Subject: Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
From: Kei Kebreau
Date: Fri, 14 Oct 2016 20:09:08 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
Leo Famulari <address@hidden> writes:
> On Fri, Oct 14, 2016 at 10:44:05AM +0000, Efraim Flashner wrote:
>> efraim pushed a commit to branch master
>> in repository guix.
>>
>> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134
>> Author: Efraim Flashner <address@hidden>
>> Date: Fri Oct 14 11:28:21 2016 +0300
>>
>> gnu: freeimage: Fix CVE-2016-5684.
>>
>> * gnu/packages/image.scm (freeimage)[source]: Add patch.
>> * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> ---
>> gnu/local.mk | 1 +
>> gnu/packages/image.scm | 3 +-
>> gnu/packages/patches/freeimage-CVE-2016-5684.patch | 34 ++++++++++++++++++++
>> 3 files changed, 37 insertions(+), 1 deletion(-)
>
> Efraim pointed out on IRC that our freeimage package bundles many
> 3rd-party libraries:
>
> $ ls -1 FreeImage/Source
> CacheFile.h
> DeprecationManager
> FreeImage
> FreeImage.h
> FreeImageIO.h
> FreeImageLib
> FreeImageToolkit
> LibJPEG
> LibJXR
> LibOpenJPEG
> LibPNG
> LibRawLite
> LibTIFF4
> LibWebP
> MapIntrospector.h
> Metadata
> OpenEXR
> Plugin.h
> Quantizers.h
> ToneMapping.h
> Utilities.h
> ZLib
>
> Debian has a patch to make it use "system" copies of the libraries:
>
> https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
>
> For now, our freeimage package is probably vulnerable to many publicly
> disclosed security bugs.
>
> Who volunteers to try fixing this?
The patch is attached. I've removed the bit from Debian that disables JPEG
transformation functions, as seen below. JPEGTransform.cpp (in
Source/FreeImageToolkit) gave me some trouble when I left that part of
the patch alone.
@@ -473,6 +477,9 @@ FI_ENUM(FREE_IMAGE_DITHER) {
FID_BAYER16x16 = 6 //! Bayer ordered dispersed dot
dithering (order 4 dithering matrix)
};
+/* Debian: The JPEGTransform functions are deliberately disabled in our build
+ of FreeImage, since they require usage of the vendored copy of libjpeg. */
+#if 0
/** Lossless JPEG transformations
Constants used in FreeImage_JPEGTransform
*/
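Review bot: the `#if 0` opened on the `+#if 0` line is not closed within this hunk; its `#endif` only arrives in the next hunk, so the two hunks have to be applied or dropped together, which matters here since the cover note says this portion was removed from the Guix version of the patch. The comment text `/* Debian: ... */` would also be misleading if carried into a Guix patch; reword it to name the build it actually applies to.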
@@ -486,6 +493,7 @@ FI_ENUM(FREE_IMAGE_JPEG_OPERATION) {
FIJPEG_OP_ROTATE_180 = 6, //! 180-degree rotation
FIJPEG_OP_ROTATE_270 = 7 //! 270-degree clockwise (or 90
ccw)
};
+#endif
/** Tone mapping operators.
Constants used in FreeImage_ToneMapping.
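Review bot: the region closed by this `+#endif` fences the whole `FREE_IMAGE_JPEG_OPERATION` enum, yet the justification in the added comment (the functions "require usage of the vendored copy of libjpeg") applies to the transform functions, not to the enum. Any consumer that merely names the type or its `FIJPEG_OP_*` values stops compiling; leaving the enum defined and fencing only the function declarations would keep source compatibility for those callers.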
@@ -1076,7 +1084,9 @@ DLL_API const char* DLL_CALLCONV
FreeImage_TagToString(FREE_IMAGE_MDMODEL model,
// --------------------------------------------------------------------------
// JPEG lossless transformation routines
// --------------------------------------------------------------------------
-
+/* Debian: The JPEGTransform functions are deliberately disabled in our build
+ of FreeImage, since they require usage of the vendored copy of libjpeg. */
+#if 0
DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransform(const char *src_file, const
char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect
FI_DEFAULT(TRUE));
DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformU(const wchar_t *src_file,
const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect
FI_DEFAULT(TRUE));
DLL_API BOOL DLL_CALLCONV FreeImage_JPEGCrop(const char *src_file, const char
*dst_file, int left, int top, int right, int bottom);
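Review bot: the `#if 0` here hides only the declarations in FreeImage.h; nothing in this hunk guards or excludes the definitions in Source/FreeImageToolkit/JPEGTransform.cpp, so that file is still compiled against whichever jpeglib.h is on the include path, which is consistent with the trouble the cover note reports. If the declarations are hidden, the same patch should drop JPEGTransform.cpp from the build (or apply the same guard to it) so the header and the object code agree.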
@@ -1085,6 +1095,7 @@ DLL_API BOOL DLL_CALLCONV
FreeImage_JPEGTransformFromHandle(FreeImageIO* src_io,
DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombined(const char
*src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int*
left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedU(const wchar_t
*src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int*
left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedFromMemory(FIMEMORY*
src_stream, FIMEMORY* dst_stream, FREE_IMAGE_JPEG_OPERATION operation, int*
left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
+#endif
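Review bot: this `+#endif` lands after `FreeImage_JPEGTransformCombinedFromMemory`, so the disabled region spans every `FreeImage_JPEG*` entry point from `FreeImage_JPEGTransform` through the `Combined*` variants, including `FreeImage_JPEGTransformFromHandle` from the hunk's context line. A change that removes this much public API should list the affected functions in its description so packagers and dependents can see the breakage, rather than leaving the reader to pair up `#if 0`/`#endif` markers across three hunks.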
Attachment: 0001-gnu-freeimage-Disable-in-tree-third-party-libraries.patch (text document)
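The thread's concern is whether a freeimage build still carries the vendored codec copies after the Debian-style patch. The script below is an added example, not code from the thread, Guix or Debian: it checks a built shared object two ways, through the DT_NEEDED entries that `readelf -d` prints and through whether libjpeg entry points are imported or defined locally according to `nm -D`. The sonames, symbol names and the sample tool output are constructed assumptions for a typical GNU/Linux build.

```shell
#!/bin/sh
# Added example, not code from the thread, Guix or Debian. After building
# FreeImage with the vendored Source/Lib* trees disabled, check that the
# shared object really resolves its codecs through system libraries:
#  1. every expected soname appears as a DT_NEEDED entry in `readelf -d`;
#  2. libjpeg entry points are imported (U), not defined (T), in `nm -D`.
# Sonames and symbol names are assumptions for a typical GNU/Linux build.

# One expected system library per bundled directory named in the thread
# (LibJPEG, LibOpenJPEG, LibPNG, LibRawLite, LibTIFF4, LibWebP, OpenEXR,
# ZLib). LibJXR is omitted because its system soname varies by distribution.
EXPECTED_NEEDED="libjpeg libopenjp2 libpng libraw libtiff libwebp libIlmImf libz"

# Read `readelf -d` text on stdin; print each expected library that is not
# a DT_NEEDED entry. Empty output means all codecs come from system libs.
missing_needed() {
    needed=$(sed -n 's/.*(NEEDED).*Shared library: \[\([^]]*\)].*/\1/p')
    for lib in $EXPECTED_NEEDED; do
        # Allow versioned names such as libpng16.so.16 or libIlmImf-2_2.so.22.
        printf '%s\n' "$needed" | grep -q "^$lib[0-9]*[.-]" || printf '%s\n' "$lib"
    done
}

# Read `nm -D` text on stdin; print libjpeg API symbols defined (type T) in
# the object itself. Any output means a vendored libjpeg was compiled in.
vendored_jpeg_symbols() {
    awk '$2 == "T" && $3 ~ /^jpeg_(read_header|start_decompress|CreateDecompress)$/ { print $3 }'
}

# Constructed sample output for a build that still carries its own libjpeg:
# every other codec is NEEDED, libjpeg is not, and jpeg_read_header is local.
SAMPLE_READELF='Dynamic section at offset 0x1000 contains 9 entries:
 0x0000000000000001 (NEEDED)             Shared library: [libopenjp2.so.7]
 0x0000000000000001 (NEEDED)             Shared library: [libpng16.so.16]
 0x0000000000000001 (NEEDED)             Shared library: [libraw.so.16]
 0x0000000000000001 (NEEDED)             Shared library: [libtiff.so.5]
 0x0000000000000001 (NEEDED)             Shared library: [libwebp.so.6]
 0x0000000000000001 (NEEDED)             Shared library: [libIlmImf-2_2.so.22]
 0x0000000000000001 (NEEDED)             Shared library: [libz.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
SAMPLE_NM='0000000000045ab0 T FreeImage_Load
0000000000061200 T jpeg_read_header
                 U png_create_read_struct'

echo "expected system libraries missing from DT_NEEDED:"
printf '%s\n' "$SAMPLE_READELF" | missing_needed
echo "libjpeg symbols defined inside the object:"
printf '%s\n' "$SAMPLE_NM" | vendored_jpeg_symbols
```

On a real build replace the samples with `readelf -d libfreeimage.so | missing_needed` and `nm -D libfreeimage.so | vendored_jpeg_symbols`; both printing nothing is the expected result of a successful unbundling.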