[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
01/05: gnu: graphite2: Add fixes for CVE-2017-5436 and other bugs.
From: |
Mark H. Weaver |
Subject: |
01/05: gnu: graphite2: Add fixes for CVE-2017-5436 and other bugs. |
Date: |
Thu, 20 Apr 2017 19:12:38 -0400 (EDT) |
mhw pushed a commit to branch security-updates
in repository guix.
commit 852c6adbf192ffe68faf60c753db5d66b519430e
Author: Mark H Weaver <address@hidden>
Date: Thu Apr 20 15:10:54 2017 -0400
gnu: graphite2: Add fixes for CVE-2017-5436 and other bugs.
* gnu/packages/fontutils.scm (graphite2)[replacement]: New field.
(graphite2/fixed): New variable.
* gnu/packages/patches/graphite2-CVE-2017-5436.patch,
gnu/packages/patches/graphite2-check-code-point-limit.patch,
gnu/packages/patches/graphite2-fix-32-bit-wrap-arounds.patch,
gnu/packages/patches/graphite2-non-linear-classes-even-number.patch:
New files.
* gnu/local.mk (dist_patch_DATA): Add them.
---
gnu/local.mk | 4 +
gnu/packages/fontutils.scm | 22 +++++
gnu/packages/patches/graphite2-CVE-2017-5436.patch | 25 ++++++
.../patches/graphite2-check-code-point-limit.patch | 50 ++++++++++++
.../graphite2-fix-32-bit-wrap-arounds.patch | 93 ++++++++++++++++++++++
.../graphite2-non-linear-classes-even-number.patch | 26 ++++++
6 files changed, 220 insertions(+)
diff --git a/gnu/local.mk b/gnu/local.mk
index f381262..430286e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -618,7 +618,11 @@ dist_patch_DATA =
\
%D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
%D%/packages/patches/gobject-introspection-cc.patch \
%D%/packages/patches/gobject-introspection-girepository.patch \
+ %D%/packages/patches/graphite2-CVE-2017-5436.patch \
+ %D%/packages/patches/graphite2-check-code-point-limit.patch \
%D%/packages/patches/graphite2-ffloat-store.patch \
+ %D%/packages/patches/graphite2-fix-32-bit-wrap-arounds.patch \
+ %D%/packages/patches/graphite2-non-linear-classes-even-number.patch \
%D%/packages/patches/grep-timing-sensitive-test.patch \
%D%/packages/patches/grub-CVE-2015-8370.patch \
%D%/packages/patches/grub-gets-undeclared.patch \
diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm
index 7e72349..cc6d1df 100644
--- a/gnu/packages/fontutils.scm
+++ b/gnu/packages/fontutils.scm
@@ -376,6 +376,7 @@ applications should be.")
(package
(name "graphite2")
(version "1.3.9")
+ (replacement graphite2/fixed)
(source
(origin
(method url-fetch)
@@ -400,6 +401,27 @@ and returns a sequence of positioned glyphids from the
font.")
