From a411f8be11890b18b2aaa90463628d236424407d Mon Sep 17 00:00:00 2001
From: Nathan Owens
Date: Fri, 4 Jan 2019 17:04:58 -0600
Subject: [PATCH] libgxps: CVE-2018-10733 ; CVE-2018-10767

---
 srcpkgs/libgxps/patches/CVE-2018-10733.patch | 148 +++++++++++++++++++
 srcpkgs/libgxps/patches/CVE-2018-10767.patch | 28 ++++
 srcpkgs/libgxps/template | 2 +-
 3 files changed, 177 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/libgxps/patches/CVE-2018-10733.patch
 create mode 100644 srcpkgs/libgxps/patches/CVE-2018-10767.patch

diff --git a/srcpkgs/libgxps/patches/CVE-2018-10733.patch b/srcpkgs/libgxps/patches/CVE-2018-10733.patch
new file mode 100644
index 00000000000..b7f07dfdfc5
--- /dev/null
+++ b/srcpkgs/libgxps/patches/CVE-2018-10733.patch
@@ -0,0 +1,148 @@
+Sources:
+https://git.gnome.org/browse/libgxps/commit/?id=b458226e162fe1ffe7acb4230c114a52ada5131b
+
+https://git.gnome.org/browse/libgxps/commit/?id=133fe2a96e020d4ca65c6f64fb28a404050ebbfd
+From 133fe2a96e020d4ca65c6f64fb28a404050ebbfd Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos
+Date: Sat, 5 May 2018 12:02:36 +0200
+Subject: [PATCH] gxps-archive: Handle errors returned by archive_read_data
+
+---
+ libgxps/gxps-archive.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git libgxps/gxps-archive.c libgxps/gxps-archive.c
+index 346ba73..1bae729 100644
+--- libgxps/gxps-archive.c
++++ libgxps/gxps-archive.c
+@@ -520,6 +520,13 @@ gxps_archive_input_stream_read (GInputStream *stream,
+ return -1;
+
+ bytes_read = archive_read_data (istream->zip->archive, buffer, count);
++ if (bytes_read < 0) {
++ g_set_error_literal (error,
++ G_IO_ERROR,
++ g_io_error_from_errno (archive_errno (istream->zip->archive)),
++ archive_error_string (istream->zip->archive));
++ return -1;
++ }
+ if (bytes_read == 0 && istream->is_interleaved && !gxps_archive_input_stream_is_last_piece (istream)) {
+ /* Read next piece */
+ gxps_archive_input_stream_next_piece (istream);
+--
+2.18.1
+
+From b458226e162fe1ffe7acb4230c114a52ada5131b Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos
+Date: Sat, 5 May 2018 12:01:24 +0200
+Subject: [PATCH] gxps-archive: Ensure gxps_archive_read_entry() fills the
+ GError in case of failure
+
+And fix the callers to not overwrite the GError.
+---
+ libgxps/gxps-archive.c | 15 +++++++++++----
+ libgxps/gxps-fonts.c | 17 +++++------------
+ libgxps/gxps-images.c | 17 ++++++-----------
+ 3 files changed, 22 insertions(+), 27 deletions(-)
+
+diff --git libgxps/gxps-archive.c libgxps/gxps-archive.c
+index e763773..346ba73 100644
+--- libgxps/gxps-archive.c
++++ libgxps/gxps-archive.c
+@@ -406,9 +406,13 @@ gxps_archive_read_entry (GXPSArchive *archive,
+ gboolean retval;
+
+ stream = gxps_archive_open (archive, path);
+- if (!stream)
+- /* TODO: Error */
++ if (!stream) {
++ g_set_error (error,
++ G_IO_ERROR,
++ G_IO_ERROR_NOT_FOUND,
++ "The entry '%s' was not found in archive", path);
+ return FALSE;
++ }
+
+ entry_size = archive_entry_size (GXPS_ARCHIVE_INPUT_STREAM (stream)->entry);
+ if (entry_size <= 0) {
+@@ -423,7 +427,7 @@ gxps_archive_read_entry (GXPSArchive *archive,
+ *buffer = g_malloc (buffer_size);
+ do {
+ bytes = g_input_stream_read (stream, &buf, BUFFER_SIZE, NULL, error);
+- if (*error != NULL) {
++ if (bytes < 0) {
+ g_free (*buffer);
+ g_object_unref (stream);
+
+@@ -441,7 +445,10 @@ gxps_archive_read_entry (GXPSArchive *archive,
+ g_object_unref (stream);
+
+ if (*bytes_read == 0) {
+- /* TODO: Error */
++ g_set_error (error,
++ G_IO_ERROR,
++ G_IO_ERROR_INVALID_DATA,
++ "The entry '%s' is empty in archive", path);
+ g_free (*buffer);
+ return FALSE;
+ }
+diff --git libgxps/gxps-fonts.c libgxps/gxps-fonts.c
+index 882157d..8d02ffc 100644
+--- libgxps/gxps-fonts.c
++++ libgxps/gxps-fonts.c
+@@ -220,19 +220,12 @@ gxps_fonts_new_font_face (GXPSArchive *zip,
+ cairo_font_face_t *font_face;
+ guchar *font_data;
+ gsize font_data_len;
+- gboolean res;
+
+- res = gxps_archive_read_entry (zip, font_uri,
+- &font_data, &font_data_len,
+- error);
+- if (!res) {
+- g_set_error (error,
+- GXPS_ERROR,
+- GXPS_ERROR_SOURCE_NOT_FOUND,
+- "Font source %s not found in archive",
+- font_uri);
+- return NULL;
+- }
++ if (!gxps_archive_read_entry (zip, font_uri,
++ &font_data, &font_data_len,
++ error)) {
++ return NULL;
++ }
+
+ ft_face.font_data = font_data;
+ ft_face.font_data_len = (gssize)font_data_len;
+diff --git libgxps/gxps-images.c libgxps/gxps-images.c
+index 4dcf9e2..50f899f 100644
+--- libgxps/gxps-images.c
++++ libgxps/gxps-images.c
+@@ -742,17 +742,12 @@ gxps_images_create_from_tiff (GXPSArchive *zip,
+ guchar *data;
+ guchar *p;
+
+- if (!gxps_archive_read_entry (zip, image_uri,
+- &buffer.buffer,
+- &buffer.buffer_len,
+- error)) {
+- g_set_error (error,
+- GXPS_ERROR,
+- GXPS_ERROR_SOURCE_NOT_FOUND,
+- "Image source %s not found in archive",
+- image_uri);
+- return NULL;
+- }
++ if (!gxps_archive_read_entry (zip, image_uri,
++ &buffer.buffer,
++ &buffer.buffer_len,
++ error)) {
++ return NULL;
++ }
+
+ buffer.pos = 0;
+
+--
+2.18.1
+
diff --git a/srcpkgs/libgxps/patches/CVE-2018-10767.patch b/srcpkgs/libgxps/patches/CVE-2018-10767.patch
new file mode 100644
index 00000000000..be77fd2d012
--- /dev/null
+++ b/srcpkgs/libgxps/patches/CVE-2018-10767.patch
@@ -0,0 +1,28 @@
+Source:
+https://gitlab.gnome.org/GNOME/libgxps/commit/123dd99c6a1ae2ef6fcb5547e51fa58e8c954b51
+
+From 123dd99c6a1ae2ef6fcb5547e51fa58e8c954b51 Mon Sep 17 00:00:00 2001
+From: Carlos Garcia Campos
+Date: Fri, 8 Dec 2017 11:11:38 +0100
+Subject: [PATCH] gxps-images: fix integer overflow in png decoder
+
+---
+ libgxps/gxps-images.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git libgxps/gxps-images.c libgxps/gxps-images.c
+index 98c7052..19cb1c0 100644
+--- libgxps/gxps-images.c
++++ libgxps/gxps-images.c
+@@ -286,7 +286,7 @@ gxps_images_create_from_png (GXPSArchive *zip,
+ }
+
+ stride = cairo_format_stride_for_width (format, png_width);
+- if (stride < 0) {
++ if (stride < 0 || png_height >= INT_MAX / stride) {
+ fill_png_error (error, image_uri, NULL);
+ g_object_unref (stream);
+ png_destroy_read_struct (&png, &info, NULL);
+--
+2.18.1
+
diff --git a/srcpkgs/libgxps/template b/srcpkgs/libgxps/template
index 48468da5a01..202085fb1a5 100644
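Review bot: In the first embedded commit, the new `bytes_read < 0` branch of gxps_archive_input_stream_read passes `archive_error_string (istream->zip->archive)` straight to `g_set_error_literal`, with no fallback when libarchive has no message recorded. archive_error_string() can return NULL in that case, and GLib rejects a NULL message, so the read would return -1 while `*error` stays unset, which is the state the second embedded commit sets out to remove for callers of gxps_archive_read_entry. A fallback keeps the contract: take `const char *msg = archive_error_string (istream->zip->archive);` and pass `msg ? msg : "Error reading archive entry"` as the last argument. The function body starts and ends outside the hunk, so its other exit paths were not checked.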
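Review bot: The widened guard in gxps_images_create_from_png divides by `stride` after excluding only negative values, so a stride of exactly 0 would turn `INT_MAX / stride` into a division by zero. Whether cairo_format_stride_for_width can return 0 here depends on png_width being validated as non-zero, which happens (if at all) outside the hunk. Writing the test as `if (stride <= 0 || png_height >= INT_MAX / stride) {` closes that case at no cost. The declared type of `png_height` is not visible in this hunk either, so it is worth confirming that the comparison against the `int` quotient cannot be defeated by a negative value.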
--- a/srcpkgs/libgxps/template
+++ b/srcpkgs/libgxps/template
@@ -1,7 +1,7 @@
 # Template file for 'libgxps'
 pkgname=libgxps
 version=0.3.0
-revision=1
+revision=2
 build_style=meson
 configure_args="-Denable-test=false -Ddisable-introspection=$(vopt_if gir false true)"
 hostmakedepends="pkg-config $(vopt_if gir gobject-introspection)"