From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mark H Weaver Subject: [PATCH] gnu: graphite2: Add fixes for CVE-2017-5436 and other bugs Date: Thu, 20 Apr 2017 18:26:32 -0400 Message-ID: <8737d2ogvb.fsf@netris.org> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="==-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:46177) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1d1KY3-0004XQ-Fg for guix-devel@gnu.org; Thu, 20 Apr 2017 18:27:37 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1d1KXv-0007CI-KZ for guix-devel@gnu.org; Thu, 20 Apr 2017 18:27:31 -0400 Received: from world.peace.net ([50.252.239.5]:50947) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1d1KXv-0007Bj-Dp for guix-devel@gnu.org; Thu, 20 Apr 2017 18:27:27 -0400 List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: guix-devel@gnu.org --==-=-= Content-Type: multipart/mixed; boundary="=-=-=" --=-=-= Content-Type: text/plain This adds selected fixes for graphite2 from the upstream repository, including a fix for CVE-2017-5436. I intend to push it soon, after some light testing on my system. Mark --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0001-gnu-graphite2-Add-fixes-for-CVE-2017-5436-and-other-.patch Content-Transfer-Encoding: quoted-printable Content-Description: [PATCH] gnu: graphite2: Add fixes for CVE-2017-5436 and other bugs From=20302e0815aab8ebe889872a260645bf7c886bf147 Mon Sep 17 00:00:00 2001 
From: Mark H Weaver Date: Thu, 20 Apr 2017 15:10:54 -0400 Subject: [PATCH] gnu: graphite2: Add fixes for CVE-2017-5436 and other bugs. * gnu/packages/fontutils.scm (graphite2)[replacement]: New field. (graphite2/fixed): New variable. * gnu/packages/patches/graphite2-CVE-2017-5436.patch, gnu/packages/patches/graphite2-check-code-point-limit.patch, gnu/packages/patches/graphite2-fix-32-bit-wrap-arounds.patch, gnu/packages/patches/graphite2-non-linear-classes-even-number.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. =2D-- gnu/local.mk | 4 + gnu/packages/fontutils.scm | 22 +++++ gnu/packages/patches/graphite2-CVE-2017-5436.patch | 25 ++++++ .../patches/graphite2-check-code-point-limit.patch | 50 ++++++++++++ .../graphite2-fix-32-bit-wrap-arounds.patch | 93 ++++++++++++++++++= ++++ .../graphite2-non-linear-classes-even-number.patch | 26 ++++++ 6 files changed, 220 insertions(+) create mode 100644 gnu/packages/patches/graphite2-CVE-2017-5436.patch create mode 100644 gnu/packages/patches/graphite2-check-code-point-limit.p= atch create mode 100644 gnu/packages/patches/graphite2-fix-32-bit-wrap-arounds.= patch create mode 100644 gnu/packages/patches/graphite2-non-linear-classes-even-= number.patch diff --git a/gnu/local.mk b/gnu/local.mk index 1fe24038d..ec27e8765 100644 =2D-- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -625,7 +625,11 @@ dist_patch_DATA =3D \ %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \ %D%/packages/patches/gobject-introspection-cc.patch \ %D%/packages/patches/gobject-introspection-girepository.patch \ + %D%/packages/patches/graphite2-CVE-2017-5436.patch \ + %D%/packages/patches/graphite2-check-code-point-limit.patch \ %D%/packages/patches/graphite2-ffloat-store.patch \ + %D%/packages/patches/graphite2-fix-32-bit-wrap-arounds.patch \ + %D%/packages/patches/graphite2-non-linear-classes-even-number.patch \ %D%/packages/patches/grep-timing-sensitive-test.patch \ %D%/packages/patches/grub-CVE-2015-8370.patch \ %D%/packages/patches/grub-gets-undeclared.patch \ diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm index 7e7234960..cc6d1df59 100644 =2D-- a/gnu/packages/fontutils.scm +++ b/gnu/packages/fontutils.scm @@ -376,6 +376,7 @@ applications should be.") (package (name "graphite2") (version "1.3.9") + (replacement graphite2/fixed) (source (origin (method url-fetch) @@ -400,6 +401,27 @@ and returns a sequence of positioned glyphids from the= font.") (license license:lgpl2.1+) (home-page "https://github.com/silnrsi/graphite"))) =20 +(define graphite2/fixed + (package + (inherit graphite2) + (name "graphite2") + (version "1.3.9") + (replacement #f) + (source + (origin + (method url-fetch) + (uri (string-append "https://github.com/silnrsi/graphite/releases/" + "download/" version "/" name "-" version ".tgz"= )) + (patches (search-patches + "graphite2-ffloat-store.patch" + "graphite2-check-code-point-limit.patch" + "graphite2-CVE-2017-5436.patch" + "graphite2-fix-32-bit-wrap-arounds.patch" + "graphite2-non-linear-classes-even-number.patch")) + (sha256 + (base32 + "0rs5h7m340z75kygx8d72cps0q6yvvqa9i788vym7585cfv8a0gc")))))) + (define-public potrace (package (name "potrace") 
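Review bot: The order of the `search-patches` list in `graphite2/fixed` is load-bearing and deserves a comment: the wrap-arounds patch was generated as `git diff 1ce331d5548b98ed..8afc7d0081959866`, i.e. on top of the CVE-2017-5436 commit, and the non-linear-classes patch expects `Silf.cpp` at index `d661992`, which is exactly what the wrap-arounds patch produces, so reordering the list would make the later patches fail to apply; a line such as `;; Order matters: each upstream fix applies on top of the previous one.` above the list records that. Separately, `graphite2/fixed` repeats the `uri` and `sha256` of the original `origin`; if the original's patch list is only `graphite2-ffloat-store.patch` (not visible in this hunk), `(source (origin (inherit (package-source graphite2)) (patches (search-patches ...))))` would avoid keeping the hash in two places when the version is next bumped.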
diff --git a/gnu/packages/patches/graphite2-CVE-2017-5436.patch b/gnu/packa= ges/patches/graphite2-CVE-2017-5436.patch new file mode 100644 index 000000000..d7383ec8d =2D-- /dev/null +++ b/gnu/packages/patches/graphite2-CVE-2017-5436.patch @@ -0,0 +1,25 @@ +From 1ce331d5548b98ed8b818532b2556d6f2c7a3b83 Mon Sep 17 00:00:00 2001 +From: Martin Hosken +Date: Thu, 9 Mar 2017 22:04:04 +0000 +Subject: [PATCH] Ensure features have enough space. Fix from Mozilla + +--- + src/FeatureMap.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/FeatureMap.cpp b/src/FeatureMap.cpp +index b8c8405..83bd5f6 100644 +--- a/src/FeatureMap.cpp ++++ b/src/FeatureMap.cpp +@@ -275,7 +275,7 @@ bool FeatureRef::applyValToFeature(uint32 val, Feature= s & pDest) const + else + if (pDest.m_pMap!=3D&m_pFace->theSill().theFeatureMap()) + return false; //incompatible +- pDest.reserve(m_index); ++ pDest.reserve(m_index+1); + pDest[m_index] &=3D ~m_mask; + pDest[m_index] |=3D (uint32(val) << m_bits); + return true; +--=20 +2.12.2 + diff --git a/gnu/packages/patches/graphite2-check-code-point-limit.patch b/= gnu/packages/patches/graphite2-check-code-point-limit.patch new file mode 100644 index 000000000..a9b6caf53 =2D-- /dev/null +++ b/gnu/packages/patches/graphite2-check-code-point-limit.patch 
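Review bot: This patch file, together with `graphite2-check-code-point-limit.patch` in the next hunk and `graphite2-non-linear-classes-even-number.patch` in the last, starts directly at the git `From 1ce331d5548b98ed8b818532b2556d6f2c7a3b83` line, whereas `graphite2-fix-32-bit-wrap-arounds.patch` opens with a prose header naming the upstream commits it contains; a one-line header before the `From` line, such as `Fix CVE-2017-5436. Patch copied from upstream source repository: https://github.com/silnrsi/graphite/commit/1ce331d5548b98ed8b818532b2556d6f2c7a3b83`, would make the provenance readable without decoding the git header and tie the CVE id to the file rather than only to its name. On the fix itself, `pDest.reserve(m_index+1)` followed by `pDest[m_index] &= ~m_mask` is only a complete bounds fix if `reserve` on this `Features` type also extends the element count rather than just the allocated capacity — that is not visible in the hunk and is worth confirming before relying on the graft. The body of `FeatureRef::applyValToFeature` starts outside the hunk.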
@@ -0,0 +1,50 @@ +From 348c11e4571b534efdbd58a575bbea979c880b2f Mon Sep 17 00:00:00 2001 +From: Tim Eves +Date: Wed, 1 Mar 2017 14:23:46 +0700 +Subject: [PATCH] Fix decoding of USV greater than U+110000 + +Add test cases too +--- + src/inc/UtfCodec.h | 4 ++-- + tests/utftest/utftest.cpp | 3 +++ + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/inc/UtfCodec.h b/src/inc/UtfCodec.h +index 3417bac..9dc760f 100644 +--- a/src/inc/UtfCodec.h ++++ b/src/inc/UtfCodec.h +@@ -124,7 +124,7 @@ struct _utf_codec<8> + private: + static const int8 sz_lut[16]; + static const byte mask_lut[5]; +- ++ static const uchar_t limit =3D 0x110000; +=20 + public: + typedef uint8 codeunit_t; +@@ -157,7 +157,7 @@ public: + case 0: l =3D -1; return 0xFFFD; + } +=20 +- if (l !=3D seq_sz || toolong) ++ if (l !=3D seq_sz || toolong || u >=3D limit) + { + l =3D -l; + return 0xFFFD; +diff --git a/tests/utftest/utftest.cpp b/tests/utftest/utftest.cpp +index 21cb188..a23553a 100644 +--- a/tests/utftest/utftest.cpp ++++ b/tests/utftest/utftest.cpp +@@ -8,6 +8,9 @@ struct test8 + unsigned char str[12]; + }; + struct test8 tests8[] =3D { ++ { 0, 0, {0xF4, 0x90, 0x80, 0x80, 0, 0, 0, 0, 0, 0, = 0, 0} }, // bad(4) [U+110000] ++ { 0, 0, {0xC0, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, = 0, 0} }, // bad(4) [U+110000] ++ { 0, 0, {0xA0, 0, 0, 0, 0, 0, 0, 0, 0, 0, = 0, 0} }, // bad(4) [U+110000]=20=20=20=20 + { 4, -1, {0x7F, 0xDF, 0xBF, 0xEF, 0xBF, 0xBF, 0xF4, 0x8F, 0xBF, 0xBF,= 0, 0} }, // U+7F, U+7FF, U+FFFF, U+10FFF + { 2, 3, {0x7F, 0xDF, 0xBF, 0xF0, 0x8F, 0xBF, 0xBF, 0xF4, 0x8F, 0xBF,= 0xBF, 0} }, // U+7F, U+7FF, long(U+FFFF), U+10FFF + { 1, 1, {0x7F, 0xE0, 0x9F, 0xBF, 0xEF, 0xBF, 0xBF, 0xF4, 0x8F, 0xBF,= 0xBF, 0} }, // U+7F, long(U+7FF), U+FFFF, U+10FFF +--=20 +2.12.2 + diff --git a/gnu/packages/patches/graphite2-fix-32-bit-wrap-arounds.patch b= /gnu/packages/patches/graphite2-fix-32-bit-wrap-arounds.patch new file mode 100644 index 000000000..57d4ce2c6 =2D-- /dev/null 
+++ b/gnu/packages/patches/graphite2-fix-32-bit-wrap-arounds.patch 
@@ -0,0 +1,93 @@ +This patch incorporates the following 6 consecutive commits from the upstr= eam +graphite2 repository: + +75b83cd..: Martin Hosken 2017-03-28 Fix 32-bit wrap arounds +1f97e36..: Martin Hosken 2017-03-28 balance comparisons in decompressor +9493785..: Martin Hosken 2017-03-29 Speculative rounding fix +09af043..: Tim Eves 2017-03-31 Move a MINMATCH to rhs of a comparisio +28cc60d..: Tim Eves 2017-03-31 Deal with similar wrap around in liter= al_len +8afc7d0..: Martin Hosken 2017-04-03 Fix 32-bit rollover in decompressor, a= gain + +This diff was generated by the following command: + + git diff 1ce331d5548b98ed..8afc7d0081959866 + + +diff --git a/src/Decompressor.cpp b/src/Decompressor.cpp +index 084570f..56d531f 100644 +--- a/src/Decompressor.cpp ++++ b/src/Decompressor.cpp +@@ -51,7 +51,7 @@ bool read_sequence(u8 const * &src, u8 const * const end= , u8 const * &literal, u + literal =3D src; + src +=3D literal_len; +=20=20=20=20=20 +- if (src > end - 2) ++ if (src > end - 2 || src < literal) + return false; +=20=20=20=20=20 + match_dist =3D *src++; +@@ -85,7 +85,7 @@ int lz4::decompress(void const *in, size_t in_size, void= *out, size_t out_size) + { + // Copy in literal. At this point the last full sequence must= be at + // least MINMATCH + 5 from the end of the output buffer. +- if (dst + align(literal_len) > dst_end - (MINMATCH+5)) ++ if (align(literal_len) > unsigned(dst_end - dst - (MINMATCH+5= )) || dst_end - dst < MINMATCH + 5) + return -1; + dst =3D overrun_copy(dst, literal, literal_len); + } +@@ -94,7 +94,8 @@ int lz4::decompress(void const *in, size_t in_size, void= *out, size_t out_size) + // decoded output. 
+ u8 const * const pcpy =3D dst - match_dist; + if (pcpy < static_cast(out) +- || dst + match_len + MINMATCH > dst_end - 5) ++ || match_len > unsigned(dst_end - dst - (MINMATCH+5)) ++ || dst_end - dst < MINMATCH + 5) + return -1; + if (dst > pcpy+sizeof(unsigned long)=20 + && dst + align(match_len + MINMATCH) <=3D dst_end) +@@ -103,8 +104,8 @@ int lz4::decompress(void const *in, size_t in_size, vo= id *out, size_t out_size) + dst =3D safe_copy(dst, pcpy, match_len + MINMATCH); + } +=20=20=20=20=20 +- if (literal + literal_len > src_end +- || dst + literal_len > dst_end) ++ if (literal_len > src_end - literal ++ || literal_len > dst_end - dst) + return -1; + dst =3D fast_copy(dst, literal, literal_len); +=20=20=20=20=20 +diff --git a/src/Pass.cpp b/src/Pass.cpp +index a4bac2e..683143c 100644 +--- a/src/Pass.cpp ++++ b/src/Pass.cpp +@@ -171,7 +171,7 @@ bool Pass::readPass(const byte * const pass_start, siz= e_t pass_length, size_t su + const uint16 * const o_actions =3D reinterpret_cast(p= ); + be::skip(p, m_numRules + 1); + const byte * const states =3D p; +- if (e.test(p + 2u*m_numTransition*m_numColumns >=3D pass_end, E_BADPA= SSLENGTH)) return face.error(e); ++ if (e.test(2u*m_numTransition*m_numColumns >=3D (unsigned)(pass_end -= p), E_BADPASSLENGTH)) return face.error(e); + be::skip(p, m_numTransition*m_numColumns); + be::skip(p); + if (e.test(p !=3D pcCode, E_BADPASSCCODEPTR)) return face.error(e); +@@ -192,7 +192,7 @@ bool Pass::readPass(const byte * const pass_start, siz= e_t pass_length, size_t su + m_cPConstraint =3D vm::Machine::Code(true, pcCode, pcCode + pass_= constraint_len,=20 + precontext[0], be::peek(sort_ke= ys), *m_silf, face, PASS_TYPE_UNKNOWN); + if (e.test(!m_cPConstraint, E_OUTOFMEM) +- || e.test(!m_cPConstraint, m_cPConstraint.status() + E_CO= DEFAILURE)) ++ || e.test(m_cPConstraint.status() !=3D Code::loaded, m_cP= Constraint.status() + E_CODEFAILURE)) + return face.error(e); + face.error_context(face.error_context() - 1); + } +diff --git 
a/src/Silf.cpp b/src/Silf.cpp +index 72a22cd..d661992 100644 +--- a/src/Silf.cpp ++++ b/src/Silf.cpp +@@ -191,7 +191,7 @@ bool Silf::readGraphite(const byte * const silf_start,= size_t lSilf, Face& face, +=20 + const size_t clen =3D readClassMap(p, passes_start - p, version, e); + m_passes =3D new Pass[m_numPasses]; +- if (e || e.test(p + clen > passes_start, E_BADPASSESSTART) ++ if (e || e.test(clen > unsigned(passes_start - p), E_BADPASSESSTART) + || e.test(!m_passes, E_OUTOFMEM)) + { releaseBuffers(); return face.error(e); } +=20 diff --git a/gnu/packages/patches/graphite2-non-linear-classes-even-number.= patch b/gnu/packages/patches/graphite2-non-linear-classes-even-number.patch new file mode 100644 index 000000000..2bb1c9f94 =2D-- /dev/null +++ b/gnu/packages/patches/graphite2-non-linear-classes-even-number.patch 
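Review bot: In the `lz4::decompress` hunks the rewritten check `if (literal_len > src_end - literal || literal_len > dst_end - dst)` mixes a length with signed pointer differences and, unlike the other comparisons this patch rewrites, adds no `unsigned(...)` cast; if `literal_len` is an unsigned 32-bit value (its declaration is outside the hunk) the comparison is signed on LP64 but unsigned on 32-bit targets, so a negative `src_end - literal` would be rejected on one and accepted on the other — the class of bug the patch sets out to fix. Presumably `literal <= src_end` already holds from `read_sequence`, but an explicit guard, `if (literal > src_end || literal_len > size_t(src_end - literal) || literal_len > size_t(dst_end - dst))`, makes the check independent of the target's integer widths. In the `Pass::readPass` hunk, `2u*m_numTransition*m_numColumns` is still evaluated in 32-bit `unsigned`; if both members are 16-bit (not visible here) the product can exceed 2^32 and wrap before the `>=` comparison, so a widening cast or a separate bound on each operand would be worth adding. The bodies of `lz4::decompress` and `Pass::readPass` start and end outside the hunk.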
@@ -0,0 +1,26 @@ +From 0646e4ee471183994f78a759269f0505617711f3 Mon Sep 17 00:00:00 2001 +From: Martin Hosken +Date: Tue, 18 Apr 2017 13:17:14 +0100 +Subject: [PATCH] Ensure non linear classes have even number of elements + +--- + src/Silf.cpp | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/Silf.cpp b/src/Silf.cpp +index d661992..9f2f954 100644 +--- a/src/Silf.cpp ++++ b/src/Silf.cpp +@@ -293,7 +293,8 @@ size_t Silf::readClassMap(const byte *p, size_t data_l= en, uint32 version, Error + if (e.test(*o + 4 > max_off, E_HIGHCLASSOFFSET) = // LookupClass doesn't stretch over max_off + || e.test(lookup[0] =3D=3D 0 = // A LookupClass with no looks is a suspicious thing ... + || lookup[0] * 2 + *o + 4 > max_off = // numIDs lookup pairs fits within (start of LookupClass' lookup= s array, max_off] +- || lookup[3] + lookup[1] !=3D lookup[0], E_BADCLASSLO= OKUPINFO)) // rangeShift: numIDs - searchRange ++ || lookup[3] + lookup[1] !=3D lookup[0], E_BADCLASSLO= OKUPINFO) // rangeShift: numIDs - searchRange ++ || e.test(((o[1] - *o) & 1) !=3D 0, ERROROFFSET)) = // glyphs are in pairs so difference must be even. 
+ return ERROROFFSET; + } +=20 +--=20 +2.12.2 + =2D-=20 2.12.2 --=-=-=-- --==-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEE2RkJZc4DGZ6vKLO+fO8phHVixRYFAlj5NacACgkQfO8phHVi xRZeWg//aMcAkAAEQyQRq5hv1ETfCmeEwurUm5AaKKETrraYuZj5vI18dsFDytxC qeYtbqW2TDEqAsfWs5mRvHUvQ4QjzCal4PaP01S4BQ7Ggj8U+4x5r0EoONZ1JTWk jxsncTWOPpPPcRmxT3Vu57T2iTuI7jfVlBtdxR+QrTXyhdk/2BI0r6SioyvotXUD 58CN4G5LkAWzH1OniuvSeMuiX9Fl37IpUafKcVCsWWFl3KM5jSGiQd84NAKI6D6U wZc+4hXNgiVnPnhGrNgptYUqQHAmc7n90SwE/a2EJorNQXPKJ3opO6fAsE+pHK5P 08/8InxoafgtFtNRpyMuIOe17gmqQdExI6535mg2Wg/ZkdSs312tir6VlxMbj8Rp loE5xks4ONLSj83CXBkp2uunoZjRkMbxMYa1RuuNO3azm70StltF7R/FAkjYNS7i k+L4M8WYkdU5Ljm/IhmsWpqncapB2vTE3qHjAjo6iV3I4yYb6GcVXZs/B9C+1uHs TOVdi7NwOlxiJZFLkR2GNUxrAbecEJ/zZv9SkAPvc7IfV2W3W5OYZE5cgRG4+4Tf xKUcnRM6WOkUx3CSiY7UXhYJY3AmXxl7WL3UsKCeh8L2OR2xv94WinOzDLIFT7wX cBETfILgLkJyFiR9eTOVrQcy/izxvYEE3LWwWLsmZTWLOz6eCrs= =nzzN -----END PGP SIGNATURE----- --==-=-=--