "gd2: EOF while reading\n");
++                               gdImageDestroy(im);
++                               return NULL;
+ 			    }
+ 			}
+ 		      else
+@@ -373,10 +372,9 @@
+ 			  int ch;
+ 			  if (!gdGetByte (&ch, in))
+ 			    {
+-			      /*printf("EOF while reading\n"); */
+-			      /*gdImageDestroy(im); */
+-			      /*return 0; */
+-			      ch = 0;
++                              fprintf(stderr, "gd2: EOF while reading\n");
++                              gdImageDestroy(im);
++                              return NULL;
+ 			    }
+ 			  im->pixels[y][x] = ch;
+ 			}
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
+@@ -145,6 +145,11 @@
+ 
+   if ((*fmt) == GD2_FMT_COMPRESSED)
+     {
++      if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
++              GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
++              goto fail1;
++      }
++
+       nc = (*ncx) * (*ncy);
+       GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+       sidx = sizeof (t_chunk_info) * nc;
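Review bot: the `gd.c` hunk calls `overflow2` three times and the third `gd_gd2.c` hunk uses `INT_MAX`, but the patch adds neither a prototype or definition for `overflow2` nor an `#include <limits.h>`; whether the bundled 2005 copy of gd already provides them needs checking, and this may be why the commit message notes that not all of the patches apply. `gd_gd2.c` is also covered by two separate `---`/`+++` sections, with the `@@ -145` hunk placed after the `@@ -362` and `@@ -373` hunks; merging them into one file section with hunks in ascending order would make the series easier to maintain. Finally, the replacement `fprintf`/`gdImageDestroy`/`return NULL` lines are indented with spaces while the surrounding context uses tabs, so they should be reindented to match.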
-- 
2.13.0


Thread overview: 12+ messages
2017-05-27 17:06 Building AbiWord without libwmf and removing libwmf from Guix Leo Famulari
2017-05-27 19:41 ` Mark H Weaver
2017-05-27 21:13   ` Ricardo Wurmus
2017-05-28 13:06     ` Hartmut Goebel
2017-05-28 18:44       ` Leo Famulari
2017-05-28 20:57         ` Ludovic Courtès
2017-06-23 22:30           ` Leo Famulari
2017-06-24  8:12           ` ng0
2017-06-24  8:02     ` ng0
2017-06-24 16:21       ` Leo Famulari
2017-06-24 22:52         ` Mark H Weaver
2017-06-25  3:37           ` Leo Famulari
