From: Leo Famulari
To: guix-devel@gnu.org
Subject: Building AbiWord without libwmf and removing libwmf from Guix
Date: Sat, 27 May 2017 13:06:00 -0400
Message-ID: <20170527170600.GA16269@jasmine>

The last update to libwmf was twelve years ago, in 2005. In the meantime, a large number of security issues have been discovered in this library. These bugs are fixed somewhat haphazardly by the distributions.

While working on patching CVE-2016-9011 in libwmf, and backporting fixes for CVE-2016-{9317,10167,10168} in the ancient bundled libgd, I find myself wondering if we need this library at all.
The patches from this 12-year span of third-party fixes begin to conflict with each other... Libwmf is only used as a "plugin" by AbiWord, and AbiWord can be configured to build without it. Otherwise, someone needs to overhaul and update our libwmf patch series.

I've included a WIP patch that includes the fixes. Not all of the new patches apply.

WDYT?

[Attachment: 0001-WIP-libwmf-Fix-CVE-2016-9011-9317-10167-10168.patch]

From 7149e16c9e6890fa914b0a49f363439ab5627f3a Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Sat, 27 May 2017 12:56:54 -0400
Subject: [PATCH] WIP: libwmf: Fix CVE-2016-{9011,9317,10167,10168}.

XXX: Not all of these patches apply.

* gnu/packages/patches/libwmf-CVE-2016-9011.patch,
gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libwmf)[source]: Use them.
---
 gnu/local.mk                                    |  2 +
 gnu/packages/image.scm                          |  4 +-
 gnu/packages/patches/libwmf-CVE-2016-9011.patch | 45 ++++++++++++
 .../patches/libwmf-fixes-for-bundled-gd.patch   | 80 ++++++++++++++++++++++
 4 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/libwmf-CVE-2016-9011.patch
 create mode 100644 gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch

diff --git a/gnu/local.mk b/gnu/local.mk index d0117be85..f60b66948 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -781,6 +781,8 @@ dist_patch_DATA =3D \ %D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \ %D%/packages/patches/libwmf-CVE-2015-4695.patch \ %D%/packages/patches/libwmf-CVE-2015-4696.patch \ + %D%/packages/patches/libwmf-CVE-2016-9011.patch \ + %D%/packages/patches/libwmf-fixes-for-bundled-gd.patch \ %D%/packages/patches/libxcb-python-3.5-compat.patch \ %D%/packages/patches/libxml2-CVE-2016-4658.patch \ %D%/packages/patches/libxml2-CVE-2016-5131.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 86902d568..f33396968 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -421,7 +421,9 @@ collection of tools for doing simple manipulations of T= IFF images.") "libwmf-CVE-2009-3546.patch" "libwmf-CVE-2015-0848+CVE-2015-4588.patch" "libwmf-CVE-2015-4695.patch" - "libwmf-CVE-2015-4696.patch")))) + "libwmf-CVE-2015-4696.patch" + "libwmf-CVE-2016-9011.patch" + "libwmf-fixes-for-bundled-gd.patch")))) =20 (build-system gnu-build-system) (inputs diff --git a/gnu/packages/patches/libwmf-CVE-2016-9011.patch b/gnu/packages= /patches/libwmf-CVE-2016-9011.patch new file mode 100644 index 000000000..a74120c15 --- /dev/null +++ b/gnu/packages/patches/libwmf-CVE-2016-9011.patch 
@@ -0,0 +1,45 @@ +Fix CVE-2016-9011: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-9011 +https://blogs.gentoo.org/ago/2016/10/18/libwmf-memory-allocation-failure-i= n-wmf_malloc-api-c/ + +Patch copied from Fedora: + +https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=3D9a43f910ab= ce9940f07843e7186646ad46b686d6 + +--- libwmf-0.2.8.4/src/player.c ++++ libwmf-0.2.8.4/src/player.c +@@ -139,8 +139,31 @@ + WMF_DEBUG (API,"bailing..."); + return (API->err); + } +-=09 +- P->Parameters =3D (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) = ) * 2 * sizeof (unsigned char)); ++ ++ U32 nMaxRecordSize =3D (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char= ); ++ if (nMaxRecordSize) ++ { ++ //before allocating memory do a sanity check on size by seeking ++ //to claimed end to see if its possible. We're constrained here ++ //by the api and existing implementations to not simply seeking ++ //to SEEK_END. So use what we have to skip to the last byte and ++ //try and read it. ++ const long nPos =3D WMF_TELL (API); ++ WMF_SEEK (API, nPos + nMaxRecordSize - 1); ++ if (ERR (API)) ++ { WMF_DEBUG (API,"bailing..."); ++ return (API->err); ++ } ++ int byte =3D WMF_READ (API); ++ if (byte =3D=3D (-1)) ++ { WMF_ERROR (API,"Unexpected EOF!"); ++ API->err =3D wmf_E_EOF; ++ return (API->err); ++ } ++ WMF_SEEK (API, nPos); ++ } ++ ++ P->Parameters =3D (unsigned char*) wmf_malloc (API, nMaxRecordSize); +=20 + if (ERR (API)) + { WMF_DEBUG (API,"bailing..."); diff --git a/gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch b/gnu/p= ackages/patches/libwmf-fixes-for-bundled-gd.patch new file mode 100644 index 000000000..92a3f7cdb --- /dev/null +++ b/gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch 
@@ -0,0 +1,80 @@ +Fix CVE-2016-{9317,10167,10168} in bundled libgd: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-9317 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-10167 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-10168 + +Patches copied from Fedora: + +CVE-2016-9317: +https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=3Dd851798416= d005977d9409babf710c050124cfda +CVE-2016-10167: +https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=3Db439c6f363= d3f9c7b22e7f3b2211d423abd7d612 +CVE-2016-10168: +https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=3Dd8c724ed48= 4d01f3535bd1f317d6c5aa6d33aa80 + +--- libwmf-0.2.8.4/src/extra/gd/gd.c ++++ libwmf-0.2.8.4/src/extra/gd/gd.c +@@ -65,6 +65,18 @@ + { + int i; + gdImagePtr im; ++ ++ if (overflow2(sx, sy)) { ++ return NULL; ++ } ++ ++ if (overflow2(sizeof (unsigned char *), sy)) { ++ return NULL; ++ } ++ if (overflow2(sizeof (unsigned char), sx)) { ++ return NULL; ++ } ++ + im =3D (gdImage *) gdMalloc (sizeof (gdImage)); + memset (im, 0, sizeof (gdImage)); + /* Row-major ever since gd 1.3 */ +--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c ++++ libwmf-0.2.8.4/src/extra/gd/gd_gd2.c +@@ -362,10 +362,9 @@ + { + if (!gdGetInt (&im->tpixels[y][x], in)) + { +- /*printf("EOF while reading\n"); */ +- /*gdImageDestroy(im); */ +- /*return 0; */ +- im->tpixels[y][x] =3D 0; ++ fprintf(stderr, "gd2: EOF while reading\n"= ); ++ gdImageDestroy(im); ++ return NULL; + } + } + else +@@ -373,10 +372,9 @@ + int ch; + if (!gdGetByte (&ch, in)) + { +- /*printf("EOF while reading\n"); */ +- /*gdImageDestroy(im); */ +- /*return 0; */ +- ch =3D 0; ++ fprintf(stderr, "gd2: EOF while reading\n"); ++ gdImageDestroy(im); ++ return NULL; + } + im->pixels[y][x] =3D ch; + } +--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c ++++ libwmf-0.2.8.4/src/extra/gd/gd_gd2.c +@@ -145,6 +145,11 @@ +=20 + if ((*fmt) =3D=3D GD2_FMT_COMPRESSED) + { ++ if (*ncx <=3D 0 || *ncy <=3D 0 || *ncx > INT_MAX / *ncy) { ++ 
GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *n= cy)); ++ goto fail1; ++ } ++ + nc =3D (*ncx) * (*ncy); + GD2_DBG (printf ("Reading %d chunk index entries\n", nc)); + sidx =3D sizeof (t_chunk_info) * nc;
-- 
2.13.0
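Review bot: the commit message's `XXX: Not all of these patches apply.` does not say which file or hunk is rejected against the libwmf 0.2.8.4 source that Guix packages; naming the failing hunk in the cover text would let reviewers help with the rebase, and both the XXX line and the `WIP:` prefix have to go before this is pushed.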
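Review bot: in the player.c hunk, the seek-and-read probe bounds the allocation by the bytes actually present, but nothing bounds the multiplication that produces the size: `U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);` wraps if MAX_REC_SIZE(API) is taken straight from the header's largest-record field and is above half of U32, and a wrapped (small) value would then pass the probe and the `wmf_malloc (API, nMaxRecordSize)` that follows. Either confirm MAX_REC_SIZE(API) is already bounded earlier in the player, or reject it before the multiplication. Two smaller points in the same hunk: the first `WMF_SEEK` is followed by an `ERR (API)` check but the restoring `WMF_SEEK (API, nPos);` is not, so a failed restore would go unnoticed; and the hunk introduces `//` comments plus a declaration after statements into a file that otherwise builds as older C, so keep the surrounding comment style unless the build is already C99.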
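Review bot: the gd.c hunk calls `overflow2()` three times, but the patch neither declares nor defines it; check that libwmf's bundled gd under src/extra/gd actually ships overflow2 (upstream gd keeps it in gdhelpers.c), or this file will fail to compile, which may be one of the parts that do not apply. Also `if (overflow2(sizeof (unsigned char), sx))` can never be true since sizeof (unsigned char) is 1; it is harmless and mirrors upstream gd, but the `overflow2(sizeof (unsigned char *), sy)` check is the one doing the work here.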
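Review bot: the two gd_gd2.c EOF hunks write `fprintf(stderr, "gd2: EOF while reading\n");` straight to stderr from library code, while the same file's other diagnostics go through `GD2_DBG (printf (...))` (see the chunk-count hunk); use that macro or the existing error path so a host such as AbiWord is not spammed on stderr for every truncated image. The behaviour change itself (destroy the image and `return NULL` instead of zero-filling the pixel) is the right fix, but since the old code fell through and the new code returns early from inside the read loop, check that nothing allocated earlier in the function, such as the chunk index whose size is computed in the header hunk, is leaked on that path.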
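Review bot: the chunk-count hunk uses `INT_MAX` in `if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy)` but the patch adds no `#include <limits.h>`; confirm gd_gd2.c (or a header it includes) already pulls it in. Structurally, gd_gd2.c appears twice in this patch file as separate `---`/`+++` sections, with the `@@ -145,6 +145,11 @@` hunk placed after the `@@ -362` and `@@ -373` ones; GNU patch applies that, but merging the three hunks into one section in line order would make the file easier to review and to rebase the next time the series conflicts.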
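The check behind the CVE-2016-9011 fix in the attached patch, refusing a header-supplied record size that the input cannot actually back before allocating for it, as an added stand-alone C example. This is not libwmf code and is not part of the mail or the patch: the `stream_t` cursor, the function names and the byte strings below are constructed for the example (libwmf's player works through WMF_TELL/WMF_SEEK/WMF_READ on its API object instead). It goes one step beyond the patch's probe by also rejecting a header value for which the "words times two" multiplication would wrap in 32 bits.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal cursor over an in-memory file.  Stands in for the stream that
 * libwmf's player reads through WMF_TELL/WMF_SEEK/WMF_READ; the names here
 * are assumed for the example, not libwmf's. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} stream_t;

static int read_u32le(stream_t *s, uint32_t *out)
{
    if (s->len - s->pos < 4)
        return -1;
    const unsigned char *p = s->data + s->pos;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    s->pos += 4;
    return 0;
}

/* Vulnerable shape: take the header's "largest record, in 16-bit words"
 * field at face value and size the record buffer as 2 * words bytes.  A
 * six-byte file can ask for ~4 GiB, and a malloc wrapper that treats
 * allocation failure as fatal then aborts the parse (the CVE-2016-9011
 * symptom).  Returns the byte count it would request, 0 if the header is
 * unreadable. */
uint64_t unchecked_record_buffer_size(const unsigned char *file, size_t len)
{
    stream_t s = { file, len, 0 };
    uint32_t max_words;
    if (read_u32le(&s, &max_words) != 0)
        return 0;
    return (uint64_t)max_words * 2;   /* unrelated to the bytes actually present */
}

/* Hardened shape, mirroring the patch's seek-to-claimed-end probe: a record
 * of max_words words must fit inside the bytes remaining after the header,
 * and 2 * words must not wrap in 32 bits.  Returns 0 and the byte count to
 * allocate, or -1 without allocating anything. */
int checked_record_buffer_size(const unsigned char *file, size_t len,
                               uint32_t *out_bytes)
{
    stream_t s = { file, len, 0 };
    uint32_t max_words;
    if (read_u32le(&s, &max_words) != 0)
        return -1;
    if (max_words > UINT32_MAX / 2)                     /* 2 * words would wrap */
        return -1;
    uint32_t need = max_words * 2u;
    if ((uint64_t)need > (uint64_t)(s.len - s.pos))    /* claimed end is past EOF */
        return -1;
    *out_bytes = need;
    return 0;
}

/* Constructed inputs, not real WMF files: a header-only file claiming the
 * largest record that still fits in U32 after doubling, one whose doubled
 * size wraps, and a well-formed file whose claimed record (4 words = 8
 * bytes) is fully present. */
static const unsigned char truncated_claim[] = { 0xff, 0xff, 0xff, 0x7f, 'a', 'b' };
static const unsigned char wrapping_claim[]  = { 0x00, 0x00, 0x00, 0x80, 'a', 'b' };
static const unsigned char honest_file[]     = { 0x04, 0x00, 0x00, 0x00,
                                                 1, 2, 3, 4, 5, 6, 7, 8 };

int main(void)
{
    uint32_t bytes = 0;
    printf("unchecked would request %llu bytes for a %zu-byte file\n",
           (unsigned long long)unchecked_record_buffer_size(truncated_claim,
                                                            sizeof truncated_claim),
           sizeof truncated_claim);
    printf("checked: truncated claim -> %d\n",
           checked_record_buffer_size(truncated_claim, sizeof truncated_claim, &bytes));
    printf("checked: wrapping claim  -> %d\n",
           checked_record_buffer_size(wrapping_claim, sizeof wrapping_claim, &bytes));
    if (checked_record_buffer_size(honest_file, sizeof honest_file, &bytes) == 0)
        printf("checked: honest file     -> allocate %u bytes\n", bytes);
    return 0;
}
```

The probe in the patch achieves the same effect by seeking to the claimed end and reading one byte; with an in-memory buffer the remaining length is known directly, which is why the check here is a plain comparison.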