main/gdk-pixbuf: security fixes (CVE-2017-6311, CVE-2017-6312, CVE-2017-6314)

Partially fixes #6954 CVE-2017-6313: fix N/A, https://bugzilla.gnome.org/show_bug.cgi?id=779016
author: Leonardo Arena <rnalrd@alpinelinux.org> 2017-06-16 08:24:59 +0000
committer: Leonardo Arena <rnalrd@alpinelinux.org> 2017-06-16 08:32:52 +0000
commit: b94677ab61788321ca49525a88ae523c9f0a6bca (patch)
tree: a8aa57f6fa9ce3db67078113380ae43d78571021
parent: 93fd1a38cd5fd45ff4049e23489bd9f46b5065b3 (diff)
4 files changed, 78 insertions, 2 deletions
diff --git a/main/gdk-pixbuf/APKBUILD b/main/gdk-pixbuf/APKBUILD
index e828f3e2f50..335826903dd 100644
--- a/main/gdk-pixbuf/APKBUILD
+++ b/main/gdk-pixbuf/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=gdk-pixbuf
 pkgver=2.36.6
-pkgrel=0
+pkgrel=1
 pkgdesc="GDK Pixbuf library"
 url="http://www.gtk.org/"
 arch="all"
@@ -14,11 +14,20 @@ install="$pkgname.pre-deinstall"
 triggers="$pkgname.trigger=/usr/lib/gdk-pixbuf-2.0/*/loaders"
 subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
 source="http://ftp.gnome.org/pub/gnome/sources/gdk-pixbuf/${pkgver%.*}/gdk-pixbuf-$pkgver.tar.xz
+	CVE-2017-6311.patch
+	CVE-2017-6312.patch
+	CVE-2017-6314.patch
 	"
 replaces="gtk+"
 
 _builddir="$srcdir"/$pkgname-$pkgver
 
+# secfixes:
+#   2.36.6-r1:
+#     - CVE-2017-6311
+#     - CVE-2017-6312
+#     - CVE-2017-6314
+
 prepare() {
 	cd "$_builddir"
 	for i in $source; do
@@ -57,4 +66,7 @@ dev() {
 	default_dev
 }
 
-sha512sums="b963f01161b58463c83499079545aa946fd824ec5e7167e0898698ac46e0cc3fb3dcb0cac5afabd6b7d957391b9c9bba55f340294076433155fc91052d5403ec  gdk-pixbuf-2.36.6.tar.xz"
+sha512sums="b963f01161b58463c83499079545aa946fd824ec5e7167e0898698ac46e0cc3fb3dcb0cac5afabd6b7d957391b9c9bba55f340294076433155fc91052d5403ec  gdk-pixbuf-2.36.6.tar.xz
+b1da3b159b20fe9fcfb06ec77970d3f4adc516dbc63a9fe7e81dbaa61db2f18188775668a2bc764128186696adc9ee3dfd4dcf1a04faa302e23957d38071a610  CVE-2017-6311.patch
+3b67e10ae02ecfdb541c427f811541e2cd0cfc3f048b1e4b119767b7f8f3a02de8a9c7302c21d23de1ea886f994d4dcdb687580c970d7d49eba80f17075ff0de  CVE-2017-6312.patch
+2ea67f0716234de017f7e8c628d544b40513f23689d70e5e5e2621affabce40ae733d399f64d2641616c114ac7f3fa22396e68142656dbb10993d70181ff5a50  CVE-2017-6314.patch"
diff --git a/main/gdk-pixbuf/CVE-2017-6311.patch b/main/gdk-pixbuf/CVE-2017-6311.patch
new file mode 100644
index 00000000000..d3d65789eef
--- /dev/null
+++ b/main/gdk-pixbuf/CVE-2017-6311.patch
@@ -0,0 +1,23 @@
+@@ -, +, @@ 
+ returned
+ thumbnailer/gnome-thumbnailer-skeleton.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+--- a/thumbnailer/gnome-thumbnailer-skeleton.c	
++++ a/thumbnailer/gnome-thumbnailer-skeleton.c	
+@@ -315,11 +315,15 @@ int main (int argc, char **argv)
+ #endif
+ 	g_free (input_filename);
+ 
+-	if (!pixbuf) {
++	if (!pixbuf && error) {
+ 		g_warning ("Could not thumbnail '%s': %s", filenames[0], error->message);
+ 		g_error_free (error);
+ 		g_strfreev (filenames);
+ 		return 1;
++	} else if (!pixbuf) {
++		g_warning ("Could not thumbnail '%s'", filenames[0]);
++		g_strfreev (filenames);
++		return 1;
+ 	}
+ 
+ 	if (gdk_pixbuf_save (pixbuf, output, "png", &error, NULL) == FALSE) {
diff --git a/main/gdk-pixbuf/CVE-2017-6312.patch b/main/gdk-pixbuf/CVE-2017-6312.patch
new file mode 100644
index 00000000000..3cd9bbe7577
--- /dev/null
+++ b/main/gdk-pixbuf/CVE-2017-6312.patch
@@ -0,0 +1,25 @@
+--- a/gdk-pixbuf/io-ico.c	
++++ a/gdk-pixbuf/io-ico.c	
+@@ -330,10 +330,8 @@ static void DecodeHeader(guchar *Data, gint Bytes,
+ 			return;
+ 		}
+ 
+-		/* We know how many bytes are in the "header" part. */
+-		State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
+-
+-		if (State->HeaderSize < 0) {
++		/* Avoid invoking undefined behavior in the State->HeaderSize calculation below */
++		if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) {
+ 			g_set_error (error,
+ 			             GDK_PIXBUF_ERROR,
+ 			             GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+@@ -341,6 +339,9 @@ static void DecodeHeader(guchar *Data, gint Bytes,
+ 			return;
+ 		}
+ 
++		/* We know how many bytes are in the "header" part. */
++		State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
++
+ 		if (State->HeaderSize>State->BytesInHeaderBuf) {
+ 			guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize);
+ 			if (!tmp) {
diff --git a/main/gdk-pixbuf/CVE-2017-6314.patch b/main/gdk-pixbuf/CVE-2017-6314.patch
new file mode 100644
index 00000000000..a345fe03fd8
--- /dev/null
+++ b/main/gdk-pixbuf/CVE-2017-6314.patch
@@ -0,0 +1,16 @@
+--- gdk-pixbuf-2.30.8/gdk-pixbuf/io-tiff.c	
++++ gdk-pixbuf-2.30.8/gdk-pixbuf/io-tiff.c	
+@@ -458,9 +458,12 @@ make_available_at_least (TiffContext *co
+         need_alloc = context->used + needed;
+         if (need_alloc > context->allocated) {
+                 guint new_size = 1;
+-                while (new_size < need_alloc)
++                while (new_size && (new_size < need_alloc))
+                         new_size *= 2;
+ 
++		if(!(new_size))
++			return FALSE;
++
+                 new_buffer = g_try_realloc (context->buffer, new_size);
+                 if (new_buffer) {
+                         context->buffer = new_buffer;
author	Leonardo Arena <rnalrd@alpinelinux.org>	2017-06-16 08:24:59 +0000
committer	Leonardo Arena <rnalrd@alpinelinux.org>	2017-06-16 08:32:52 +0000
commit	b94677ab61788321ca49525a88ae523c9f0a6bca (patch)
tree	a8aa57f6fa9ce3db67078113380ae43d78571021
parent	93fd1a38cd5fd45ff4049e23489bd9f46b5065b3 (diff)