Backport fixes for CVE-2021-46829 and CVE-2021-44648

False positive, see https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/150

.gdk-pixbuf2.metadata

@@ -0,0 +1 @@
+320ed10a4cb74a0770de91a9e5741767ebdef2bf gdk-pixbuf-2.42.6.tar.xz

.gitignore

@@ -70,3 +70,4 @@ gdk-pixbuf-2.21.6.tar.bz2
 /gdk-pixbuf-2.40.0.tar.xz
 /gdk-pixbuf-2.42.2.tar.xz
 /gdk-pixbuf-2.42.4.tar.xz
+/gdk-pixbuf-2.42.6.tar.xz

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: desktop-qe.desktop-ci.tier1-gating.functional}

gdk-pixbuf2.spec

@@ -1,23 +1,27 @@
 %global glib2_version 2.56.0
 
 Name:           gdk-pixbuf2
-Version:        2.42.4
-Release:        2%{?dist}
+Version:        2.42.6
+Release:        3%{?dist}
 Summary:        An image loading library
 
 License:        LGPLv2+
 URL:            https://gitlab.gnome.org/GNOME/gdk-pixbuf
 Source0:        https://download.gnome.org/sources/gdk-pixbuf/2.42/gdk-pixbuf-%{version}.tar.xz
 
+Patch0:         gif-check-for-overflow.patch
+Patch1:         gif-lzw-code-size-overflow.patch
+
 BuildRequires:  docbook-style-xsl
 BuildRequires:  gettext
+BuildRequires:  git
 BuildRequires:  pkgconfig(gio-2.0) >= %{glib2_version}
 BuildRequires:  libpng-devel
 BuildRequires:  libjpeg-devel
 BuildRequires:  libtiff-devel
 BuildRequires:  libxslt
 BuildRequires:  meson
-BuildRequires:  pkgconfig(gobject-introspection-1.0) >= 0.9.3
+BuildRequires:  pkgconfig(gobject-introspection-1.0)
 # gdk-pixbuf does a configure time check which uses the GIO mime
 # layer; we need to actually have the mime type database.
 BuildRequires:  shared-mime-info
@@ -57,10 +61,10 @@ The %{name}-tests package contains tests that can be used to verify
 the functionality of the installed %{name} package.
 
 %prep
-%autosetup -n gdk-pixbuf-%{version} -p1
+%autosetup -n gdk-pixbuf-%{version} -p1 -Sgit
 
 %build
-%meson -Dbuiltin_loaders=png \
+%meson \
        -Dgtk_doc=false \
        -Dman=true \
        %{nil}
@@ -117,6 +121,22 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache
 %{_datadir}/installed-tests
 
 %changelog
+* Mon Oct 31 2022 Tomas Popela <tpopela@redhat.com> - 2.42.6-3
+- Backport fixes for CVE-2021-46829 and CVE-2021-44648
+- Resolves: rhbz#2115213
+- Resolves: rhbz#2044346
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.42.6-2
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Fri May 14 2021 Kalev Lember <klember@redhat.com> - 2.42.6-1
+- Update to 2.42.6
+- Use upstream defaults (png and jpeg) for builtin loaders
+
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.42.4-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
 * Tue Mar 23 2021 Kalev Lember <klember@redhat.com> - 2.42.4-2
 - Rebuild
 

