Resolves: rhbz#660161 security issues

2010-12-06 15:05:21 +00:00 · 2010-12-06 15:05:21 +00:00 · 866d0616c7
commit 866d0616c7
parent 3d3c6a6c5f
8 changed files with 218 additions and 19 deletions
--- a/libwmf-0.2.8.4-CAN-2004-0941.patch
+++ b/libwmf-0.2.8.4-CAN-2004-0941.patch
@ -0,0 +1,17 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_png.c	2004-11-11 14:02:37.407589824 -0500
+++ libwmf-0.2.8.4/src/extra/gd/gd_png.c	2004-11-11 14:04:29.672522960 -0500
+@@ -188,6 +188,14 @@
+ 
+   png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ 		&interlace_type, NULL, NULL);
+  if (overflow2(sizeof (int), width)) 
+    {
+      return NULL;
+    }
+  if (overflow2(sizeof (int) * width, height)) 
+    {
+      return NULL;
+    }  
+   if ((color_type == PNG_COLOR_TYPE_RGB) ||
+       (color_type == PNG_COLOR_TYPE_RGB_ALPHA))
+     {
--- a/libwmf-0.2.8.4-CVE-2007-0455.patch
+++ b/libwmf-0.2.8.4-CVE-2007-0455.patch
@ -0,0 +1,11 @@
+--- libwmf-0.2.8.4/src/extra/gd/gdft.c	2010-12-06 11:18:26.000000000 +0000
+++ libwmf-0.2.8.4/src/extra/gd/gdft.c	2010-12-06 11:21:09.000000000 +0000
+@@ -811,7 +811,7 @@
+ 	    {
+ 	      ch = c & 0xFF;	/* don't extend sign */
+ 	    }
+-	  next++;
+	  if (*next) next++;
+ 	}
+       else
+ 	{
--- a/libwmf-0.2.8.4-CVE-2007-2756.patch
+++ b/libwmf-0.2.8.4-CVE-2007-2756.patch
@ -0,0 +1,16 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_png.c	1 Apr 2007 20:41:01 -0000	1.21.2.1
+++ libwmf-0.2.8.4/src/extra/gd/gd_png.c	16 May 2007 19:06:11 -0000
+@@ -78,8 +78,11 @@
+ gdPngReadData (png_structp png_ptr,
+ 	       png_bytep data, png_size_t length)
+ {
+-  gdGetBuf (data, length, (gdIOCtx *)
+-	    png_get_io_ptr (png_ptr));
+  int check;
+  check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
+  if (check != length) {
+    png_error(png_ptr, "Read Error: truncated data");
+  }
+ }
+ 
+ static void
--- a/libwmf-0.2.8.4-CVE-2007-3472.patch
+++ b/libwmf-0.2.8.4-CVE-2007-3472.patch
@ -0,0 +1,61 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
+++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -106,6 +106,18 @@
+   gdImagePtr im;
+   unsigned long cpa_size;
+ 
+  if (overflow2(sx, sy)) {
+    return NULL;
+  }
+
+  if (overflow2(sizeof (int *), sy)) {
+    return NULL;
+  }
+
+  if (overflow2(sizeof(int), sx)) {
+    return NULL;
+  }
+
+   im = (gdImage *) gdMalloc (sizeof (gdImage));
+   if (im == 0) return 0;
+   memset (im, 0, sizeof (gdImage));
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.c	2010-12-06 11:47:31.000000000 +0000
+++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.c	2010-12-06 11:48:04.000000000 +0000
+@@ -2,6 +2,7 @@
+ #include "gdhelpers.h"
+ #include <stdlib.h>
+ #include <string.h>
+#include <limits.h>
+ 
+ /* TBB: gd_strtok_r is not portable; provide an implementation */
+ 
+@@ -94,3 +95,18 @@
+ {
+   free (ptr);
+ }
+
+int overflow2(int a, int b)
+{
+	if(a < 0 || b < 0) {
+		fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
+		return 1;
+	}
+	if(b == 0)
+		return 0;
+	if(a > INT_MAX / b) {
+		fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
+		return 1;
+	}
+	return 0;
+}
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.h	2010-12-06 11:47:17.000000000 +0000
+++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.h	2010-12-06 11:48:36.000000000 +0000
+@@ -15,6 +15,8 @@
+ void *gdMalloc(size_t size);
+ void *gdRealloc(void *ptr, size_t size);
+ 
+int overflow2(int a, int b);
+
+ #pragma GCC visibility pop
+ 
+ #endif /* GDHELPERS_H */
--- a/libwmf-0.2.8.4-CVE-2007-3473.patch
+++ b/libwmf-0.2.8.4-CVE-2007-3473.patch
@ -0,0 +1,13 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
+++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -2483,6 +2483,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm (FILE * fd)
+     }
+   bytes = (w * h / 8) + 1;
+   im = gdImageCreate (w, h);
+  if (!im) {
+    return 0;
+  }
+
+   gdImageColorAllocate (im, 255, 255, 255);
+   gdImageColorAllocate (im, 0, 0, 0);
+   x = 0;
