From: Kei Kebreau <kei@openmailbox.org>
To: Efraim Flashner <efraim@flashner.co.il>
Cc: guix-devel@gnu.org
Subject: Re: cairo CVE-2016-9082
Date: Mon, 28 Nov 2016 16:28:45 -0500 [thread overview]
Message-ID: <87h96rl2eq.fsf@openmailbox.org> (raw)
In-Reply-To: <20161128193053.GD2509@macbook42.flashner.co.il> (Efraim Flashner's message of "Mon, 28 Nov 2016 21:30:53 +0200")
[-- Attachment #1: Type: text/plain, Size: 9099 bytes --]
Efraim Flashner <efraim@flashner.co.il> writes:
> The previous patch somehow stopped working for me, and I was getting
> complaints about unbound variable cairo/fixed, so I rewrote the patch to
> have every cairo use the patch separately.
>
>
> --
> Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
> GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
> Confidentiality cannot be guaranteed on emails sent or received unencrypted
>
> From 14cdf8d6b0827912fd9bf8ec2a061d6eae3acd79 Mon Sep 17 00:00:00 2001
> From: Efraim Flashner <efraim@flashner.co.il>
> Date: Mon, 28 Nov 2016 19:25:21 +0200
> Subject: [PATCH] gnu: cairo: Fix CVE-2016-9082.
>
> * gnu/packages/gtk.scm (cairo)[replacement]: New field.
> (cairo/fixed): New variable.
> (cairo-xcb)[source]: Use patch.
> [replacement]: Set false.
> * gnu/packages/pdf.scm (poppler)[inputs]: Custom cairo should be
> replaced by a new custom patched cairo.
> * gnu/packages/patches/cairo-CVE-2016-9082.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> ---
> gnu/local.mk | 1 +
> gnu/packages/gtk.scm | 12 +++
> gnu/packages/patches/cairo-CVE-2016-9082.patch | 121 +++++++++++++++++++++++++
> gnu/packages/pdf.scm | 11 +++
> 4 files changed, 145 insertions(+)
> create mode 100644 gnu/packages/patches/cairo-CVE-2016-9082.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index c50ef25..ea8aa73 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -488,6 +488,7 @@ dist_patch_DATA = \
> %D%/packages/patches/binutils-loongson-workaround.patch \
> %D%/packages/patches/binutils-mips-bash-bug.patch \
> %D%/packages/patches/byobu-writable-status.patch \
> + %D%/packages/patches/cairo-CVE-2016-9082.patch \
> %D%/packages/patches/calibre-drop-unrar.patch \
> %D%/packages/patches/calibre-no-updates-dialog.patch \
> %D%/packages/patches/cdparanoia-fpic.patch \
> diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
> index 17bd9c9..8a258b5 100644
> --- a/gnu/packages/gtk.scm
> +++ b/gnu/packages/gtk.scm
> @@ -100,6 +100,7 @@ tools have full access to view and control running applications.")
> (define-public cairo
> (package
> (name "cairo")
> + (replacement cairo/fixed)
> (version "1.14.6")
> (source (origin
> (method url-fetch)
> @@ -153,6 +154,10 @@ affine transformation (scale, rotation, shear, etc.).")
> (package
> (inherit cairo)
> (name "cairo-xcb")
> + (source (origin
> + (inherit (package-source cairo))
> + (patches (search-patches "cairo-CVE-2016-9082.patch"))))
> + (replacement #f)
> (inputs
> `(("mesa" ,mesa)
> ,@(package-inputs cairo)))
> @@ -162,6 +167,13 @@ affine transformation (scale, rotation, shear, etc.).")
> '("--enable-xlib-xcb" "--enable-gl" "--enable-egl")))
> (synopsis "2D graphics library (with X11 support)")))
>
> +(define cairo/fixed
> + (package
> + (inherit cairo)
> + (source (origin
> + (inherit (package-source cairo))
> + (patches (search-patches "cairo-CVE-2016-9082.patch"))))))
> +
> (define-public harfbuzz
> (package
> (name "harfbuzz")
> diff --git a/gnu/packages/patches/cairo-CVE-2016-9082.patch b/gnu/packages/patches/cairo-CVE-2016-9082.patch
> new file mode 100644
> index 0000000..1dd57a0
> --- /dev/null
> +++ b/gnu/packages/patches/cairo-CVE-2016-9082.patch
> @@ -0,0 +1,121 @@
> +From: Adrian Johnson <ajohnson@redneon.com>
> +Date: Thu, 20 Oct 2016 21:12:30 +1030
> +Subject: [PATCH] image: prevent invalid ptr access for > 4GB images
> +
> +Image data is often accessed using:
> +
> + image->data + y * image->stride
> +
> +On 64-bit achitectures if the image data is > 4GB, this computation
> +will overflow since both y and stride are 32-bit types.
