From: Kei Kebreau
Subject: Re: cairo CVE-2016-9082
Date: Mon, 28 Nov 2016 16:28:45 -0500
Message-ID: <87h96rl2eq.fsf@openmailbox.org>
In-Reply-To: <20161128193053.GD2509@macbook42.flashner.co.il> (Efraim Flashner's message of "Mon, 28 Nov 2016 21:30:53 +0200")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Efraim Flashner
Cc: guix-devel@gnu.org

Efraim Flashner writes:

> The previous patch somehow stopped working for me, and I was getting
> complaints about unbound variable cairo/fixed, so I rewrote the patch to
> have every cairo use the patch separately.
>
>
> --
> Efraim Flashner אפרים פלשנר
> GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
> Confidentiality cannot be guaranteed on emails sent or received unencrypted
> > From 14cdf8d6b0827912fd9bf8ec2a061d6eae3acd79 Mon Sep 17 00:00:00 2001 > From: Efraim Flashner > Date: Mon, 28 Nov 2016 19:25:21 +0200 > Subject: [PATCH] gnu: cairo: Fix CVE-2016-9082. > > * gnu/packages/gtk.scm (cairo)[replacement]: New field. > (cairo/fixed): New variable. > (cairo-xcb)[source]: Use patch. > [replacement]: Set false. > * gnu/packages/pdf.scm (poppler)[inputs]: Custom cairo should be > replaced by a new custom patched cairo. > * gnu/packages/patches/cairo-CVE-2016-9082.patch: New file. > * gnu/local.mk (dist_patch_DATA): Register it. > --- > gnu/local.mk | 1 + > gnu/packages/gtk.scm | 12 +++ > gnu/packages/patches/cairo-CVE-2016-9082.patch | 121 +++++++++++++++++++= ++++++ > gnu/packages/pdf.scm | 11 +++ > 4 files changed, 145 insertions(+) > create mode 100644 gnu/packages/patches/cairo-CVE-2016-9082.patch > > diff --git a/gnu/local.mk b/gnu/local.mk > index c50ef25..ea8aa73 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -488,6 +488,7 @@ dist_patch_DATA =3D \ > %D%/packages/patches/binutils-loongson-workaround.patch \ > %D%/packages/patches/binutils-mips-bash-bug.patch \ > %D%/packages/patches/byobu-writable-status.patch \ > + %D%/packages/patches/cairo-CVE-2016-9082.patch \ > %D%/packages/patches/calibre-drop-unrar.patch \ > %D%/packages/patches/calibre-no-updates-dialog.patch \ > %D%/packages/patches/cdparanoia-fpic.patch \ > diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm > index 17bd9c9..8a258b5 100644 > --- a/gnu/packages/gtk.scm > +++ b/gnu/packages/gtk.scm > @@ -100,6 +100,7 @@ tools have full access to view and control running ap= plications.") > (define-public cairo > (package > (name "cairo") > + (replacement cairo/fixed) > (version "1.14.6") > (source (origin > (method url-fetch) 
> @@ -153,6 +154,10 @@ affine transformation (scale, rotation, shear, etc.)= .") > (package > (inherit cairo) > (name "cairo-xcb") > + (source (origin > + (inherit (package-source cairo)) > + (patches (search-patches "cairo-CVE-2016-9082.patch")))) > + (replacement #f) > (inputs > `(("mesa" ,mesa) > ,@(package-inputs cairo))) > @@ -162,6 +167,13 @@ affine transformation (scale, rotation, shear, etc.)= .") > '("--enable-xlib-xcb" "--enable-gl" "--enable-egl"))) > (synopsis "2D graphics library (with X11 support)"))) >=20=20 > +(define cairo/fixed > + (package > + (inherit cairo) > + (source (origin > + (inherit (package-source cairo)) > + (patches (search-patches "cairo-CVE-2016-9082.patch")))))) > + > (define-public harfbuzz > (package > (name "harfbuzz") > diff --git a/gnu/packages/patches/cairo-CVE-2016-9082.patch b/gnu/package= s/patches/cairo-CVE-2016-9082.patch > new file mode 100644 > index 0000000..1dd57a0 > --- /dev/null > +++ b/gnu/packages/patches/cairo-CVE-2016-9082.patch 
> @@ -0,0 +1,121 @@ > +From: Adrian Johnson > +Date: Thu, 20 Oct 2016 21:12:30 +1030 > +Subject: [PATCH] image: prevent invalid ptr access for > 4GB images > + > +Image data is often accessed using: > + > + image->data + y * image->stride > + > +On 64-bit achitectures if the image data is > 4GB, this computation > +will overflow since both y and stride are 32-bit types. > + > +https://bugs.freedesktop.org/show_bug.cgi?id=3D98165 > +--- > + boilerplate/cairo-boilerplate.c | 4 +++- > + src/cairo-image-compositor.c | 4 ++-- > + src/cairo-image-surface-private.h | 2 +- > + src/cairo-mesh-pattern-rasterizer.c | 2 +- > + src/cairo-png.c | 2 +- > + src/cairo-script-surface.c | 3 ++- > + 6 files changed, 10 insertions(+), 7 deletions(-) > + > +diff --git a/boilerplate/cairo-boilerplate.c b/boilerplate/cairo-boilerp= late.c > +index 7fdbf79..4804dea 100644 > +--- a/boilerplate/cairo-boilerplate.c > ++++ b/boilerplate/cairo-boilerplate.c > +@@ -42,6 +42,7 @@ > + #undef CAIRO_VERSION_H > + #include "../cairo-version.h" > +=20 > ++#include > + #include > + #include > + #include > +@@ -976,7 +977,8 @@ cairo_surface_t * > + cairo_boilerplate_image_surface_create_from_ppm_stream (FILE *file) > + { > + char format; > +- int width, height, stride; > ++ int width, height; > ++ ptrdiff_t stride; > + int x, y; > + unsigned char *data; > + cairo_surface_t *image =3D NULL; > +diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c > +index 48072f8..3ca0006 100644 > +--- a/src/cairo-image-compositor.c > ++++ b/src/cairo-image-compositor.c > +@@ -1575,7 +1575,7 @@ typedef struct _cairo_image_span_renderer { > + pixman_image_t *src, *mask; > + union { > + struct fill { > +- int stride; > ++ ptrdiff_t stride; > + uint8_t *data; > + uint32_t pixel; > + } fill; > +@@ -1594,7 +1594,7 @@ typedef struct _cairo_image_span_renderer { > + struct finish { > + cairo_rectangle_int_t extents; > + int src_x, src_y; > +- int stride; > ++ ptrdiff_t stride; > + uint8_t *data; > + } mask; > 
+ } u; > +diff --git a/src/cairo-image-surface-private.h b/src/cairo-image-surface= -private.h > +index 8ca694c..7e78d61 100644 > +--- a/src/cairo-image-surface-private.h > ++++ b/src/cairo-image-surface-private.h > +@@ -71,7 +71,7 @@ struct _cairo_image_surface { > +=20 > + int width; > + int height; > +- int stride; > ++ ptrdiff_t stride; > + int depth; > +=20 > + unsigned owns_data : 1; > +diff --git a/src/cairo-mesh-pattern-rasterizer.c b/src/cairo-mesh-patter= n-rasterizer.c > +index 1b63ca8..e7f0db6 100644 > +--- a/src/cairo-mesh-pattern-rasterizer.c > ++++ b/src/cairo-mesh-pattern-rasterizer.c > +@@ -470,7 +470,7 @@ draw_pixel (unsigned char *data, int width, int heig= ht, int stride, > + tg +=3D tg >> 16; > + tb +=3D tb >> 16; > +=20 > +- *((uint32_t*) (data + y*stride + 4*x)) =3D ((ta << 16) & 0xff000000) | > ++ *((uint32_t*) (data + y*(ptrdiff_t)stride + 4*x)) =3D ((ta << 16) & 0x= ff000000) | > + ((tr >> 8) & 0xff0000) | ((tg >> 16) & 0xff00) | (tb >> 24); > + } > + } > +diff --git a/src/cairo-png.c b/src/cairo-png.c > +index 562b743..aa8c227 100644 > +--- a/src/cairo-png.c > ++++ b/src/cairo-png.c > +@@ -673,7 +673,7 @@ read_png (struct png_read_closure_t *png_closure) > + } > +=20 > + for (i =3D 0; i < png_height; i++) > +- row_pointers[i] =3D &data[i * stride]; > ++ row_pointers[i] =3D &data[i * (ptrdiff_t)stride]; > +=20 > + png_read_image (png, row_pointers); > + png_read_end (png, info); > +diff --git a/src/cairo-script-surface.c b/src/cairo-script-surface.c > +index ea0117d..91e4baa 100644 > +--- a/src/cairo-script-surface.c > ++++ b/src/cairo-script-surface.c > +@@ -1202,7 +1202,8 @@ static cairo_status_t > + _write_image_surface (cairo_output_stream_t *output, > + const cairo_image_surface_t *image) > + { > +- int stride, row, width; > ++ int row, width; > ++ ptrdiff_t stride; > + uint8_t row_stack[CAIRO_STACK_BUFFER_SIZE]; > + uint8_t *rowdata; > + uint8_t *data; > +--=20 > +2.1.4 > + 
> diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm > index 39f4d02..6442f08 100644 > --- a/gnu/packages/pdf.scm > +++ b/gnu/packages/pdf.scm > @@ -95,6 +95,17 @@ > ;; To build poppler-glib (as needed by Evince), we need Cai= ro and > ;; GLib. But of course, that Cairo must not depend on Popp= ler. > ("cairo" ,(package (inherit cairo) > + (replacement > + (package > + (inherit cairo) > + (replacement #f) > + (source > + (origin > + (inherit (package-source cairo)) > + (patches (search-patches > + "cairo-CVE-2016-9082.patch")= ))) > + (inputs (alist-delete "poppler" > + (package-inputs cairo= ))))) > (inputs (alist-delete "poppler" > (package-inputs cairo))))) > ("glib" ,glib)))

This patch LGTM.
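Review bot: in the gtk.scm hunk that introduces `cairo/fixed`, the variable is bound with plain `define`, so it is not visible from any other module; that is why the poppler hunk in pdf.scm has to spell the same patched package out again inline. Exporting it with `define-public` (or exporting one shared patched `origin`) and referencing it from pdf.scm would leave a single definition of the fix instead of three copies of `(origin (inherit (package-source cairo)) (patches (search-patches "cairo-CVE-2016-9082.patch")))` that can drift apart on the next cairo update.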
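Review bot: in the cairo-xcb hunk, `(replacement #f)` carries no comment saying why it is there. A one-line comment noting that cairo-xcb builds from the patched source directly (so it is rebuilt rather than grafted, and must not be grafted with `cairo/fixed`, which has neither the mesa input nor the `--enable-xlib-xcb`/`--enable-gl`/`--enable-egl` flags) would stop the next reader from wondering whether the line can be dropped.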
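Review bot: in the pdf.scm poppler hunk, the nested replacement repeats both the patched origin and the `(alist-delete "poppler" (package-inputs cairo))` input edit of the package it replaces; a graft is only sound if the replacement matches the original apart from the fix, and here the reader has to verify that by comparing the two copies by eye. Binding the custom cairo once with `let` and deriving the replacement from it with `(package (inherit custom-cairo) (replacement #f) (source ...))` would make that invariant hold by construction.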
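Review bot: in the upstream cairo-mesh-pattern-rasterizer.c hunk, `draw_pixel` still declares its parameter as `int stride` (see the hunk header, `draw_pixel (unsigned char *data, int width, int height, int stride,`) and the fix is a cast at the one use site, `y*(ptrdiff_t)stride`. Every caller therefore narrows the now-`ptrdiff_t` surface stride back to `int` on the way in. Changing the parameter type to `ptrdiff_t` would do the widening once, at the function boundary, rather than relying on a cast being remembered at each arithmetic site.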
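Review bot: in the upstream cairo-image-surface-private.h hunk, widening `stride` to `ptrdiff_t` in `struct _cairo_image_surface` means any remaining site that copies it into an `int` truncates it silently again; the `int stride` parameter of `draw_pixel` in this same patch is one such site. Building once with `-Wconversion` (or clang's `-Wshorten-64-to-32`) is a cheap way to enumerate the others before treating the fix as complete.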
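An added C example, not cairo's or Guix's code, illustrating the overflow the upstream commit message describes (`image->data + y * image->stride` computed in 32 bits) and what the `ptrdiff_t` change does to it. The image geometry, the size check and the `row_ptr` helper are constructed for illustration and are assumptions, not anything from the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed geometry (not from cairo): a 40000 x 30000 ARGB32 surface,
 * stride = 4 * width = 160000 bytes, so the image is 4.8e9 bytes, past
 * the 4 GiB point where a 32-bit product no longer fits. */
#define DEMO_STRIDE 160000
#define DEMO_HEIGHT 30000

/* Pre-patch form of `y * stride`: both operands are int, so the product is
 * formed in 32 bits. Signed overflow is undefined behaviour in C, so this
 * models it with unsigned wraparound, which is what the generated code does
 * on common targets. The result is what `data + y * stride` would add. */
int64_t row_offset_int32(int y, int stride)
{
    uint32_t wrapped = (uint32_t)y * (uint32_t)stride;
    return (int64_t)(int32_t)wrapped;
}

/* Post-patch form: stride is ptrdiff_t, so y is converted before the
 * multiply and the product is formed in pointer width (64-bit on LP64).
 * The cast must come before the multiply: `(ptrdiff_t)(y * stride)` would
 * still wrap in 32 bits and only then widen the wrapped value. */
ptrdiff_t row_offset_ptrdiff(int y, ptrdiff_t stride)
{
    return (ptrdiff_t)y * stride;
}

/* Size check for (height, stride) taken from an untrusted image header:
 * returns the byte count, or 0 if either value is negative or the product
 * does not fit in size_t. The division avoids the overflowing multiply. */
size_t image_bytes_or_zero(int height, ptrdiff_t stride)
{
    if (height < 0 || stride < 0)
        return 0;
    if (stride != 0 && (size_t)height > SIZE_MAX / (size_t)stride)
        return 0;
    return (size_t)height * (size_t)stride;
}

/* Bounds-checked row lookup: returns NULL instead of a pointer outside the
 * `len`-byte buffer. The whole row (stride bytes) must fit inside it. */
unsigned char *row_ptr(unsigned char *data, size_t len, int y, ptrdiff_t stride)
{
    if (y < 0 || stride < 0 || (size_t)stride > len)
        return NULL;
    if (stride != 0 && (size_t)y > SIZE_MAX / (size_t)stride)
        return NULL;
    size_t off = (size_t)y * (size_t)stride;
    if (off > len - (size_t)stride)
        return NULL;
    return data + off;
}

static unsigned char demo_buf[64];  /* small buffer for the row_ptr demo */

int main(void)
{
    printf("int32 offset of row 30000:     %lld\n",
           (long long)row_offset_int32(DEMO_HEIGHT, DEMO_STRIDE));
    printf("ptrdiff_t offset of row 30000: %lld\n",
           (long long)row_offset_ptrdiff(DEMO_HEIGHT, DEMO_STRIDE));
    printf("image bytes (0 = rejected):    %zu\n",
           image_bytes_or_zero(DEMO_HEIGHT, DEMO_STRIDE));
    printf("row 3 of a 64-byte, stride-16 buffer: %s\n",
           row_ptr(demo_buf, sizeof demo_buf, 3, 16) ? "ok" : "NULL");
    printf("row 4 of the same buffer:             %s\n",
           row_ptr(demo_buf, sizeof demo_buf, 4, 16) ? "ok" : "NULL");
    return 0;
}
```

The wrapped 32-bit offset lands well inside the allocation, so the bug reads or writes the wrong row rather than faulting immediately, which is why it is worth having a check at the allocation boundary as well as the widened arithmetic.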