
01/02: gnu: libjpeg-turbo: Fix CVE-2019-13960 and CVE-2019-2201.


From: guix-commits
Subject: 01/02: gnu: libjpeg-turbo: Fix CVE-2019-13960 and CVE-2019-2201.
Date: Wed, 4 Dec 2019 17:19:39 -0500 (EST)

mbakke pushed a commit to branch master
in repository guix.

commit 0fa9f29a5100f19a8494521659a1fa3baaa7fd0e
Author: Marius Bakke <address@hidden>
Date:   Wed Dec 4 22:18:43 2019 +0100

    gnu: libjpeg-turbo: Fix CVE-2019-13960 and CVE-2019-2201.
    
    * gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Adjust accordingly.
    * gnu/packages/image.scm (libjpeg-turbo/fixed): New variable.
    (libjpeg-turbo)[replacement]: New field.
---
 gnu/local.mk                                       |  1 +
 gnu/packages/image.scm                             | 17 +++++++++++-
 .../patches/libjpeg-turbo-CVE-2019-2201.patch      | 31 ++++++++++++++++++++++
 3 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index 0494f1d..6c484e2 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1062,6 +1062,7 @@ dist_patch_DATA =                                         
\
   %D%/packages/patches/libgnomeui-utf8.patch                   \
   %D%/packages/patches/libgpg-error-gawk-compat.patch          \
   %D%/packages/patches/libffi-3.2.1-complex-alpha.patch                \
+  %D%/packages/patches/libjpeg-turbo-CVE-2019-2201.patch       \
   %D%/packages/patches/libjxr-fix-function-signature.patch     \
   %D%/packages/patches/libjxr-fix-typos.patch                  \
   %D%/packages/patches/libotr-test-auth-fix.patch              \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 731a1e8..71bd381 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -19,7 +19,7 @@
 ;;; Copyright © 2018 Joshua Sierles, Nextjournal <address@hidden>
 ;;; Copyright © 2018 Fis Trivial <address@hidden>
 ;;; Copyright © 2018 Pierre Neidhardt <address@hidden>
-;;; Copyright © 2018 Marius Bakke <address@hidden>
+;;; Copyright © 2018, 2019 Marius Bakke <address@hidden>
 ;;; Copyright © 2018 Pierre-Antoine Rouby <address@hidden>
 ;;; Copyright © 2018 Alex Vong <address@hidden>
 ;;; Copyright © 2018 Rutger Helling <address@hidden>
@@ -1489,6 +1489,7 @@ is hereby granted."))))
   (package
     (name "libjpeg-turbo")
     (version "2.0.2")
+    (replacement libjpeg-turbo/fixed)
     (source (origin
               (method url-fetch)
               (uri (string-append "mirror://sourceforge/libjpeg-turbo/"
@@ -1518,6 +1519,20 @@ and decompress to 32-bit and big-endian pixel buffers 
(RGBX, XBGR, etc.).")
                    license:ijg          ;the libjpeg library and associated 
tools
                    license:zlib))))     ;the libjpeg-turbo SIMD extensions
 
+;; Replacement package to fix CVE-2019-13960 and CVE-2019-2201.
+(define libjpeg-turbo/fixed
+  (package
+    (inherit libjpeg-turbo)
+    (version "2.0.3")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append "mirror://sourceforge/libjpeg-turbo/"
+                                  version "/libjpeg-turbo-" version ".tar.gz"))
+              (sha256
+               (base32
+                "1ds16bnj17v6hzd43w8pzijz3imd9am4hw75ir0fxm240m8dwij2"))
+              (patches (search-patches 
"libjpeg-turbo-CVE-2019-2201.patch"))))))
+
 (define-public niftilib
   (package
     (name "niftilib")
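Review bot: The comment above `libjpeg-turbo/fixed` does not say which part of the replacement addresses which CVE, so a later maintainer cannot tell when the extra patch or the graft itself can be dropped. The patch header added in this commit states that CVE-2019-2201 was only partially fixed in 2.0.3 and that the patch is a follow-up; CVE-2019-13960 is presumably covered by the bump to 2.0.3 alone. I would extend the comment to something like `;; Replacement package: 2.0.3 addresses CVE-2019-13960 (confirm) and part of CVE-2019-2201; the patch completes the latter.` Because the `(replacement libjpeg-turbo/fixed)` field in the previous hunk grafts 2.0.3 onto dependents built against 2.0.2, the comment should also record that the two releases are assumed to be ABI-compatible.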
diff --git a/gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch 
b/gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch
new file mode 100644
index 0000000..35f2bf5
--- /dev/null
+++ b/gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch
@@ -0,0 +1,31 @@
+Fix integer overflow which can potentially lead to RCE.
+
+https://www.openwall.com/lists/oss-security/2019/11/11/1
+https://nvd.nist.gov/vuln/detail/CVE-2019-2201
+
+The problem was partially fixed in 2.0.3.  This patch is a follow-up.
+https://github.com/libjpeg-turbo/libjpeg-turbo/issues/388
+https://github.com/libjpeg-turbo/libjpeg-turbo/commit/c30b1e72dac76343ef9029833d1561de07d29bad
+
+diff --git a/tjbench.c b/tjbench.c
+index a7d397318..13a5bde62 100644
+--- a/tjbench.c
++++ b/tjbench.c
+@@ -171,7 +171,7 @@ static int decomp(unsigned char *srcBuf, unsigned char 
**jpegBuf,
+   }
+   /* Set the destination buffer to gray so we know whether the decompressor
+      attempted to write to it */
+-  memset(dstBuf, 127, pitch * scaledh);
++  memset(dstBuf, 127, (size_t)pitch * scaledh);
+ 
+   if (doYUV) {
+     int width = doTile ? tilew : scaledw;
+@@ -193,7 +193,7 @@ static int decomp(unsigned char *srcBuf, unsigned char 
**jpegBuf,
+     double start = getTime();
+ 
+     for (row = 0, dstPtr = dstBuf; row < ntilesh;
+-         row++, dstPtr += pitch * tileh) {
++         row++, dstPtr += (size_t)pitch * tileh) {
+       for (col = 0, dstPtr2 = dstPtr; col < ntilesw;
+            col++, tile++, dstPtr2 += ps * tilew) {
+         int width = doTile ? min(tilew, w - col * tilew) : scaledw;
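Review bot: The two casts widen only the `pitch * scaledh` and `pitch * tileh` products, while the context line `col++, tile++, dstPtr2 += ps * tilew` in the same loop still multiplies two ints. `pitch` itself is computed outside the hunk, so if it is an int product that has already wrapped, the cast comes too late. It is worth confirming against the full `decomp` (which starts and ends outside the hunk) that `pitch` cannot overflow and that `dstBuf` is allocated with the same `(size_t)pitch * scaledh` expression, because a widened memset length over a buffer sized from a wrapped int would write out of bounds. If the inner stride can be large, `dstPtr2 += (size_t)ps * tilew` keeps it consistent with the rest of the fix. The patch header could also state that the change is confined to `tjbench.c`, which helps anyone assessing exposure.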