(license license:lgpl2.1+)
(home-page "https://github.com/silnrsi/graphite")))
+(define graphite2/fixed
+ (package
+ (inherit graphite2)
+ (name "graphite2")
+ (version "1.3.9")
+ (replacement #f)
+ (source
+ (origin
+ (method url-fetch)
+ (uri (string-append "https://github.com/silnrsi/graphite/releases/"
+ "download/" version "/" name "-" version ".tgz"))
+ (patches (search-patches
+ "graphite2-ffloat-store.patch"
+ "graphite2-check-code-point-limit.patch"
+ "graphite2-CVE-2017-5436.patch"
+ "graphite2-fix-32-bit-wrap-arounds.patch"
+ "graphite2-non-linear-classes-even-number.patch"))
+ (sha256
+ (base32
+ "0rs5h7m340z75kygx8d72cps0q6yvvqa9i788vym7585cfv8a0gc"))))))
+
(define-public potrace
(package
(name "potrace")
diff --git a/gnu/packages/patches/graphite2-CVE-2017-5436.patch
b/gnu/packages/patches/graphite2-CVE-2017-5436.patch
new file mode 100644
index 0000000..d7383ec
--- /dev/null
+++ b/gnu/packages/patches/graphite2-CVE-2017-5436.patch
@@ -0,0 +1,25 @@
+From 1ce331d5548b98ed8b818532b2556d6f2c7a3b83 Mon Sep 17 00:00:00 2001
+From: Martin Hosken <address@hidden>
+Date: Thu, 9 Mar 2017 22:04:04 +0000
+Subject: [PATCH] Ensure features have enough space. Fix from Mozilla
+
+---
+ src/FeatureMap.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/FeatureMap.cpp b/src/FeatureMap.cpp
+index b8c8405..83bd5f6 100644
+--- a/src/FeatureMap.cpp
++++ b/src/FeatureMap.cpp
+@@ -275,7 +275,7 @@ bool FeatureRef::applyValToFeature(uint32 val, Features &
pDest) const
+ else
+ if (pDest.m_pMap!=&m_pFace->theSill().theFeatureMap())
+ return false; //incompatible
+- pDest.reserve(m_index);
++ pDest.reserve(m_index+1);
+ pDest[m_index] &= ~m_mask;
+ pDest[m_index] |= (uint32(val) << m_bits);
+ return true;
+--
+2.12.2
+
diff --git a/gnu/packages/patches/graphite2-check-code-point-limit.patch
b/gnu/packages/patches/graphite2-check-code-point-limit.patch
new file mode 100644
index 0000000..a9b6caf
--- /dev/null
+++ b/gnu/packages/patches/graphite2-check-code-point-limit.patch
@@ -0,0 +1,50 @@
+From 348c11e4571b534efdbd58a575bbea979c880b2f Mon Sep 17 00:00:00 2001
+From: Tim Eves <address@hidden>
+Date: Wed, 1 Mar 2017 14:23:46 +0700
+Subject: [PATCH] Fix decoding of USV greater than U+110000
+
+Add test cases too
+---
+ src/inc/UtfCodec.h | 4 ++--
+ tests/utftest/utftest.cpp | 3 +++
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/inc/UtfCodec.h b/src/inc/UtfCodec.h
+index 3417bac..9dc760f 100644
+--- a/src/inc/UtfCodec.h
++++ b/src/inc/UtfCodec.h
+@@ -124,7 +124,7 @@ struct _utf_codec<8>
+ private:
+ static const int8 sz_lut[16];
+ static const byte mask_lut[5];
+-
++ static const uchar_t limit = 0x110000;
+
+ public:
+ typedef uint8 codeunit_t;
+@@ -157,7 +157,7 @@ public:
+ case 0: l = -1; return 0xFFFD;
+ }
+
+- if (l != seq_sz || toolong)
++ if (l != seq_sz || toolong || u >= limit)
+ {
+ l = -l;
+ return 0xFFFD;
+diff --git a/tests/utftest/utftest.cpp b/tests/utftest/utftest.cpp
+index 21cb188..a23553a 100644
+--- a/tests/utftest/utftest.cpp
++++ b/tests/utftest/utftest.cpp
+@@ -8,6 +8,9 @@ struct test8
+ unsigned char str[12];
+ };
+ struct test8 tests8[] = {
++ { 0, 0, {0xF4, 0x90, 0x80, 0x80, 0, 0, 0, 0, 0, 0, 0,
0} }, // bad(4) [U+110000]
