control tags -1 security patch upstream
severity -1 important
thanks
Ping.
I'd like to stress that this bug has security implications (DoS and
potential host memory exposure).
Debdiffs against jessie and sid versions attached.
diff -Nru imlib2-1.4.6/debian/changelog imlib2-1.4.6/debian/changelog
--- imlib2-1.4.6/debian/changelog 2016-03-29 19:55:12.000000000 +0300
+++ imlib2-1.4.6/debian/changelog 2016-03-31 18:30:21.000000000 +0300
@@ -1,3 +1,12 @@
+imlib2 (1.4.6-2+deb8u1.1) UNRELEASED; urgency=high
+
+ * Non-maintainer upload.
+ * Drop 02_fix-gif-with-no-cmap.patch (redundant with CVE-2014-9762.patch).
+ * Fix out-of-bound read from colormap. (Closes: #785369)
+ * Drop now-redundant CVE-2014-9762.patch.
+
+ -- Yuriy M. Kaminskiy <yumkam+deb...@gmail.com> Thu, 31 Mar 2016 17:53:34
+0300
+
imlib2 (1.4.6-2+deb8u1) jessie-security; urgency=high
* Non-maintainer upload.
diff -Nru imlib2-1.4.6/debian/patches/02_fix-gif-with-no-cmap.patch
imlib2-1.4.6/debian/patches/02_fix-gif-with-no-cmap.patch
--- imlib2-1.4.6/debian/patches/02_fix-gif-with-no-cmap.patch 2016-03-29
19:55:12.000000000 +0300
+++ imlib2-1.4.6/debian/patches/02_fix-gif-with-no-cmap.patch 1970-01-01
03:00:00.000000000 +0300
@@ -1,32 +0,0 @@
-Description: Do not segfault when loading gif without color map
-Origin: vendor
-Bug-Debian: http://bugs.debian.org/697143
-Forwarded: no
-Author: Samuel Thibault <sthiba...@debian.org>
-Reviewed-by: Alessandro Ghedini <gh...@debian.org>
-Last-Update: 2013-10-06
-
---- a/src/modules/loaders/loader_gif.c
-+++ b/src/modules/loaders/loader_gif.c
-@@ -162,10 +162,17 @@
- {
- if (rows[i][j] == transp)
- {
-- r = cmap->Colors[bg].Red;
-- g = cmap->Colors[bg].Green;
-- b = cmap->Colors[bg].Blue;
-- *ptr++ = 0x00ffffff & ((r << 16) | (g << 8) | b);
-+ if (cmap)
-+ {
-+ r = cmap->Colors[bg].Red;
-+ g = cmap->Colors[bg].Green;
-+ b = cmap->Colors[bg].Blue;
-+ *ptr++ = 0x00ffffff & ((r << 16) | (g << 8) | b);
-+ }
-+ else
-+ {
-+ *ptr++ = 0;
-+ }
- }
- else
- {
diff -Nru imlib2-1.4.6/debian/patches/CVE-2014-9762.patch
imlib2-1.4.6/debian/patches/CVE-2014-9762.patch
--- imlib2-1.4.6/debian/patches/CVE-2014-9762.patch 2016-03-29
19:55:12.000000000 +0300
+++ imlib2-1.4.6/debian/patches/CVE-2014-9762.patch 1970-01-01
03:00:00.000000000 +0300
@@ -1,35 +0,0 @@
-From: Markus Koschany <a...@debian.org>
-Date: Mon, 21 Mar 2016 22:40:04 +0100
-Subject: CVE-2014-9762
-
-Fix segmentation fault on images without colormap.
-
-Origin:
https://git.enlightenment.org/legacy/imlib2.git/commit/?h=v1.4.7&id=39641e74a560982fbf93f29bf96b37d27803cb56
----
- src/modules/loaders/loader_gif.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/src/modules/loaders/loader_gif.c
b/src/modules/loaders/loader_gif.c
-index 45ff0b9..ff78d22 100644
---- a/src/modules/loaders/loader_gif.c
-+++ b/src/modules/loaders/loader_gif.c
-@@ -154,6 +154,19 @@ load(ImlibImage * im, ImlibProgressFunction progress,
char progress_granularity,
- free(rows);
- return 0;
- }
-+ if (!cmap)
-+ {
-+ /* No colormap? Now what?? Let's clear the image (and not segv)
*/
-+ memset(im->data, 0, sizeof(DATA32) * w * h);
-+ DGifCloseFile(gif);
-+ for (i = 0; i < h; i++)
-+ {
-+ free(rows[i]);
-+ }
-+ free(rows);
-+ return 1;
-+ }
-+
- ptr = im->data;
- per_inc = 100.0 / (((float)w) * h);
- for (i = 0; i < h; i++)
diff -Nru imlib2-1.4.6/debian/patches/fix-bug-785369.patch
imlib2-1.4.6/debian/patches/fix-bug-785369.patch
--- imlib2-1.4.6/debian/patches/fix-bug-785369.patch 1970-01-01
03:00:00.000000000 +0300
+++ imlib2-1.4.6/debian/patches/fix-bug-785369.patch 2016-03-31
18:28:58.000000000 +0300
@@ -0,0 +1,59 @@
+Description: Fixes out-of-bound reads from colormap
+Bug-Debian: http://bugs.debian.org/785369
+Note: removes all special-casing from the inner loop, optimize for common case.
+Author: Yuriy M. Kaminskiy <yumkam+deb...@gmail.com>
+Reported-By: Jakub Wilk <jw...@debian.org>
+
+Thanks to Bernhard U:belacker <bernha...@vr-web.de> for analysis.
+
+Index: imlib2-1.4.6/src/modules/loaders/loader_gif.c
+===================================================================
+--- imlib2-1.4.6.orig/src/modules/loaders/loader_gif.c
++++ imlib2-1.4.6/src/modules/loaders/loader_gif.c
+@@ -150,8 +150,24 @@ load(ImlibImage * im, ImlibProgressFunct
+ im->format = strdup("gif");
+ if (im->loader || immediate_load || progress)
+ {
++ DATA32 colormap[256];
++
+ bg = gif->SBackGroundColor;
+ cmap = (gif->Image.ColorMap ? gif->Image.ColorMap : gif->SColorMap);
++ memset (colormap, 0, sizeof(colormap));
++ if (cmap != NULL)
++ {
++ for (i = cmap->ColorCount > 256 ? 256 : cmap->ColorCount; i-- >
0;)
++ {
++ r = cmap->Colors[i].Red;
++ g = cmap->Colors[i].Green;
++ b = cmap->Colors[i].Blue;
++ colormap[i] = (0xff << 24) | (r << 16) | (g << 8) | b;
++ }
++ /* if bg > cmap->ColorCount, it is transparent black already */
++ if (transp >= 0 && transp < 256)
++ colormap[transp] = bg >= 0 && bg < 256 ? colormap[bg] &
0x00ffffff : 0x00000000;
++ }
+ im->data = (DATA32 *) malloc(sizeof(DATA32) * w * h);
+ if (!im->data)
+ {
+@@ -165,20 +181,7 @@ load(ImlibImage * im, ImlibProgressFunct
+ {
+ for (j = 0; j < w; j++)
+ {
+- if (rows[i][j] == transp)
+- {
+- r = cmap->Colors[bg].Red;
+- g = cmap->Colors[bg].Green;
+- b = cmap->Colors[bg].Blue;
+- *ptr++ = 0x00ffffff & ((r << 16) | (g << 8) | b);
+- }
+- else
+- {
+- r = cmap->Colors[rows[i][j]].Red;
+- g = cmap->Colors[rows[i][j]].Green;
+- b = cmap->Colors[rows[i][j]].Blue;
+- *ptr++ = (0xff << 24) | (r << 16) | (g << 8) | b;
+- }
++ *ptr++ = colormap[rows[i][j]];
+ per += per_inc;
+ if (progress && (((int)per) != last_per)
+ && (((int)per) % progress_granularity == 0))
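Review bot: `colormap[i] = (0xff << 24) | (r << 16) | (g << 8) | b;` left-shifts the int constant 0xff into the sign bit, which is undefined behaviour for a 32-bit int under C99/C11 even though compilers emit the intended 0xff000000 in practice; `colormap[i] = ((DATA32)0xff << 24) | (r << 16) | (g << 8) | b;` sidesteps it, and the same line appears in the 1.4.7 copy of this patch below. The replacement lookup `*ptr++ = colormap[rows[i][j]];` is in-bounds only because the pixel index is an 8-bit value; that holds if `rows` is giflib's GifRowType (GifPixelType, unsigned char), but the assumption deserves a one-line comment such as `/* rows[i][j] is an unsigned 8-bit GifPixelType, so the index is always < 256 */` since the old bounded-by-nothing `cmap->Colors[rows[i][j]]` reads were exactly the bug being closed. The precompute loop clamps at 256 entries but still trusts `cmap->ColorCount` not to exceed the Colors array giflib allocated, which as far as I can tell is giflib's own invariant for ColorMapObject rather than something this loader can verify. The enclosing load() function starts and ends outside the hunk.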
diff -Nru imlib2-1.4.6/debian/patches/series imlib2-1.4.6/debian/patches/series
--- imlib2-1.4.6/debian/patches/series 2016-03-29 19:55:12.000000000 +0300
+++ imlib2-1.4.6/debian/patches/series 2016-03-31 18:27:50.000000000 +0300
@@ -1,6 +1,7 @@
01_removed-data-dir.patch
-02_fix-gif-with-no-cmap.patch
+# 02_fix-gif-with-no-cmap.patch # redundant by CVE-2014-9762.patch
03_fix-imlib-config-libraries.patch
-CVE-2014-9762.patch
+# CVE-2014-9762.patch # redundant by fix-bug-785369.patch
CVE-2014-9763.patch
CVE-2014-9764.patch
+fix-bug-785369.patch
diff -Nru imlib2-1.4.7/debian/changelog imlib2-1.4.7/debian/changelog
--- imlib2-1.4.7/debian/changelog 2015-04-17 23:58:42.000000000 +0300
+++ imlib2-1.4.7/debian/changelog 2016-03-31 18:34:32.000000000 +0300
@@ -1,3 +1,12 @@
+imlib2 (1.4.7-1.1) UNRELEASED; urgency=high
+
+ * Non-maintainer upload.
+ * Fix out-of-bound read from colormap. (Closes: #785369)
+ - Drop now-redundant 02_fix-gif-with-no-cmap.patch.
+ - Remove now-redundant check.
+
+ -- Yuriy M. Kaminskiy <yumkam+deb...@gmail.com> Thu, 31 Mar 2016 18:34:00
+0300
+
imlib2 (1.4.7-1) unstable; urgency=medium
* New upstream release
diff -Nru imlib2-1.4.7/debian/patches/02_fix-gif-with-no-cmap.patch
imlib2-1.4.7/debian/patches/02_fix-gif-with-no-cmap.patch
--- imlib2-1.4.7/debian/patches/02_fix-gif-with-no-cmap.patch 2015-04-17
23:58:42.000000000 +0300
+++ imlib2-1.4.7/debian/patches/02_fix-gif-with-no-cmap.patch 1970-01-01
03:00:00.000000000 +0300
@@ -1,32 +0,0 @@
-Description: Do not segfault when loading gif without color map
-Origin: vendor
-Bug-Debian: http://bugs.debian.org/697143
-Forwarded: no
-Author: Samuel Thibault <sthiba...@debian.org>
-Reviewed-by: Alessandro Ghedini <gh...@debian.org>
-Last-Update: 2013-10-06
-
---- a/src/modules/loaders/loader_gif.c
-+++ b/src/modules/loaders/loader_gif.c
-@@ -163,10 +163,17 @@
- {
- if (rows[i][j] == transp)
- {
-- r = cmap->Colors[bg].Red;
-- g = cmap->Colors[bg].Green;
-- b = cmap->Colors[bg].Blue;
-- *ptr++ = 0x00ffffff & ((r << 16) | (g << 8) | b);
-+ if (cmap)
-+ {
-+ r = cmap->Colors[bg].Red;
-+ g = cmap->Colors[bg].Green;
-+ b = cmap->Colors[bg].Blue;
-+ *ptr++ = 0x00ffffff & ((r << 16) | (g << 8) | b);
-+ }
-+ else
-+ {
-+ *ptr++ = 0;
-+ }
- }
- else
- {
diff -Nru imlib2-1.4.7/debian/patches/fix-bug-785369.patch
imlib2-1.4.7/debian/patches/fix-bug-785369.patch
--- imlib2-1.4.7/debian/patches/fix-bug-785369.patch 1970-01-01
03:00:00.000000000 +0300
+++ imlib2-1.4.7/debian/patches/fix-bug-785369.patch 2016-03-31
18:39:16.000000000 +0300
@@ -0,0 +1,59 @@
+Description: Fixes out-of-bound reads from colormap
+Bug-Debian: http://bugs.debian.org/785369
+Note: removes all special-casing from the inner loop, optimize for common case.
+Author: Yuriy M. Kaminskiy <yumkam+deb...@gmail.com>
+Reported-By: Jakub Wilk <jw...@debian.org>
+
+Thanks to Bernhard U:belacker <bernha...@vr-web.de> for analysis.
+
+Index: imlib2-1.4.7/src/modules/loaders/loader_gif.c
+===================================================================
+--- imlib2-1.4.7.orig/src/modules/loaders/loader_gif.c
++++ imlib2-1.4.7/src/modules/loaders/loader_gif.c
+@@ -141,8 +141,24 @@ load(ImlibImage * im, ImlibProgressFunct
+
+ if (im->loader || immediate_load || progress)
+ {
++ DATA32 colormap[256];
++
+ bg = gif->SBackGroundColor;
+ cmap = (gif->Image.ColorMap ? gif->Image.ColorMap : gif->SColorMap);
++ memset (colormap, 0, sizeof(colormap));
++ if (cmap != NULL)
++ {
++ for (i = cmap->ColorCount > 256 ? 256 : cmap->ColorCount; i-- >
0;)
++ {
++ r = cmap->Colors[i].Red;
++ g = cmap->Colors[i].Green;
++ b = cmap->Colors[i].Blue;
++ colormap[i] = (0xff << 24) | (r << 16) | (g << 8) | b;
++ }
++ /* if bg > cmap->ColorCount, it is transparent black already */
++ if (transp >= 0 && transp < 256)
++ colormap[transp] = bg >= 0 && bg < 256 ? colormap[bg] &
0x00ffffff : 0x00000000;
++ }
+ im->data = (DATA32 *) malloc(sizeof(DATA32) * w * h);
+ if (!im->data)
+ goto quit;
+@@ -161,20 +177,7 @@ load(ImlibImage * im, ImlibProgressFunct
+ {
+ for (j = 0; j < w; j++)
+ {
+- if (rows[i][j] == transp)
+- {
+- r = cmap->Colors[bg].Red;
+- g = cmap->Colors[bg].Green;
+- b = cmap->Colors[bg].Blue;
+- *ptr++ = 0x00ffffff & ((r << 16) | (g << 8) | b);
+- }
+- else
+- {
+- r = cmap->Colors[rows[i][j]].Red;
+- g = cmap->Colors[rows[i][j]].Green;
+- b = cmap->Colors[rows[i][j]].Blue;
+- *ptr++ = (0xff << 24) | (r << 16) | (g << 8) | b;
+- }
++ *ptr++ = colormap[rows[i][j]];
+ per += per_inc;
+ if (progress && (((int)per) != last_per)
+ && (((int)per) % progress_granularity == 0))
diff -Nru imlib2-1.4.7/debian/patches/remove-redundant-check.patch
imlib2-1.4.7/debian/patches/remove-redundant-check.patch
--- imlib2-1.4.7/debian/patches/remove-redundant-check.patch 1970-01-01
03:00:00.000000000 +0300
+++ imlib2-1.4.7/debian/patches/remove-redundant-check.patch 2016-03-31
18:40:15.000000000 +0300
@@ -0,0 +1,21 @@
+Description: cleanup: remove check become redundant by fix-bug-785369.patch
+
+Index: imlib2-1.4.7/src/modules/loaders/loader_gif.c
+===================================================================
+--- imlib2-1.4.7.orig/src/modules/loaders/loader_gif.c
++++ imlib2-1.4.7/src/modules/loaders/loader_gif.c
+@@ -163,14 +163,6 @@ load(ImlibImage * im, ImlibProgressFunct
+ if (!im->data)
+ goto quit;
+
+- if (!cmap)
+- {
+- /* No colormap? Now what?? Let's clear the image (and not segv)
*/
+- memset(im->data, 0, sizeof(DATA32) * w * h);
+- rc = 1;
+- goto finish;
+- }
+-
+ ptr = im->data;
+ per_inc = 100.0 / (((float)w) * h);
+ for (i = 0; i < h; i++)
diff -Nru imlib2-1.4.7/debian/patches/series imlib2-1.4.7/debian/patches/series
--- imlib2-1.4.7/debian/patches/series 2015-04-17 23:58:42.000000000 +0300
+++ imlib2-1.4.7/debian/patches/series 2016-03-31 18:38:47.000000000 +0300
@@ -1,2 +1,4 @@
01_removed-data-dir.patch
-02_fix-gif-with-no-cmap.patch
+# 02_fix-gif-with-no-cmap.patch # redundant by upstream changes
+fix-bug-785369.patch
+remove-redundant-check.patch