From: Kei Kebreau
Subject: Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
Date: Sat, 15 Oct 2016 14:57:37 -0400
Message-ID: <87instcue6.fsf@openmailbox.org>
References: <20161014104404.22087.86582@vcs.savannah.gnu.org> <20161014104405.901E322012A@vcs.savannah.gnu.org> <20161014174820.GA30644@jasmine> <87mvi6xyl7.fsf@openmailbox.org> <20161015180335.GC14171@macbook42.flashner.co.il>
In-Reply-To: <20161015180335.GC14171@macbook42.flashner.co.il> (Efraim Flashner's message of "Sat, 15 Oct 2016 21:03:35 +0300")
To: Efraim Flashner
Cc: guix-devel@gnu.org

Efraim Flashner writes:

> On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote:
>> Leo Famulari writes:
>>
>> > On Fri, Oct 14, 2016 at 10:44:05AM +0000, Efraim Flashner wrote:
>> >> efraim pushed a commit to branch master
>> >> in repository guix.
>> >>
>> >> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134
>> >> Author: Efraim Flashner
>> >> Date:   Fri Oct 14 11:28:21 2016 +0300
>> >>
>> >>     gnu: freeimage: Fix CVE-2016-5684.
>> >>
>> >>     * gnu/packages/image.scm (freeimage)[source]: Add patch.
>> >>     * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file.
>> >>     * gnu/local.mk (dist_patch_DATA): Register it.
>> >> ---
>> >>  gnu/local.mk                                       |  1 +
>> >>  gnu/packages/image.scm                             |  3 +-
>> >>  gnu/packages/patches/freeimage-CVE-2016-5684.patch | 34 ++++++++++++++++++++++
>> >>  3 files changed, 37 insertions(+), 1 deletion(-)
>> >
>> > Efraim pointed out on IRC that our freeimage package bundles many
>> > 3rd-party libraries:
>> >
>> > $ ls -1 FreeImage/Source
>> > CacheFile.h
>> > DeprecationManager
>> > FreeImage
>> > FreeImage.h
>> > FreeImageIO.h
>> > FreeImageLib
>> > FreeImageToolkit
>> > LibJPEG
>> > LibJXR
>> > LibOpenJPEG
>> > LibPNG
>> > LibRawLite
>> > LibTIFF4
>> > LibWebP
>> > MapIntrospector.h
>> > Metadata
>> > OpenEXR
>> > Plugin.h
>> > Quantizers.h
>> > ToneMapping.h
>> > Utilities.h
>> > ZLib
>> >
>> > Debian has a patch to make it use "system" copies of the libraries:
>> >
>> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
>> >
>> > For now, our freeimage package is probably vulnerable to many publicly
>> > disclosed security bugs.
>> >
>> > Who volunteers to try fixing this?
>>
>> The patch is attached. I've removed the bit from Debian that disables JPEG
>> transformation functions, as seen below. JPEGTransform.cpp (in
>> Source/FreeImageToolkit) gave me some trouble when I left that part of
>> the patch alone.
>>
>> @@ -473,6 +477,9 @@ FI_ENUM(FREE_IMAGE_DITHER) {
>>  	FID_BAYER16x16	= 6	//! Bayer ordered dispersed dot dithering (order 4 dithering matrix)
>>  };
>>
>> +/* Debian: The JPEGTransform functions are deliberately disabled in our build
>> +   of FreeImage, since they require usage of the vendored copy of libjpeg. */
>> +#if 0
>>  /** Lossless JPEG transformations
>>  Constants used in FreeImage_JPEGTransform
>>  */
>> @@ -486,6 +493,7 @@ FI_ENUM(FREE_IMAGE_JPEG_OPERATION) {
>>  	FIJPEG_OP_ROTATE_180	= 6,	//! 180-degree rotation
>>  	FIJPEG_OP_ROTATE_270	= 7		//! 270-degree clockwise (or 90 ccw)
>>  };
>> +#endif
>>
>>  /** Tone mapping operators.
>>  Constants used in FreeImage_ToneMapping.
>> @@ -1076,7 +1084,9 @@ DLL_API const char* DLL_CALLCONV FreeImage_TagToString(FREE_IMAGE_MDMODEL model,
>>  // --------------------------------------------------------------------------
>>  // JPEG lossless transformation routines
>>  // --------------------------------------------------------------------------
>> -
>> +/* Debian: The JPEGTransform functions are deliberately disabled in our build
>> +   of FreeImage, since they require usage of the vendored copy of libjpeg. */
>> +#if 0
>>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransform(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE));
>>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect FI_DEFAULT(TRUE));
>>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGCrop(const char *src_file, const char *dst_file, int left, int top, int right, int bottom);
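Review bot: the `#if 0` around `FI_ENUM(FREE_IMAGE_JPEG_OPERATION)` in the first hunk removes a type that the `FreeImage_JPEGTransform*` declarations further down this same header still take as a parameter, and that the definitions in Source/FreeImageToolkit/JPEGTransform.cpp (mentioned above) still name; applied on its own the header hunk therefore cannot build, which is consistent with the trouble described with that .cpp file. If the disabling is kept in any form, a named guard macro that JPEGTransform.cpp can test as well would tie the header and the implementation together, where a bare `#if 0` leaves the dependency implicit.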
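Review bot: the `#if 0` block in the `@@ -1076,7 +1084,9 @@` hunk is an API removal for anything compiled against FreeImage.h, and the accompanying comment is also the security-relevant point for this thread: Debian disables the `FreeImage_JPEGTransform*` functions because they "require usage of the vendored copy of libjpeg". Dropping this part of the patch, as described above, keeps those functions in the build together with their dependency on the bundled LibJPEG directory that the rest of the patch is meant to stop using. The commit message should state which functions remain tied to bundled code so that the package's remaining exposure to LibJPEG advisories is recorded rather than implied.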
>> @@ -1085,6 +1095,7 @@ DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformFromHandle(FreeImageIO* src_io,
>>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombined(const char *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
>>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedU(const wchar_t *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
>>  DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedFromMemory(FIMEMORY* src_stream, FIMEMORY* dst_stream, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
>> +#endif
>
>> From 4ef0c85c769aa4bc7a528c13eee1c61705e61479 Mon Sep 17 00:00:00 2001
>> From: Kei Kebreau
>> Date: Fri, 14 Oct 2016 18:09:45 -0400
>> Subject: [PATCH] gnu: freeimage: Disable in-tree third-party libraries.
>>
>> * gnu/packages/image.scm (freeimage)[source]: Add patch.
>> * gnu/packages/patches/freeimage-disable-vendored-dependencies.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> ---
>>  gnu/local.mk                                      |   1 +
>>  gnu/packages/image.scm                            |   6 +-
>>  .../freeimage-disable-vendored-dependencies.patch | 398 +++++++++++++++++++++++
>>  3 files changed, 404 insertions(+), 1 deletion(-)
>>  create mode 100644 gnu/packages/patches/freeimage-disable-vendored-dependencies.patch
>
> I was looking at it and I thought it was going to be much more than 400
> lines in the end.
>
> Did we also need the other patch?
> https://sources.debian.net/src/freeimage/3.17.0%2Bds1-3/debian/patches/Use-system-dependencies.patch/
>
> On one hand we could carry a modified version of Debian's patch, on the
> other hand some of these look like they could be a series of substitute*
> commands. I started looking through the patch and thinking how to
> convert them from "../path/to/header.h" to and realizing I
> myself wouldn't want to do that, so that could easily be an option for
> another time :).

Looking at its contents, adding that patch would make a lot of sense.
:-)
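The `ls -1 FreeImage/Source` listing quoted in this thread is the security-relevant inventory: every LibJPEG, LibPNG, LibTIFF4, ZLib and similar directory is a private copy of a library whose advisories are tracked per version, and a package that builds them in misses every system-package fix. The POSIX shell script below is an added example, not code from this thread, from FreeImage, Debian or Guix. It walks such a tree and reports the version each vendored copy declares, so the copies can be compared with the system packages and their published fixes. The directory names are the ones from the listing; the header file and version macro for each library are the ones the respective upstream projects define (ZLIB_VERSION, PNG_LIBPNG_VER_STRING, JPEG_LIB_VERSION, TIFFLIB_VERSION_STR, OPJ_PACKAGE_VERSION, WEBP_DECODER_ABI_VERSION, LIBRAW_VERSION_STR, OPENEXR_VERSION_STRING), and it is an assumption that FreeImage's copies keep those headers under the same names, since the thread does not show the inside of those directories, which is why each header is located by name rather than by path. The sample tree the script builds for a stand-alone run uses made-up version values.

```shell
#!/bin/sh
# Added example: inventory the vendored library copies under a FreeImage-style
# Source/ directory and report the version each copy declares.

# One "directory header macro" triple per line. Directory names are from the
# thread's listing; header/macro names are the upstream libraries' own.
# "-" marks a bundled library with no standard version header (LibJXR).
# Assumption: FreeImage's copies keep the upstream header names.
VENDORED_SPECS='
ZLib zlib.h ZLIB_VERSION
LibPNG png.h PNG_LIBPNG_VER_STRING
LibJPEG jpeglib.h JPEG_LIB_VERSION
LibTIFF4 tiffvers.h TIFFLIB_VERSION_STR
LibOpenJPEG opj_config.h OPJ_PACKAGE_VERSION
LibWebP decode.h WEBP_DECODER_ABI_VERSION
LibRawLite libraw_version.h LIBRAW_VERSION_STR
OpenEXR OpenEXRConfig.h OPENEXR_VERSION_STRING
LibJXR - -
'

# version_from_header HEADER MACRO
#   Print the value of the first "#define MACRO value" line in HEADER, with a
#   trailing C comment and surrounding double quotes stripped. Only the first
#   line of a multi-line (backslash-continued) value is reported.
version_from_header() {
    sed -n "s/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}$2[[:space:]]\{1,\}\(.*\)$/\1/p" "$1" \
        | head -n 1 \
        | sed 's|[[:space:]]*/\*.*$||; s|^"||; s|"[[:space:]]*$||'
}

# vendored_versions SRCDIR
#   For every known vendored directory that exists under SRCDIR, print one
#   line "<dir> <version>", with "unknown" when no header or macro is found.
vendored_versions() {
    srcdir="$1"
    printf '%s\n' "$VENDORED_SPECS" | while read -r dir header macro; do
        [ -n "$dir" ] || continue
        [ -d "$srcdir/$dir" ] || continue
        version=unknown
        if [ "$header" != "-" ]; then
            # Locate the header by name anywhere below the vendored directory.
            hdr=$(find "$srcdir/$dir" -type f -name "$header" | head -n 1)
            if [ -n "$hdr" ]; then
                v=$(version_from_header "$hdr" "$macro")
                if [ -n "$v" ]; then
                    version=$v
                fi
            fi
        fi
        printf '%s %s\n' "$dir" "$version"
    done
}

# build_sample_tree DIR
#   Construct a small stand-in for FreeImage/Source. The version values are
#   made up for this example; LibJXR is present but carries no version header.
build_sample_tree() {
    mkdir -p "$1/ZLib" "$1/LibPNG" "$1/LibJPEG" "$1/LibJXR" "$1/FreeImage"
    printf '#define ZLIB_VERSION "1.2.8"\n' > "$1/ZLib/zlib.h"
    printf '#define PNG_LIBPNG_VER_STRING "1.6.16"\n' > "$1/LibPNG/png.h"
    printf '#define JPEG_LIB_VERSION  62 /* Version 6b */\n' > "$1/LibJPEG/jpeglib.h"
}

# Stand-alone run: build the constructed tree, print the inventory, clean up.
# Point vendored_versions at a real FreeImage/Source directory to use it.
demo_dir=$(mktemp -d)
build_sample_tree "$demo_dir"
vendored_versions "$demo_dir"
rm -rf "$demo_dir"
```

Each reported version is what to look up against the system package and the library's advisory history; an "unknown" entry (here LibJXR) is a copy that needs manual identification before its exposure can be judged at all.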