[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: fr
From: |
Kei Kebreau |
Subject: |
Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.] |
Date: |
Sat, 15 Oct 2016 14:57:37 -0400 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) |
Efraim Flashner <address@hidden> writes:
> On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote:
>> Leo Famulari <address@hidden> writes:
>>
>> > On Fri, Oct 14, 2016 at 10:44:05AM +0000, Efraim Flashner wrote:
>> >> efraim pushed a commit to branch master
>> >> in repository guix.
>> >>
>> >> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134
>> >> Author: Efraim Flashner <address@hidden>
>> >> Date: Fri Oct 14 11:28:21 2016 +0300
>> >>
>> >> gnu: freeimage: Fix CVE-2016-5684.
>> >>
>> >> * gnu/packages/image.scm (freeimage)[source]: Add patch.
>> >> * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file.
>> >> * gnu/local.mk (dist_patch_DATA): Register it.
>> >> ---
>> >> gnu/local.mk | 1 +
>> >> gnu/packages/image.scm | 3 +-
>> >> gnu/packages/patches/freeimage-CVE-2016-5684.patch | 34
>> >> ++++++++++++++++++++
>> >> 3 files changed, 37 insertions(+), 1 deletion(-)
>> >
>> > Efraim pointed out on IRC that our freeimage packages bundles many
>> > 3rd-party libraries:
>> >
>> > $ ls -1 FreeImage/Source
>> > CacheFile.h
>> > DeprecationManager
>> > FreeImage
>> > FreeImage.h
>> > FreeImageIO.h
>> > FreeImageLib
>> > FreeImageToolkit
>> > LibJPEG
>> > LibJXR
>> > LibOpenJPEG
>> > LibPNG
>> > LibRawLite
>> > LibTIFF4
>> > LibWebP
>> > MapIntrospector.h
>> > Metadata
>> > OpenEXR
>> > Plugin.h
>> > Quantizers.h
>> > ToneMapping.h
>> > Utilities.h
>> > ZLib
>> >
>> > Debian has a patch to make it use "system" copies of the libraries:
>> >
>> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
>> >
>> > For now, our freeimage package is probably vulnerable to many publicly
>> > disclosed security bugs.
>> >
>> > Who volunteers to try fixing this?
>>
>> The patch is attached. I've removed the bit from Debian that disables JPEG
>> transformation functions, as seen below. JPEGTransform.cpp (in
>> Source/FreeImageToolkit) gave me some trouble when I left that part of
>> the patch alone.
>>
>> @@ -473,6 +477,9 @@ FI_ENUM(FREE_IMAGE_DITHER) {
>> FID_BAYER16x16 = 6 //! Bayer ordered dispersed dot
>> dithering (order 4 dithering matrix)
>> };
>>
>> +/* Debian: The JPEGTransform functions are deliberately disabled in our
>> build
>> + of FreeImage, since they require usage of the vendored copy of libjpeg.
>> */
>> +#if 0
>> /** Lossless JPEG transformations
>> Constants used in FreeImage_JPEGTransform
>> */
>> @@ -486,6 +493,7 @@ FI_ENUM(FREE_IMAGE_JPEG_OPERATION) {
>> FIJPEG_OP_ROTATE_180 = 6, //! 180-degree rotation
>> FIJPEG_OP_ROTATE_270 = 7 //! 270-degree clockwise (or 90
>> ccw)
>> };
>> +#endif
>>
>> /** Tone mapping operators.
>> Constants used in FreeImage_ToneMapping.
>> @@ -1076,7 +1084,9 @@ DLL_API const char* DLL_CALLCONV
>> FreeImage_TagToString(FREE_IMAGE_MDMODEL model,
>> //
>> --------------------------------------------------------------------------
>> // JPEG lossless transformation routines
>> //
>> --------------------------------------------------------------------------
>> -
>> +/* Debian: The JPEGTransform functions are deliberately disabled in our
>> build
>> + of FreeImage, since they require usage of the vendored copy of libjpeg.
>> */
>> +#if 0
>> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransform(const char *src_file,
>> const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect
>> FI_DEFAULT(TRUE));
>> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformU(const wchar_t *src_file,
>> const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation, BOOL perfect
>> FI_DEFAULT(TRUE));
>> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGCrop(const char *src_file, const
>> char *dst_file, int left, int top, int right, int bottom);
>> @@ -1085,6 +1095,7 @@ DLL_API BOOL DLL_CALLCONV
>> FreeImage_JPEGTransformFromHandle(FreeImageIO* src_io,
>> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombined(const char
>> *src_file, const char *dst_file, FREE_IMAGE_JPEG_OPERATION operation, int*
>> left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
>> DLL_API BOOL DLL_CALLCONV FreeImage_JPEGTransformCombinedU(const wchar_t
>> *src_file, const wchar_t *dst_file, FREE_IMAGE_JPEG_OPERATION operation,
>> int* left, int* top, int* right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
>> DLL_API BOOL DLL_CALLCONV
>> FreeImage_JPEGTransformCombinedFromMemory(FIMEMORY* src_stream, FIMEMORY*
>> dst_stream, FREE_IMAGE_JPEG_OPERATION operation, int* left, int* top, int*
>> right, int* bottom, BOOL perfect FI_DEFAULT(TRUE));
>> +#endif
>
>> From 4ef0c85c769aa4bc7a528c13eee1c61705e61479 Mon Sep 17 00:00:00 2001
>> From: Kei Kebreau <address@hidden>
>> Date: Fri, 14 Oct 2016 18:09:45 -0400
>> Subject: [PATCH] gnu: freeimage: Disable in-tree third-party libraries.
>>
>> * gnu/packages/image.scm (freeimage)[source]: Add patch.
>> * gnu/packages/patches/freeimage-disable-vendored-dependencies.patch: New
>> file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> ---
>> gnu/local.mk | 1 +
>> gnu/packages/image.scm | 6 +-
>> .../freeimage-disable-vendored-dependencies.patch | 398
>> +++++++++++++++++++++
>> 3 files changed, 404 insertions(+), 1 deletion(-)
>> create mode 100644
>> gnu/packages/patches/freeimage-disable-vendored-dependencies.patch
>
> I was looking at it and I thought it was going to be much more than 400
> lines in the end.
>
> Did we also need the other patch?
> https://sources.debian.net/src/freeimage/3.17.0%2Bds1-3/debian/patches/Use-system-dependencies.patch/
>
> On one hand we could carry a modified version of Debian's patch, on the
> other hand some of these look like they could be a series of substitute*
> commands. I started looking through the patch and thinking how to
> convert them from "../path/to/header.h" to <header.h> and realizing I
> myself wouldn't want to do that, so that could easily be an option for
> another time :).
Looking at its contents, adding that patch would make a lot of sense. :-)
signature.asc
Description: PGP signature