aboutsummaryrefslogtreecommitdiff
path: root/gnu
diff options
context:
space:
mode:
authorMarius Bakke <mbakke@fastmail.com>2019-12-04 22:18:43 +0100
committerMarius Bakke <mbakke@fastmail.com>2019-12-04 23:18:24 +0100
commit0fa9f29a5100f19a8494521659a1fa3baaa7fd0e (patch)
treead38f1e1230e517d62d009be46d30c19e665a708 /gnu
parent4fe7adcbcc5465da8adfd5d85375546905cf9eca (diff)
downloadguix-0fa9f29a5100f19a8494521659a1fa3baaa7fd0e.tar
guix-0fa9f29a5100f19a8494521659a1fa3baaa7fd0e.tar.gz
gnu: libjpeg-turbo: Fix CVE-2019-13960 and CVE-2019-2201.
* gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch: New file. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/image.scm (libjpeg-turbo/fixed): New variable. (libjpeg-turbo)[replacement]: New field.
Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/image.scm17
-rw-r--r--gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch31
3 files changed, 48 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 0494f1d05d..6c484e2046 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1062,6 +1062,7 @@ dist_patch_DATA = \
%D%/packages/patches/libgnomeui-utf8.patch \
%D%/packages/patches/libgpg-error-gawk-compat.patch \
%D%/packages/patches/libffi-3.2.1-complex-alpha.patch \
+ %D%/packages/patches/libjpeg-turbo-CVE-2019-2201.patch \
%D%/packages/patches/libjxr-fix-function-signature.patch \
%D%/packages/patches/libjxr-fix-typos.patch \
%D%/packages/patches/libotr-test-auth-fix.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 731a1e8aed..71bd381cef 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -19,7 +19,7 @@
;;; Copyright © 2018 Joshua Sierles, Nextjournal <joshua@nextjournal.com>
;;; Copyright © 2018 Fis Trivial <ybbs.daans@hotmail.com>
;;; Copyright © 2018 Pierre Neidhardt <mail@ambrevar.xyz>
-;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2018, 2019 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2018 Pierre-Antoine Rouby <contact@parouby.fr>
;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
;;; Copyright © 2018 Rutger Helling <rhelling@mykolab.com>
@@ -1489,6 +1489,7 @@ is hereby granted."))))
(package
(name "libjpeg-turbo")
(version "2.0.2")
+ (replacement libjpeg-turbo/fixed)
(source (origin
(method url-fetch)
(uri (string-append "mirror://sourceforge/libjpeg-turbo/"
@@ -1518,6 +1519,20 @@ and decompress to 32-bit and big-endian pixel buffers (RGBX, XBGR, etc.).")
license:ijg ;the libjpeg library and associated tools
license:zlib)))) ;the libjpeg-turbo SIMD extensions
+;; Replacement package to fix CVE-2019-13960 and CVE-2019-2201.
+(define libjpeg-turbo/fixed
+ (package
+ (inherit libjpeg-turbo)
+ (version "2.0.3")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "mirror://sourceforge/libjpeg-turbo/"
+ version "/libjpeg-turbo-" version ".tar.gz"))
+ (sha256
+ (base32
+ "1ds16bnj17v6hzd43w8pzijz3imd9am4hw75ir0fxm240m8dwij2"))
+ (patches (search-patches "libjpeg-turbo-CVE-2019-2201.patch"))))))
+
(define-public niftilib
(package
(name "niftilib")
diff --git a/gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch b/gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch
new file mode 100644
index 0000000000..35f2bf5963
--- /dev/null
+++ b/gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch
@@ -0,0 +1,31 @@
+Fix integer overflow which can potentially lead to RCE.
+
+https://www.openwall.com/lists/oss-security/2019/11/11/1
+https://nvd.nist.gov/vuln/detail/CVE-2019-2201
+
+The problem was partially fixed in 2.0.3. This patch is a follow-up.
+https://github.com/libjpeg-turbo/libjpeg-turbo/issues/388
+https://github.com/libjpeg-turbo/libjpeg-turbo/commit/c30b1e72dac76343ef9029833d1561de07d29bad
+
+diff --git a/tjbench.c b/tjbench.c
+index a7d397318..13a5bde62 100644
+--- a/tjbench.c
++++ b/tjbench.c
+@@ -171,7 +171,7 @@ static int decomp(unsigned char *srcBuf, unsigned char **jpegBuf,
+ }
+ /* Set the destination buffer to gray so we know whether the decompressor
+ attempted to write to it */
+- memset(dstBuf, 127, pitch * scaledh);
++ memset(dstBuf, 127, (size_t)pitch * scaledh);
+
+ if (doYUV) {
+ int width = doTile ? tilew : scaledw;
+@@ -193,7 +193,7 @@ static int decomp(unsigned char *srcBuf, unsigned char **jpegBuf,
+ double start = getTime();
+
+ for (row = 0, dstPtr = dstBuf; row < ntilesh;
+- row++, dstPtr += pitch * tileh) {
++ row++, dstPtr += (size_t)pitch * tileh) {
+ for (col = 0, dstPtr2 = dstPtr; col < ntilesw;
+ col++, tile++, dstPtr2 += ps * tilew) {
+ int width = doTile ? min(tilew, w - col * tilew) : scaledw;