aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/gimp-CVE-2016-4994.patch96
-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-6265.patch30
-rw-r--r--gnu/packages/patches/mupdf-CVE-2016-6525.patch21
-rw-r--r--gnu/packages/patches/xf86-video-openchrome-glibc-2.20.patch15
4 files changed, 51 insertions, 111 deletions
diff --git a/gnu/packages/patches/gimp-CVE-2016-4994.patch b/gnu/packages/patches/gimp-CVE-2016-4994.patch
deleted file mode 100644
index 6c81c63386..0000000000
--- a/gnu/packages/patches/gimp-CVE-2016-4994.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-Fix CVE-2016-4994:
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4994
-
-Copied from upstream repository:
-https://git.gnome.org/browse/gimp/patch/?id=e82aaa4b4ee0703c879e35ea9321fff6be3e9b6f
-
-From e82aaa4b4ee0703c879e35ea9321fff6be3e9b6f Mon Sep 17 00:00:00 2001
-From: Shmuel H <shmuelgimp@gmail.com>
-Date: Mon, 20 Jun 2016 17:14:41 +0300
-Subject: Bug 767873 - (CVE-2016-4994) Multiple Use-After-Free when parsing...
-
-...XCF channel and layer properties
-
-The properties PROP_ACTIVE_LAYER, PROP_FLOATING_SELECTION,
-PROP_ACTIVE_CHANNEL saves the current object pointer the @info
-structure. Others like PROP_SELECTION (for channel) and
-PROP_GROUP_ITEM (for layer) will delete the current object and create
-a new object, leaving the pointers in @info invalid (dangling).
-
-Therefore, if a property from the first type will come before the
-second, the result will be an UaF in the last lines of xcf_load_image
-(when it actually using the pointers from @info).
-
-I wasn't able to exploit this bug because that
-g_object_instance->c_class gets cleared by the last g_object_unref and
-GIMP_IS_{LAYER,CHANNEL} detects that and return FALSE.
-
-(cherry picked from commit 6d804bf9ae77bc86a0a97f9b944a129844df9395)
----
- app/xcf/xcf-load.c | 29 +++++++++++++++++++++++++++++
- 1 file changed, 29 insertions(+)
-
-diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
-index b180377..67cc6d4 100644
---- a/app/xcf/xcf-load.c
-+++ b/app/xcf/xcf-load.c
-@@ -904,6 +904,18 @@ xcf_load_layer_props (XcfInfo *info,
- case PROP_GROUP_ITEM:
- {
- GimpLayer *group;
-+ gboolean is_active_layer;
-+
-+ /* We're going to delete *layer, Don't leave its pointers
-+ * in @info. After that, we'll restore them back with the
-+ * new pointer. See bug #767873.
-+ */
-+ is_active_layer = (*layer == info->active_layer);
-+ if (is_active_layer)
-+ info->active_layer = NULL;
-+
-+ if (*layer == info->floating_sel)
-+ info->floating_sel = NULL;
-
- group = gimp_group_layer_new (image);
-
-@@ -916,6 +928,13 @@ xcf_load_layer_props (XcfInfo *info,
- g_object_ref_sink (*layer);
- g_object_unref (*layer);
- *layer = group;
-+
-+ if (is_active_layer)
-+ info->active_layer = *layer;
-+
-+ /* Don't restore info->floating_sel because group layers
-+ * can't be floating selections
-+ */
- }
- break;
-
-@@ -986,6 +1005,12 @@ xcf_load_channel_props (XcfInfo *info,
- {
- GimpChannel *mask;
-
-+ /* We're going to delete *channel, Don't leave its pointer
-+ * in @info. See bug #767873.
