From ed7732bc625585e6ec51c6f60716c8a6a916082b Mon Sep 17 00:00:00 2001 From: Alex Vong Date: Sat, 11 Feb 2017 22:58:19 +0800 Subject: gnu: lcms: Mention CVE-2016-10165. * gnu/packages/patches/lcms-fix-out-of-bounds-read.patch: Rename to ... * gnu/packages/patches/lcms-CVE-2016-10165.patch: ... this. * gnu/local.mk (dist_patch_DATA): Adjust. * gnu/packages/ghostscript.scm (lcms)[source]: Use renamed patch. Signed-off-by: Marius Bakke --- gnu/local.mk | 3 +- gnu/packages/ghostscript.scm | 2 +- gnu/packages/patches/lcms-CVE-2016-10165.patch | 36 ++++++++++++++++++++++ .../patches/lcms-fix-out-of-bounds-read.patch | 34 -------------------- 4 files changed, 39 insertions(+), 36 deletions(-) create mode 100644 gnu/packages/patches/lcms-CVE-2016-10165.patch delete mode 100644 gnu/packages/patches/lcms-fix-out-of-bounds-read.patch diff --git a/gnu/local.mk b/gnu/local.mk index 753c0ef053..af9dfff0f8 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -9,6 +9,7 @@ # Copyright © 2016 Adonay "adfeno" Felipe Nogueira # Copyright © 2016, 2017 Ricardo Wurmus # Copyright © 2016 Ben Woodcroft +# Copyright © 2016, 2017 Alex Vong # # This file is part of GNU Guix. # @@ -656,7 +657,7 @@ dist_patch_DATA = \ %D%/packages/patches/kobodeluxe-midicon-segmentation-fault.patch \ %D%/packages/patches/kobodeluxe-graphics-window-signed-char.patch \ %D%/packages/patches/laby-make-install.patch \ - %D%/packages/patches/lcms-fix-out-of-bounds-read.patch \ + %D%/packages/patches/lcms-CVE-2016-10165.patch \ %D%/packages/patches/ldc-disable-tests.patch \ %D%/packages/patches/ldc-1.1.0-disable-dmd-tests.patch \ %D%/packages/patches/ldc-1.1.0-disable-phobos-tests.patch \ diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm index 4b8e62348c..826a2fc374 100644 --- a/gnu/packages/ghostscript.scm +++ b/gnu/packages/ghostscript.scm @@ -45,7 +45,7 @@ (define-public lcms (method url-fetch) (uri (string-append "mirror://sourceforge/lcms/lcms/" version "/lcms2-" version ".tar.gz")) - (patches (search-patches "lcms-fix-out-of-bounds-read.patch")) + (patches (search-patches "lcms-CVE-2016-10165.patch")) (sha256 (base32 "08pvl289g0mbznzx5l6ibhaldsgx41kwvdn2c974ga9fkli2pl36")))) (build-system gnu-build-system) diff --git a/gnu/packages/patches/lcms-CVE-2016-10165.patch b/gnu/packages/patches/lcms-CVE-2016-10165.patch new file mode 100644 index 0000000000..fa4d75c9ee --- /dev/null +++ b/gnu/packages/patches/lcms-CVE-2016-10165.patch @@ -0,0 +1,36 @@ +Fix CVE-2016-10165, an out-of-bounds heap read in Type_MLU_Read(): + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10165 +http://seclists.org/oss-sec/2016/q3/288 +https://bugzilla.redhat.com/show_bug.cgi?id=1367357 +https://security-tracker.debian.org/tracker/CVE-2016-10165 + +Patch copied from upstream source repository: + +https://github.com/mm2/Little-CMS/commit/5ca71a7bc18b6897ab21d815d15e218e204581e2 + +From 5ca71a7bc18b6897ab21d815d15e218e204581e2 Mon Sep 17 00:00:00 2001 +From: Marti +Date: Mon, 15 Aug 2016 23:31:39 +0200 +Subject: [PATCH] Added an extra check to MLU bounds + +Thanks to Ibrahim el-sayed for spotting the bug +--- + src/cmstypes.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/cmstypes.c b/src/cmstypes.c +index cb61860..c7328b9 100644 +--- a/src/cmstypes.c ++++ b/src/cmstypes.c +@@ -1460,6 +1460,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU + + // Check for overflow + if (Offset < (SizeOfHeader + 8)) goto Error; ++ if ((Offset + Len) > SizeOfTag + 8) goto Error; + + // True begin of the string + BeginOfThisString = Offset - SizeOfHeader - 8; +-- +2.11.0 + diff --git a/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch b/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch deleted file mode 100644 index d9f7ac6a36..0000000000 --- a/gnu/packages/patches/lcms-fix-out-of-bounds-read.patch +++ /dev/null @@ -1,34 +0,0 @@ -Fix an out-of-bounds heap read in Type_MLU_Read(): - -http://seclists.org/oss-sec/2016/q3/288 -https://bugzilla.redhat.com/show_bug.cgi?id=1367357 - -Patch copied from upstream source repository: - -https://github.com/mm2/Little-CMS/commit/5ca71a7bc18b6897ab21d815d15e218e204581e2 - -From 5ca71a7bc18b6897ab21d815d15e218e204581e2 Mon Sep 17 00:00:00 2001 -From: Marti -Date: Mon, 15 Aug 2016 23:31:39 +0200 -Subject: [PATCH] Added an extra check to MLU bounds - -Thanks to Ibrahim el-sayed for spotting the bug ---- - src/cmstypes.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/cmstypes.c b/src/cmstypes.c -index cb61860..c7328b9 100644 ---- a/src/cmstypes.c -+++ b/src/cmstypes.c -@@ -1460,6 +1460,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU - - // Check for overflow - if (Offset < (SizeOfHeader + 8)) goto Error; -+ if ((Offset + Len) > SizeOfTag + 8) goto Error; - - // True begin of the string - BeginOfThisString = Offset - SizeOfHeader - 8; --- -2.11.0 - -- cgit v1.2.3