diff options
author | Tobias Geerinckx-Rice <me@tobias.gr> | 2019-02-28 20:28:33 +0100 |
---|---|---|
committer | Tobias Geerinckx-Rice <me@tobias.gr> | 2019-02-28 22:35:41 +0100 |
commit | 2a18b57222895b167522fcdecd7a0c37e64b5fbd (patch) | |
tree | 0ee9ecb4ab0934eb38d265c6355ebcf963d9dddf | |
parent | 13966cbd5e54c3da6129a021d77b299dbe6e6427 (diff) | |
download | guix-2a18b57222895b167522fcdecd7a0c37e64b5fbd.tar.gz |
gnu: netpbm: Fix CVE-2017-258[67].
* gnu/packages/netpbm.scm (netpbm)[source]: Add patches. * gnu/packages/patches/netpbm-CVE-2017-2586.patch, gnu/packages/patches/netpbm-CVE-2017-2587.patch: New files. * gnu/local.mk: Fix missing copyright year. (dist_patch_DATA): Add them.
-rw-r--r-- | gnu/local.mk | 4 | ||||
-rw-r--r-- | gnu/packages/netpbm.scm | 3 | ||||
-rw-r--r-- | gnu/packages/patches/netpbm-CVE-2017-2586.patch | 21 | ||||
-rw-r--r-- | gnu/packages/patches/netpbm-CVE-2017-2587.patch | 35 |
4 files changed, 62 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 198167310c..82050b90da 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -12,7 +12,7 @@ # Copyright © 2016, 2017, 2018, 2019 Alex Vong <alexvong1995@gmail.com> # Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il> # Copyright © 2016, 2017 Jan Nieuwenhuizen <janneke@gnu.org> -# Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr> +# Copyright © 2017, 2018, 2019 Tobias Geerinckx-Rice <me@tobias.gr> # Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org> # Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com> # Copyright © 2017, 2018 Gábor Boskovits <boskovits@gmail.com> @@ -1065,6 +1065,8 @@ dist_patch_DATA = \ %D%/packages/patches/m4-gnulib-libio.patch \ %D%/packages/patches/netcdf-date-time.patch \ %D%/packages/patches/netcdf-tst_h_par.patch \ + %D%/packages/patches/netpbm-CVE-2017-2586.patch \ + %D%/packages/patches/netpbm-CVE-2017-2587.patch \ %D%/packages/patches/netsurf-message-timestamp.patch \ %D%/packages/patches/netsurf-system-utf8proc.patch \ %D%/packages/patches/netsurf-y2038-tests.patch \ diff --git a/gnu/packages/netpbm.scm b/gnu/packages/netpbm.scm index 9c0e970257..7fe0503d6f 100644 --- a/gnu/packages/netpbm.scm +++ b/gnu/packages/netpbm.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr> ;;; Copyright © 2015, 2016 Ludovic Courtès <ludo@gnu.org> +;;; Copyright © 2019 Tobias Geerinckx-Rice <me@tobias.gr> ;;; ;;; This file is part of GNU Guix. ;;; @@ -52,6 +53,8 @@ (sha256 (base32 "1k7as9qi1942wyjxpvbf02wg0h4braw44m3m3vvi8sm9y5z1m967")) + (patches (search-patches "netpbm-CVE-2017-2586.patch" + "netpbm-CVE-2017-2587.patch")) (file-name (string-append name "-" version "-checkout")) (modules '((guix build utils))) (snippet diff --git a/gnu/packages/patches/netpbm-CVE-2017-2586.patch b/gnu/packages/patches/netpbm-CVE-2017-2586.patch new file mode 100644 index 0000000000..99921870af --- /dev/null +++ b/gnu/packages/patches/netpbm-CVE-2017-2586.patch @@ -0,0 +1,21 @@ +From: Tobias Geerinckx-Rice <me@tobias.gr> +Date: Thu, 28 Feb 2019 20:29:00 +0100 +Subject: [PATCH] netpbm: Fix CVE-2017-2586. + +Copied verbatim from Debian[0]. + +[0]: https://sources.debian.org/data/main/n/netpbm-free/2:10.78.05-0.1/debian/patches/netpbm-CVE-2017-2586.patch + +--- +diff -urNp old/converter/other/svgtopam.c new/converter/other/svgtopam.c +--- old/converter/other/svgtopam.c 2017-02-08 12:11:02.593690917 +0100 ++++ new/converter/other/svgtopam.c 2017-02-08 12:13:05.192846469 +0100 +@@ -676,7 +676,7 @@ stringToUint(const char * const string + + /* TODO: move this to nstring.c */ + +- if (strlen(string) == 0) ++ if (string == NULL || strlen(string) == 0) + pm_asprintf(errorP, "Value is a null string"); + else { + char * tailptr; diff --git a/gnu/packages/patches/netpbm-CVE-2017-2587.patch b/gnu/packages/patches/netpbm-CVE-2017-2587.patch new file mode 100644 index 0000000000..70fa508f60 --- /dev/null +++ b/gnu/packages/patches/netpbm-CVE-2017-2587.patch @@ -0,0 +1,35 @@ +From: Tobias Geerinckx-Rice <me@tobias.gr> +Date: Thu, 28 Feb 2019 20:29:00 +0100 +Subject: [PATCH] netpbm: Fix CVE-2017-2587. + +Copied verbatim from Debian[0]. + +[0]: https://sources.debian.org/data/main/n/netpbm-free/2:10.78.05-0.1/debian/patches/netpbm-CVE-2017-2587.patch + +--- +diff -urNp old/converter/other/svgtopam.c new/converter/other/svgtopam.c +--- old/converter/other/svgtopam.c 2017-02-08 12:11:02.593690917 +0100 ++++ new/converter/other/svgtopam.c 2017-02-08 13:49:38.319029371 +0100 +@@ -771,12 +771,17 @@ createCanvas(unsigned int const width, + + MALLOCVAR_NOFAIL(canvasP); + +- canvasP->width = width; +- canvasP->height = height; +- canvasP->pixels = ppm_allocarray(width, height); +- canvasP->maxval = maxval; ++ if(canvasP != NULL){ ++ canvasP->width = width; ++ canvasP->height = height; ++ canvasP->pixels = ppm_allocarray(width, height); ++ canvasP->maxval = maxval; ++ ++ *canvasPP = canvasP; ++ } else { ++ pm_error("can't allocate memory for canvas"); ++ } + +- *canvasPP = canvasP; + } + + |