authorEfraim Flashner <efraim@flashner.co.il>2017-11-01 10:29:59 +0200
committerEfraim Flashner <efraim@flashner.co.il>2017-11-01 10:29:59 +0200
commit19b7bba1b5f115168b1669325cd51bc66b9dc4b4 (patch)
tree7b4e77080fe6fbc3a54b8612adc3c5c27ab81d05 /gnu/packages/patches
parentf37931d6632627a24e4eccafa1603ffadb649ff6 (diff)
parent5010d0e36452882eb95666467bb983efa8cca081 (diff)
Merge remote-tracking branch 'origin/master' into core-updates
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch66
-rw-r--r--gnu/packages/patches/exiv2-CVE-2017-14860.patch48
-rw-r--r--gnu/packages/patches/wget-CVE-2017-6508.patch45
-rw-r--r--gnu/packages/patches/wget-fix-504-test-timeout.patch160
-rw-r--r--gnu/packages/patches/wget-perl-5.26.patch96
5 files changed, 114 insertions, 301 deletions
diff --git a/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch b/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch
new file mode 100644
index 0000000000..69e65aeb6b
--- /dev/null
+++ b/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch
@@ -0,0 +1,66 @@
+Fix CVE-2017-14859, CVE-2017-14862 and CVE-2017-14864.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14859
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14862
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14864
+
+Copied from upstream:
+
+https://github.com/Exiv2/exiv2/commit/8a586c74bbe3fbca64e86e42a42282c73f427607
+
+From 8a586c74bbe3fbca64e86e42a42282c73f427607 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
+Date: Sat, 7 Oct 2017 23:08:36 +0200
+Subject: [PATCH] Fix for CVE-2017-14864, CVE-2017-14862 and CVE-2017-14859
+
+The invalid memory dereference in
+Exiv2::getULong()/Exiv2::StringValueBase::read()/Exiv2::DataValue::read()
+is caused further up the call-stack, by
+v->read(pData, size, byteOrder) in TiffReader::readTiffEntry()
+passing an invalid pData pointer (pData points outside of the Tiff
+file). pData can be set out of bounds in the (size > 4) branch where
+baseOffset() and offset are added to pData_ without checking whether
+the result is still in the file. As offset comes from an untrusted
+source, an attacker can craft an arbitrarily large offset into the
+file.
+
+This commit adds a check into the problematic branch, whether the
+result of the addition would be out of bounds of the Tiff
+file. Furthermore the whole operation is checked for possible
+overflows.
+---
+ src/tiffvisitor.cpp | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/tiffvisitor.cpp b/src/tiffvisitor.cpp
+index 4ab733d4..ef13542e 100644
+--- a/src/tiffvisitor.cpp
++++ b/src/tiffvisitor.cpp
+@@ -47,6 +47,7 @@ EXIV2_RCSID("@(#) $Id$")
+ #include <iostream>
+ #include <iomanip>
+ #include <cassert>
++#include <limits>
+
+ // *****************************************************************************
+ namespace {
+@@ -1517,7 +1518,19 @@ namespace Exiv2 {
+ size = 0;
+ }
+ if (size > 4) {
++ // setting pData to pData_ + baseOffset() + offset can result in pData pointing to invalid memory,
++ // as offset can be arbitrarily large
++ if ((static_cast<uintptr_t>(baseOffset()) > std::numeric_limits<uintptr_t>::max() - static_cast<uintptr_t>(offset))
++ || (static_cast<uintptr_t>(baseOffset() + offset) > std::numeric_limits<uintptr_t>::max() - reinterpret_cast<uintptr_t>(pData_)))
++ {
++ throw Error(59);
++ }
++ if (pData_ + static_cast<uintptr_t>(baseOffset()) + static_cast<uintptr_t>(offset) > pLast_) {
++ throw Error(58);
++ }
+ pData = const_cast<byte*>(pData_) + baseOffset() + offset;
++
++ // check for size being invalid
+ if (size > static_cast<uint32_t>(pLast_ - pData)) {
+ #ifndef SUPPRESS_WARNINGS
+ EXV_ERROR << "Upper boundary of data for "
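Review bot: The bounds check `if (pData_ + static_cast<uintptr_t>(baseOffset()) + static_cast<uintptr_t>(offset) > pLast_)` forms the possibly out-of-range pointer before comparing it, and the second overflow operand `static_cast<uintptr_t>(baseOffset() + offset)` widens the sum only after it has been added in the operands' own type, so a wrap there would go unnoticed (the declared types of `baseOffset()` and `offset` are not visible in this hunk, so this is inferred). Comparing distances instead of pointers avoids both while keeping the first overflow comparison: `const uintptr_t rel = static_cast<uintptr_t>(baseOffset()) + static_cast<uintptr_t>(offset);`, then `if (rel > static_cast<uintptr_t>(pLast_ - pData_)) throw Error(58);`, then `pData = const_cast<byte*>(pData_) + rel;`. The assignment would then use exactly the value that was checked, which the current `+ baseOffset() + offset` does not guarantee. The enclosing function begins and ends outside the hunk.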
diff --git a/gnu/packages/patches/exiv2-CVE-2017-14860.patch b/gnu/packages/patches/exiv2-CVE-2017-14860.patch
new file mode 100644
index 0000000000..43e6076b71
--- /dev/null
+++ b/gnu/packages/patches/exiv2-CVE-2017-14860.patch
@@ -0,0 +1,48 @@
+Fix CVE-2017-14860.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14860
+https://nvd.nist.gov/vuln/detail/CVE-2017-14860
+
+Copied from upstream:
+
+https://github.com/Exiv2/exiv2/commit/ff18fec24b119579df26fd2ebb8bb012cde102ce
+
+From ff18fec24b119579df26fd2ebb8bb012cde102ce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
+Date: Fri, 6 Oct 2017 23:09:08 +0200
+Subject: [PATCH] Fix for CVE-2017-14860
+
+A heap buffer overflow could occur in memcpy when icc.size_ is larger
+than data.size_ - pad, as then memcpy would read out of bounds of data.
+
+This commit adds a sanity check to iccLength (= icc.size_): if it is
+larger than data.size_ - pad (i.e. an overflow would be caused) an
+exception is thrown.
+
+This fixes #71.
+---
+ src/jp2image.cpp | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 747145cf..748d39b5 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -269,10 +269,15 @@ namespace Exiv2
+ std::cout << "Exiv2::Jp2Image::readMetadata: "
+ << "Color data found" << std::endl;
+ #endif
+- long pad = 3 ; // 3 padding bytes 2 0 0
++ const long pad = 3 ; // 3 padding bytes 2 0 0
+ DataBuf data(subBox.length+8);
+ io_->read(data.pData_,data.size_);
+- long iccLength = getULong(data.pData_+pad, bigEndian);
++ const long iccLength = getULong(data.pData_+pad, bigEndian);
++ // subtracting pad from data.size_ is safe:
++ // size_ is at least 8 and pad = 3
++ if (iccLength > data.size_ - pad) {
++ throw Error(58);
++ }
+ DataBuf icc(iccLength);
+ ::memcpy(icc.pData_,data.pData_+pad,icc.size_);
+ #ifdef DEBUG
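Review bot: The new guard `if (iccLength > data.size_ - pad)` bounds iccLength only from above, but iccLength is a `long` initialised from `getULong(...)`, so where `long` is 32 bits a stored length of 0x80000000 or more would become negative, pass the comparison and still reach `DataBuf icc(iccLength)` and the `memcpy`. Adding the lower bound closes that case: `if (iccLength < 0 || iccLength > data.size_ - pad) {`. The comment's claim that `size_` is at least 8 also relies on `subBox.length+8` not wrapping and on `io_->read` having filled the buffer, neither of which is checked in the lines shown; the declarations of `subBox.length` and `DataBuf::size_` are outside the hunk, so that part is inferred. The enclosing function starts and ends outside the hunk.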
diff --git a/gnu/packages/patches/wget-CVE-2017-6508.patch b/gnu/packages/patches/wget-CVE-2017-6508.patch
deleted file mode 100644
index 0218fceaad..0000000000
--- a/gnu/packages/patches/wget-CVE-2017-6508.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Fix CVE-2017-6508:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6508
-
-Patch copied from upstream source repository:
-
-https://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4
-
-From 4d729e322fae359a1aefaafec1144764a54e8ad4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
-Date: Mon, 6 Mar 2017 10:04:22 +0100
-Subject: [PATCH] Fix CRLF injection in Wget host part
-
-* src/url.c (url_parse): Reject control characters in host part of URL
-
-Reported-by: Orange Tsai
----
- src/url.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/src/url.c b/src/url.c
-index 8f8ff0b8..7d36b27d 100644
---- a/src/url.c
-+++ b/src/url.c
-@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode)
- url_unescape (u->host);
- host_modified = true;
-
-+ /* check for invalid control characters in host name */
-+ for (p = u->host; *p; p++)
-+ {
-+ if (c_iscntrl(*p))
-+ {
-+ url_free(u);
-+ error_code = PE_INVALID_HOST_NAME;
-+ goto error;
-+ }
-+ }
-+
- /* Apply IDNA regardless of iri->utf8_encode status */
- if (opt.enable_iri && iri)
- {
---
-2.12.0
-
diff --git a/gnu/packages/patches/wget-fix-504-test-timeout.patch b/gnu/packages/patches/wget-fix-504-test-timeout.patch
deleted file mode 100644
index d9bf154103..0000000000
--- a/gnu/packages/patches/wget-fix-504-test-timeout.patch
+++ /dev/null
@@ -1,160 +0,0 @@
-This patch is from upstream. If a machine is too slow it can cause
-test-504.py to fail.
-http://git.savannah.gnu.org/cgit/wget.git/patch/?id=ac4fed32204e9ec1874e7cb5ecc55f1b35c1c8de
-
-From ac4fed32204e9ec1874e7cb5ecc55f1b35c1c8de Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
-Date: Tue, 14 Feb 2017 16:20:26 +0100
-Subject: Fix 504 status handling
-
-* src/http.c (gethttp): Move 504 handling to correct place.
- (http_loop): Fix memeory leak.
-* testenv/server/http/http_server.py: Add Content-Length header on non-2xx
- status codes with a body
-
-Reported-by: Adam Sampson
----
- src/http.c | 30 +++++++++++-------------------
- testenv/server/http/http_server.py | 9 +++++----
- 2 files changed, 16 insertions(+), 23 deletions(-)
-
-diff --git a/src/http.c b/src/http.c
-index 898e184..d2c5c77 100644
---- a/src/http.c
-+++ b/src/http.c
-@@ -3476,7 +3476,7 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
-
- #ifdef HAVE_METALINK
- /* We need to check for the Metalink data in the very first response
-- we get from the server (before redirectionrs, authorization, etc.). */
-+ we get from the server (before redirections, authorization, etc.). */
- if (metalink)
- {
- hs->metalink = metalink_from_http (resp, hs, u);
-@@ -3496,7 +3496,7 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
- uerr_t auth_err = RETROK;
- bool retry;
- /* Normally we are not interested in the response body.
-- But if we are writing a WARC file we are: we like to keep everyting. */
-+ But if we are writing a WARC file we are: we like to keep everything. */
- if (warc_enabled)
- {
- int _err;
-@@ -3556,20 +3556,6 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
- pconn.authorized = true;
- }
-
-- if (statcode == HTTP_STATUS_GATEWAY_TIMEOUT)
-- {
-- hs->len = 0;
-- hs->res = 0;
-- hs->restval = 0;
--
-- CLOSE_FINISH (sock);
-- xfree (hs->message);
--
-- retval = GATEWAYTIMEOUT;
-- goto cleanup;
-- }
--
--
- {
- uerr_t ret = check_file_output (u, hs, resp, hdrval, sizeof hdrval);
- if (ret != RETROK)
-@@ -3910,8 +3896,8 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
- retval = _err;
- goto cleanup;
- }
-- else
-- CLOSE_FINISH (sock);
-+
-+ CLOSE_FINISH (sock);
- }
- else
- {
-@@ -3934,7 +3920,11 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
- CLOSE_INVALIDATE (sock);
- }
-
-- retval = RETRFINISHED;
-+ if (statcode == HTTP_STATUS_GATEWAY_TIMEOUT)
-+ retval = GATEWAYTIMEOUT;
-+ else
-+ retval = RETRFINISHED;
-+
- goto cleanup;
- }
-
-@@ -4208,6 +4198,8 @@ http_loop (const struct url *u, struct url *original_url, char **newloc,
- bring them to "while" statement at the end, to judge
- whether the number of tries was exceeded. */
- printwhat (count, opt.ntry);
-+ xfree (hstat.message);
-+ xfree (hstat.error);
- continue;
- case FWRITEERR: case FOPENERR:
- /* Another fatal error. */
-diff --git a/testenv/server/http/http_server.py b/testenv/server/http/http_server.py
-index e96f6e8..b222df0 100644
---- a/testenv/server/http/http_server.py
-+++ b/testenv/server/http/http_server.py
-@@ -204,7 +204,6 @@ class _Handler(BaseHTTPRequestHandler):
-
- def Response(self, resp_obj):
- self.send_response(resp_obj.response_code)
-- self.finish_headers()
- if resp_obj.response_code == 304:
- raise NoBodyServerError("Conditional get falling to head")
- raise ServerError("Custom Response code sent.")
-@@ -329,7 +328,6 @@ class _Handler(BaseHTTPRequestHandler):
- except AuthError as se:
- self.send_response(401, "Authorization Required")
- self.send_challenge(auth_rule.auth_type, auth_rule.auth_parm)
-- self.finish_headers()
- raise se
-
- def handle_auth(self, auth_rule):
-@@ -362,7 +360,6 @@ class _Handler(BaseHTTPRequestHandler):
- if header_recd is None or header_recd != exp_headers[header_line]:
- self.send_error(400, "Expected Header %s not found" %
- header_line)
-- self.finish_headers()
- raise ServerError("Header " + header_line + " not found")
-
- def RejectHeader(self, header_obj):
-@@ -372,7 +369,6 @@ class _Handler(BaseHTTPRequestHandler):
- if header_recd and header_recd == rej_headers[header_line]:
- self.send_error(400, 'Blacklisted Header %s received' %
- header_line)
-- self.finish_headers()
- raise ServerError("Header " + header_line + ' received')
-
- def __log_request(self, method):
-@@ -400,6 +396,7 @@ class _Handler(BaseHTTPRequestHandler):
-
- content = self.server.fileSys.get(path)
- content_length = len(content)
-+
- for rule_name in self.rules:
- try:
- assert hasattr(self, rule_name)
-@@ -410,12 +407,16 @@ class _Handler(BaseHTTPRequestHandler):
- return(None, None)
- except AuthError as ae:
- print(ae.__str__())
-+ self.finish_headers()
- return(None, None)
- except NoBodyServerError as nbse:
- print(nbse.__str__())
-+ self.finish_headers()
- return(None, None)
- except ServerError as se:
- print(se.__str__())
-+ self.add_header("Content-Length", content_length)
-+ self.finish_headers()
- return(content, None)
-
- try:
---
-cgit v1.0-41-gc330
-
diff --git a/gnu/packages/patches/wget-perl-5.26.patch b/gnu/packages/patches/wget-perl-5.26.patch
deleted file mode 100644
index ee3a984daa..0000000000
--- a/gnu/packages/patches/wget-perl-5.26.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-This upstream commit adjusts tests for Perl 5.26.
-
-commit 7ffe93cabb181f39ad5091c31ab9f61bd940a55f
-Author: Anton Yuzhaninov <citrin+github@citrin.ru>
-Date: Wed Apr 5 19:06:42 2017 +0300
-
- Fix perl warnings in tests
-
- * tests/FTPServer.pm: Escape '{' in RE to fix warnings
- * tests/FTPTest.pm: Likewise
- * tests/HTTPServer.pm: Likewise
- * tests/HTTPTest.pm: Likewise
- * tests/Test-proxied-https-auth-keepalive.px: Likewise
- * tests/Test-proxied-https-auth.px: Likewise
- Escape '{' in RE to fix warnings:
- Unescaped left brace in regex is deprecated, passed through in regex;
- marked by <-- HERE in m/{{ <-- HERE port}}/
-
-diff --git a/tests/FTPServer.pm b/tests/FTPServer.pm
-index a5185d66..cac80942 100644
---- a/tests/FTPServer.pm
-+++ b/tests/FTPServer.pm
-@@ -589,7 +589,7 @@ sub new
- foreach my $file (keys %{$self->{_input}})
- {
- my $ref = \$self->{_input}{$file}{content};
-- $$ref =~ s/{{port}}/$self->sockport/eg;
-+ $$ref =~ s/\Q{{port}}/$self->sockport/eg;
- }
-
- return $self;
-diff --git a/tests/FTPTest.pm b/tests/FTPTest.pm
-index 50385ad0..0a1c768c 100644
---- a/tests/FTPTest.pm
-+++ b/tests/FTPTest.pm
-@@ -53,7 +53,7 @@ sub _substitute_port
- {
- my $self = shift;
- my $ret = shift;
-- $ret =~ s/{{port}}/$self->{_server}->sockport/eg;
-+ $ret =~ s/\Q{{port}}/$self->{_server}->sockport/eg;
- return $ret;
- }
-
-diff --git a/tests/HTTPServer.pm b/tests/HTTPServer.pm
-index dd8ec043..78609f65 100644
---- a/tests/HTTPServer.pm
-+++ b/tests/HTTPServer.pm
-@@ -310,7 +310,7 @@ sub _substitute_port
- {
- my $self = shift;
- my $ret = shift;
-- $ret =~ s/{{port}}/$self->sockport/eg;
-+ $ret =~ s/\Q{{port}}/$self->sockport/eg;
- return $ret;
- }
-
-diff --git a/tests/HTTPTest.pm b/tests/HTTPTest.pm
-index 00f079f8..6225c7f1 100644
---- a/tests/HTTPTest.pm
-+++ b/tests/HTTPTest.pm
-@@ -47,7 +47,7 @@ sub _substitute_port
- {
- my $self = shift;
- my $ret = shift;
-- $ret =~ s/{{port}}/$self->{_server}->sockport/eg;
-+ $ret =~ s/\Q{{port}}/$self->{_server}->sockport/eg;
- return $ret;
- }
-
-diff --git a/tests/Test-proxied-https-auth-keepalive.px b/tests/Test-proxied-https-auth-keepalive.px
-index 049bebec..2a18ccfd 100755
---- a/tests/Test-proxied-https-auth-keepalive.px
-+++ b/tests/Test-proxied-https-auth-keepalive.px
-@@ -153,7 +153,7 @@ my $cmdline = $WgetTest::WGETPATH . " --user=fiddle-dee-dee"
- . " --password=Dodgson -e https_proxy=localhost:{{port}}"
- . " --no-check-certificate"
- . " https://no.such.domain/needs-auth.txt";
--$cmdline =~ s/{{port}}/$SOCKET->sockport()/e;
-+$cmdline =~ s/\Q{{port}}/$SOCKET->sockport()/e;
-
- if (defined $srcdir) {
- $VALGRIND_SUPP_FILE = $srcdir . '/valgrind-suppressions-ssl';
-diff --git a/tests/Test-proxied-https-auth.px b/tests/Test-proxied-https-auth.px
-index ce4e736c..878114e7 100755
---- a/tests/Test-proxied-https-auth.px
-+++ b/tests/Test-proxied-https-auth.px
-@@ -152,7 +152,7 @@ my $cmdline = $WgetTest::WGETPATH . " --user=fiddle-dee-dee"
- . " --password=Dodgson -e https_proxy=localhost:{{port}}"
- . " --no-check-certificate"
- . " https://no.such.domain/needs-auth.txt";
--$cmdline =~ s/{{port}}/$SOCKET->sockport()/e;
-+$cmdline =~ s/\Q{{port}}/$SOCKET->sockport()/e;
-
- if (defined $srcdir) {
- $VALGRIND_SUPP_FILE = $srcdir . '/valgrind-suppressions-ssl';