From: Leo Famulari <leo@famulari.name>
To: guix-devel@gnu.org
Subject: Building AbiWord without libwmf and removing libwmf from Guix
Date: Sat, 27 May 2017 13:06:00 -0400	[thread overview]
Message-ID: <20170527170600.GA16269@jasmine> (raw)



The last update to libwmf was twelve years ago, in 2005. In the
meantime, a large number of security issues have been discovered in this
library. These bugs are fixed somewhat haphazardly by the distributions.

While working on patching CVE-2016-9011 in libwmf, and backporting fixes
for CVE-2016-{9317,10167,10168} in the ancient bundled libgd, I find
myself wondering if we need this library at all. The patches from this
12-year span of third-party fixes begin to conflict with each other...

Libwmf is only used as a "plugin" by AbiWord, and AbiWord can be
configured to build without it.

Otherwise, someone needs to overhaul and update our libwmf patch series.

I've included a WIP patch that includes the fixes. Not all of the new
patches apply.

WDYT?

[-- Attachment #1.2: 0001-WIP-libwmf-Fix-CVE-2016-9011-9317-10167-10168.patch --]
[-- Type: text/plain, Size: 6986 bytes --]

From 7149e16c9e6890fa914b0a49f363439ab5627f3a Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Sat, 27 May 2017 12:56:54 -0400
Subject: [PATCH] WIP: libwmf: Fix CVE-2016-{9011,9317,10167,10168}.

XXX: Not all of these patches apply.

* gnu/packages/patches/libwmf-CVE-2016-9011.patch,
gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libwmf)[source]: Use them.
---
 gnu/local.mk                                       |  2 +
 gnu/packages/image.scm                             |  4 +-
 gnu/packages/patches/libwmf-CVE-2016-9011.patch    | 45 ++++++++++++
 .../patches/libwmf-fixes-for-bundled-gd.patch      | 80 ++++++++++++++++++++++
 4 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/libwmf-CVE-2016-9011.patch
 create mode 100644 gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index d0117be85..f60b66948 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -781,6 +781,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch	\
   %D%/packages/patches/libwmf-CVE-2015-4695.patch		\
   %D%/packages/patches/libwmf-CVE-2015-4696.patch		\
+  %D%/packages/patches/libwmf-CVE-2016-9011.patch		\
+  %D%/packages/patches/libwmf-fixes-for-bundled-gd.patch	\
   %D%/packages/patches/libxcb-python-3.5-compat.patch		\
   %D%/packages/patches/libxml2-CVE-2016-4658.patch		\
   %D%/packages/patches/libxml2-CVE-2016-5131.patch		\
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 86902d568..f33396968 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -421,7 +421,9 @@ collection of tools for doing simple manipulations of TIFF images.")
                          "libwmf-CVE-2009-3546.patch"
                          "libwmf-CVE-2015-0848+CVE-2015-4588.patch"
                          "libwmf-CVE-2015-4695.patch"
-                         "libwmf-CVE-2015-4696.patch"))))
+                         "libwmf-CVE-2015-4696.patch"
+                         "libwmf-CVE-2016-9011.patch"
+                         "libwmf-fixes-for-bundled-gd.patch"))))
 
     (build-system gnu-build-system)
     (inputs
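Review bot: "libwmf-fixes-for-bundled-gd.patch" breaks the libwmf-CVE-*.patch naming that every other entry in this list follows, so the three CVE ids it fixes (2016-9317, 2016-10167, 2016-10168, per the patch header) are not discoverable from the package definition; consider "libwmf-CVE-2016-9317+CVE-2016-10167+CVE-2016-10168.patch", in the style of the "libwmf-CVE-2015-0848+CVE-2015-4588.patch" entry above. Also, since the commit message says not all of these patches apply: a file listed in `patches` that fails to apply aborts the source unpack, so this package will not build until the XXX is resolved.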
diff --git a/gnu/packages/patches/libwmf-CVE-2016-9011.patch b/gnu/packages/patches/libwmf-CVE-2016-9011.patch
new file mode 100644
index 000000000..a74120c15
--- /dev/null
+++ b/gnu/packages/patches/libwmf-CVE-2016-9011.patch
@@ -0,0 +1,45 @@
+Fix CVE-2016-9011:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9011
+https://blogs.gentoo.org/ago/2016/10/18/libwmf-memory-allocation-failure-in-wmf_malloc-api-c/
+
+Patch copied from Fedora:
+
+https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=9a43f910abce9940f07843e7186646ad46b686d6
+
+--- libwmf-0.2.8.4/src/player.c
++++ libwmf-0.2.8.4/src/player.c
+@@ -139,8 +139,31 @@
+ 		WMF_DEBUG (API,"bailing...");
+ 		return (API->err);
+ 	}
+-	
+- 	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
++
++	U32 nMaxRecordSize = (MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char);
++	if (nMaxRecordSize)
++	{
++		//before allocating memory do a sanity check on size by seeking
++		//to claimed end to see if its possible. We're constrained here
++		//by the api and existing implementations to not simply seeking
++		//to SEEK_END. So use what we have to skip to the last byte and
++		//try and read it.
++		const long nPos = WMF_TELL (API);
++		WMF_SEEK (API, nPos + nMaxRecordSize - 1);
++		if (ERR (API))
++		{	WMF_DEBUG (API,"bailing...");
++			return (API->err);
++		}
++		int byte = WMF_READ (API);
++		if (byte == (-1))
++		{	WMF_ERROR (API,"Unexpected EOF!");
++		       	API->err = wmf_E_EOF;
++		       	return (API->err);
++		}
++		WMF_SEEK (API, nPos);
++	}
++
++ 	P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
+ 
+ 	if (ERR (API))
+ 	{	WMF_DEBUG (API,"bailing...");
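Review bot: the allocation size is narrowed to `U32 nMaxRecordSize` where the removed line passed the whole `(MAX_REC_SIZE(API)) * 2 * sizeof (unsigned char)` expression (a `size_t`) straight to `wmf_malloc`; if `MAX_REC_SIZE(API)` can approach 2^31 the doubled value wraps before the seek-and-read sanity check sees it, and the check then validates a much smaller size than the header claims. Consider `size_t` for `nMaxRecordSize` with an explicit overflow check on the doubling. The rewind `WMF_SEEK (API, nPos);` is also not followed by an `ERR (API)` test; a failed rewind is only caught indirectly by the check after `wmf_malloc`. Style: the hunk brings `//` comments and declarations after statements (`U32 nMaxRecordSize`, `int byte`) into a file that otherwise uses C89 conventions, and the `API->err = wmf_E_EOF;` / `return (API->err);` lines carry mixed tab and space indentation.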
diff --git a/gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch b/gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch
new file mode 100644
index 000000000..92a3f7cdb
--- /dev/null
+++ b/gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch
@@ -0,0 +1,80 @@
+Fix CVE-2016-{9317,10167,10168} in bundled libgd:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9317
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168
+
+Patches copied from Fedora:
+
+CVE-2016-9317:
+https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=d851798416d005977d9409babf710c050124cfda
+CVE-2016-10167:
+https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=b439c6f363d3f9c7b22e7f3b2211d423abd7d612
+CVE-2016-10168:
+https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=d8c724ed484d01f3535bd1f317d6c5aa6d33aa80
+
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -65,6 +65,18 @@
+ {
+   int i;
+   gdImagePtr im;
++
++  if (overflow2(sx, sy)) {
++    return NULL;
++  }
++
++  if (overflow2(sizeof (unsigned char *), sy)) {
++    return NULL;
++  }
++  if (overflow2(sizeof (unsigned char), sx)) {
++    return NULL;
++  }
++
+   im = (gdImage *) gdMalloc (sizeof (gdImage));
+   memset (im, 0, sizeof (gdImage));
+   /* Row-major ever since gd 1.3 */
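Review bot: `overflow2` is called three times but is neither declared nor defined anywhere in this patch; unless libwmf's bundled `src/extra/gd` already ships libgd's `overflow2` and `gd.c` includes its header, this hunk will not compile, which may be the "does not apply" case the commit message mentions. If it is missing, add the helper in the same patch (libgd's version returns nonzero when `a <= 0 || b <= 0` or `a > INT_MAX / b`). The checks return `NULL` before `gdMalloc`, so nothing leaks, but callers of `gdImageCreate` in the bundled gd and in libwmf must already cope with a `NULL` image.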
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
+@@ -362,10 +362,9 @@
+ 			{
+ 			  if (!gdGetInt (&im->tpixels[y][x], in))
+ 			    {
+-			      /*printf("EOF while reading\n"); */
+-			      /*gdImageDestroy(im); */
+-			      /*return 0; */
+-			      im->tpixels[y][x] = 0;
++                               fprintf(stderr, "gd2: EOF while reading\n");
++                               gdImageDestroy(im);
++                               return NULL;
+ 			    }
+ 			}
+ 		      else
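Review bot: the three replacement lines are indented with spaces while the surrounding code, including the removed `im->tpixels[y][x] = 0;`, uses tabs; match the file's tabs. Behaviourally the hunk turns a tolerated truncation (pixel zeroed) into a hard failure (`gdImageDestroy(im); return NULL;`), which is right for an EOF mid-image, but the caller must not also destroy `im` on a `NULL` return or this becomes a double free; worth confirming, since the old code only ever had this path commented out as `/*return 0; */`.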
+@@ -373,10 +372,9 @@
+ 			  int ch;
+ 			  if (!gdGetByte (&ch, in))
+ 			    {
+-			      /*printf("EOF while reading\n"); */
+-			      /*gdImageDestroy(im); */
+-			      /*return 0; */
+-			      ch = 0;
++                              fprintf(stderr, "gd2: EOF while reading\n");
++                              gdImageDestroy(im);
++                              return NULL;
+ 			    }
+ 			  im->pixels[y][x] = ch;
+ 			}
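Review bot: same space-versus-tab indentation mismatch as the `tpixels` hunk above, and the same `fprintf(stderr, ...)`, `gdImageDestroy(im)`, `return NULL` triple copied verbatim; consider one `goto` cleanup label for both EOF paths so the message and the destroy live in one place.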
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
+@@ -145,6 +145,11 @@
+ 
+   if ((*fmt) == GD2_FMT_COMPRESSED)
+     {
++      if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
++              GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
++              goto fail1;
++      }
++
+       nc = (*ncx) * (*ncy);
+       GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+       sidx = sizeof (t_chunk_info) * nc;
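Review bot: this is a second `--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c` / `+++` header for a file already patched above, with a hunk at line 145 placed after hunks at 362 and 373; GNU patch accepts it, but merging the three hunks into one file section in ascending order makes the patch far easier to rebase. On the check itself, `*ncx > INT_MAX / *ncy` guards `nc = (*ncx) * (*ncy)` but not the following `sidx = sizeof (t_chunk_info) * nc;`, which can still wrap on a 32-bit `size_t` when `nc` is near `INT_MAX`; bound `nc` against `SIZE_MAX / sizeof (t_chunk_info)` (or reuse `overflow2`) before computing `sidx`. `INT_MAX` needs `<limits.h>`, so confirm `gd_gd2.c` includes it, and that a `fail1` label exists in this function.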
-- 
2.13.0


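The two kinds of check the attached patches rely on, shown stand-alone as an added example in plain C that is not libwmf, libgd or Guix code: sizing a buffer from an untrusted header field only after proving the stream actually extends that far (the CVE-2016-9011 approach, done here with tell/seek/read against an in-memory stream that, like libwmf's, cannot be asked for SEEK_END), and refusing image dimensions whose products would wrap (the pattern the gd.c hunk calls `overflow2`). `reader_t`, every function name and the `SAMPLE` bytes are hypothetical constructions for this example; `mul_overflows_int` is modelled on libgd's int-based `overflow2` and is an assumption about that helper, not the bundled gd's code.

```c
/* Added example, not libwmf or libgd code. reader_t, the function names and
 * SAMPLE are hypothetical; mul_overflows_int is modelled on libgd's overflow2(). */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
    int err;                 /* sticky error flag, like API->err in libwmf */
} reader_t;

static long rd_tell(reader_t *r) { return (long)r->pos; }

static void rd_seek(reader_t *r, long pos)
{
    /* Seeking beyond the end is an error; there is no SEEK_END to consult. */
    if (pos < 0 || (size_t)pos > r->len) { r->err = 1; return; }
    r->pos = (size_t)pos;
}

static int rd_read(reader_t *r)   /* next byte, or -1 at EOF */
{
    if (r->pos >= r->len) return -1;
    return r->data[r->pos++];
}

/* Naive: trust the header's maximum record size and size the buffer from it.
 * A 16-byte file claiming a 1 GiB record asks malloc for 2 GiB. */
static size_t params_size_naive(reader_t *r, uint32_t max_rec_size)
{
    (void)r;
    return (size_t)max_rec_size * 2;
}

/* Checked: before sizing the buffer, seek to where the claimed data would end
 * and read the last byte; a truncated or lying file fails here, not in malloc.
 * Returns 0 with r->err set on failure, the size to allocate otherwise. */
static size_t params_size_checked(reader_t *r, uint32_t max_rec_size)
{
    size_t n = (size_t)max_rec_size * 2;
    if (n) {
        long start = rd_tell(r);
        /* guard the offset arithmetic itself before handing it to seek */
        if (n - 1 > (size_t)(LONG_MAX - start)) { r->err = 1; return 0; }
        rd_seek(r, start + (long)(n - 1));
        if (r->err) return 0;
        if (rd_read(r) == -1) { r->err = 1; return 0; }
        rd_seek(r, start);        /* rewind for the real parser */
        if (r->err) return 0;
    }
    return n;
}

/* Multiplication guard in the style of libgd's overflow2(): nonzero when
 * a * b would not fit in an int, or either factor is not positive. */
static int mul_overflows_int(int a, int b)
{
    if (a <= 0 || b <= 0) return 1;
    return a > INT_MAX / b;
}

/* Reject dimensions whose pixel count or row-pointer table would wrap,
 * mirroring the three checks added at the top of gdImageCreate. */
int image_dims_ok(int sx, int sy)
{
    if (mul_overflows_int(sx, sy)) return 0;
    if (mul_overflows_int((int)sizeof(unsigned char *), sy)) return 0;
    if (mul_overflows_int((int)sizeof(unsigned char), sx)) return 0;
    return 1;
}

/* Constructed 16-byte stream; only its length matters for the demo. */
static const unsigned char SAMPLE[] = "0123456789abcdef";

static reader_t sample_reader(void)
{
    reader_t r = { SAMPLE, sizeof SAMPLE - 1, 0, 0 };
    return r;
}

/* Header claims a 1 GiB maximum record size on the 16-byte stream. */
size_t demo_naive_size(void)
{
    reader_t r = sample_reader();
    return params_size_naive(&r, 0x40000000u);
}

size_t demo_checked_size(uint32_t claimed)
{
    reader_t r = sample_reader();
    return params_size_checked(&r, claimed);
}

int demo_checked_err(uint32_t claimed)
{
    reader_t r = sample_reader();
    (void)params_size_checked(&r, claimed);
    return r.err;
}
```

With the constructed 16-byte stream, the naive path would size a 2 GiB buffer while the checked path fails before any allocation; a claimed size that fits exactly (8, giving 16 bytes) passes and leaves the read position where it was.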

Thread overview: 12+ messages
2017-05-27 17:06 Leo Famulari [this message]
2017-05-27 19:41 ` Building AbiWord without libwmf and removing libwmf from Guix Mark H Weaver
2017-05-27 21:13   ` Ricardo Wurmus
2017-05-28 13:06     ` Hartmut Goebel
2017-05-28 18:44       ` Leo Famulari
2017-05-28 20:57         ` Ludovic Courtès
2017-06-23 22:30           ` Leo Famulari
2017-06-24  8:12           ` ng0
2017-06-24  8:02     ` ng0
2017-06-24 16:21       ` Leo Famulari
2017-06-24 22:52         ` Mark H Weaver
2017-06-25  3:37           ` Leo Famulari