--- a/libwmf-0.2.8.4-CVE-2007-3477.patch
+++ b/libwmf-0.2.8.4-CVE-2007-3477.patch
@ -0,0 +1,38 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
+++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -1335,10 +1335,31 @@
+   int w2, h2;
+   w2 = w / 2;
+   h2 = h / 2;
+-  while (e < s)
+-    {
+-      e += 360;
+-    }
+
+  if ((s % 360)  == (e % 360)) {
+         s = 0; e = 360;
+  } else {
+         if (s > 360) {
+                 s = s % 360;
+         }
+
+         if (e > 360) {
+                 e = e % 360;
+         }
+
+         while (s < 0) {
+                 s += 360;
+         }
+
+         while (e < s) {
+                 e += 360;
+         }
+
+         if (s == e) {
+                 s = 0; e = 360;
+         }
+  }
+
+   for (i = s; (i <= e); i++)
+     {
+       int x, y;
--- a/libwmf-0.2.8.4-CVE-2009-3546.patch
+++ b/libwmf-0.2.8.4-CVE-2009-3546.patch
@ -0,0 +1,13 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd.c	2010-12-06 14:56:06.000000000 +0000
+++ libwmf-0.2.8.4/src/extra/gd/gd_gd.c	2010-12-06 14:57:04.000000000 +0000
+@@ -42,6 +42,10 @@
+ 	    {
+ 	      goto fail1;
+ 	    }
+	  if (&im->colorsTotal > gdMaxColors)
+	    {
+	      goto fail1;
+	    }
+ 	}
+       /* Int to accommodate truecolor single-color transparency */
+       if (!gdGetInt (&im->transparent, in))
--- a/libwmf.spec
+++ b/libwmf.spec
@ -1,7 +1,7 @@
 Summary: Windows MetaFile Library
 Name: libwmf
 Version: 0.2.8.4
-Release: 27%{?dist}
+Release: 28%{?dist}
 Group: System Environment/Libraries
 #libwmf is under the LGPLv2+, however...
 #1. The tarball contains an old version of the urw-fonts under GPL+.
@ -14,25 +14,45 @@ URL: http://wvware.sourceforge.net/libwmf.html
 #Upstream is uncontactable for some time now, which is a real pity esp.
 #wrt CVE-2006-3376/CVE-2009-1364
 #Don't install out of date documentation
-Patch0: libwmf-0.2.8.3-nodocs.patch
+Patch0:  libwmf-0.2.8.3-nodocs.patch
 #Allow use of system install fonts intead of libwmf bundled ones
-Patch1: libwmf-0.2.8.3-relocatablefonts.patch
+Patch1:  libwmf-0.2.8.3-relocatablefonts.patch
 #Set a fallback font of Times for text if a .wmf file don't set any
-Patch2: libwmf-0.2.8.4-fallbackfont.patch
+Patch2:  libwmf-0.2.8.4-fallbackfont.patch
 #Strip unnecessary extra library dependencies
-Patch3: libwmf-0.2.8.4-deps.patch
+Patch3:  libwmf-0.2.8.4-deps.patch
 #convert libwmf-config to a pkg-config to avoid multilib conflicts
-Patch4: libwmf-0.2.8.4-multiarchdevel.patch
+Patch4:  libwmf-0.2.8.4-multiarchdevel.patch
 #CVE-2006-3376 Integer overflow in player.c
-Patch5: libwmf-0.2.8.4-intoverflow.patch
+Patch5:  libwmf-0.2.8.4-intoverflow.patch
 #Don't export the modified embedded GD library symbols, to avoid conflicts with
 #the external one
-Patch6: libwmf-0.2.8.4-reducesymbols.patch
+Patch6:  libwmf-0.2.8.4-reducesymbols.patch
 #CVE-2009-1364, Use-after-free vulnerability in the modified embedded GD
 #library
-Patch7: libwmf-0.2.8.4-useafterfree.patch
+Patch7:  libwmf-0.2.8.4-useafterfree.patch
 # adapt to standalone gdk-pixbuf
-Patch8: libwmf-0.2.8.4-pixbufloaderdir.patch
+Patch8:  libwmf-0.2.8.4-pixbufloaderdir.patch
+# CVE-2007-0455
+Patch9:  libwmf-0.2.8.4-CVE-2007-0455.patch
+# CVE-2007-3472
+Patch10: libwmf-0.2.8.4-CVE-2007-3472.patch
+# CVE-2007-3473
+Patch11: libwmf-0.2.8.4-CVE-2007-3473.patch
+# CVE-2006-2906 affects GIFs, which is not implemented here
+# CVE-2006-4484 affects GIFs, which is not implemented here
+# CVE-2007-3474 affects GIFs, which is not implemented here
+# CVE-2007-3475 affects GIFs, which is not implemented here
+# CVE-2007-3476 affects GIFs, which is not implemented here
+# CVE-2007-3477
+Patch12: libwmf-0.2.8.4-CVE-2007-3477.patch
+# CVE-2007-3478 affects shared ttf files across threads, which is not implemented here
+# CVE-2007-2756
+Patch13: libwmf-0.2.8.4-CVE-2007-2756.patch
+# CAN-2004-0941
+Patch14: libwmf-0.2.8.4-CAN-2004-0941.patch
+# CVE-2009-3546
+Patch15: libwmf-0.2.8.4-CVE-2009-3546.patch