gif-check-for-overflow.patch

@@ -0,0 +1,61 @@
+From 6976bdc8ee9dd2c2954f91066f7b0f643769a379 Mon Sep 17 00:00:00 2001
+From: Robert Ancell <robert.ancell@canonical.com>
+Date: Thu, 3 Jun 2021 11:05:56 +1200
+Subject: [PATCH] gif: Check for overflow when compositing or clearing frames.
+
+Fixes: #190
+
+Similar to fix in 086e8adf4cc352cd11572f96066b001b545f354e
+---
+ gdk-pixbuf/io-gif-animation.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
+index 8335cdd76..71d9265e6 100644
+--- a/gdk-pixbuf/io-gif-animation.c
++++ b/gdk-pixbuf/io-gif-animation.c
+@@ -369,7 +369,7 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
+         for (i = 0; i < n_indexes; i++) {
+                 guint8 index = index_buffer[i];
+                 guint x, y;
+-                int offset;
++                gsize offset;
+ 
+                 if (index == frame->transparent_index)
+                         continue;
+@@ -379,11 +379,13 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
+                 if (x >= anim->width || y >= anim->height)
+                         continue;
+ 
+-                offset = y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + x * 4;
+-                pixels[offset + 0] = frame->color_map[index * 3 + 0];
+-                pixels[offset + 1] = frame->color_map[index * 3 + 1];
+-                pixels[offset + 2] = frame->color_map[index * 3 + 2];
+-                pixels[offset + 3] = 255;
++                if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
++                    g_size_checked_add (&offset, offset, x * 4)) {
++                        pixels[offset + 0] = frame->color_map[index * 3 + 0];
++                        pixels[offset + 1] = frame->color_map[index * 3 + 1];
++                        pixels[offset + 2] = frame->color_map[index * 3 + 2];
++                        pixels[offset + 3] = 255;
++                }
+         }
+ 
+ out:
+@@ -448,8 +450,11 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
+                         x_end = MIN (anim->last_frame->x_offset + anim->last_frame->width, anim->width);
+                         y_end = MIN (anim->last_frame->y_offset + anim->last_frame->height, anim->height);
+                         for (y = anim->last_frame->y_offset; y < y_end; y++) {
+-                                guchar *line = pixels + y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + anim->last_frame->x_offset * 4;
+-                                memset (line, 0, (x_end - anim->last_frame->x_offset) * 4);
++                                gsize offset;
++                                if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
++                                    g_size_checked_add (&offset, offset, anim->last_frame->x_offset * 4)) {
++                                         memset (pixels + offset, 0, (x_end - anim->last_frame->x_offset) * 4);
++                                }
+                         }
+                         break;
+                 case GDK_PIXBUF_FRAME_REVERT:
+-- 
+GitLab
+

