From 43acfcb2c77fd9d8b08e3e4366248bdc20c998e9 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Mon, 24 Apr 2017 01:03:34 -0400
Subject: libcroco: Fix CVE-2017-{7960,7961}. * gnu/packages/gnome.scm (libcroco)[replacement]: New field. (libcroco/fixed): New variable. * gnu/packages/patches/libcroco-CVE-2017-7960.patch, gnu/packages/patches/libcroco-CVE-2017-7961.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them.
---
 gnu/packages/patches/libcroco-CVE-2017-7960.patch | 66 +++++++++++++++++++++++
 gnu/packages/patches/libcroco-CVE-2017-7961.patch | 50 +++++++++++++++++
 2 files changed, 116 insertions(+)
 create mode 100644 gnu/packages/patches/libcroco-CVE-2017-7960.patch
 create mode 100644 gnu/packages/patches/libcroco-CVE-2017-7961.patch
(limited to 'gnu/packages/patches')
diff --git a/gnu/packages/patches/libcroco-CVE-2017-7960.patch b/gnu/packages/patches/libcroco-CVE-2017-7960.patch
new file mode 100644
index 0000000000..0319c7389f
--- /dev/null
+++ b/gnu/packages/patches/libcroco-CVE-2017-7960.patch
@@ -0,0 +1,66 @@
+Fix CVE-2017-7960:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7960
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394
+
+From 898e3a8c8c0314d2e6b106809a8e3e93cf9d4394 Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro
+Date: Sun, 16 Apr 2017 13:13:43 +0200
+Subject: input: check end of input before reading a byte
+
+When reading bytes we weren't check that the index wasn't
+out of bound and this could produce an invalid read which
+could deal to a security bug.
+---
+ src/cr-input.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/cr-input.c b/src/cr-input.c
+index 49000b1..3b63a88 100644
+--- a/src/cr-input.c
++++ b/src/cr-input.c
+@@ -256,7 +256,7 @@ cr_input_new_from_uri (const gchar * a_file_uri, enum CREncoding a_enc)
+ *we should free buf here because it's own by CRInput.
+ *(see the last parameter of cr_input_new_from_buf().
+ */
+- buf = NULL ;
++ buf = NULL;
+ }
+
+ cleanup:
+@@ -404,6 +404,8 @@ cr_input_get_nb_bytes_left (CRInput const * a_this)
+ enum CRStatus
+ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ {
++ gulong nb_bytes_left = 0;
++
+ g_return_val_if_fail (a_this && PRIVATE (a_this)
+ && a_byte, CR_BAD_PARAM_ERROR);
+
+@@ -413,6 +415,12 @@ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ if (PRIVATE (a_this)->end_of_input == TRUE)
+ return CR_END_OF_INPUT_ERROR;
+
++ nb_bytes_left = cr_input_get_nb_bytes_left (a_this);
++
++ if (nb_bytes_left < 1) {
++ return CR_END_OF_INPUT_ERROR;
++ }
++
+ *a_byte = PRIVATE (a_this)->in_buf[PRIVATE (a_this)->next_byte_index];
+
+ if (PRIVATE (a_this)->nb_bytes -
+@@ -477,7 +485,6 @@ cr_input_read_char (CRInput * a_this, guint32 * a_char)
+ if (*a_char == '\n') {
+ PRIVATE (a_this)->end_of_line = TRUE;
+ }
+-
+ }
+
+ return status;
+--
+cgit v0.12
+
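Review bot: In `cr_input_read_byte` the new local is declared `gulong nb_bytes_left`, so a negative return from `cr_input_get_nb_bytes_left` would wrap to a very large value and pass the `nb_bytes_left < 1` test. That helper's definition is outside this patch, so its return type needs confirming; if it is signed and returns -1 when its index invariants fail, that is exactly the state in which `in_buf[next_byte_index]` would read out of bounds. Declaring the local as `glong nb_bytes_left = 0;` keeps the existing comparison correct for both end of input and the error return. The body of `cr_input_read_byte` continues outside the inner hunk.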
diff --git a/gnu/packages/patches/libcroco-CVE-2017-7961.patch b/gnu/packages/patches/libcroco-CVE-2017-7961.patch
new file mode 100644
index 0000000000..675dbe4f08
--- /dev/null
+++ b/gnu/packages/patches/libcroco-CVE-2017-7961.patch
@@ -0,0 +1,50 @@
+Fix CVE-2017-7961:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7961
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/libcroco/commit/?id=9ad72875e9f08e4c519ef63d44cdbd94aa9504f7
+
+From 9ad72875e9f08e4c519ef63d44cdbd94aa9504f7 Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro
+Date: Sun, 16 Apr 2017 13:56:09 +0200
+Subject: tknzr: support only max long rgb values
+
+This fixes a possible out of bound when reading rgbs which
+are longer than the support MAXLONG
+---
+ src/cr-tknzr.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/cr-tknzr.c b/src/cr-tknzr.c
+index 1a7cfeb..1548c35 100644
+--- a/src/cr-tknzr.c
++++ b/src/cr-tknzr.c
+@@ -1279,6 +1279,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
+ status = cr_tknzr_parse_num (a_this, &num);
+ ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
+
++ if (num->val > G_MAXLONG) {
++ status = CR_PARSING_ERROR;
++ goto error;
++ }
++
+ red = num->val;
+ cr_num_destroy (num);
+ num = NULL;
+@@ -1298,6 +1303,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
+ status = cr_tknzr_parse_num (a_this, &num);
+ ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
+
++ if (num->val > G_MAXLONG) {
++ status = CR_PARSING_ERROR;
++ goto error;
++ }
++
+ PEEK_BYTE (a_this, 1, &next_bytes[0]);
+ if (next_bytes[0] == '%') {
+ SKIP_CHARS (a_this, 1);
+--
+cgit v0.12
+
-- cgit v1.2.3
From 0611abff32ddf0dd6cfbbff74aee4c9a7abe1936 Mon Sep 17 00:00:00 2001
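Review bot: The added `if (num->val > G_MAXLONG)` guard in `cr_tknzr_parse_rgb` bounds the value only from above, so a very negative or NaN `num->val` (if the number parser, which is outside this patch, can produce one) still reaches `red = num->val`. If `val` is a double, `G_MAXLONG` is also rounded up in the comparison on 64-bit targets, so the first out-of-range value passes the test. A two-sided test such as `if (!(num->val > G_MINLONG && num->val < G_MAXLONG))` would reject all of these in both added blocks. Both blocks also `goto error` while `num` is still allocated, whereas the normal path calls `cr_num_destroy (num)`; the `error:` label is outside the hunks, so confirm that it frees `num`.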
From: Kei Kebreau
Date: Sun, 23 Apr 2017 14:04:41 -0400
Subject: gnu: wmfire: Update source code for new GDK versions. * gnu/packages/patches/wmfire-update-for-new-gdk-versions.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gnustep.scm (wmfire)[source]: Add patch.
---
 gnu/local.mk | 1 +
 gnu/packages/gnustep.scm | 5 +-
 .../wmfire-update-for-new-gdk-versions.patch | 144 +++++++++++++++++++++
 3 files changed, 149 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/wmfire-update-for-new-gdk-versions.patch
(limited to 'gnu/packages/patches')
diff --git a/gnu/local.mk b/gnu/local.mk
index f7ffd4e94c..cb94d27e99 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -996,6 +996,7 @@ dist_patch_DATA = \
 %D%/packages/patches/wicd-urwid-1.3.patch \
 %D%/packages/patches/wicd-wpa2-ttls.patch \
 %D%/packages/patches/wmctrl-64-fix.patch \
+ %D%/packages/patches/wmfire-update-for-new-gdk-versions.patch \
 %D%/packages/patches/woff2-libbrotli.patch \
 %D%/packages/patches/wordnet-CVE-2008-2149.patch \
 %D%/packages/patches/wordnet-CVE-2008-3908-pt1.patch \
diff --git a/gnu/packages/gnustep.scm b/gnu/packages/gnustep.scm
index 6e729165c9..e2ee4748ff 100644
--- a/gnu/packages/gnustep.scm
+++ b/gnu/packages/gnustep.scm
@@ -22,6 +22,7 @@ (define-module (gnu packages gnustep)
 #:use-module (guix packages)
 #:use-module (guix build-system gnu)
 #:use-module (guix licenses)
+ #:use-module (gnu packages)
 #:use-module (gnu packages xorg)
 #:use-module (gnu packages gnome)
 #:use-module (gnu packages gtk)
@@ -244,7 +245,9 @@ (define-public wmfire
 name "/" name "-" version ".tar.gz"))
 (sha256
 (base32
- "101grahd80n97y2dczb629clmcgiavdpbbwy78kk5wgs362m12z3"))))
+ "101grahd80n97y2dczb629clmcgiavdpbbwy78kk5wgs362m12z3"))
+ (patches
+ (search-patches "wmfire-update-for-new-gdk-versions.patch"))))
 (build-system gnu-build-system)
 (inputs
 `(("gtk+" ,gtk+-2)
diff --git a/gnu/packages/patches/wmfire-update-for-new-gdk-versions.patch b/gnu/packages/patches/wmfire-update-for-new-gdk-versions.patch
new file mode 100644
index 0000000000..51d6c3e791
--- /dev/null
+++ b/gnu/packages/patches/wmfire-update-for-new-gdk-versions.patch
@@ -0,0 +1,144 @@
+This patch comes from Debian and was modified by Kei Kebreau .
+Link: https://anonscm.debian.org/cgit/pkg-wmaker/wmfire.git/plain/debian/patches/gdk_updates.patch?h=debian/1.2.4-2&id=a272234fc5eecdbfc469adb12133196bc62f3059
+
+Description: Update for newer versions of GDK.
+ In particular, the icon window was not receiving enter and leave events from
+ the pointer. To fix this, we get rid of the second GdkWindow iconwin entirely
+ and set win to be its own icon.
+ .
+ This also removes the need for the "broken window manager" fix, so we remove it
+ and all references to it.
+Author: Doug Torrance
+
+diff -ur wmfire-1.2.4.old/src/wmfire.c wmfire-1.2.4/src/wmfire.c
+--- wmfire-1.2.4.old/src/wmfire.c 2017-04-23 14:26:58.449487117 -0400
++++ wmfire-1.2.4/src/wmfire.c 2017-04-23 14:32:10.785238671 -0400
+@@ -77,7 +77,6 @@
+ typedef struct {
+ Display *display; /* X11 display */
+ GdkWindow *win; /* Main window */
+- GdkWindow *iconwin; /* Icon window */
+ GdkGC *gc; /* Drawing GC */
+ GdkPixmap *pixmap; /* Main pixmap */
+ GdkBitmap *mask; /* Dockapp mask */
+@@ -141,7 +140,6 @@
+ int cmap = 0;
+ int lock = 0;
+ int proximity = 0;
+-int broken_wm = 0;
+
+ /******************************************/
+ /* Main */
+@@ -262,12 +260,8 @@
+ usleep(REFRESH);
+
+ /* Draw the rgb buffer to screen */
+- if (!broken_wm)
+- gdk_draw_rgb_image(bm.iconwin, bm.gc, 4, 4, XMAX, YMAX, GDK_RGB_DITHER_NONE, bm.rgb, XMAX * 3);
+- else
+- gdk_draw_rgb_image(bm.win, bm.gc, 4, 4, XMAX, YMAX, GDK_RGB_DITHER_NONE, bm.rgb, XMAX * 3);
++ gdk_draw_rgb_image(bm.win, bm.gc, 4, 4, XMAX, YMAX, GDK_RGB_DITHER_NONE, bm.rgb, XMAX * 3);
+ }
+-
+ return 0;
+ }
+
+@@ -556,9 +550,7 @@
+ #define MASK GDK_BUTTON_PRESS_MASK | GDK_ENTER_NOTIFY_MASK | GDK_LEAVE_NOTIFY_MASK | GDK_POINTER_MOTION_HINT_MASK
+
+ GdkWindowAttr attr;
+- GdkWindowAttr attri;
+ Window win;
+- Window iconwin;
+
+ GdkPixmap *icon;
+
+@@ -578,10 +570,6 @@
+ attr.wmclass_class = "wmfire";
+ attr.window_type = GDK_WINDOW_TOPLEVEL;
+
+- /* Make a copy for the iconwin - parameters are the same */
+- memcpy(&attri, &attr, sizeof (GdkWindowAttr));
+- attri.window_type = GDK_WINDOW_CHILD;
+-
+ sizehints.flags = USSize;
+ sizehints.width = 64;
+ sizehints.height = 64;
+@@ -592,18 +580,11 @@
+ exit(1);
+ }
+
+- bm.iconwin = gdk_window_new(bm.win, &attri, GDK_WA_TITLE | GDK_WA_WMCLASS);
+- if (!bm.iconwin) {
+- fprintf(stderr, "FATAL: Cannot make icon window\n");
+- exit(1);
+- }
+-
+ win = GDK_WINDOW_XWINDOW(bm.win);
+- iconwin = GDK_WINDOW_XWINDOW(bm.iconwin);
+ XSetWMNormalHints(GDK_WINDOW_XDISPLAY(bm.win), win, &sizehints);
+
+ wmhints.initial_state = WithdrawnState;
+- wmhints.icon_window = iconwin;
++ wmhints.icon_window = win;
+ wmhints.icon_x = 0;
+ wmhints.icon_y = 0;
+ wmhints.window_group = win;
+@@ -613,10 +594,8 @@
+
+ bm.pixmap = gdk_pixmap_create_from_xpm_d(bm.win, &(bm.mask), NULL, master_xpm);
+ gdk_window_shape_combine_mask(bm.win, bm.mask, 0, 0);
+- gdk_window_shape_combine_mask(bm.iconwin, bm.mask, 0, 0);
+
+ gdk_window_set_back_pixmap(bm.win, bm.pixmap, False);
+- gdk_window_set_back_pixmap(bm.iconwin, bm.pixmap, False);
+
+ #if 0
+ gdk_window_set_type_hint(bm.win, GDK_WINDOW_TYPE_HINT_DOCK);
+@@ -626,7 +605,6 @@
+ #endif
+
+ icon = gdk_pixmap_create_from_xpm_d(bm.win, NULL, NULL, icon_xpm);
+- gdk_window_set_icon(bm.win, bm.iconwin, icon, NULL);
+
+ gdk_window_show(bm.win);
+
+@@ -721,9 +699,6 @@
+ case 'l':
+ lock = 1;
+ break;
+- case 'b':
+- broken_wm = 1;
+- break;
+ case 'h':
+ default:
+ do_help();
+@@ -766,6 +741,5 @@
+ for (i = 0; i < NFLAMES; i++)
+ fprintf(stderr, "%d:%s ", i + 1, fire[i].text);
+ fprintf(stderr, "\n\t-l\t\t\tlock flame colour and monitor\n");
+- fprintf(stderr, "\t-b\t\t\tactivate broken window manager fix\n");
+ fprintf(stderr, "\t-h\t\t\tprints this help\n");
+ }
+Only in wmfire-1.2.4/src: wmfire.c~
+diff -ur wmfire-1.2.4.old/wmfire.1 wmfire-1.2.4/wmfire.1
+--- wmfire-1.2.4.old/wmfire.1 2017-04-23 14:26:58.449487117 -0400
++++ wmfire-1.2.4/wmfire.1 2017-04-23 14:41:20.697186114 -0400
+@@ -8,7 +8,6 @@
+
+ .SH SYNOPSIS
+ .B wmfire
+-[-b]
+ [-c CPU]
+ [-f COLOUR]
+ [-F FILE]
+@@ -54,9 +53,6 @@
+
+ .SH OPTIONS
+ .TP
+-.B -b
+-Activate broken window manager fix (if grey box diplayed)
+-.TP
+ .B -c [0..3]
+ .br
+ Monitor SMP CPU number X
-- cgit v1.2.3
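Review bot: The line `icon = gdk_pixmap_create_from_xpm_d(bm.win, NULL, NULL, icon_xpm);` is still executed after this patch, but its only consumer visible here, `gdk_window_set_icon(bm.win, bm.iconwin, icon, NULL);`, is removed, so the pixmap appears to be created and never used. If nothing outside the hunks reads `icon`, drop the declaration and the assignment, or keep the icon with `gdk_window_set_icon(bm.win, NULL, icon, NULL);`. The `case 'b':` branch is removed as well, while the getopt option string is not part of the patch, so check that `b` was dropped from it too. The `Only in wmfire-1.2.4/src: wmfire.c~` line is `diff -ur` output about an editor backup file and can be deleted from the patch file.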