authorLeo <thinkabit.ukim@gmail.com>2019-07-21 02:35:49 -0300
committerNatanael Copa <ncopa@alpinelinux.org>2019-07-22 11:48:40 +0200
commit1e378edcf6caaa3ed5646459e4c8a47234afa01a (patch)
treed8f4342a0d27fb8900ff2bc398f0c07ee1a559df
parent63295e4a667669a5dadf360d6a5e0d3ca67af2c1 (diff)
main/libcroco: fix a few CVEs
- CVE-2017-7960 - CVE-2017-7961 - CVE-2017-8834 - CVE-2017-8871 Fixes https://gitlab.alpinelinux.org/alpine/aports/issues/10566
-rw-r--r--main/libcroco/APKBUILD24
-rw-r--r--main/libcroco/CVE-2017-7960.patch59
-rw-r--r--main/libcroco/CVE-2017-7961.patch43
-rw-r--r--main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch29
4 files changed, 149 insertions, 6 deletions
diff --git a/main/libcroco/APKBUILD b/main/libcroco/APKBUILD
index ef28628b1e4..fa44fa80660 100644
--- a/main/libcroco/APKBUILD
+++ b/main/libcroco/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libcroco
pkgver=0.6.12
-pkgrel=0
+pkgrel=1
pkgdesc="GNOME CSS2 parsing and manipulation toolkit"
url="http://www.gnome.org"
arch="all"
@@ -9,11 +9,20 @@ license="LGPL"
subpackages="$pkgname-dev"
depends=
makedepends="glib-dev libxml2-dev"
-source="https://download.gnome.org/sources/$pkgname/0.6/$pkgname-$pkgver.tar.xz"
+source="https://download.gnome.org/sources/$pkgname/0.6/$pkgname-$pkgver.tar.xz
+ CVE-2017-7960.patch
+ CVE-2017-7961.patch
+ CVE-2017-8871-and-CVE-2017-8834.patch
+ "
-depends_dev="glib-dev libxml2-dev pkgconfig"
+# secfixes:
+# 0.6.12-r1:
+# - CVE-2017-7960
+# - CVE-2017-7961
+# - CVE-2017-8871
+# - CVE-2017-8834
-builddir="$srcdir/$pkgname-$pkgver"
+depends_dev="glib-dev libxml2-dev pkgconfig"
build() {
cd "$builddir"
@@ -28,6 +37,9 @@ build() {
package() {
cd "$builddir"
- make DESTDIR="$pkgdir" install || return 1
+ make DESTDIR="$pkgdir" install
}
-sha512sums="af9a171d5ccded255b57f170576e67155f12fa0f61ab3e379e907975f77afc37e82e22772c6019b2897cffc15b2425faf3ccfda92b1a45b23eda2519debabeb6 libcroco-0.6.12.tar.xz"
+sha512sums="af9a171d5ccded255b57f170576e67155f12fa0f61ab3e379e907975f77afc37e82e22772c6019b2897cffc15b2425faf3ccfda92b1a45b23eda2519debabeb6 libcroco-0.6.12.tar.xz
+e6a799e5547c60a317602aa5b537b27ecbc47de84ceb9ef109586370406cd8151c7ab1e7c27f346becf3c10f0524bfc7ac98dcf3160089880c2ac189ee4e7176 CVE-2017-7960.patch
+a1820039d23793ac53ba3acb771f487fe7fed839b298734435e168fecb5cd8b2b20b2fd08b4f827d0ed7eb0b5e76c9290ba912533b95acbf1be7cda5fd604da6 CVE-2017-7961.patch
+568ad8205f5c2ab1eb949ef664671069fad5991e43992e35092738c1a741289303dba343c8002caec817d1c27fe5645dc2a861573fb4d91074aef59ff41f3d27 CVE-2017-8871-and-CVE-2017-8834.patch"
diff --git a/main/libcroco/CVE-2017-7960.patch b/main/libcroco/CVE-2017-7960.patch
new file mode 100644
index 00000000000..cd8dbaafa48
--- /dev/null
+++ b/main/libcroco/CVE-2017-7960.patch
@@ -0,0 +1,59 @@
+From 898e3a8c8c0314d2e6b106809a8e3e93cf9d4394 Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
+Date: Sun, 16 Apr 2017 13:13:43 +0200
+Subject: [PATCH] input: check end of input before reading a byte
+
+When reading bytes we weren't check that the index wasn't
+out of bound and this could produce an invalid read which
+could deal to a security bug.
+---
+ src/cr-input.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/cr-input.c b/src/cr-input.c
+index 49000b1..3b63a88 100644
+--- a/src/cr-input.c
++++ b/src/cr-input.c
+@@ -256,7 +256,7 @@ cr_input_new_from_uri (const gchar * a_file_uri, enum CREncoding a_enc)
+ *we should free buf here because it's own by CRInput.
+ *(see the last parameter of cr_input_new_from_buf().
+ */
+- buf = NULL ;
++ buf = NULL;
+ }
+
+ cleanup:
+@@ -404,6 +404,8 @@ cr_input_get_nb_bytes_left (CRInput const * a_this)
+ enum CRStatus
+ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ {
++ gulong nb_bytes_left = 0;
++
+ g_return_val_if_fail (a_this && PRIVATE (a_this)
+ && a_byte, CR_BAD_PARAM_ERROR);
+
+@@ -413,6 +415,12 @@ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ if (PRIVATE (a_this)->end_of_input == TRUE)
+ return CR_END_OF_INPUT_ERROR;
+
++ nb_bytes_left = cr_input_get_nb_bytes_left (a_this);
++
++ if (nb_bytes_left < 1) {
++ return CR_END_OF_INPUT_ERROR;
++ }
++
+ *a_byte = PRIVATE (a_this)->in_buf[PRIVATE (a_this)->next_byte_index];
+
+ if (PRIVATE (a_this)->nb_bytes -
+@@ -477,7 +485,6 @@ cr_input_read_char (CRInput * a_this, guint32 * a_char)
+ if (*a_char == '\n') {
+ PRIVATE (a_this)->end_of_line = TRUE;
+ }
+-
+ }
+
+ return status;
+--
+2.21.0
+
+
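Review bot: In cr_input_read_byte the new `nb_bytes_left` is declared `gulong`, which may defeat the added `nb_bytes_left < 1` guard if cr_input_get_nb_bytes_left() reports failure with a negative value. Its return type and error paths are outside this hunk, so this should be confirmed against src/cr-input.c; if it returns a signed `glong` with -1 on an inconsistent index, the -1 converts to a huge unsigned value and the read from `in_buf[next_byte_index]` still happens. Declaring it as `glong nb_bytes_left = 0;` keeps the comparison signed and rejects both zero and error returns. The whitespace-only edits (`buf = NULL;` and the dropped blank line in cr_input_read_char) would be easier to audit in a separate change from the bounds check.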
diff --git a/main/libcroco/CVE-2017-7961.patch b/main/libcroco/CVE-2017-7961.patch
new file mode 100644
index 00000000000..bb0236e6a5a
--- /dev/null
+++ b/main/libcroco/CVE-2017-7961.patch
@@ -0,0 +1,43 @@
+From 9ad72875e9f08e4c519ef63d44cdbd94aa9504f7 Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
+Date: Sun, 16 Apr 2017 13:56:09 +0200
+Subject: [PATCH] tknzr: support only max long rgb values
+
+This fixes a possible out of bound when reading rgbs which
+are longer than the support MAXLONG
+---
+ src/cr-tknzr.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/cr-tknzr.c b/src/cr-tknzr.c
+index 1a7cfeb..1548c35 100644
+--- a/src/cr-tknzr.c
++++ b/src/cr-tknzr.c
+@@ -1279,6 +1279,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
+ status = cr_tknzr_parse_num (a_this, &num);
+ ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
+
++ if (num->val > G_MAXLONG) {
++ status = CR_PARSING_ERROR;
++ goto error;
++ }
++
+ red = num->val;
+ cr_num_destroy (num);
+ num = NULL;
+@@ -1298,6 +1303,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
+ status = cr_tknzr_parse_num (a_this, &num);
+ ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
+
++ if (num->val > G_MAXLONG) {
++ status = CR_PARSING_ERROR;
++ goto error;
++ }
++
+ PEEK_BYTE (a_this, 1, &next_bytes[0]);
+ if (next_bytes[0] == '%') {
+ SKIP_CHARS (a_this, 1);
+--
+2.21.0
+
+
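Review bot: Both added checks in cr_tknzr_parse_rgb compare `num->val > G_MAXLONG`, which leaves the boundary value uncovered when `long` is 64 bits wide. Assuming `num->val` is a `gdouble` and the colour components are `glong` (the declarations are outside the hunk), G_MAXLONG is converted to double for the comparison and rounds up to 2^63, so a parsed value of exactly 2^63 passes the test and the conversion at `red = num->val;` is still out of range. Using `if (num->val >= (gdouble) G_MAXLONG) {` in both places closes that gap; whether a lower bound is also needed depends on whether cr_tknzr_parse_num can return negative or NaN values, which is not visible here. The `goto error` path is taken while `num` is still allocated, so it is worth confirming that the `error:` label destroys it.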
diff --git a/main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch b/main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch
new file mode 100644
index 00000000000..f65c6a97481
--- /dev/null
+++ b/main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch
@@ -0,0 +1,29 @@
+From deda38539f5b25616aa294d8b19d33ebf8e175ff Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgorse@alum.wpi.edu>
+Date: Thu, 2 May 2019 10:54:43 -0500
+Subject: [PATCH] cr_utils_read_char_from_utf8_buf: move past invalid UTF-8
+
+Otherwise, the offending character is never consumed, possibly leading
+to an infinite loop.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=782647
+---
+ src/cr-utils.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/cr-utils.c b/src/cr-utils.c
+index 2420cec..6cf4849 100644
+--- a/src/cr-utils.c
++++ b/src/cr-utils.c
+@@ -505,6 +505,7 @@ cr_utils_read_char_from_utf8_buf (const guchar * a_in,
+
+ } else {
+ /*BAD ENCODING */
++ nb_bytes_2_decode = 1;
+ goto end;
+ }
+
+--
+2.20.1
+
+
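Review bot: The added `nb_bytes_2_decode = 1;` in the BAD ENCODING branch of cr_utils_read_char_from_utf8_buf has no comment, and its purpose is not evident without reading the code after `end:`, which is outside the hunk. A one-line comment such as `/* report one byte consumed so the caller advances past the invalid byte */` would keep a later cleanup from removing it and reintroducing the non-terminating loop described in the commit message. Presumably `end:` derives the consumed count from this variable; that should be confirmed, along with whether the other early `goto end` paths in the function also leave a non-zero count.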