gif-lzw-code-size-overflow.patch

@@ -0,0 +1,224 @@
+From 76eda67dbc3f48c9dd6815a5aaf6014ea4a16771 Mon Sep 17 00:00:00 2001
+From: Robert Ancell <robert.ancell@canonical.com>
+Date: Wed, 2 Feb 2022 12:36:08 +1300
+Subject: [PATCH 1/4] Fix test GIF that was broken in the LZW code size, not
+ the values of the pixels
+
+---
+ .../test-images/gif-test-suite/invalid-colors.gif | Bin 37 -> 35 bytes
+ 1 file changed, 0 insertions(+), 0 deletions(-)
+
+diff --git a/tests/test-images/gif-test-suite/invalid-colors.gif b/tests/test-images/gif-test-suite/invalid-colors.gif
+index c3111525ac2d977a0dbedf917f2beae610b614f8..6c3a7240e6ba58c344051351eb3581887fa314c7 100644
+GIT binary patch
+delta 11
+ScmY#Yo*>J{%%s7|U=08YGy!b@
+
+delta 13
+UcmY#ZogmA>!}4E&fr-Hy01|-$Y5)KL
+
+-- 
+GitLab
+
+
+From 0cf97225c9c227d11fc4ddf9cba8e8480672ee1b Mon Sep 17 00:00:00 2001
+From: Robert Ancell <robert.ancell@canonical.com>
+Date: Wed, 2 Feb 2022 12:38:45 +1300
+Subject: [PATCH 2/4] Add an assertion that checks for maximum LZW code size
+
+---
+ gdk-pixbuf/lzw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c
+index 105daf2b1..15293560b 100644
+--- a/gdk-pixbuf/lzw.c
++++ b/gdk-pixbuf/lzw.c
+@@ -121,6 +121,8 @@ lzw_decoder_new (guint8 code_size)
+         LZWDecoder *self;
+         int i;
+ 
++        g_return_val_if_fail (code_size <= LZW_CODE_MAX, NULL);
++
+         self = g_object_new (lzw_decoder_get_type (), NULL);
+ 
+         self->min_code_size = code_size;
+-- 
+GitLab
+
+
+From 19ebba03117aefc9d0312f675f3a210ffdcc4907 Mon Sep 17 00:00:00 2001
+From: Robert Ancell <robert.ancell@canonical.com>
+Date: Wed, 2 Feb 2022 14:03:13 +1300
+Subject: [PATCH 3/4] Fix the check for maximum value of LZW initial code size.
+
+This value is the number of bits for each symbol (i.e. colour index) decoded via LZW.
+The maximum LZW code is specified as 12 bits, so the value here can only be 11 as two additional code words are required (clear and end of information) that immediately uses an additional bit.
+This implementation has always been wrong, and the Firefox implementation has the same issue so it seems a common misinterpretation of the spec.
+This has been changed here to avoid an assertion later in the LZW decoder.
+Note that there is never any reason for a GIF to be encoded with more than 8 bits of colour information, as the colour tables only support up to 8 bits.
+---
+ gdk-pixbuf/io-gif.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
+index 1befba155..310bdff6a 100644
+--- a/gdk-pixbuf/io-gif.c
++++ b/gdk-pixbuf/io-gif.c
+@@ -499,8 +499,8 @@ gif_prepare_lzw (GifContext *context)
+ 		/*g_message (_("GIF: EOF / read error on image data\n"));*/
+ 		return -1;
+ 	}
+-        
+-        if (context->lzw_set_code_size > 12) {
++
++        if (context->lzw_set_code_size >= 12) {
+                 g_set_error_literal (context->error,
+                                      GDK_PIXBUF_ERROR,
+                                      GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+-- 
+GitLab
+
+
+From 449441210921c8ed417b0c4d5edbccd2d57e23f8 Mon Sep 17 00:00:00 2001
+From: Robert Ancell <robert.ancell@canonical.com>
+Date: Wed, 2 Feb 2022 14:19:06 +1300
+Subject: [PATCH 4/4] Add tests for GIF files with invalid LZW code sizes
+
+---
+ tests/test-images/fail/overflow-codes-max.gif      | Bin 0 -> 65 bytes
+ tests/test-images/fail/overflow-codes.gif          | Bin 0 -> 35 bytes
+ tests/test-images/gif-test-suite/TESTS             |   2 ++
+ tests/test-images/gif-test-suite/invalid-code.conf |  11 +++++++++++
+ tests/test-images/gif-test-suite/invalid-code.gif  | Bin 0 -> 35 bytes
+ .../gif-test-suite/overflow-codes-max.conf         |  11 +++++++++++
+ .../gif-test-suite/overflow-codes-max.gif          | Bin 0 -> 65 bytes
+ .../test-images/gif-test-suite/overflow-codes.conf |  11 +++++++++++
+ .../test-images/gif-test-suite/overflow-codes.gif  | Bin 0 -> 35 bytes
+ 9 files changed, 35 insertions(+)
+ create mode 100644 tests/test-images/fail/overflow-codes-max.gif
+ create mode 100644 tests/test-images/fail/overflow-codes.gif
+ create mode 100644 tests/test-images/gif-test-suite/invalid-code.conf
+ create mode 100644 tests/test-images/gif-test-suite/invalid-code.gif
+ create mode 100644 tests/test-images/gif-test-suite/overflow-codes-max.conf
+ create mode 100644 tests/test-images/gif-test-suite/overflow-codes-max.gif
+ create mode 100644 tests/test-images/gif-test-suite/overflow-codes.conf
+ create mode 100644 tests/test-images/gif-test-suite/overflow-codes.gif
+
+diff --git a/tests/test-images/fail/overflow-codes-max.gif b/tests/test-images/fail/overflow-codes-max.gif
+new file mode 100644
+index 0000000000000000000000000000000000000000..3d507ca7daa790c9370e69a2ab277f55d749a013
+GIT binary patch
+literal 65
+ncmZ?wbhEHbWMW`q_`m=H|NsBj0ns24hW`ozAU1Bm$Y2csUc3i2
+
+literal 0
+HcmV?d00001
+
+diff --git a/tests/test-images/fail/overflow-codes.gif b/tests/test-images/fail/overflow-codes.gif
+new file mode 100644
+index 0000000000000000000000000000000000000000..c38053872ae2e3378ff6fb8f3eaff839fa5d35ed
+GIT binary patch
+literal 35
+jcmZ?wbhEHbWMW`q_`m=H|NsBj0ns241|B8>Mh0sDhc^Z!
+
+literal 0
+HcmV?d00001
+
+diff --git a/tests/test-images/gif-test-suite/TESTS b/tests/test-images/gif-test-suite/TESTS
+index 1d4a3f13f..bc573acf4 100644
+--- a/tests/test-images/gif-test-suite/TESTS
++++ b/tests/test-images/gif-test-suite/TESTS
+@@ -44,6 +44,8 @@ max-height
+ 255-codes
+ large-codes
+ max-codes
++#overflow-codes
++#overflow-codes-max
+ transparent
+ invalid-transparent
+ disabled-transparent
+diff --git a/tests/test-images/gif-test-suite/invalid-code.conf b/tests/test-images/gif-test-suite/invalid-code.conf
+new file mode 100644
+index 000000000..3bf287b4e
+--- /dev/null
++++ b/tests/test-images/gif-test-suite/invalid-code.conf
+@@ -0,0 +1,11 @@
++# Automatically generated, do not edit!
++[config]
++input = invalid-code.gif
++version = GIF89a
++width = 2
++height = 2
++background = #000000
++loop-count = 0
++force-animation = no
++frames = 
++
+diff --git a/tests/test-images/gif-test-suite/invalid-code.gif b/tests/test-images/gif-test-suite/invalid-code.gif
+new file mode 100644
+index 0000000000000000000000000000000000000000..7d929c9431c0c5b7cd53f636f7711d47385f88b2
+GIT binary patch
+literal 35
+jcmZ?wbhEHbWMW`q_`m=H|NsBj0ns241}3Ke{~4?Sjj;#^
+
+literal 0
+HcmV?d00001
+
+diff --git a/tests/test-images/gif-test-suite/overflow-codes-max.conf b/tests/test-images/gif-test-suite/overflow-codes-max.conf
+new file mode 100644
+index 000000000..f6d3f38d8
+--- /dev/null
++++ b/tests/test-images/gif-test-suite/overflow-codes-max.conf
+@@ -0,0 +1,11 @@
++# Automatically generated, do not edit!
++[config]
++input = overflow-codes-max.gif
++version = GIF89a
++width = 2
++height = 2
++background = #000000
++loop-count = 0
++force-animation = no
++frames = 
++
+diff --git a/tests/test-images/gif-test-suite/overflow-codes-max.gif b/tests/test-images/gif-test-suite/overflow-codes-max.gif
+new file mode 100644
+index 0000000000000000000000000000000000000000..3d507ca7daa790c9370e69a2ab277f55d749a013
+GIT binary patch
+literal 65
+ncmZ?wbhEHbWMW`q_`m=H|NsBj0ns24hW`ozAU1Bm$Y2csUc3i2
+
+literal 0
+HcmV?d00001
+
+diff --git a/tests/test-images/gif-test-suite/overflow-codes.conf b/tests/test-images/gif-test-suite/overflow-codes.conf
+new file mode 100644
+index 000000000..19f57fa74
+--- /dev/null
++++ b/tests/test-images/gif-test-suite/overflow-codes.conf
+@@ -0,0 +1,11 @@
++# Automatically generated, do not edit!
++[config]
++input = overflow-codes.gif
++version = GIF89a
++width = 2
++height = 2
++background = #000000
++loop-count = 0
++force-animation = no
++frames = 
++
+diff --git a/tests/test-images/gif-test-suite/overflow-codes.gif b/tests/test-images/gif-test-suite/overflow-codes.gif
+new file mode 100644
+index 0000000000000000000000000000000000000000..c38053872ae2e3378ff6fb8f3eaff839fa5d35ed
+GIT binary patch
+literal 35
+jcmZ?wbhEHbWMW`q_`m=H|NsBj0ns241|B8>Mh0sDhc^Z!
+
+literal 0
+HcmV?d00001
+
+-- 
+GitLab
+