++ { 0, 0, {0xC0, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0} }, // bad(4) [U+110000]
++ { 0, 0, {0xA0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0} }, // bad(4) [U+110000]
+ { 4, -1, {0x7F, 0xDF, 0xBF, 0xEF, 0xBF, 0xBF, 0xF4, 0x8F, 0xBF, 0xBF, 0,
0} }, // U+7F, U+7FF, U+FFFF, U+10FFF
+ { 2, 3, {0x7F, 0xDF, 0xBF, 0xF0, 0x8F, 0xBF, 0xBF, 0xF4, 0x8F, 0xBF,
0xBF, 0} }, // U+7F, U+7FF, long(U+FFFF), U+10FFF
+ { 1, 1, {0x7F, 0xE0, 0x9F, 0xBF, 0xEF, 0xBF, 0xBF, 0xF4, 0x8F, 0xBF,
0xBF, 0} }, // U+7F, long(U+7FF), U+FFFF, U+10FFF
+--
+2.12.2
+
diff --git a/gnu/packages/patches/graphite2-fix-32-bit-wrap-arounds.patch
b/gnu/packages/patches/graphite2-fix-32-bit-wrap-arounds.patch
new file mode 100644
index 0000000..57d4ce2
--- /dev/null
+++ b/gnu/packages/patches/graphite2-fix-32-bit-wrap-arounds.patch
@@ -0,0 +1,93 @@
+This patch incorporates the following 6 consecutive commits from the upstream
+graphite2 repository:
+
+75b83cd..: Martin Hosken 2017-03-28 Fix 32-bit wrap arounds
+1f97e36..: Martin Hosken 2017-03-28 balance comparisons in decompressor
+9493785..: Martin Hosken 2017-03-29 Speculative rounding fix
+09af043..: Tim Eves 2017-03-31 Move a MINMATCH to rhs of a comparisio
+28cc60d..: Tim Eves 2017-03-31 Deal with similar wrap around in
literal_len
+8afc7d0..: Martin Hosken 2017-04-03 Fix 32-bit rollover in decompressor, again
+
+This diff was generated by the following command:
+
+ git diff 1ce331d5548b98ed..8afc7d0081959866
+
+
+diff --git a/src/Decompressor.cpp b/src/Decompressor.cpp
+index 084570f..56d531f 100644
+--- a/src/Decompressor.cpp
++++ b/src/Decompressor.cpp
+@@ -51,7 +51,7 @@ bool read_sequence(u8 const * &src, u8 const * const end, u8
const * &literal, u
+ literal = src;
+ src += literal_len;
+
+- if (src > end - 2)
++ if (src > end - 2 || src < literal)
+ return false;
+
+ match_dist = *src++;
+@@ -85,7 +85,7 @@ int lz4::decompress(void const *in, size_t in_size, void
*out, size_t out_size)
+ {
+ // Copy in literal. At this point the last full sequence must be
at
+ // least MINMATCH + 5 from the end of the output buffer.
+- if (dst + align(literal_len) > dst_end - (MINMATCH+5))
++ if (align(literal_len) > unsigned(dst_end - dst - (MINMATCH+5))
|| dst_end - dst < MINMATCH + 5)
+ return -1;
+ dst = overrun_copy(dst, literal, literal_len);
+ }
+@@ -94,7 +94,8 @@ int lz4::decompress(void const *in, size_t in_size, void
*out, size_t out_size)
+ // decoded output.
+ u8 const * const pcpy = dst - match_dist;
+ if (pcpy < static_cast<u8*>(out)
+- || dst + match_len + MINMATCH > dst_end - 5)
++ || match_len > unsigned(dst_end - dst - (MINMATCH+5))
++ || dst_end - dst < MINMATCH + 5)
+ return -1;
+ if (dst > pcpy+sizeof(unsigned long)
+ && dst + align(match_len + MINMATCH) <= dst_end)
+@@ -103,8 +104,8 @@ int lz4::decompress(void const *in, size_t in_size, void
*out, size_t out_size)
+ dst = safe_copy(dst, pcpy, match_len + MINMATCH);
+ }
+
+- if (literal + literal_len > src_end
+- || dst + literal_len > dst_end)
++ if (literal_len > src_end - literal
++ || literal_len > dst_end - dst)
+ return -1;
+ dst = fast_copy(dst, literal, literal_len);
+
+diff --git a/src/Pass.cpp b/src/Pass.cpp