-+ */
-+ if (*channel == info->active_channel)
-+ info->active_channel = NULL;
-+
- mask =
- gimp_selection_new (image,
- gimp_item_get_width (GIMP_ITEM (*channel)),
-@@ -1000,6 +1025,10 @@ xcf_load_channel_props (XcfInfo *info,
- *channel = mask;
- (*channel)->boundary_known = FALSE;
- (*channel)->bounds_known = FALSE;
-+
-+ /* Don't restore info->active_channel because the
-+ * selection can't be the active channel
-+ */
- }
- break;
-
---
-cgit v0.12
-
diff --git a/gnu/packages/patches/mupdf-CVE-2016-6265.patch b/gnu/packages/patches/mupdf-CVE-2016-6265.patch
new file mode 100644
index 0000000000..58f5c3726c
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-6265.patch
@@ -0,0 +1,30 @@
+Fix CVE-2016-6265 (use after free in pdf_load_xref()).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6265
+https://security-tracker.debian.org/tracker/CVE-2016-6265
+
+Patch copied from upstream source repository:
+
+http://git.ghostscript.com/?p=mupdf.git;h=fa1936405b6a84e5c9bb440912c23d532772f958
+
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 576c315..3222599 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -1184,8 +1184,14 @@ pdf_load_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "object offset out of range: %d (%d 0 R)", (int)entry->ofs, i);
+ }
+ if (entry->type == 'o')
+- if (entry->ofs <= 0 || entry->ofs >= xref_len || pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n')
+- fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i);
++ {
++ /* Read this into a local variable here, because pdf_get_xref_entry
++ * may solidify the xref, hence invalidating "entry", meaning we
++ * need a stashed value for the throw. */
++ fz_off_t ofs = entry->ofs;
++ if (ofs <= 0 || ofs >= xref_len || pdf_get_xref_entry(ctx, doc, ofs)->type != 'n')
++ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i);
++ }
+ }
+ }
+
diff --git a/gnu/packages/patches/mupdf-CVE-2016-6525.patch b/gnu/packages/patches/mupdf-CVE-2016-6525.patch
new file mode 100644
index 0000000000..370af5ade6
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-6525.patch
@@ -0,0 +1,21 @@
+Fix CVE-2016-6525 (heap overflow in pdf_load_mesh_params()).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6525
+https://security-tracker.debian.org/tracker/CVE-2016-6525
+
+Patch copied from upstream source repository:
+http://git.ghostscript.com/?p=mupdf.git;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e
+
+diff --git a/source/pdf/pdf-shade.c b/source/pdf/pdf-shade.c
+index 7815b3c..6e25efa 100644
+--- a/source/pdf/pdf-shade.c
++++ b/source/pdf/pdf-shade.c
+@@ -206,7 +206,7 @@ pdf_load_mesh_params(fz_context *ctx, pdf_document *doc, fz_shade *shade, pdf_ob
+ obj = pdf_dict_get(ctx, dict, PDF_NAME_Decode);
+ if (pdf_array_len(ctx, obj) >= 6)
+ {
+- n = (pdf_array_len(ctx, obj) - 4) / 2;
++ n = fz_mini(FZ_MAX_COLORS, (pdf_array_len(ctx, obj) - 4) / 2);
+ shade->u.m.x0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 0));
+ shade->u.m.x1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 1));
+ shade->u.m.y0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 2));
diff --git a/gnu/packages/patches/xf86-video-openchrome-glibc-2.20.patch b/gnu/packages/patches/xf86-video-openchrome-glibc-2.20.patch
deleted file mode 100644
index 4ed7ab00bf..0000000000
--- a/gnu/packages/patches/xf86-video-openchrome-glibc-2.20.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Allow builds with glibc 2.20.
-Based on a patch by Peter Hutterer <peter.hutterer@who-t.net>.
-See <https://raw.githubusercontent.com/openembedded/oe-core/master/meta/recipes-graphics/xorg-driver/xf86-input-synaptics/always_include_xorg_server.h.patch>.
-
---- xf86-video-openchrome-0.3.3/src/via_3d.h.~1~ 2013-05-23 11:11:28.000000000 -0400
-+++ xf86-video-openchrome-0.3.3/src/via_3d.h 2014-12-19 01:17:04.000953259 -0500
-@@ -24,6 +24,8 @@
- #ifndef VIA_3D_H
- #define VIA_3D_H
-
-+#include <xorg-server.h>
-+
- #include "xf86.h"
- #include "via_dmabuffer.h"
-