rpminspect.yaml

@@ -0,0 +1,14 @@
+---
+# False positive - see https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/150
+#virus:
+#    ignore:
+#        - /usr/libexec/installed-tests/gdk-pixbuf/test-images/gif-test-suite/max-width.gif
+# We have to ignore the file as a whole in rpminspect as it's not possible to
+# ignore it just for virus test in rpminspect - reported as
+# https://github.com/rpminspect/rpminspect/issues/604
+#ignore:
+#    - /usr/libexec/installed-tests/gdk-pixbuf/test-images/gif-test-suite/max-width.gif
+# Seems that we're not able to exclude the file as it's virus scanned anyway,
+# hence we have to disable the whole test.
+inspections:
+    virus: off

sources

@@ -1 +1 @@
-SHA512 (gdk-pixbuf-2.42.4.tar.xz) = b1eca16719e749d111c33592892ab18e2a1dc5f69a16762860bb54e0c97f535d7049fc388ce9daa025153ff2af56a367d8b164fa4025ee9a0131825a6108f772
+SHA512 (gdk-pixbuf-2.42.6.tar.xz) = 02e6d89de6cb6c9768d5173dada88c038e2454b4345ebc6f7b012d484303c08e53b58f085e872290555e1ccb74a478fa6cef4623a75f2e1f05c27bfc4e986f4d