From 0fa9f29a5100f19a8494521659a1fa3baaa7fd0e Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Wed, 4 Dec 2019 22:18:43 +0100 Subject: gnu: libjpeg-turbo: Fix CVE-2019-13960 and CVE-2019-2201. * gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch: New file. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/image.scm (libjpeg-turbo/fixed): New variable. (libjpeg-turbo)[replacement]: New field. --- .../patches/libjpeg-turbo-CVE-2019-2201.patch | 31 ++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch (limited to 'gnu/packages/patches') diff --git a/gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch b/gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch new file mode 100644 index 0000000000..35f2bf5963 --- /dev/null +++ b/gnu/packages/patches/libjpeg-turbo-CVE-2019-2201.patch @@ -0,0 +1,31 @@ +Fix integer overflow which can potentially lead to RCE. + +https://www.openwall.com/lists/oss-security/2019/11/11/1 +https://nvd.nist.gov/vuln/detail/CVE-2019-2201 + +The problem was partially fixed in 2.0.3. This patch is a follow-up. +https://github.com/libjpeg-turbo/libjpeg-turbo/issues/388 +https://github.com/libjpeg-turbo/libjpeg-turbo/commit/c30b1e72dac76343ef9029833d1561de07d29bad + +diff --git a/tjbench.c b/tjbench.c +index a7d397318..13a5bde62 100644 +--- a/tjbench.c ++++ b/tjbench.c +@@ -171,7 +171,7 @@ static int decomp(unsigned char *srcBuf, unsigned char **jpegBuf, + } + /* Set the destination buffer to gray so we know whether the decompressor + attempted to write to it */ +- memset(dstBuf, 127, pitch * scaledh); ++ memset(dstBuf, 127, (size_t)pitch * scaledh); + + if (doYUV) { + int width = doTile ? tilew : scaledw; +@@ -193,7 +193,7 @@ static int decomp(unsigned char *srcBuf, unsigned char **jpegBuf, + double start = getTime(); + + for (row = 0, dstPtr = dstBuf; row < ntilesh; +- row++, dstPtr += pitch * tileh) { ++ row++, dstPtr += (size_t)pitch * tileh) { + for (col = 0, dstPtr2 = dstPtr; col < ntilesw; + col++, tile++, dstPtr2 += ps * tilew) { + int width = doTile ? min(tilew, w - col * tilew) : scaledw; -- cgit v1.2.3