The last update to libwmf was twelve years ago, in 2005. In the meantime, a large number of security issues have been discovered in this library. These bugs are fixed somewhat haphazardly by the distributions.
While working on patching CVE-2016-9011 in libwmf, and backporting fixes for CVE-2016-{9317,10167,10168} in the ancient bundled libgd, I find myself wondering whether we need this library at all. The patches from this 12-year span of third-party fixes are beginning to conflict with each other... Libwmf is only used as a "plugin" by AbiWord, and AbiWord can be configured to build without it. Otherwise, someone needs to overhaul and update our libwmf patch series. I've included a WIP patch that includes the fixes. Not all of the new patches apply. WDYT?
From 7149e16c9e6890fa914b0a49f363439ab5627f3a Mon Sep 17 00:00:00 2001
From: Leo Famulari <l...@famulari.name>
Date: Sat, 27 May 2017 12:56:54 -0400
Subject: [PATCH] WIP: libwmf: Fix CVE-2016-{9011,9317,10167,10168}.

XXX: Not all of these patches apply.

* gnu/packages/patches/libwmf-CVE-2016-9011.patch,
gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (libwmf)[source]: Use them.
---
 gnu/local.mk | 2 +
 gnu/packages/image.scm | 4 +-
 gnu/packages/patches/libwmf-CVE-2016-9011.patch | 45 ++++++++++++
 .../patches/libwmf-fixes-for-bundled-gd.patch | 80 ++++++++++++++++++++++
 4 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/libwmf-CVE-2016-9011.patch
 create mode 100644 gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index d0117be85..f60b66948 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -781,6 +781,8 @@ dist_patch_DATA = \
 %D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \
 %D%/packages/patches/libwmf-CVE-2015-4695.patch \
 %D%/packages/patches/libwmf-CVE-2015-4696.patch \
+ %D%/packages/patches/libwmf-CVE-2016-9011.patch \
+ %D%/packages/patches/libwmf-fixes-for-bundled-gd.patch \
 %D%/packages/patches/libxcb-python-3.5-compat.patch \
 %D%/packages/patches/libxml2-CVE-2016-4658.patch \
 %D%/packages/patches/libxml2-CVE-2016-5131.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 86902d568..f33396968 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -421,7 +421,9 @@ collection of tools for doing simple manipulations of TIFF images.")
 "libwmf-CVE-2009-3546.patch"
 "libwmf-CVE-2015-0848+CVE-2015-4588.patch"
 "libwmf-CVE-2015-4695.patch"
- "libwmf-CVE-2015-4696.patch"))))
+ "libwmf-CVE-2015-4696.patch"
+ "libwmf-CVE-2016-9011.patch"
+ "libwmf-fixes-for-bundled-gd.patch"))))
 (build-system gnu-build-system)
 (inputs
diff --git a/gnu/packages/patches/libwmf-CVE-2016-9011.patch b/gnu/packages/patches/libwmf-CVE-2016-9011.patch
new file mode 100644
index 000000000..a74120c15
--- /dev/null
+++ b/gnu/packages/patches/libwmf-CVE-2016-9011.patch
@@ -0,0 +1,45 @@
+Fix CVE-2016-9011:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9011
+https://blogs.gentoo.org/ago/2016/10/18/libwmf-memory-allocation-failure-in-wmf_malloc-api-c/
+
+Patch copied from Fedora:
+
+https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=9a43f910abce9940f07843e7186646ad46b686d6
+
+--- libwmf-0.2.8.4/src/player.c
++++ libwmf-0.2.8.4/src/player.c
+@@ -139,8 +139,31 @@
+ WMF_DEBUG (API,"bailing...");
+ return (API->err);
+ }
+-
+- P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++
++ U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);
++ if (nMaxRecordSize)
++ {
++ //before allocating memory do a sanity check on size by seeking
++ //to claimed end to see if its possible. We're constrained here
++ //by the api and existing implementations to not simply seeking
++ //to SEEK_END. So use what we have to skip to the last byte and
++ //try and read it.
++ const long nPos = WMF_TELL (API);
++ WMF_SEEK (API, nPos + nMaxRecordSize - 1);
++ if (ERR (API))
++ { WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++ int byte = WMF_READ (API);
++ if (byte == (-1))
++ { WMF_ERROR (API,"Unexpected EOF!");
++ API->err = wmf_E_EOF;
++ return (API->err);
++ }
++ WMF_SEEK (API, nPos);
++ }
++
++ P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
+
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
diff --git a/gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch b/gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch
new file mode 100644
index 000000000..92a3f7cdb
--- /dev/null
+++ b/gnu/packages/patches/libwmf-fixes-for-bundled-gd.patch
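Review bot: The rewind `WMF_SEEK (API, nPos);` that closes the new sanity-check block in player.c is not followed by an `ERR (API)` test, unlike the forward seek a few lines above it, so a failed rewind would leave the stream positioned at the probed byte and the record parsing that follows would read from the wrong offset; mirroring the existing pattern with `if (ERR (API)) { WMF_DEBUG (API,"bailing..."); return (API->err); }` after it closes that gap. Separately, `U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);` truncates the product into a 32-bit value, so if `MAX_REC_SIZE` is itself 32-bit the doubling can wrap and the probe then validates the wrapped, smaller size that is handed to `wmf_malloc`; the type is not visible here, so this is worth confirming since the patch is copied rather than upstream. The enclosing function in player.c starts and ends outside the quoted hunk.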
@@ -0,0 +1,80 @@
+Fix CVE-2016-{9317,10167,10168} in bundled libgd:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9317
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10167
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10168
+
+Patches copied from Fedora:
+
+CVE-2016-9317:
+https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=d851798416d005977d9409babf710c050124cfda
+CVE-2016-10167:
+https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=b439c6f363d3f9c7b22e7f3b2211d423abd7d612
+CVE-2016-10168:
+https://src.fedoraproject.org/cgit/rpms/libwmf.git/commit/?id=d8c724ed484d01f3535bd1f317d6c5aa6d33aa80
+
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -65,6 +65,18 @@
+ {
+ int i;
+ gdImagePtr im;
++
++ if (overflow2(sx, sy)) {
++ return NULL;
++ }
++
++ if (overflow2(sizeof (unsigned char *), sy)) {
++ return NULL;
++ }
++ if (overflow2(sizeof (unsigned char), sx)) {
++ return NULL;
++ }
++
+ im = (gdImage *) gdMalloc (sizeof (gdImage));
+ memset (im, 0, sizeof (gdImage));
+ /* Row-major ever since gd 1.3 */
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
+@@ -362,10 +362,9 @@
+ {
+ if (!gdGetInt (&im->tpixels[y][x], in))
+ {
+- /*printf("EOF while reading\n"); */
+- /*gdImageDestroy(im); */
+- /*return 0; */
+- im->tpixels[y][x] = 0;
++ fprintf(stderr, "gd2: EOF while reading\n");
++ gdImageDestroy(im);
++ return NULL;
+ }
+ }
+ else
+@@ -373,10 +372,9 @@
+ int ch;
+ if (!gdGetByte (&ch, in))
+ {
+- /*printf("EOF while reading\n"); */
+- /*gdImageDestroy(im); */
+- /*return 0; */
+- ch = 0;
++ fprintf(stderr, "gd2: EOF while reading\n");
++ gdImageDestroy(im);
++ return NULL;
+ }
+ im->pixels[y][x] = ch;
+ }
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd2.c
+@@ -145,6 +145,11 @@
+
+ if ((*fmt) == GD2_FMT_COMPRESSED)
+ {
++ if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
++ GD2_DBG(printf ("Illegal chunk counts: %d 
* %d\n", *ncx, *ncy));
++ goto fail1;
++ }
++
+ nc = (*ncx) * (*ncy);
+ GD2_DBG (printf ("Reading %d chunk index entries\n", nc));
+ sidx = sizeof (t_chunk_info) * nc;
-- 
2.13.0
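Review bot: The new guards in gd.c call `overflow2(...)` and the new guard in gd_gd2.c compares against `INT_MAX`, but nothing in this patch defines `overflow2` or adds `#include <limits.h>`; unless an earlier patch in the libwmf series already provides `overflow2` in the bundled gd and gd_gd2.c already includes `<limits.h>`, the patched sources will fail to compile, which fits the "Not all of these patches apply" caveat and should be confirmed before this leaves WIP. Both gd_gd2.c EOF paths now end in `gdImageDestroy(im); return NULL;` where they previously zero-filled and continued, so every caller of this reader must tolerate a NULL result; that looks likely for a gd2 loader but is inferred, not visible in the hunk. The `*ncy <= 0` test correctly precedes the `INT_MAX / *ncy` division, so the chunk-count check itself reads sound. The enclosing functions start and end outside the quoted hunks.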