Merge remote-tracking branch 'origin/master' into core-updates

4 files changed, 51 insertions, 111 deletions

diff --git a/gnu/packages/patches/gimp-CVE-2016-4994.patch b/gnu/packages/patches/gimp-CVE-2016-4994.patch
deleted file mode 100644
index 6c81c63386..0000000000
--- a/gnu/packages/patches/gimp-CVE-2016-4994.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-Fix CVE-2016-4994:
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4994
-
-Copied from upstream repository:
-https://git.gnome.org/browse/gimp/patch/?id=e82aaa4b4ee0703c879e35ea9321fff6be3e9b6f
-
-From e82aaa4b4ee0703c879e35ea9321fff6be3e9b6f Mon Sep 17 00:00:00 2001
-From: Shmuel H <shmuelgimp@gmail.com>
-Date: Mon, 20 Jun 2016 17:14:41 +0300
-Subject: Bug 767873 - (CVE-2016-4994) Multiple Use-After-Free when parsing...
-
-...XCF channel and layer properties
-
-The properties PROP_ACTIVE_LAYER, PROP_FLOATING_SELECTION,
-PROP_ACTIVE_CHANNEL saves the current object pointer the @info
-structure. Others like PROP_SELECTION (for channel) and
-PROP_GROUP_ITEM (for layer) will delete the current object and create
-a new object, leaving the pointers in @info invalid (dangling).
-
-Therefore, if a property from the first type will come before the
-second, the result will be an UaF in the last lines of xcf_load_image
-(when it actually using the pointers from @info).
-
-I wasn't able to exploit this bug because that
-g_object_instance->c_class gets cleared by the last g_object_unref and
-GIMP_IS_{LAYER,CHANNEL} detects that and return FALSE.
-
-(cherry picked from commit 6d804bf9ae77bc86a0a97f9b944a129844df9395)
----
- app/xcf/xcf-load.c | 29 +++++++++++++++++++++++++++++
- 1 file changed, 29 insertions(+)
-
-diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
-index b180377..67cc6d4 100644
---- a/app/xcf/xcf-load.c
-+++ b/app/xcf/xcf-load.c
-@@ -904,6 +904,18 @@ xcf_load_layer_props (XcfInfo    *info,
-         case PROP_GROUP_ITEM:
-           {
-             GimpLayer *group;
-+            gboolean   is_active_layer;
-+
-+            /* We're going to delete *layer, Don't leave its pointers
-+             * in @info.  After that, we'll restore them back with the
-+             * new pointer. See bug #767873.
-+             */
-+            is_active_layer = (*layer == info->active_layer);
-+            if (is_active_layer)
-+              info->active_layer = NULL;
-+
-+            if (*layer == info->floating_sel)
-+              info->floating_sel = NULL;
- 
-             group = gimp_group_layer_new (image);
- 
-@@ -916,6 +928,13 @@ xcf_load_layer_props (XcfInfo    *info,
-             g_object_ref_sink (*layer);
-             g_object_unref (*layer);
-             *layer = group;
-+
-+            if (is_active_layer)
-+              info->active_layer = *layer;
-+
-+            /* Don't restore info->floating_sel because group layers
-+             * can't be floating selections
-+             */
-           }
-           break;
- 
-@@ -986,6 +1005,12 @@ xcf_load_channel_props (XcfInfo      *info,
-           {
-             GimpChannel *mask;
- 
-+            /* We're going to delete *channel, Don't leave its pointer
-+             * in @info. See bug #767873.
