summary refs log tree commit diff
path: root/gnu/packages/patches/lcms-CVE-2016-10165.patch
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2017-04-03 00:13:06 +0200
committerLudovic Courtès <ludo@gnu.org>2017-04-03 00:13:06 +0200
commit2a0d5de5a9decd785b22dafa69aae5320231f1b7 (patch)
tree6c532e278025fb46a94f4cb3c3a68063b7011fe1 /gnu/packages/patches/lcms-CVE-2016-10165.patch
parent41f6d18fb6ae7adebe72793c625ad4574991fa6d (diff)
parent245575eaf33801753ac8290e077c4397b2568540 (diff)
downloadguix-2a0d5de5a9decd785b22dafa69aae5320231f1b7.tar.gz
Merge branch 'core-updates'
Diffstat (limited to 'gnu/packages/patches/lcms-CVE-2016-10165.patch')
-rw-r--r--gnu/packages/patches/lcms-CVE-2016-10165.patch36
1 files changed, 36 insertions, 0 deletions
diff --git a/gnu/packages/patches/lcms-CVE-2016-10165.patch b/gnu/packages/patches/lcms-CVE-2016-10165.patch
new file mode 100644
index 0000000000..fa4d75c9ee
--- /dev/null
+++ b/gnu/packages/patches/lcms-CVE-2016-10165.patch
@@ -0,0 +1,36 @@
+Fix CVE-2016-10165, an out-of-bounds heap read in Type_MLU_Read():
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10165
+http://seclists.org/oss-sec/2016/q3/288
+https://bugzilla.redhat.com/show_bug.cgi?id=1367357
+https://security-tracker.debian.org/tracker/CVE-2016-10165
+
+Patch copied from upstream source repository:
+
+https://github.com/mm2/Little-CMS/commit/5ca71a7bc18b6897ab21d815d15e218e204581e2
+
+From 5ca71a7bc18b6897ab21d815d15e218e204581e2 Mon Sep 17 00:00:00 2001
+From: Marti <marti.maria@tktbrainpower.com>
+Date: Mon, 15 Aug 2016 23:31:39 +0200
+Subject: [PATCH] Added an extra check to MLU bounds
+
+Thanks to Ibrahim el-sayed for spotting the bug
+---
+ src/cmstypes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/cmstypes.c b/src/cmstypes.c
+index cb61860..c7328b9 100644
+--- a/src/cmstypes.c
++++ b/src/cmstypes.c
+@@ -1460,6 +1460,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
+ 
+         // Check for overflow
+         if (Offset < (SizeOfHeader + 8)) goto Error;
++        if ((Offset + Len) > SizeOfTag + 8) goto Error;
+ 
+         // True begin of the string
+         BeginOfThisString = Offset - SizeOfHeader - 8;
+-- 
+2.11.0
+