+index a4bac2e..683143c 100644
+--- a/src/Pass.cpp
++++ b/src/Pass.cpp
+@@ -171,7 +171,7 @@ bool Pass::readPass(const byte * const pass_start, size_t
pass_length, size_t su
+ const uint16 * const o_actions = reinterpret_cast<const uint16 *>(p);
+ be::skip<uint16>(p, m_numRules + 1);
+ const byte * const states = p;
+- if (e.test(p + 2u*m_numTransition*m_numColumns >= pass_end,
E_BADPASSLENGTH)) return face.error(e);
++ if (e.test(2u*m_numTransition*m_numColumns >= (unsigned)(pass_end - p),
E_BADPASSLENGTH)) return face.error(e);
+ be::skip<int16>(p, m_numTransition*m_numColumns);
+ be::skip<uint8>(p);
+ if (e.test(p != pcCode, E_BADPASSCCODEPTR)) return face.error(e);
+@@ -192,7 +192,7 @@ bool Pass::readPass(const byte * const pass_start, size_t
pass_length, size_t su
+ m_cPConstraint = vm::Machine::Code(true, pcCode, pcCode +
pass_constraint_len,
+ precontext[0], be::peek<uint16>(sort_keys),
*m_silf, face, PASS_TYPE_UNKNOWN);
+ if (e.test(!m_cPConstraint, E_OUTOFMEM)
+- || e.test(!m_cPConstraint, m_cPConstraint.status() +
E_CODEFAILURE))
++ || e.test(m_cPConstraint.status() != Code::loaded,
m_cPConstraint.status() + E_CODEFAILURE))
+ return face.error(e);
+ face.error_context(face.error_context() - 1);
+ }
+diff --git a/src/Silf.cpp b/src/Silf.cpp
+index 72a22cd..d661992 100644
+--- a/src/Silf.cpp
++++ b/src/Silf.cpp
+@@ -191,7 +191,7 @@ bool Silf::readGraphite(const byte * const silf_start,
size_t lSilf, Face& face,
+
+ const size_t clen = readClassMap(p, passes_start - p, version, e);
+ m_passes = new Pass[m_numPasses];
+- if (e || e.test(p + clen > passes_start, E_BADPASSESSTART)
++ if (e || e.test(clen > unsigned(passes_start - p), E_BADPASSESSTART)
+ || e.test(!m_passes, E_OUTOFMEM))
+ { releaseBuffers(); return face.error(e); }
+
diff --git
a/gnu/packages/patches/graphite2-non-linear-classes-even-number.patch
b/gnu/packages/patches/graphite2-non-linear-classes-even-number.patch
new file mode 100644
index 0000000..2bb1c9f
--- /dev/null
+++ b/gnu/packages/patches/graphite2-non-linear-classes-even-number.patch
@@ -0,0 +1,26 @@
+From 0646e4ee471183994f78a759269f0505617711f3 Mon Sep 17 00:00:00 2001
+From: Martin Hosken <address@hidden>
+Date: Tue, 18 Apr 2017 13:17:14 +0100
+Subject: [PATCH] Ensure non linear classes have even number of elements
+
+---
+ src/Silf.cpp | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/Silf.cpp b/src/Silf.cpp
+index d661992..9f2f954 100644
+--- a/src/Silf.cpp
++++ b/src/Silf.cpp
+@@ -293,7 +293,8 @@ size_t Silf::readClassMap(const byte *p, size_t data_len,
uint32 version, Error
+ if (e.test(*o + 4 > max_off, E_HIGHCLASSOFFSET)
// LookupClass doesn't stretch over max_off
+ || e.test(lookup[0] == 0
// A LookupClass with no looks is a suspicious thing ...
+ || lookup[0] * 2 + *o + 4 > max_off
// numIDs lookup pairs fits within (start of LookupClass' lookups array,
max_off]
+- || lookup[3] + lookup[1] != lookup[0],
E_BADCLASSLOOKUPINFO)) // rangeShift: numIDs - searchRange
++ || lookup[3] + lookup[1] != lookup[0],
E_BADCLASSLOOKUPINFO) // rangeShift: numIDs - searchRange
++ || e.test(((o[1] - *o) & 1) != 0, ERROROFFSET))
// glyphs are in pairs so difference must be even.
+ return ERROROFFSET;
+ }
+
+--
+2.12.2
+