-+             */
-+            if (*channel == info->active_channel)
-+              info->active_channel = NULL;
-+
-             mask =
-               gimp_selection_new (image,
-                                   gimp_item_get_width  (GIMP_ITEM (*channel)),
-@@ -1000,6 +1025,10 @@ xcf_load_channel_props (XcfInfo      *info,
-             *channel = mask;
-             (*channel)->boundary_known = FALSE;
-             (*channel)->bounds_known   = FALSE;
-+
-+            /* Don't restore info->active_channel because the
-+             * selection can't be the active channel
-+             */
-           }
-           break;
- 
--- 
-cgit v0.12
-
diff --git a/gnu/packages/patches/mupdf-CVE-2016-6265.patch b/gnu/packages/patches/mupdf-CVE-2016-6265.patch
new file mode 100644
index 0000000000..58f5c3726c
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-6265.patch
@@ -0,0 +1,30 @@
+Fix CVE-2016-6265 (use after free in pdf_load_xref()).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6265
+https://security-tracker.debian.org/tracker/CVE-2016-6265
+
+Patch copied from upstream source repository:
+
+http://git.ghostscript.com/?p=mupdf.git;h=fa1936405b6a84e5c9bb440912c23d532772f958
+
+diff --git a/source/pdf/pdf-xref.c b/source/pdf/pdf-xref.c
+index 576c315..3222599 100644
+--- a/source/pdf/pdf-xref.c
++++ b/source/pdf/pdf-xref.c
+@@ -1184,8 +1184,14 @@ pdf_load_xref(fz_context *ctx, pdf_document *doc, pdf_lexbuf *buf)
+ 				fz_throw(ctx, FZ_ERROR_GENERIC, "object offset out of range: %d (%d 0 R)", (int)entry->ofs, i);
+ 		}
+ 		if (entry->type == 'o')
+-			if (entry->ofs <= 0 || entry->ofs >= xref_len || pdf_get_xref_entry(ctx, doc, entry->ofs)->type != 'n')
+-				fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)entry->ofs, i);
++		{
++			/* Read this into a local variable here, because pdf_get_xref_entry
++			 * may solidify the xref, hence invalidating "entry", meaning we
++			 * need a stashed value for the throw. */
++			fz_off_t ofs = entry->ofs;
++			if (ofs <= 0 || ofs >= xref_len || pdf_get_xref_entry(ctx, doc, ofs)->type != 'n')
++				fz_throw(ctx, FZ_ERROR_GENERIC, "invalid reference to an objstm that does not exist: %d (%d 0 R)", (int)ofs, i);
++		}
+ 	}
+ }
+ 
diff --git a/gnu/packages/patches/mupdf-CVE-2016-6525.patch b/gnu/packages/patches/mupdf-CVE-2016-6525.patch
new file mode 100644
index 0000000000..370af5ade6
--- /dev/null
+++ b/gnu/packages/patches/mupdf-CVE-2016-6525.patch
@@ -0,0 +1,21 @@
+Fix CVE-2016-6525 (heap overflow in pdf_load_mesh_params()).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6525
+https://security-tracker.debian.org/tracker/CVE-2016-6525
+
+Patch copied from upstream source repository:
+http://git.ghostscript.com/?p=mupdf.git;h=39b0f07dd960f34e7e6bf230ffc3d87c41ef0f2e
+
+diff --git a/source/pdf/pdf-shade.c b/source/pdf/pdf-shade.c
+index 7815b3c..6e25efa 100644
+--- a/source/pdf/pdf-shade.c
++++ b/source/pdf/pdf-shade.c
+@@ -206,7 +206,7 @@ pdf_load_mesh_params(fz_context *ctx, pdf_document *doc, fz_shade *shade, pdf_ob
+ 	obj = pdf_dict_get(ctx, dict, PDF_NAME_Decode);
+ 	if (pdf_array_len(ctx, obj) >= 6)
+ 	{
+-		n = (pdf_array_len(ctx, obj) - 4) / 2;
++		n = fz_mini(FZ_MAX_COLORS, (pdf_array_len(ctx, obj) - 4) / 2);
+ 		shade->u.m.x0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 0));
+ 		shade->u.m.x1 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 1));
+ 		shade->u.m.y0 = pdf_to_real(ctx, pdf_array_get(ctx, obj, 2));
diff --git a/gnu/packages/patches/xf86-video-openchrome-glibc-2.20.patch b/gnu/packages/patches/xf86-video-openchrome-glibc-2.20.patch
deleted file mode 100644
index 4ed7ab00bf..0000000000
--- a/gnu/packages/patches/xf86-video-openchrome-glibc-2.20.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Allow builds with glibc 2.20.
-Based on a patch by Peter Hutterer <peter.hutterer@who-t.net>.
-See <https://raw.githubusercontent.com/openembedded/oe-core/master/meta/recipes-graphics/xorg-driver/xf86-input-synaptics/always_include_xorg_server.h.patch>.
-
---- xf86-video-openchrome-0.3.3/src/via_3d.h.~1~	2013-05-23 11:11:28.000000000 -0400
-+++ xf86-video-openchrome-0.3.3/src/via_3d.h	2014-12-19 01:17:04.000953259 -0500
-@@ -24,6 +24,8 @@
- #ifndef VIA_3D_H
- #define VIA_3D_H
- 
-+#include <xorg-server.h>
-+
- #include "xf86.h"
- #include "via_dmabuffer.h"
-