> +
> +https://bugs.freedesktop.org/show_bug.cgi?id=98165
> +---
> + boilerplate/cairo-boilerplate.c | 4 +++-
> + src/cairo-image-compositor.c | 4 ++--
> + src/cairo-image-surface-private.h | 2 +-
> + src/cairo-mesh-pattern-rasterizer.c | 2 +-
> + src/cairo-png.c | 2 +-
> + src/cairo-script-surface.c | 3 ++-
> + 6 files changed, 10 insertions(+), 7 deletions(-)
> +
> +diff --git a/boilerplate/cairo-boilerplate.c b/boilerplate/cairo-boilerplate.c
> +index 7fdbf79..4804dea 100644
> +--- a/boilerplate/cairo-boilerplate.c
> ++++ b/boilerplate/cairo-boilerplate.c
> +@@ -42,6 +42,7 @@
> + #undef CAIRO_VERSION_H
> + #include "../cairo-version.h"
> +
> ++#include <stddef.h>
> + #include <stdlib.h>
> + #include <ctype.h>
> + #include <assert.h>
> +@@ -976,7 +977,8 @@ cairo_surface_t *
> + cairo_boilerplate_image_surface_create_from_ppm_stream (FILE *file)
> + {
> + char format;
> +- int width, height, stride;
> ++ int width, height;
> ++ ptrdiff_t stride;
> + int x, y;
> + unsigned char *data;
> + cairo_surface_t *image = NULL;
> +diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c
> +index 48072f8..3ca0006 100644
> +--- a/src/cairo-image-compositor.c
> ++++ b/src/cairo-image-compositor.c
> +@@ -1575,7 +1575,7 @@ typedef struct _cairo_image_span_renderer {
> + pixman_image_t *src, *mask;
> + union {
> + struct fill {
> +- int stride;
> ++ ptrdiff_t stride;
> + uint8_t *data;
> + uint32_t pixel;
> + } fill;
> +@@ -1594,7 +1594,7 @@ typedef struct _cairo_image_span_renderer {
> + struct finish {
> + cairo_rectangle_int_t extents;
> + int src_x, src_y;
> +- int stride;
> ++ ptrdiff_t stride;
> + uint8_t *data;
> + } mask;
> + } u;
> +diff --git a/src/cairo-image-surface-private.h b/src/cairo-image-surface-private.h
> +index 8ca694c..7e78d61 100644
> +--- a/src/cairo-image-surface-private.h
> ++++ b/src/cairo-image-surface-private.h
> +@@ -71,7 +71,7 @@ struct _cairo_image_surface {
> +
> + int width;
> + int height;
> +- int stride;
> ++ ptrdiff_t stride;
> + int depth;
> +
> + unsigned owns_data : 1;
> +diff --git a/src/cairo-mesh-pattern-rasterizer.c b/src/cairo-mesh-pattern-rasterizer.c
> +index 1b63ca8..e7f0db6 100644
> +--- a/src/cairo-mesh-pattern-rasterizer.c
> ++++ b/src/cairo-mesh-pattern-rasterizer.c
> +@@ -470,7 +470,7 @@ draw_pixel (unsigned char *data, int width, int height, int stride,
> + tg += tg >> 16;
> + tb += tb >> 16;
> +
> +- *((uint32_t*) (data + y*stride + 4*x)) = ((ta << 16) & 0xff000000) |
> ++ *((uint32_t*) (data + y*(ptrdiff_t)stride + 4*x)) = ((ta << 16) & 0xff000000) |
> + ((tr >> 8) & 0xff0000) | ((tg >> 16) & 0xff00) | (tb >> 24);
> + }
> + }
> +diff --git a/src/cairo-png.c b/src/cairo-png.c
> +index 562b743..aa8c227 100644
> +--- a/src/cairo-png.c
> ++++ b/src/cairo-png.c
> +@@ -673,7 +673,7 @@ read_png (struct png_read_closure_t *png_closure)
> + }
> +
> + for (i = 0; i < png_height; i++)
> +- row_pointers[i] = &data[i * stride];
> ++ row_pointers[i] = &data[i * (ptrdiff_t)stride];
> +
> + png_read_image (png, row_pointers);
> + png_read_end (png, info);
> +diff --git a/src/cairo-script-surface.c b/src/cairo-script-surface.c
> +index ea0117d..91e4baa 100644
> +--- a/src/cairo-script-surface.c
> ++++ b/src/cairo-script-surface.c
> +@@ -1202,7 +1202,8 @@ static cairo_status_t
> + _write_image_surface (cairo_output_stream_t *output,
> + const cairo_image_surface_t *image)
> + {
> +- int stride, row, width;
> ++ int row, width;
> ++ ptrdiff_t stride;
> + uint8_t row_stack[CAIRO_STACK_BUFFER_SIZE];
> + uint8_t *rowdata;
> + uint8_t *data;
> +--
> +2.1.4
> +
> diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
> index 39f4d02..6442f08 100644
> --- a/gnu/packages/pdf.scm
> +++ b/gnu/packages/pdf.scm
> @@ -95,6 +95,17 @@
> ;; To build poppler-glib (as needed by Evince), we need Cairo and
> ;; GLib. But of course, that Cairo must not depend on Poppler.
> ("cairo" ,(package (inherit cairo)
> + (replacement
> + (package
> + (inherit cairo)
> + (replacement #f)
> + (source
> + (origin
> + (inherit (package-source cairo))
> + (patches (search-patches
> + "cairo-CVE-2016-9082.patch"))))
> + (inputs (alist-delete "poppler"
> + (package-inputs cairo)))))
> (inputs (alist-delete "poppler"
> (package-inputs cairo)))))
> ("glib" ,glib)))
This patch LGTM.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
next prev parent reply other threads:[~2016-11-28 21:29 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-28 18:52 cairo CVE-2016-9082 Efraim Flashner
2016-11-28 19:30 ` Efraim Flashner
2016-11-28 21:28 ` Kei Kebreau [this message]
2016-11-29 3:06 ` Leo Famulari
2016-11-29 7:44 ` Efraim Flashner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87h96rl2eq.fsf@openmailbox.org \
--to=kei@openmailbox.org \
--cc=efraim@flashner.co.il \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).