Leo Famulari writes:

> On Fri, Oct 14, 2016 at 10:44:05AM +0000, Efraim Flashner wrote:
>> efraim pushed a commit to branch master
>> in repository guix.
>>
>> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134
>> Author: Efraim Flashner
>> Date: Fri Oct 14 11:28:21 2016 +0300
>>
>> gnu: freeimage: Fix CVE-2016-5684.
>>
>> * gnu/packages/image.scm (freeimage)[source]: Add patch.
>> * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> ---
>> gnu/local.mk | 1 +
>> gnu/packages/image.scm | 3 +-
>> gnu/packages/patches/freeimage-CVE-2016-5684.patch | 34 ++++++++++++++++++++
>> 3 files changed, 37 insertions(+), 1 deletion(-)
>
> Efraim pointed out on IRC that our freeimage package bundles many
> 3rd-party libraries:
>
> $ ls -1 FreeImage/Source
> CacheFile.h
> DeprecationManager
> FreeImage
> FreeImage.h
> FreeImageIO.h
> FreeImageLib
> FreeImageToolkit
> LibJPEG
> LibJXR
> LibOpenJPEG
> LibPNG
> LibRawLite
> LibTIFF4
> LibWebP
> MapIntrospector.h
> Metadata
> OpenEXR
> Plugin.h
> Quantizers.h
> ToneMapping.h
> Utilities.h
> ZLib
>
> Debian has a patch to make it use "system" copies of the libraries:
>
> https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
>
> For now, our freeimage package is probably vulnerable to many publicly
> disclosed security bugs.
>
> Who volunteers to try fixing this?

The patch is attached. I've removed the bit from Debian that disables JPEG transformation functions, as seen below. JPEGTransform.cpp (in Source/FreeImageToolkit) gave me some trouble when I left that part of the patch alone.
@@ -473,6 +477,9 @@ FI_ENUM(FREE_IMAGE_DITHER) { FID_BAYER16x16 = 6 //! Bayer ordered dispersed dot dithering (order 4 dithering matrix) }; +/* Debian: The JPEGTransform functions are deliberately disabled in our build + of FreeImage, since they require usage of the vendored copy of libjpeg. */ +#if 0 /** Lossless JPEG transformations Constants used in FreeImage_JPEGTransform */ @@ -486,6 +493,7 @@ FI_ENUM(FREE_IMAGE_JPEG_OPERATION) { FIJPEG_OP_ROTATE_180 = 6, //! 180-degree rotation FIJPEG_OP_ROTATE_270 = 7 //! 270-degree clockwise (or 90 ccw) }; +#endif /** Tone mapping operators. Constants used in FreeImage_ToneMapping. @@ -1076,7 +1084,9 @@ DLL_API const char* DLL_CALLCONV FreeImage_TagToString(FREE_IMAGE_MDMODEL model, // -------------------------------------------------------------------------- // JPEG lossless transformation routines // -------------------------------------------------------------------------- - +/* Debian: The JPEGTransform functions are deliberately disabled in our build + of FreeImage, since they require usage of the vendored copy of libjpeg. */ +#if 0 DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransform(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE)); DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE)); DLL_API BOOL DLL_CALLCONV FreeImage_JPEGCrop(const char *src_file, const char *dst_file, int left, int top, int right, int bottom); 
@@ -1085,6 +1095,7 @@ DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformFromHandle(FreeImageIO* src_io, DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombined(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE)); DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE)); DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedFromMemory(FIMEMORY* src_stream, FIMEMORY* dst_stream, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE)); +#endif
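Review bot: Dropping these three hunks leaves a bundled-library dependency in place that the rest of the unbundling patch is meant to remove, and the commit message should say so. The `#if 0` guards here (around the FREE_IMAGE_JPEG_OPERATION enum at -473/-486 and around the FreeImage_JPEGTransform*, FreeImage_JPEGCrop and FreeImage_JPEGTransformCombined* prototypes at -1076/-1085) exist, per the Debian comment in the hunks, because "they require usage of the vendored copy of libjpeg"; keeping the prototypes means JPEGTransform.cpp and whatever it pulls from Source/LibJPEG stay in the build, which is exactly the kind of vendored copy the thread is worried about for disclosed bugs. Please either document which FreeImage functions still depend on bundled code in the patch header, or note whether JPEGTransform.cpp was made to build against the system libjpeg instead. Minor: the hunk at -1076 replaces an empty line with the comment block, and that comment's "our build" refers to Debian's build; if any of this wording is retained for Guix it should be reworded.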