mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 21:38:07 -05:00
gnu: libjpeg-turbo: Fix CVE-2019-13960 and CVE-2019-2201.
* gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch: New file. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/image.scm (libjpeg-turbo/fixed): New variable. (libjpeg-turbo)[replacement]: New field.
This commit is contained in:
parent
4fe7adcbcc
commit
0fa9f29a51
3 changed files with 48 additions and 1 deletions
|
@ -1062,6 +1062,7 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/libgnomeui-utf8.patch \
|
||||
%D%/packages/patches/libgpg-error-gawk-compat.patch \
|
||||
%D%/packages/patches/libffi-3.2.1-complex-alpha.patch \
|
||||
%D%/packages/patches/libjpeg-turbo-CVE-2019-2201.patch \
|
||||
%D%/packages/patches/libjxr-fix-function-signature.patch \
|
||||
%D%/packages/patches/libjxr-fix-typos.patch \
|
||||
%D%/packages/patches/libotr-test-auth-fix.patch \
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
;;; Copyright © 2018 Joshua Sierles, Nextjournal <joshua@nextjournal.com>
|
||||
;;; Copyright © 2018 Fis Trivial <ybbs.daans@hotmail.com>
|
||||
;;; Copyright © 2018 Pierre Neidhardt <mail@ambrevar.xyz>
|
||||
;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com>
|
||||
;;; Copyright © 2018, 2019 Marius Bakke <mbakke@fastmail.com>
|
||||
;;; Copyright © 2018 Pierre-Antoine Rouby <contact@parouby.fr>
|
||||
;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
|
||||
;;; Copyright © 2018 Rutger Helling <rhelling@mykolab.com>
|
||||
|
@ -1489,6 +1489,7 @@ (define-public libjpeg-turbo
|
|||
(package
|
||||
(name "libjpeg-turbo")
|
||||
(version "2.0.2")
|
||||
(replacement libjpeg-turbo/fixed)
|
||||
(source (origin
|
||||
(method url-fetch)
|
||||
(uri (string-append "mirror://sourceforge/libjpeg-turbo/"
|
||||
|
@ -1518,6 +1519,20 @@ (define-public libjpeg-turbo
|
|||
license:ijg ;the libjpeg library and associated tools
|
||||
license:zlib)))) ;the libjpeg-turbo SIMD extensions
|
||||
|
||||
;; Replacement package to fix CVE-2019-13960 and CVE-2019-2201.
|
||||
(define libjpeg-turbo/fixed
|
||||
(package
|
||||
(inherit libjpeg-turbo)
|
||||
(version "2.0.3")
|
||||
(source (origin
|
||||
(method url-fetch)
|
||||
(uri (string-append "mirror://sourceforge/libjpeg-turbo/"
|
||||
version "/libjpeg-turbo-" version ".tar.gz"))
|
||||
(sha256
|
||||
(base32
|
||||
"1ds16bnj17v6hzd43w8pzijz3imd9am4hw75ir0fxm240m8dwij2"))
|
||||
(patches (search-patches "libjpeg-turbo-CVE-2019-2201.patch"))))))
|
||||
|
||||
(define-public niftilib
|
||||
(package
|
||||
(name "niftilib")
|
||||
|
|
31
gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch
Normal file
31
gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch
Normal file
|
@ -0,0 +1,31 @@
|
|||
Fix integer overflow which can potentially lead to RCE.
|
||||
|
||||
https://www.openwall.com/lists/oss-security/2019/11/11/1
|
||||
https://nvd.nist.gov/vuln/detail/CVE-2019-2201
|
||||
|
||||
The problem was partially fixed in 2.0.3. This patch is a follow-up.
|
||||
https://github.com/libjpeg-turbo/libjpeg-turbo/issues/388
|
||||
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/c30b1e72dac76343ef9029833d1561de07d29bad
|
||||
|
||||
diff --git a/tjbench.c b/tjbench.c
|
||||
index a7d397318..13a5bde62 100644
|
||||
--- a/tjbench.c
|
||||
+++ b/tjbench.c
|
||||
@@ -171,7 +171,7 @@ static int decomp(unsigned char *srcBuf, unsigned char **jpegBuf,
|
||||
}
|
||||
/* Set the destination buffer to gray so we know whether the decompressor
|
||||
attempted to write to it */
|
||||
- memset(dstBuf, 127, pitch * scaledh);
|
||||
+ memset(dstBuf, 127, (size_t)pitch * scaledh);
|
||||
|
||||
if (doYUV) {
|
||||
int width = doTile ? tilew : scaledw;
|
||||
@@ -193,7 +193,7 @@ static int decomp(unsigned char *srcBuf, unsigned char **jpegBuf,
|
||||
double start = getTime();
|
||||
|
||||
for (row = 0, dstPtr = dstBuf; row < ntilesh;
|
||||
- row++, dstPtr += pitch * tileh) {
|
||||
+ row++, dstPtr += (size_t)pitch * tileh) {
|
||||
for (col = 0, dstPtr2 = dstPtr; col < ntilesw;
|
||||
col++, tile++, dstPtr2 += ps * tilew) {
|
||||
int width = doTile ? min(tilew, w - col * tilew) : scaledw;
|
Loading…
Reference in a new issue