From 6da7fabda7678267136a16c9afa70bc44f192427 Mon Sep 17 00:00:00 2001
From: Bastien Nocera
Date: Jul 13 2017 13:07:05 +0000
Subject: + gdk-pixbuf2-2.36.6-2 Fix crasher in jpeg loader
---
diff --git a/0001-jpeg-Throw-error-when-number-of-color-components-is-.patch b/0001-jpeg-Throw-error-when-number-of-color-components-is-.patch
new file mode 100644
index 0000000..e28097e
--- /dev/null
+++ b/0001-jpeg-Throw-error-when-number-of-color-components-is-.patch
@@ -0,0 +1,69 @@
+From c2a40a92fe3df4111ed9da51fe3368c079b86926 Mon Sep 17 00:00:00 2001
+From: Tobias Mueller
+Date: Wed, 12 Jul 2017 20:36:11 +0200
+Subject: [PATCH] jpeg: Throw error when number of color components is
+ unsupported
+
+Explicitly check "3" or "4" output color components.
+
+gdk-pixbuf assumed that the value of output_components to be either
+3 or 4, but not an invalid value (9) or an unsupported value (1).
+
+The way the buffer size was deduced was using a naive "== 4" check,
+with a 1, 3 or 9 color component picture getting the same buffer size,
+a size just sufficient for 3 color components, causing invalid writes
+later when libjpeg-turbo was decoding the image.
+
+CVE-2017-2862
+
+Sent by from Marcin 'Icewall' Noga of Cisco Talos
+
+https://bugzilla.gnome.org/show_bug.cgi?id=784866
+---
+ gdk-pixbuf/io-jpeg.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
+index dd88a350a..1c0eba1a9 100644
+--- a/gdk-pixbuf/io-jpeg.c
++++ b/gdk-pixbuf/io-jpeg.c
+@@ -1051,6 +1051,7 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
+ if (!context->got_header) {
+ int rc;
+ gchar* comment;
++ gboolean has_alpha;
+
+ jpeg_save_markers (cinfo, JPEG_APP0+1, 0xffff);
+ jpeg_save_markers (cinfo, JPEG_APP0+2, 0xffff);
+@@ -1089,10 +1090,24 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
+ }
+ }
+ jpeg_calc_output_dimensions (cinfo);
+-
+- context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
+- cinfo->output_components == 4 ? TRUE : FALSE,
+- 8,
++
++ if (cinfo->output_components == 3) {
++ has_alpha = FALSE;
++ } else if (cinfo->output_components == 4) {
++ has_alpha = TRUE;
++ } else {
++ g_set_error (error,
++ GDK_PIXBUF_ERROR,
++ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++ _("Unsupported number of color components (%d)"),
++ cinfo->output_components);
++ retval = FALSE;
++ goto out;
++ }
++
++ context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
++ has_alpha,
++ 8,
+ cinfo->output_width,
+ cinfo->output_height);
+
+--
+2.13.0
+
diff --git a/gdk-pixbuf2.spec b/gdk-pixbuf2.spec
index 18cfdf0..5a31b80 100644
--- a/gdk-pixbuf2.spec
+++ b/gdk-pixbuf2.spec
@@ -2,7 +2,7 @@
 Name: gdk-pixbuf2
 Version: 2.36.6
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: An image loading library
 License: LGPLv2+
@@ -10,6 +10,8 @@
 URL: http://www.gtk.org
 #VCS: git:git://git.gnome.org/gdk-pixbuf
 Source0: http://download.gnome.org/sources/gdk-pixbuf/2.36/gdk-pixbuf-%{version}.tar.xz
+Patch0: 0001-jpeg-Throw-error-when-number-of-color-components-is-.patch
+
 BuildRequires: pkgconfig(gio-2.0) >= %{glib2_version}
 BuildRequires: libpng-devel
 BuildRequires: libjpeg-devel
@@ -23,6 +25,7 @@ BuildRequires: shared-mime-info
 # Bootstrap requirements
 BuildRequires: autoconf automake libtool gtk-doc
 BuildRequires: gettext-autopoint
+BuildRequires: git
 Requires: glib2%{?_isa} >= %{glib2_version}
@@ -87,7 +90,7 @@ the functionality of the installed %{name} package.
 %prep
-%setup -q -n gdk-pixbuf-%{version}
+%autosetup -n gdk-pixbuf-%{version} -S git
 %build
 (if ! test -x configure; then NOCONFIGURE=1 ./autogen.sh; CONFIGFLAGS=--enable-gtk-doc; fi;
@@ -174,6 +177,10 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache
 %changelog
+* Thu Jul 13 2017 Bastien Nocera - 2.36.6-2
++ gdk-pixbuf2-2.36.6-2
+- Fix crasher in jpeg loader
+
 * Mon Apr 03 2017 Kalev Lember - 2.36.6-1
 - Update to 2.36.6
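Review bot: The new guard in `gdk_pixbuf__jpeg_image_load_increment` turns a 1-component (grayscale) decode into a hard GDK_PIXBUF_ERROR_CORRUPT_IMAGE failure, which is only correct if the header handling above this hunk already forces `cinfo->out_color_space` to an RGB or CMYK space for grayscale input; that code is not shown, so it is worth confirming with a grayscale test image that the loader still accepts one rather than relying on the commit message calling 1 "unsupported". The 3/4 check is the right fix for the under-sized pixbuf buffer, but the enclosing function starts and ends outside the hunk, and so does the non-incremental load path in the same file: if that path still derives has_alpha from a bare `output_components == 4` test, the same crafted file reaches the same invalid write through the synchronous loader and it needs the identical guard. The `retval`/`out` cleanup the error branch jumps to is likewise outside the hunk, so the early exit presumably leaves the partially-initialised decompressor to be destroyed there — confirm rather than assume. A short comment above the check, `/* libjpeg yields 3 (RGB) or 4 (CMYK) components here; any other value would under-size the pixbuf (CVE-2017-2862) */`, would keep a later maintainer from relaxing it.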