Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/amule-crypto-6.patch | 45 | ||||
-rw-r--r-- | gnu/packages/patches/gegl-CVE-2012-4433.patch | 117 | ||||
-rw-r--r-- | gnu/packages/patches/gimp-CVE-2017-17784.patch | 41 | ||||
-rw-r--r-- | gnu/packages/patches/gimp-CVE-2017-17785.patch | 171 | ||||
-rw-r--r-- | gnu/packages/patches/gimp-CVE-2017-17786.patch | 94 | ||||
-rw-r--r-- | gnu/packages/patches/gimp-CVE-2017-17787.patch | 42 | ||||
-rw-r--r-- | gnu/packages/patches/gimp-CVE-2017-17789.patch | 48 | ||||
-rw-r--r-- | gnu/packages/patches/liboop-mips64-deplibs-fix.patch | 17 | ||||
-rw-r--r-- | gnu/packages/patches/shadow-CVE-2018-7169.patch | 191 |
9 files changed, 45 insertions, 721 deletions
diff --git a/gnu/packages/patches/amule-crypto-6.patch b/gnu/packages/patches/amule-crypto-6.patch
new file mode 100644
index 0000000000..21a86ab0fa
--- /dev/null
+++ b/gnu/packages/patches/amule-crypto-6.patch
@@ -0,0 +1,45 @@
+From d1d1368c7909ffd8423730afaa811ce7b6a3a8aa Mon Sep 17 00:00:00 2001
+From: Tommy Jerry Mairo <tommy.mairo@gmail.com>
+Date: Sun, 4 Feb 2018 12:42:00 -0800
+Subject: [PATCH 1/2] Bugfix: API mismatch with crypto++ 6.0.0
+
+---
+ src/ClientCreditsList.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/ClientCreditsList.cpp b/src/ClientCreditsList.cpp
+index 3bea9fe2d..a7ae1e34c 100644
+--- a/src/ClientCreditsList.cpp
++++ b/src/ClientCreditsList.cpp
+@@ -312,7 +312,7 @@ void CClientCreditsList::InitalizeCrypting()
+ // calculate and store public key
+ CryptoPP::RSASSA_PKCS1v15_SHA_Verifier pubkey(*static_cast<CryptoPP::RSASSA_PKCS1v15_SHA_Signer *>(m_pSignkey));
+ CryptoPP::ArraySink asink(m_abyMyPublicKey, 80);
+- pubkey.DEREncode(asink);
++ pubkey.AccessMaterial().Save(asink);
+ m_nMyPublicKeyLen = asink.TotalPutLength();
+ asink.MessageEnd();
+ } catch (const CryptoPP::Exception& e) {
+
+From 88ba0ac952b78382445f2fff73c6792c0474dc62 Mon Sep 17 00:00:00 2001
+From: Tommy Jerry Mairo <tommy.mairo@gmail.com>
+Date: Wed, 21 Mar 2018 11:56:28 -0700
+Subject: [PATCH 2/2] Update: Change AccessMaterial to GetMaterial
+
+---
+ src/ClientCreditsList.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/ClientCreditsList.cpp b/src/ClientCreditsList.cpp
+index a7ae1e34c..69e881fd8 100644
+--- a/src/ClientCreditsList.cpp
++++ b/src/ClientCreditsList.cpp
+@@ -312,7 +312,7 @@ void CClientCreditsList::InitalizeCrypting()
+ // calculate and store public key
+ CryptoPP::RSASSA_PKCS1v15_SHA_Verifier pubkey(*static_cast<CryptoPP::RSASSA_PKCS1v15_SHA_Signer *>(m_pSignkey));
+ CryptoPP::ArraySink asink(m_abyMyPublicKey, 80);
+- pubkey.AccessMaterial().Save(asink);
++ pubkey.GetMaterial().Save(asink);
+ m_nMyPublicKeyLen = asink.TotalPutLength();
+ asink.MessageEnd();
+ } catch (const CryptoPP::Exception& e) {
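Review bot: The new amule-crypto-6.patch opens directly on the `From d1d1368c…` mail header and records no origin for the two commits, whereas the CVE patches removed elsewhere in this commit each begin with a purpose line and a "Patch copied from upstream source repository:" URL. A header such as `Fix API mismatch with crypto++ 6.0.0.` followed by `Patch copied from upstream source repository: <UPSTREAM_COMMIT_URL>` (placeholder, the page does not give the URL) would let a later reviewer check the patch against its source and know when it can be dropped. Separately, the inner hunks replace `pubkey.DEREncode(asink)` with `pubkey.GetMaterial().Save(asink)` while the sink stays `CryptoPP::ArraySink asink(m_abyMyPublicKey, 80)` and `m_nMyPublicKeyLen` is still taken from `asink.TotalPutLength()`. It would be worth confirming that `Save()` emits the same encoding as the old call and that the reported length cannot exceed the 80-byte buffer. The body of `InitalizeCrypting()` begins and ends outside the quoted hunk, so any length check that may already exist there is not visible.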
diff --git a/gnu/packages/patches/gegl-CVE-2012-4433.patch b/gnu/packages/patches/gegl-CVE-2012-4433.patch deleted file mode 100644 index 7352b78dba..0000000000 --- a/gnu/packages/patches/gegl-CVE-2012-4433.patch +++ /dev/null 
@@ -1,117 +0,0 @@ -From: Michael Gilbert <mgilbert@debian.org> -Date: Mon, 9 Sep 2013 17:34:32 +0200 -Subject: Fix_CVE-2012-4433 - -Multiple buffer overflow issues. - -Closes: #692435 ---- - operations/external/ppm-load.c | 62 ++++++++++++++++++++++++++++++++++++------ - 1 file changed, 53 insertions(+), 9 deletions(-) - -diff --git a/operations/external/ppm-load.c b/operations/external/ppm-load.c -index efe6d56..465096d 100644 ---- a/operations/external/ppm-load.c -+++ b/operations/external/ppm-load.c -@@ -36,6 +36,7 @@ gegl_chant_file_path (path, _("File"), "", _("Path of file to load.")) - #include "gegl-chant.h" - #include <stdio.h> - #include <stdlib.h> -+#include <errno.h> - - typedef enum { - PIXMAP_ASCII = 51, -@@ -44,8 +45,8 @@ typedef enum { - - typedef struct { - map_type type; -- gint width; -- gint height; -+ glong width; -+ glong height; - gsize numsamples; /* width * height * channels */ - gsize bpc; /* bytes per channel */ - guchar *data; -@@ -82,12 +83,33 @@ ppm_load_read_header(FILE *fp, - } - - /* Get Width and Height */ -- img->width = strtol (header,&ptr,0); -- img->height = atoi (ptr); -- img->numsamples = img->width * img->height * CHANNEL_COUNT; -+ errno = 0; -+ img->width = strtol (header,&ptr,10); -+ if (errno) -+ { -+ g_warning ("Error reading width: %s", strerror(errno)); -+ return FALSE; -+ } -+ else if (img->width < 0) -+ { -+ g_warning ("Error: width is negative"); -+ return FALSE; -+ } -+ -+ img->height = strtol (ptr,&ptr,10); -+ if (errno) -+ { -+ g_warning ("Error reading height: %s", strerror(errno)); -+ return FALSE; -+ } -+ else if (img->width < 0) -+ { -+ g_warning ("Error: height is negative"); -+ return FALSE; -+ } - - fgets (header,MAX_CHARS_IN_ROW,fp); -- maxval = strtol (header,&ptr,0); -+ maxval = strtol (header,&ptr,10); - - if ((maxval != 255) && (maxval != 65535)) - { -@@ -109,6 +131,16 @@ ppm_load_read_header(FILE *fp, - g_warning ("%s: Programmer stupidity error", G_STRLOC); - } - -+ /* Later on, img->numsamples is 
multiplied with img->bpc to allocate -+ * memory. Ensure it doesn't overflow. */ -+ if (!img->width || !img->height || -+ G_MAXSIZE / img->width / img->height / CHANNEL_COUNT < img->bpc) -+ { -+ g_warning ("Illegal width/height: %ld/%ld", img->width, img->height); -+ return FALSE; -+ } -+ img->numsamples = img->width * img->height * CHANNEL_COUNT; -+ - return TRUE; - } - -@@ -229,12 +261,24 @@ process (GeglOperation *operation, - if (!ppm_load_read_header (fp, &img)) - goto out; - -- rect.height = img.height; -- rect.width = img.width; -- - /* Allocating Array Size */ -+ -+ /* Should use g_try_malloc(), but this causes crashes elsewhere because the -+ * error signalled by returning FALSE isn't properly acted upon. Therefore -+ * g_malloc() is used here which aborts if the requested memory size can't be -+ * allocated causing a controlled crash. */ - img.data = (guchar*) g_malloc (img.numsamples * img.bpc); - -+ /* No-op without g_try_malloc(), see above. */ -+ if (! img.data) -+ { -+ g_warning ("Couldn't allocate %" G_GSIZE_FORMAT " bytes, giving up.", ((gsize)img.numsamples * img.bpc)); -+ goto out; -+ } -+ -+ rect.height = img.height; -+ rect.width = img.width; -+ - switch (img.bpc) - { - case 1: diff --git a/gnu/packages/patches/gimp-CVE-2017-17784.patch b/gnu/packages/patches/gimp-CVE-2017-17784.patch deleted file mode 100644 index c791772fb5..0000000000 --- a/gnu/packages/patches/gimp-CVE-2017-17784.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -Fix CVE-2017-17784: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17784 -https://bugzilla.gnome.org/show_bug.cgi?id=790784 - -Patch copied from upstream source repository: - -https://git.gnome.org/browse/gimp/commit/?id=c57f9dcf1934a9ab0cd67650f2dea18cb0902270 - -From c57f9dcf1934a9ab0cd67650f2dea18cb0902270 Mon Sep 17 00:00:00 2001 -From: Jehan <jehan@girinstud.io> -Date: Thu, 21 Dec 2017 12:25:32 +0100 -Subject: [PATCH] Bug 790784 - (CVE-2017-17784) heap overread in gbr parser / - load_image. - -We were assuming the input name was well formed, hence was -nul-terminated. As any data coming from external input, this has to be -thorougly checked. -Similar to commit 06d24a79af94837d615d0024916bb95a01bf3c59 but adapted -to older gimp-2-8 code. ---- - plug-ins/common/file-gbr.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c -index b028100bef..d3f01d9c56 100644 ---- a/plug-ins/common/file-gbr.c -+++ b/plug-ins/common/file-gbr.c -@@ -443,7 +443,8 @@ load_image (const gchar *filename, - { - gchar *temp = g_new (gchar, bn_size); - -- if ((read (fd, temp, bn_size)) < bn_size) -+ if ((read (fd, temp, bn_size)) < bn_size || -+ temp[bn_size - 1] != '\0') - { - g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, - _("Error in GIMP brush file '%s'"), --- -2.15.1 - diff --git a/gnu/packages/patches/gimp-CVE-2017-17785.patch b/gnu/packages/patches/gimp-CVE-2017-17785.patch deleted file mode 100644 index 939b01f214..0000000000 --- a/gnu/packages/patches/gimp-CVE-2017-17785.patch +++ /dev/null 
@@ -1,171 +0,0 @@ -Fix CVE-2017-17785: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17785 -https://bugzilla.gnome.org/show_bug.cgi?id=739133 - -Patch copied from upstream source repository: - -https://git.gnome.org/browse/gimp/commit/?id=1882bac996a20ab5c15c42b0c5e8f49033a1af54 - -From 1882bac996a20ab5c15c42b0c5e8f49033a1af54 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann <tobias@stoeckmann.org> -Date: Sun, 29 Oct 2017 15:19:41 +0100 -Subject: [PATCH] Bug 739133 - (CVE-2017-17785) Heap overflow while parsing FLI - files. - -It is possible to trigger a heap overflow while parsing FLI files. The -RLE decoder is vulnerable to out of boundary writes due to lack of -boundary checks. - -The variable "framebuf" points to a memory area which was allocated -with fli_header->width * fli_header->height bytes. The RLE decoder -therefore must never write beyond that limit. - -If an illegal frame is detected, the parser won't stop, which means -that the next valid sequence is properly parsed again. This should -allow GIMP to parse FLI files as good as possible even if they are -broken by an attacker or by accident. - -While at it, I changed the variable xc to be of type size_t, because -the multiplication of width and height could overflow a 16 bit type. 
- -Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> -(cherry picked from commit edb251a7ef1602d20a5afcbf23f24afb163de63b) ---- - plug-ins/file-fli/fli.c | 50 ++++++++++++++++++++++++++++++++++--------------- - 1 file changed, 35 insertions(+), 15 deletions(-) - -diff --git a/plug-ins/file-fli/fli.c b/plug-ins/file-fli/fli.c -index 313efeb977..ffb651e2af 100644 ---- a/plug-ins/file-fli/fli.c -+++ b/plug-ins/file-fli/fli.c -@@ -25,6 +25,8 @@ - - #include "config.h" - -+#include <glib/gstdio.h> -+ - #include <string.h> - #include <stdio.h> - -@@ -461,23 +463,27 @@ void fli_read_brun(FILE *f, s_fli_header *fli_header, unsigned char *framebuf) - unsigned short yc; - unsigned char *pos; - for (yc=0; yc < fli_header->height; yc++) { -- unsigned short xc, pc, pcnt; -+ unsigned short pc, pcnt; -+ size_t n, xc; - pc=fli_read_char(f); - xc=0; - pos=framebuf+(fli_header->width * yc); -+ n=(size_t)fli_header->width * (fli_header->height-yc); - for (pcnt=pc; pcnt>0; pcnt--) { - unsigned short ps; - ps=fli_read_char(f); - if (ps & 0x80) { - unsigned short len; -- for (len=-(signed char)ps; len>0; len--) { -+ for (len=-(signed char)ps; len>0 && xc<n; len--) { - pos[xc++]=fli_read_char(f); - } - } else { - unsigned char val; -+ size_t len; -+ len=MIN(n-xc,ps); - val=fli_read_char(f); -- memset(&(pos[xc]), val, ps); -- xc+=ps; -+ memset(&(pos[xc]), val, len); -+ xc+=len; - } - } - } -@@ -564,25 +570,34 @@ void fli_read_lc(FILE *f, s_fli_header *fli_header, unsigned char *old_framebuf, - memcpy(framebuf, old_framebuf, fli_header->width * fli_header->height); - firstline = fli_read_short(f); - numline = fli_read_short(f); -+ if (numline > fli_header->height || fli_header->height-numline < firstline) -+ return; -+ - for (yc=0; yc < numline; yc++) { -- unsigned short xc, pc, pcnt; -+ unsigned short pc, pcnt; -+ size_t n, xc; - pc=fli_read_char(f); - xc=0; - pos=framebuf+(fli_header->width * (firstline+yc)); -+ n=(size_t)fli_header->width * (fli_header->height-firstline-yc); - 
for (pcnt=pc; pcnt>0; pcnt--) { - unsigned short ps,skip; - skip=fli_read_char(f); - ps=fli_read_char(f); -- xc+=skip; -+ xc+=MIN(n-xc,skip); - if (ps & 0x80) { - unsigned char val; -+ size_t len; - ps=-(signed char)ps; - val=fli_read_char(f); -- memset(&(pos[xc]), val, ps); -- xc+=ps; -+ len=MIN(n-xc,ps); -+ memset(&(pos[xc]), val, len); -+ xc+=len; - } else { -- fread(&(pos[xc]), ps, 1, f); -- xc+=ps; -+ size_t len; -+ len=MIN(n-xc,ps); -+ fread(&(pos[xc]), len, 1, f); -+ xc+=len; - } - } - } -@@ -689,7 +704,8 @@ void fli_read_lc_2(FILE *f, s_fli_header *fli_header, unsigned char *old_framebu - yc=0; - numline = fli_read_short(f); - for (lc=0; lc < numline; lc++) { -- unsigned short xc, pc, pcnt, lpf, lpn; -+ unsigned short pc, pcnt, lpf, lpn; -+ size_t n, xc; - pc=fli_read_short(f); - lpf=0; lpn=0; - while (pc & 0x8000) { -@@ -700,26 +716,30 @@ void fli_read_lc_2(FILE *f, s_fli_header *fli_header, unsigned char *old_framebu - } - pc=fli_read_short(f); - } -+ yc=MIN(yc, fli_header->height); - xc=0; - pos=framebuf+(fli_header->width * yc); -+ n=(size_t)fli_header->width * (fli_header->height-yc); - for (pcnt=pc; pcnt>0; pcnt--) { - unsigned short ps,skip; - skip=fli_read_char(f); - ps=fli_read_char(f); -- xc+=skip; -+ xc+=MIN(n-xc,skip); - if (ps & 0x80) { - unsigned char v1,v2; - ps=-(signed char)ps; - v1=fli_read_char(f); - v2=fli_read_char(f); -- while (ps>0) { -+ while (ps>0 && xc+1<n) { - pos[xc++]=v1; - pos[xc++]=v2; - ps--; - } - } else { -- fread(&(pos[xc]), ps, 2, f); -- xc+=ps << 1; -+ size_t len; -+ len=MIN((n-xc)/2,ps); -+ fread(&(pos[xc]), len, 2, f); -+ xc+=len << 1; - } - } - if (lpf) pos[xc]=lpn; --- -2.15.1 - diff --git a/gnu/packages/patches/gimp-CVE-2017-17786.patch b/gnu/packages/patches/gimp-CVE-2017-17786.patch deleted file mode 100644 index 851227ac1d..0000000000 --- a/gnu/packages/patches/gimp-CVE-2017-17786.patch +++ /dev/null 
@@ -1,94 +0,0 @@ -Fix CVE-2017-17786: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17786 -https://bugzilla.gnome.org/show_bug.cgi?id=739134 - -Both patches copied from upstream source repository: - -https://git.gnome.org/browse/gimp/commit/?id=ef9c821fff8b637a2178eab1c78cae6764c50e12 -https://git.gnome.org/browse/gimp/commit/?id=22e2571c25425f225abdb11a566cc281fca6f366 - -From ef9c821fff8b637a2178eab1c78cae6764c50e12 Mon Sep 17 00:00:00 2001 -From: Jehan <jehan@girinstud.io> -Date: Wed, 20 Dec 2017 13:02:38 +0100 -Subject: [PATCH] Bug 739134 - (CVE-2017-17786) Out of bounds read / heap - overflow in... -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -... TGA importer. - -Be more thorough on valid TGA RGB and RGBA images. -In particular current TGA plug-in can import RGBA as 32 bits (8 bits per -channel) and 16 bits (5 bits per color channel and 1 bit for alpha), and -RGB as 15 and 24 bits. -Maybe there exist more variants, but if they do exist, we simply don't -support them yet. - -Thanks to Hanno Böck for the report and a first patch attempt. 
- -(cherry picked from commit 674b62ad45b6579ec6d7923dc3cb1ef4e8b5498b) ---- - plug-ins/common/file-tga.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - -diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c -index aef98702d4..426acc2925 100644 ---- a/plug-ins/common/file-tga.c -+++ b/plug-ins/common/file-tga.c -@@ -564,12 +564,16 @@ load_image (const gchar *filename, - } - break; - case TGA_TYPE_COLOR: -- if (info.bpp != 15 && info.bpp != 16 && -- info.bpp != 24 && info.bpp != 32) -+ if ((info.bpp != 15 && info.bpp != 16 && -+ info.bpp != 24 && info.bpp != 32) || -+ ((info.bpp == 15 || info.bpp == 24) && -+ info.alphaBits != 0) || -+ (info.bpp == 16 && info.alphaBits != 1) || -+ (info.bpp == 32 && info.alphaBits != 8)) - { -- g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)", -+ g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)", - gimp_filename_to_utf8 (filename), -- info.imageType, info.bpp); -+ info.imageType, info.bpp, info.alphaBits); - return -1; - } - break; --- -2.15.1 - -From 22e2571c25425f225abdb11a566cc281fca6f366 Mon Sep 17 00:00:00 2001 -From: Jehan <jehan@girinstud.io> -Date: Wed, 20 Dec 2017 13:26:26 +0100 -Subject: [PATCH] plug-ins: TGA 16-bit RGB (without alpha bit) is also valid. - -According to some spec on the web, 16-bit RGB is also valid. In this -case, the last bit is simply ignored (at least that's how it is -implemented right now). 
- -(cherry picked from commit 8ea316667c8a3296bce2832b3986b58d0fdfc077) ---- - plug-ins/common/file-tga.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c -index 426acc2925..eb14a1dadc 100644 ---- a/plug-ins/common/file-tga.c -+++ b/plug-ins/common/file-tga.c -@@ -568,7 +568,8 @@ load_image (const gchar *filename, - info.bpp != 24 && info.bpp != 32) || - ((info.bpp == 15 || info.bpp == 24) && - info.alphaBits != 0) || -- (info.bpp == 16 && info.alphaBits != 1) || -+ (info.bpp == 16 && info.alphaBits != 1 && -+ info.alphaBits != 0) || - (info.bpp == 32 && info.alphaBits != 8)) - { - g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)", --- -2.15.1 - diff --git a/gnu/packages/patches/gimp-CVE-2017-17787.patch b/gnu/packages/patches/gimp-CVE-2017-17787.patch deleted file mode 100644 index b5310d33d9..0000000000 --- a/gnu/packages/patches/gimp-CVE-2017-17787.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -Fix CVE-2017-17787: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17787 -https://bugzilla.gnome.org/show_bug.cgi?id=790853 - -Patch copied from upstream source repository: - -https://git.gnome.org/browse/gimp/commit/?id=87ba505fff85989af795f4ab6a047713f4d9381d - -From 87ba505fff85989af795f4ab6a047713f4d9381d Mon Sep 17 00:00:00 2001 -From: Jehan <jehan@girinstud.io> -Date: Thu, 21 Dec 2017 12:49:41 +0100 -Subject: [PATCH] Bug 790853 - (CVE-2017-17787) heap overread in psp importer. - -As any external data, we have to check that strings being read at fixed -length are properly nul-terminated. - -(cherry picked from commit eb2980683e6472aff35a3117587c4f814515c74d) ---- - plug-ins/common/file-psp.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c -index 4cbafe37b1..e350e4d88d 100644 ---- a/plug-ins/common/file-psp.c -+++ b/plug-ins/common/file-psp.c -@@ -890,6 +890,12 @@ read_creator_block (FILE *f, - g_free (string); - return -1; - } -+ if (string[length - 1] != '\0') -+ { -+ g_message ("Creator keyword data not nul-terminated"); -+ g_free (string); -+ return -1; -+ } - switch (keyword) - { - case PSP_CRTR_FLD_TITLE: --- -2.15.1 - diff --git a/gnu/packages/patches/gimp-CVE-2017-17789.patch b/gnu/packages/patches/gimp-CVE-2017-17789.patch deleted file mode 100644 index 6dfa435fd0..0000000000 --- a/gnu/packages/patches/gimp-CVE-2017-17789.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -Fix CVE-2017-17789: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17789 -https://bugzilla.gnome.org/show_bug.cgi?id=790849 - -Patch copied from upstream source repository: - -https://git.gnome.org/browse/gimp/commit/?id=01898f10f87a094665a7fdcf7153990f4e511d3f - -From 01898f10f87a094665a7fdcf7153990f4e511d3f Mon Sep 17 00:00:00 2001 -From: Jehan <jehan@girinstud.io> -Date: Wed, 20 Dec 2017 16:44:20 +0100 -Subject: [PATCH] Bug 790849 - (CVE-2017-17789) CVE-2017-17789 Heap buffer - overflow... - -... in PSP importer. -Check if declared block length is valid (i.e. within the actual file) -before going further. -Consider the file as broken otherwise and fail loading it. - -(cherry picked from commit 28e95fbeb5720e6005a088fa811f5bf3c1af48b8) ---- - plug-ins/common/file-psp.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c -index ac0fff78f0..4cbafe37b1 100644 ---- a/plug-ins/common/file-psp.c -+++ b/plug-ins/common/file-psp.c -@@ -1771,6 +1771,15 @@ load_image (const gchar *filename, - { - block_start = ftell (f); - -+ if (block_start + block_total_len > st.st_size) -+ { -+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, -+ _("Could not open '%s' for reading: %s"), -+ gimp_filename_to_utf8 (filename), -+ _("invalid block size")); -+ goto error; -+ } -+ - if (id == PSP_IMAGE_BLOCK) - { - if (block_number != 0) --- -2.15.1 - diff --git a/gnu/packages/patches/liboop-mips64-deplibs-fix.patch b/gnu/packages/patches/liboop-mips64-deplibs-fix.patch deleted file mode 100644 index b91754a8cc..0000000000 --- a/gnu/packages/patches/liboop-mips64-deplibs-fix.patch +++ /dev/null 
@@ -1,17 +0,0 @@ -Patch configure script to choose pass_all deplibs check method for -linux-gnu* systems on mips64. This is a temporary hack until liboop -bootstraps their build system with a newer libtool. - -Patch by Mark H Weaver <mhw@netris.org>. - ---- liboop/configure.orig 2003-10-26 11:41:19.000000000 -0500 -+++ liboop/configure 2013-11-02 18:09:11.079995796 -0400 -@@ -3395,7 +3395,7 @@ - # This must be Linux ELF. - linux*) - case $host_cpu in -- alpha* | hppa* | i*86 | ia64* | m68* | mips | mipsel | powerpc* | sparc* | s390* | sh*) -+ alpha* | hppa* | i*86 | ia64* | m68* | mips | mipsel | mips64 | mips64el | powerpc* | sparc* | s390* | sh*) - lt_cv_deplibs_check_method=pass_all ;; - *) - # glibc up to 2.1.1 does not perform some relocations on ARM diff --git a/gnu/packages/patches/shadow-CVE-2018-7169.patch b/gnu/packages/patches/shadow-CVE-2018-7169.patch deleted file mode 100644 index eeae5b9b71..0000000000 --- a/gnu/packages/patches/shadow-CVE-2018-7169.patch +++ /dev/null 
@@ -1,191 +0,0 @@ -Fix CVE-2018-7169: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7169 - -Patch copied from upstream source repository: - -https://github.com/shadow-maint/shadow/commit/fb28c99b8a66ff2605c5cb96abc0a4d975f92de0 - -From fb28c99b8a66ff2605c5cb96abc0a4d975f92de0 Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai <asarai@suse.de> -Date: Thu, 15 Feb 2018 23:49:40 +1100 -Subject: [PATCH] newgidmap: enforce setgroups=deny if self-mapping a group - -This is necessary to match the kernel-side policy of "self-mapping in a -user namespace is fine, but you cannot drop groups" -- a policy that was -created in order to stop user namespaces from allowing trivial privilege -escalation by dropping supplementary groups that were "blacklisted" from -certain paths. - -This is the simplest fix for the underlying issue, and effectively makes -it so that unless a user has a valid mapping set in /etc/subgid (which -only administrators can modify) -- and they are currently trying to use -that mapping -- then /proc/$pid/setgroups will be set to deny. This -workaround is only partial, because ideally it should be possible to set -an "allow_setgroups" or "deny_setgroups" flag in /etc/subgid to allow -administrators to further restrict newgidmap(1). - -We also don't write anything in the "allow" case because "allow" is the -default, and users may have already written "deny" even if they -technically are allowed to use setgroups. And we don't write anything if -the setgroups policy is already "deny". 
- -Ref: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 -Fixes: CVE-2018-7169 -Reported-by: Craig Furman <craig.furman89@gmail.com> -Signed-off-by: Aleksa Sarai <asarai@suse.de> ---- - src/newgidmap.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++------ - 1 file changed, 80 insertions(+), 9 deletions(-) - -diff --git a/src/newgidmap.c b/src/newgidmap.c -index b1e33513..59a2e75c 100644 ---- a/src/newgidmap.c -+++ b/src/newgidmap.c -@@ -46,32 +46,37 @@ - */ - const char *Prog; - --static bool verify_range(struct passwd *pw, struct map_range *range) -+ -+static bool verify_range(struct passwd *pw, struct map_range *range, bool *allow_setgroups) - { - /* An empty range is invalid */ - if (range->count == 0) - return false; - -- /* Test /etc/subgid */ -- if (have_sub_gids(pw->pw_name, range->lower, range->count)) -+ /* Test /etc/subgid. If the mapping is valid then we allow setgroups. */ -+ if (have_sub_gids(pw->pw_name, range->lower, range->count)) { -+ *allow_setgroups = true; - return true; -+ } - -- /* Allow a process to map its own gid */ -- if ((range->count == 1) && (pw->pw_gid == range->lower)) -+ /* Allow a process to map its own gid. */ -+ if ((range->count == 1) && (pw->pw_gid == range->lower)) { -+ /* noop -- if setgroups is enabled already we won't disable it. 
*/ - return true; -+ } - - return false; - } - - static void verify_ranges(struct passwd *pw, int ranges, -- struct map_range *mappings) -+ struct map_range *mappings, bool *allow_setgroups) - { - struct map_range *mapping; - int idx; - - mapping = mappings; - for (idx = 0; idx < ranges; idx++, mapping++) { -- if (!verify_range(pw, mapping)) { -+ if (!verify_range(pw, mapping, allow_setgroups)) { - fprintf(stderr, _( "%s: gid range [%lu-%lu) -> [%lu-%lu) not allowed\n"), - Prog, - mapping->upper, -@@ -89,6 +94,70 @@ static void usage(void) - exit(EXIT_FAILURE); - } - -+void write_setgroups(int proc_dir_fd, bool allow_setgroups) -+{ -+ int setgroups_fd; -+ char *policy, policy_buffer[4096]; -+ -+ /* -+ * Default is "deny", and any "allow" will out-rank a "deny". We don't -+ * forcefully write an "allow" here because the process we are writing -+ * mappings for may have already set themselves to "deny" (and "allow" -+ * is the default anyway). So allow_setgroups == true is a noop. -+ */ -+ policy = "deny\n"; -+ if (allow_setgroups) -+ return; -+ -+ setgroups_fd = openat(proc_dir_fd, "setgroups", O_RDWR|O_CLOEXEC); -+ if (setgroups_fd < 0) { -+ /* -+ * If it's an ENOENT then we are on too old a kernel for the setgroups -+ * code to exist. Emit a warning and bail on this. -+ */ -+ if (ENOENT == errno) { -+ fprintf(stderr, _("%s: kernel doesn't support setgroups restrictions\n"), Prog); -+ goto out; -+ } -+ fprintf(stderr, _("%s: couldn't open process setgroups: %s\n"), -+ Prog, -+ strerror(errno)); -+ exit(EXIT_FAILURE); -+ } -+ -+ /* -+ * Check whether the policy is already what we want. /proc/self/setgroups -+ * is write-once, so attempting to write after it's already written to will -+ * fail. 
-+ */ -+ if (read(setgroups_fd, policy_buffer, sizeof(policy_buffer)) < 0) { -+ fprintf(stderr, _("%s: failed to read setgroups: %s\n"), -+ Prog, -+ strerror(errno)); -+ exit(EXIT_FAILURE); -+ } -+ if (!strncmp(policy_buffer, policy, strlen(policy))) -+ goto out; -+ -+ /* Write the policy. */ -+ if (lseek(setgroups_fd, 0, SEEK_SET) < 0) { -+ fprintf(stderr, _("%s: failed to seek setgroups: %s\n"), -+ Prog, -+ strerror(errno)); -+ exit(EXIT_FAILURE); -+ } -+ if (dprintf(setgroups_fd, "%s", policy) < 0) { -+ fprintf(stderr, _("%s: failed to setgroups %s policy: %s\n"), -+ Prog, -+ policy, -+ strerror(errno)); -+ exit(EXIT_FAILURE); -+ } -+ -+out: -+ close(setgroups_fd); -+} -+ - /* - * newgidmap - Set the gid_map for the specified process - */ -@@ -103,6 +172,7 @@ int main(int argc, char **argv) - struct stat st; - struct passwd *pw; - int written; -+ bool allow_setgroups = false; - - Prog = Basename (argv[0]); - -@@ -145,7 +215,7 @@ int main(int argc, char **argv) - (unsigned long) getuid ())); - return EXIT_FAILURE; - } -- -+ - /* Get the effective uid and effective gid of the target process */ - if (fstat(proc_dir_fd, &st) < 0) { - fprintf(stderr, _("%s: Could not stat directory for target %u\n"), -@@ -177,8 +247,9 @@ int main(int argc, char **argv) - if (!mappings) - usage(); - -- verify_ranges(pw, ranges, mappings); -+ verify_ranges(pw, ranges, mappings, &allow_setgroups); - -+ write_setgroups(proc_dir_fd, allow_setgroups); - write_mapping(proc_dir_fd, ranges, mappings, "gid_map"); - sub_gid_close(); - --- -2.16.2 - |