authorLeonardo Arena <rnalrd@alpinelinux.org>2016-05-11 10:54:07 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2016-05-11 12:00:42 +0000
commit655fce2fcf9f3d6390a1ab8fba039f4125df9e94 (patch)
treedd142bb25fba50400d1e5179e0960e038fc18520
parent2ec6e5d9fefa2fc48f839cfd7561cff006d6432e (diff)
main/imlib2: security fix (CVE-2016-4024). Fixes #5521
(cherry picked from commit 4ab4dc28195ac810b25649d6b25ada802248bfdf)
-rw-r--r--main/imlib2/APKBUILD13
-rw-r--r--main/imlib2/CVE-2016-4024.patch45
-rw-r--r--main/imlib2/imlib2-giflib5.patch14
-rw-r--r--main/imlib2/remove-my_libs.patch11
4 files changed, 54 insertions, 29 deletions
diff --git a/main/imlib2/APKBUILD b/main/imlib2/APKBUILD
index 9bd61b2b62..43e7fa0e89 100644
--- a/main/imlib2/APKBUILD
+++ b/main/imlib2/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=imlib2
-pkgver=1.4.6
-pkgrel=2
+pkgver=1.4.7
+pkgrel=0
pkgdesc="Library that does image file loading and saving as well as rendering, manipulation, arbitrary polygon support"
url="http://sourceforge.net/projects/enlightenment/"
arch="all"
@@ -12,8 +12,7 @@ depends_dev="freetype-dev libxext-dev libsm-dev"
makedepends="$depends_dev tiff-dev giflib-dev bzip2-dev
libpng-dev libid3tag-dev libjpeg-turbo-dev zlib-dev util-linux-dev"
source="http://downloads.sourceforge.net/enlightenment/$pkgname-$pkgver.tar.bz2
- imlib2-giflib5.patch
- remove-my_libs.patch
+ CVE-2016-4024.patch
"
_builddir="$srcdir"/$pkgname-$pkgver
@@ -56,3 +55,9 @@ sha256sums="af51be727d62cfcff7457c753f355e44848fb997f33a7e1d43775276a9073274 im
sha512sums="50d9f16eb09029c127c2ea904d59c46dceefabec7cf2aeb05a6cec7bfd9886f01fee863958c209cbdb7fe7991e0b6a883e5d910c9c2bf2991038719aa8687787 imlib2-1.4.6.tar.bz2
7a99f7d59f320f02119411a5a078679ef4a549700fbcfe5987e1bc3e79787c6ea65e7779883b8e2b686bfae87827408fce7de1669ac97ea1db8612fca3202870 imlib2-giflib5.patch
e4fdc734f00f9b85c84517802502c482c78132f2badc800cb8c08c851c7535556ded0c011515f669599ee6b8aa10096c58cd5cf64257f341b5c943dd1e07448e remove-my_libs.patch"
+md5sums="f2f1418c376da6125453f90f2d58d938 imlib2-1.4.7.tar.bz2
+5b78f464f0fa3a351da7ff7ce15d203f CVE-2016-4024.patch"
+sha256sums="35d733ce23ad7d338cff009095d37e656cb8a7a53717d53793a38320f9924701 imlib2-1.4.7.tar.bz2
+441b1bdf1e2a65905cd711c60df5a8d44b8bbf9125e21ab8ac1b2141f0aa5cd5 CVE-2016-4024.patch"
+sha512sums="3954d6426efbe2fcfb755c74a0ea7c1c61e65c5dc3cbdcea88c9e5de6294de69439ac05c724d83f4703f121d70f6af2f860e2aa423296c30ef99f4bdd2e60db8 imlib2-1.4.7.tar.bz2
+af06a82049ea7b5a13da19c550efe264183415040616f36284ece78fd6437f5ac5a287ea3ad7902e289f44ffdd06048bb37b931ebbd6ae80f4633d86c6992c21 CVE-2016-4024.patch"
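Review bot: The new `md5sums`/`sha256sums`/`sha512sums` assignments are appended after the existing 1.4.6 blocks instead of replacing them. The context lines directly above still list `imlib2-1.4.6.tar.bz2`, `imlib2-giflib5.patch` and `remove-my_libs.patch`, all of which this commit drops from `source`. As plain shell assignments the later values win, so the build presumably verifies against the new hashes, but the stale blocks make it easy to audit the wrong digest; I would delete them in the same change so the file carries exactly one checksum set matching `source`. Since the tarball is fetched over plain `http://`, the `sha512sums` entry is the only integrity control on it, and the `md5sums` block should not be relied on for that.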
diff --git a/main/imlib2/CVE-2016-4024.patch b/main/imlib2/CVE-2016-4024.patch
new file mode 100644
index 0000000000..be2159ce0d
--- /dev/null
+++ b/main/imlib2/CVE-2016-4024.patch
@@ -0,0 +1,45 @@
+From 7eba2e4c8ac0e20838947f10f29d0efe1add8227 Mon Sep 17 00:00:00 2001
+From: "Yuriy M. Kaminskiy" <yumkam@gmail.com>
+Date: Wed, 6 Apr 2016 03:34:01 +0300
+Subject: Fix integer overflow resulting in insufficient heap allocation
+
+IMAGE_DIMENSIONS_OK ensures that image width and height are less then
+46340, so that maximum number of pixels is ~2**31.
+
+Unfortunately, there are a lot of code that allocates image data with
+something like
+
+ malloc(w * h * sizeof(DATA32));
+
+Obviously, on 32-bit machines this results in integer overflow,
+insufficient heap allocation, with [massive] out-of-bounds heap
+overwrite.
+Either X_MAX should be reduced to 32767, or (w)*(h) should be checked to
+not exceed ULONG_MAX/sizeof(DATA32).
+
+Security implications:
+*) for 32-bit machines: insufficient heap allocation and heap overwrite
+in many image loaders, with escalation potential to remote code
+execution;
+*) for 64-bit machines: it seems, no impact.
+---
+ src/lib/image.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/image.h b/src/lib/image.h
+index e9eb678..5fae6ed 100644
+--- a/src/lib/image.h
++++ b/src/lib/image.h
+@@ -188,7 +188,8 @@ void __imlib_SaveImage(ImlibImage * im, const char *file,
+
+ /* The maximum pixmap dimension is 65535. */
+ /* However, for now, use 46340 (46340^2 < 2^31) to avoid buffer overflow issues. */
+-#define X_MAX_DIM 46340
++/* Reduced further to 32767, so that (w * h * sizeof(DATA32)) won't exceed ULONG_MAX */
++#define X_MAX_DIM 32767
+
+ #define IMAGE_DIMENSIONS_OK(w, h) \
+ ( ((w) > 0) && ((h) > 0) && ((w) < X_MAX_DIM) && ((h) < X_MAX_DIM) )
+--
+cgit v0.12
+
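Review bot: The new `X_MAX_DIM` of 32767 is safe only under assumptions the header does not state: that `sizeof(DATA32)` is 4 and that no allocation site multiplies `w * h` by more than that. With both dimensions capped at 32766, `w * h * 4` stays just under 2^32, so a loader that sizes a buffer with a larger per-pixel factor would still wrap on a 32-bit `size_t`; those call sites are outside this hunk and should be checked. The added comment names `ULONG_MAX`, which is 2^64-1 on LP64 targets and not the bound that matters here; I would word it as `/* 32767 keeps w * h * sizeof(DATA32) below 2^32 (32-bit size_t); assumes sizeof(DATA32) == 4 */`. A product check inside `IMAGE_DIMENSIONS_OK`, the alternative the patch description itself mentions, would remove the dependency on the constant.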
diff --git a/main/imlib2/imlib2-giflib5.patch b/main/imlib2/imlib2-giflib5.patch
deleted file mode 100644
index 5a7b38d134..0000000000
--- a/main/imlib2/imlib2-giflib5.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- a/src/modules/loaders/loader_gif.c.orig
-+++ b/src/modules/loaders/loader_gif.c
-@@ -40,7 +40,11 @@ load(ImlibImage * im, ImlibProgressFunct
- #endif
- if (fd < 0)
- return 0;
-+#if defined(GIFLIB_MAJOR) && (GIFLIB_MAJOR >= 5)
-+ gif = DGifOpenFileHandle(fd, NULL);
-+#else
- gif = DGifOpenFileHandle(fd);
-+#endif
- if (!gif)
- {
- close(fd);
diff --git a/main/imlib2/remove-my_libs.patch b/main/imlib2/remove-my_libs.patch
deleted file mode 100644
index 1d4dc93bef..0000000000
--- a/main/imlib2/remove-my_libs.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- ./imlib2-config.in.orig
-+++ ./imlib2-config.in
-@@ -46,7 +46,7 @@
- ;;
- --libs)
- libdirs=-L@libdir@
-- echo $libdirs -lImlib2 @my_libs@
-+ echo $libdirs -lImlib2
- ;;
- *)
- echo "${usage}" 1>&2