 Requires: urw-fonts
 Requires: %{name}-lite = %{version}-%{release}
@ -63,15 +83,22 @@ using libwmf.

 %prep
 %setup -q
-%patch0 -p1 -b .nodocs
-%patch1 -p1 -b .relocatablefonts
-%patch2 -p1 -b .fallbackfont
-%patch3 -p1 -b .deps
-%patch4 -p1 -b .multiarchdevel
-%patch5 -p1 -b .intoverflow
-%patch6 -p1 -b .reducesymbols.patch
-%patch7 -p1 -b .useafterfree.patch
-%patch8 -p1 -b .pixbufloaderdir
+%patch0  -p1 -b .nodocs
+%patch1  -p1 -b .relocatablefonts
+%patch2  -p1 -b .fallbackfont
+%patch3  -p1 -b .deps
+%patch4  -p1 -b .multiarchdevel
+%patch5  -p1 -b .intoverflow
+%patch6  -p1 -b .reducesymbols.patch
+%patch7  -p1 -b .useafterfree.patch
+%patch8  -p1 -b .pixbufloaderdir
+%patch9  -p1 -b .CVE-2007-0455
+%patch10 -p1 -b .CVE-2007-3472
+%patch11 -p1 -b .CVE-2007-3473
+%patch12 -p1 -b .CVE-2007-3477
+%patch13 -p1 -b .CVE-2007-2756
+%patch14 -p1 -b .CAN-2004-0941
+%patch15 -p1 -b .CVE-2009-3546
 f=README ; iconv -f iso-8859-2 -t utf-8 $f > $f.utf8 ; mv $f.utf8 $f

 %build
@ -137,6 +164,9 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache || :


 %changelog
+* Mon Dec 06 2010 Caolán McNamara <caolanm@redhat.com> - 0.2.8.4-28
+- Resolves: rhbz#660161 security issues
+
 * Mon Oct 18 2010 Parag Nemade <paragn AT fedoraproject.org> - 0.2.8.4-27
 - Merge-review cleanup (#226058)