author | Marius Bakke <mbakke@fastmail.com> | 2019-12-04 22:18:43 +0100 |
---|---|---|
committer | Marius Bakke <mbakke@fastmail.com> | 2019-12-04 23:18:24 +0100 |
commit | 0fa9f29a5100f19a8494521659a1fa3baaa7fd0e (patch) | |
tree | ad38f1e1230e517d62d009be46d30c19e665a708 /gnu | |
parent | 4fe7adcbcc5465da8adfd5d85375546905cf9eca (diff) | |
gnu: libjpeg-turbo: Fix CVE-2019-13960 and CVE-2019-2201.
* gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch: New file.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/image.scm (libjpeg-turbo/fixed): New variable.
(libjpeg-turbo)[replacement]: New field.
Diffstat (limited to 'gnu')
-rw-r--r-- | gnu/local.mk | 1 | ||||
-rw-r--r-- | gnu/packages/image.scm | 17 | ||||
-rw-r--r-- | gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch | 31 |
3 files changed, 48 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 0494f1d05d..6c484e2046 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1062,6 +1062,7 @@ dist_patch_DATA = \
 %D%/packages/patches/libgnomeui-utf8.patch \
 %D%/packages/patches/libgpg-error-gawk-compat.patch \
 %D%/packages/patches/libffi-3.2.1-complex-alpha.patch \
+ %D%/packages/patches/libjpeg-turbo-CVE-2019-2201.patch \
 %D%/packages/patches/libjxr-fix-function-signature.patch \
 %D%/packages/patches/libjxr-fix-typos.patch \
 %D%/packages/patches/libotr-test-auth-fix.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 731a1e8aed..71bd381cef 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -19,7 +19,7 @@
 ;;; Copyright © 2018 Joshua Sierles, Nextjournal <joshua@nextjournal.com>
 ;;; Copyright © 2018 Fis Trivial <ybbs.daans@hotmail.com>
 ;;; Copyright © 2018 Pierre Neidhardt <mail@ambrevar.xyz>
-;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2018, 2019 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2018 Pierre-Antoine Rouby <contact@parouby.fr>
 ;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
 ;;; Copyright © 2018 Rutger Helling <rhelling@mykolab.com>
@@ -1489,6 +1489,7 @@ is hereby granted."))))
 (package
 (name "libjpeg-turbo")
 (version "2.0.2")
+ (replacement libjpeg-turbo/fixed)
 (source (origin
 (method url-fetch)
 (uri (string-append "mirror://sourceforge/libjpeg-turbo/"
@@ -1518,6 +1519,20 @@ and decompress to 32-bit and big-endian pixel buffers (RGBX, XBGR, etc.).")
 license:ijg ;the libjpeg library and associated tools
 license:zlib)))) ;the libjpeg-turbo SIMD extensions
 
+;; Replacement package to fix CVE-2019-13960 and CVE-2019-2201.
+(define libjpeg-turbo/fixed
+ (package
+ (inherit libjpeg-turbo)
+ (version "2.0.3")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "mirror://sourceforge/libjpeg-turbo/"
+ version "/libjpeg-turbo-" version ".tar.gz"))
+ (sha256
+ (base32
+ "1ds16bnj17v6hzd43w8pzijz3imd9am4hw75ir0fxm240m8dwij2"))
+ (patches (search-patches "libjpeg-turbo-CVE-2019-2201.patch"))))))
+
 (define-public niftilib
 (package
 (name "niftilib")
diff --git a/gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch b/gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch
new file mode 100644
index 0000000000..35f2bf5963
--- /dev/null
+++ b/gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch
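Review bot: The comment above `libjpeg-turbo/fixed` names two CVEs but does not say which part of the replacement covers which; the only patch applied is named for CVE-2019-2201, so CVE-2019-13960 is presumably addressed by the move from 2.0.2 to 2.0.3 itself. I would record that split in the comment, for example `;; Graft: 2.0.3 (presumably covers CVE-2019-13960) plus the upstream follow-up patch for CVE-2019-2201.`, so whoever next updates the package knows the patch can be dropped once a release contains it. Because the fix is delivered through the `replacement` field added to `libjpeg-turbo` in the previous hunk, it reaches dependents by grafting rather than by a rebuild; anything that bundles or statically links its own copy of the library would not pick it up and is worth checking separately.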
@@ -0,0 +1,31 @@
+Fix integer overflow which can potentially lead to RCE.
+
+https://www.openwall.com/lists/oss-security/2019/11/11/1
+https://nvd.nist.gov/vuln/detail/CVE-2019-2201
+
+The problem was partially fixed in 2.0.3. This patch is a follow-up.
+https://github.com/libjpeg-turbo/libjpeg-turbo/issues/388
+https://github.com/libjpeg-turbo/libjpeg-turbo/commit/c30b1e72dac76343ef9029833d1561de07d29bad
+
+diff --git a/tjbench.c b/tjbench.c
+index a7d397318..13a5bde62 100644
+--- a/tjbench.c
++++ b/tjbench.c
+@@ -171,7 +171,7 @@ static int decomp(unsigned char *srcBuf, unsigned char **jpegBuf,
+ }
+ /* Set the destination buffer to gray so we know whether the decompressor
+ attempted to write to it */
+- memset(dstBuf, 127, pitch * scaledh);
++ memset(dstBuf, 127, (size_t)pitch * scaledh);
+
+ if (doYUV) {
+ int width = doTile ? tilew : scaledw;
+@@ -193,7 +193,7 @@ static int decomp(unsigned char *srcBuf, unsigned char **jpegBuf,
+ double start = getTime();
+
+ for (row = 0, dstPtr = dstBuf; row < ntilesh;
+- row++, dstPtr += pitch * tileh) {
++ row++, dstPtr += (size_t)pitch * tileh) {
+ for (col = 0, dstPtr2 = dstPtr; col < ntilesw;
+ col++, tile++, dstPtr2 += ps * tilew) {
+ int width = doTile ? min(tilew, w - col * tilew) : scaledw;
|
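Review bot: The two `(size_t)` casts in `decomp()` widen the multiplication only to the width of `size_t`, so on a 32-bit target `(size_t)pitch * scaledh` and `(size_t)pitch * tileh` can still wrap. Nothing in these hunks bounds `pitch`, `scaledh` or `tileh`, and the body of `decomp()` continues outside both hunks, so a guard may already exist elsewhere. If it does not, a check such as `if (scaledh > 0 && (size_t)pitch > SIZE_MAX / (size_t)scaledh)` ahead of the `memset` would close that gap, and it is worth confirming that the `dstBuf` allocation uses the same widened expression as the `memset` length. The patch header could also state that the change is confined to `tjbench.c`, which by its name appears to be the benchmark program rather than the library, so readers weighing the "RCE" wording know what is actually exposed.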