Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch66
-rw-r--r--gnu/packages/patches/exiv2-CVE-2017-14860.patch48
-rw-r--r--gnu/packages/patches/wget-CVE-2017-6508.patch45
-rw-r--r--gnu/packages/patches/wget-fix-504-test-timeout.patch160
-rw-r--r--gnu/packages/patches/wget-perl-5.26.patch96
5 files changed, 114 insertions, 301 deletions
diff --git a/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch b/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch
new file mode 100644
index 0000000000..69e65aeb6b
--- /dev/null
+++ b/gnu/packages/patches/exiv2-CVE-2017-14859-14862-14864.patch
@@ -0,0 +1,66 @@
+Fix CVE-2017-14859, CVE-2017-14862 and CVE-2017-14864.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14859
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14862
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14864
+
+Copied from upstream:
+
+https://github.com/Exiv2/exiv2/commit/8a586c74bbe3fbca64e86e42a42282c73f427607
+
+From 8a586c74bbe3fbca64e86e42a42282c73f427607 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
+Date: Sat, 7 Oct 2017 23:08:36 +0200
+Subject: [PATCH] Fix for CVE-2017-14864, CVE-2017-14862 and CVE-2017-14859
+
+The invalid memory dereference in
+Exiv2::getULong()/Exiv2::StringValueBase::read()/Exiv2::DataValue::read()
+is caused further up the call-stack, by
+v->read(pData, size, byteOrder) in TiffReader::readTiffEntry()
+passing an invalid pData pointer (pData points outside of the Tiff
+file). pData can be set out of bounds in the (size > 4) branch where
+baseOffset() and offset are added to pData_ without checking whether
+the result is still in the file. As offset comes from an untrusted
+source, an attacker can craft an arbitrarily large offset into the
+file.
+
+This commit adds a check into the problematic branch, whether the
+result of the addition would be out of bounds of the Tiff
+file. Furthermore the whole operation is checked for possible
+overflows.
+---
+ src/tiffvisitor.cpp | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/tiffvisitor.cpp b/src/tiffvisitor.cpp
+index 4ab733d4..ef13542e 100644
+--- a/src/tiffvisitor.cpp
++++ b/src/tiffvisitor.cpp
+@@ -47,6 +47,7 @@ EXIV2_RCSID("@(#) $Id$")
+ #include <iostream>
+ #include <iomanip>
+ #include <cassert>
++#include <limits>
+ 
+ // *****************************************************************************
+ namespace {
+@@ -1517,7 +1518,19 @@ namespace Exiv2 {
+                 size = 0;
+         }
+         if (size > 4) {
++            // setting pData to pData_ + baseOffset() + offset can result in pData pointing to invalid memory,
++            // as offset can be arbitrarily large
++            if ((static_cast<uintptr_t>(baseOffset()) > std::numeric_limits<uintptr_t>::max() - static_cast<uintptr_t>(offset))
++             || (static_cast<uintptr_t>(baseOffset() + offset) > std::numeric_limits<uintptr_t>::max() - reinterpret_cast<uintptr_t>(pData_)))
++            {
++                throw Error(59);
++            }
++            if (pData_ + static_cast<uintptr_t>(baseOffset()) + static_cast<uintptr_t>(offset) > pLast_) {
++                throw Error(58);
++            }
+             pData = const_cast<byte*>(pData_) + baseOffset() + offset;
++
++	    // check for size being invalid
+             if (size > static_cast<uint32_t>(pLast_ - pData)) {
+ #ifndef SUPPRESS_WARNINGS
+                 EXV_ERROR << "Upper boundary of data for "
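Review bot: In the embedded tiffvisitor.cpp hunk, the new bounds test `pData_ + static_cast<uintptr_t>(baseOffset()) + static_cast<uintptr_t>(offset) > pLast_` builds the candidate pointer before comparing it, so for an offset past the buffer the comparison itself relies on out-of-range pointer arithmetic, which C++ leaves undefined and an optimizer may assume cannot happen. Comparing lengths keeps the check in integer arithmetic: `if (static_cast<uintptr_t>(baseOffset()) + static_cast<uintptr_t>(offset) > static_cast<uintptr_t>(pLast_ - pData_)) throw Error(58);`, which cannot wrap once the first overflow test has passed. In the second overflow test the sum `baseOffset() + offset` is formed before the cast, so if both operands are 32-bit (their declarations are outside the hunk) it can wrap before being widened; casting each operand first would match the first test. The enclosing function begins and ends outside the hunk, so whether `pLast_ >= pData_` always holds should be confirmed there.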
diff --git a/gnu/packages/patches/exiv2-CVE-2017-14860.patch b/gnu/packages/patches/exiv2-CVE-2017-14860.patch
new file mode 100644
index 0000000000..43e6076b71
--- /dev/null
+++ b/gnu/packages/patches/exiv2-CVE-2017-14860.patch
@@ -0,0 +1,48 @@
+Fix CVE-2017-14860.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14860
+https://nvd.nist.gov/vuln/detail/CVE-2017-14860
+
+Copied from upstream:
+
+https://github.com/Exiv2/exiv2/commit/ff18fec24b119579df26fd2ebb8bb012cde102ce
+
+From ff18fec24b119579df26fd2ebb8bb012cde102ce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dan.cermak@cgc-instruments.com>
+Date: Fri, 6 Oct 2017 23:09:08 +0200
+Subject: [PATCH] Fix for CVE-2017-14860
+
+A heap buffer overflow could occur in memcpy when icc.size_ is larger
+than data.size_ - pad, as then memcpy would read out of bounds of data.
+
+This commit adds a sanity check to iccLength (= icc.size_): if it is
+larger than data.size_ - pad (i.e. an overflow would be caused) an
+exception is thrown.
+
+This fixes #71.
+---
+ src/jp2image.cpp | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/jp2image.cpp b/src/jp2image.cpp
+index 747145cf..748d39b5 100644
+--- a/src/jp2image.cpp
++++ b/src/jp2image.cpp
+@@ -269,10 +269,15 @@ namespace Exiv2
+                             std::cout << "Exiv2::Jp2Image::readMetadata: "
+                                      << "Color data found" << std::endl;
+ #endif
+-                            long pad = 3 ; // 3 padding bytes 2 0 0
++                            const long pad = 3 ; // 3 padding bytes 2 0 0
+                             DataBuf data(subBox.length+8);
+                             io_->read(data.pData_,data.size_);
+-                            long    iccLength = getULong(data.pData_+pad, bigEndian);
++                            const long    iccLength = getULong(data.pData_+pad, bigEndian);
++                            // subtracting pad from data.size_ is safe:
++                            // size_ is at least 8 and pad = 3
++                            if (iccLength > data.size_ - pad) {
++                                throw Error(58);
++			    }
+                             DataBuf icc(iccLength);
+                             ::memcpy(icc.pData_,data.pData_+pad,icc.size_);
+ #ifdef DEBUG
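Review bot: The added check `if (iccLength > data.size_ - pad)` in the embedded jp2image.cpp hunk has no lower bound, and `iccLength` is a signed `long` filled from `getULong()`. Where `long` is 32 bits, a stored length above LONG_MAX would presumably become negative, pass the comparison, and still reach `DataBuf icc(iccLength)` and the `memcpy`. Rejecting negative values in the same test closes that path: `if (iccLength < 0 || iccLength > data.size_ - pad) {`. The comment's claim that `size_` is at least 8 also depends on `subBox.length+8` not wrapping and on `io_->read` having filled the buffer, neither of which is checked in the visible lines. The enclosing function (readMetadata, going by the debug string) starts and ends outside the hunk.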
diff --git a/gnu/packages/patches/wget-CVE-2017-6508.patch b/gnu/packages/patches/wget-CVE-2017-6508.patch
deleted file mode 100644
index 0218fceaad..0000000000
--- a/gnu/packages/patches/wget-CVE-2017-6508.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Fix CVE-2017-6508:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6508
-
-Patch copied from upstream source repository:
-
-https://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4
-
-From 4d729e322fae359a1aefaafec1144764a54e8ad4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
-Date: Mon, 6 Mar 2017 10:04:22 +0100
-Subject: [PATCH] Fix CRLF injection in Wget host part
-
-* src/url.c (url_parse): Reject control characters in host part of URL
-
-Reported-by: Orange Tsai
----
- src/url.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/src/url.c b/src/url.c
-index 8f8ff0b8..7d36b27d 100644
---- a/src/url.c
-+++ b/src/url.c
-@@ -925,6 +925,17 @@ url_parse (const char *url, int *error, struct iri *iri, bool percent_encode)
-       url_unescape (u->host);
-       host_modified = true;
- 
-+      /* check for invalid control characters in host name */
-+      for (p = u->host; *p; p++)
-+        {
-+          if (c_iscntrl(*p))
-+            {
-+              url_free(u);
-+              error_code = PE_INVALID_HOST_NAME;
-+              goto error;
-+            }
-+        }
-+
-       /* Apply IDNA regardless of iri->utf8_encode status */
-       if (opt.enable_iri && iri)
-         {
--- 
-2.12.0
-
diff --git a/gnu/packages/patches/wget-fix-504-test-timeout.patch b/gnu/packages/patches/wget-fix-504-test-timeout.patch
deleted file mode 100644
index d9bf154103..0000000000
--- a/gnu/packages/patches/wget-fix-504-test-timeout.patch
+++ /dev/null
@@ -1,160 +0,0 @@
-This patch is from upstream. If a machine is too slow it can cause
-test-504.py to fail.
-http://git.savannah.gnu.org/cgit/wget.git/patch/?id=ac4fed32204e9ec1874e7cb5ecc55f1b35c1c8de
-
-From ac4fed32204e9ec1874e7cb5ecc55f1b35c1c8de Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
-Date: Tue, 14 Feb 2017 16:20:26 +0100
-Subject: Fix 504 status handling
-
-* src/http.c (gethttp): Move 504 handling to correct place.
-  (http_loop): Fix memeory leak.
-* testenv/server/http/http_server.py: Add Content-Length header on non-2xx
-  status codes with a body
-
-Reported-by: Adam Sampson
----
- src/http.c                         | 30 +++++++++++-------------------
- testenv/server/http/http_server.py |  9 +++++----
- 2 files changed, 16 insertions(+), 23 deletions(-)
-
-diff --git a/src/http.c b/src/http.c
-index 898e184..d2c5c77 100644
---- a/src/http.c
-+++ b/src/http.c
-@@ -3476,7 +3476,7 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
- 
- #ifdef HAVE_METALINK
-   /* We need to check for the Metalink data in the very first response
--     we get from the server (before redirectionrs, authorization, etc.).  */
-+     we get from the server (before redirections, authorization, etc.).  */
-   if (metalink)
-     {
-       hs->metalink = metalink_from_http (resp, hs, u);
-@@ -3496,7 +3496,7 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
-       uerr_t auth_err = RETROK;
-       bool retry;
-       /* Normally we are not interested in the response body.
--         But if we are writing a WARC file we are: we like to keep everyting.  */
-+         But if we are writing a WARC file we are: we like to keep everything.  */
-       if (warc_enabled)
-         {
-           int _err;
-@@ -3556,20 +3556,6 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
-         pconn.authorized = true;
-     }
- 
--  if (statcode == HTTP_STATUS_GATEWAY_TIMEOUT)
--    {
--      hs->len = 0;
--      hs->res = 0;
--      hs->restval = 0;
--
--      CLOSE_FINISH (sock);
--      xfree (hs->message);
--
--      retval = GATEWAYTIMEOUT;
--      goto cleanup;
--    }
--
--
-   {
-     uerr_t ret = check_file_output (u, hs, resp, hdrval, sizeof hdrval);
-     if (ret != RETROK)
-@@ -3910,8 +3896,8 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
-               retval = _err;
-               goto cleanup;
-             }
--          else
--            CLOSE_FINISH (sock);
-+
-+          CLOSE_FINISH (sock);
-         }
-       else
-         {
-@@ -3934,7 +3920,11 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
-             CLOSE_INVALIDATE (sock);
-         }
- 
--      retval = RETRFINISHED;
-+      if (statcode == HTTP_STATUS_GATEWAY_TIMEOUT)
-+        retval = GATEWAYTIMEOUT;
-+      else
-+        retval = RETRFINISHED;
-+
-       goto cleanup;
-     }
- 
-@@ -4208,6 +4198,8 @@ http_loop (const struct url *u, struct url *original_url, char **newloc,
-              bring them to "while" statement at the end, to judge
-              whether the number of tries was exceeded.  */
-           printwhat (count, opt.ntry);
-+          xfree (hstat.message);
-+          xfree (hstat.error);
-           continue;
-         case FWRITEERR: case FOPENERR:
-           /* Another fatal error.  */
-diff --git a/testenv/server/http/http_server.py b/testenv/server/http/http_server.py
-index e96f6e8..b222df0 100644
---- a/testenv/server/http/http_server.py
-+++ b/testenv/server/http/http_server.py
-@@ -204,7 +204,6 @@ class _Handler(BaseHTTPRequestHandler):
- 
-     def Response(self, resp_obj):
-         self.send_response(resp_obj.response_code)
--        self.finish_headers()
-         if resp_obj.response_code == 304:
-             raise NoBodyServerError("Conditional get falling to head")
-         raise ServerError("Custom Response code sent.")
-@@ -329,7 +328,6 @@ class _Handler(BaseHTTPRequestHandler):
-         except AuthError as se:
-             self.send_response(401, "Authorization Required")
-             self.send_challenge(auth_rule.auth_type, auth_rule.auth_parm)
--            self.finish_headers()
-             raise se
- 
-     def handle_auth(self, auth_rule):
-@@ -362,7 +360,6 @@ class _Handler(BaseHTTPRequestHandler):
-             if header_recd is None or header_recd != exp_headers[header_line]:
-                 self.send_error(400, "Expected Header %s not found" %
-                                 header_line)
--                self.finish_headers()
-                 raise ServerError("Header " + header_line + " not found")
- 
-     def RejectHeader(self, header_obj):
-@@ -372,7 +369,6 @@ class _Handler(BaseHTTPRequestHandler):
-             if header_recd and header_recd == rej_headers[header_line]:
-                 self.send_error(400, 'Blacklisted Header %s received' %
-                                 header_line)
--                self.finish_headers()
-                 raise ServerError("Header " + header_line + ' received')
- 
-     def __log_request(self, method):
-@@ -400,6 +396,7 @@ class _Handler(BaseHTTPRequestHandler):
- 
-             content = self.server.fileSys.get(path)
-             content_length = len(content)
-+
-             for rule_name in self.rules:
-                 try:
-                     assert hasattr(self, rule_name)
-@@ -410,12 +407,16 @@ class _Handler(BaseHTTPRequestHandler):
-                     return(None, None)
-                 except AuthError as ae:
-                     print(ae.__str__())
-+                    self.finish_headers()
-                     return(None, None)
-                 except NoBodyServerError as nbse:
-                     print(nbse.__str__())
-+                    self.finish_headers()
-                     return(None, None)
-                 except ServerError as se:
-                     print(se.__str__())
-+                    self.add_header("Content-Length", content_length)
-+                    self.finish_headers()
-                     return(content, None)
- 
-             try:
--- 
-cgit v1.0-41-gc330
-
diff --git a/gnu/packages/patches/wget-perl-5.26.patch b/gnu/packages/patches/wget-perl-5.26.patch
deleted file mode 100644
index ee3a984daa..0000000000
--- a/gnu/packages/patches/wget-perl-5.26.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-This upstream commit adjusts tests for Perl 5.26.
-
-commit 7ffe93cabb181f39ad5091c31ab9f61bd940a55f
-Author: Anton Yuzhaninov <citrin+github@citrin.ru>
-Date:   Wed Apr 5 19:06:42 2017 +0300
-
-    Fix perl warnings in tests
-    
-    * tests/FTPServer.pm: Escape '{' in RE to fix warnings
-    * tests/FTPTest.pm: Likewise
-    * tests/HTTPServer.pm: Likewise
-    * tests/HTTPTest.pm: Likewise
-    * tests/Test-proxied-https-auth-keepalive.px: Likewise
-    * tests/Test-proxied-https-auth.px: Likewise
-    Escape '{' in RE to fix warnings:
-    Unescaped left brace in regex is deprecated, passed through in regex;
-    marked by <-- HERE in m/{{ <-- HERE port}}/
-
-diff --git a/tests/FTPServer.pm b/tests/FTPServer.pm
-index a5185d66..cac80942 100644
---- a/tests/FTPServer.pm
-+++ b/tests/FTPServer.pm
-@@ -589,7 +589,7 @@ sub new
-     foreach my $file (keys %{$self->{_input}})
-     {
-         my $ref = \$self->{_input}{$file}{content};
--        $$ref =~ s/{{port}}/$self->sockport/eg;
-+        $$ref =~ s/\Q{{port}}/$self->sockport/eg;
-     }
- 
-     return $self;
-diff --git a/tests/FTPTest.pm b/tests/FTPTest.pm
-index 50385ad0..0a1c768c 100644
---- a/tests/FTPTest.pm
-+++ b/tests/FTPTest.pm
-@@ -53,7 +53,7 @@ sub _substitute_port
- {
-     my $self = shift;
-     my $ret  = shift;
--    $ret =~ s/{{port}}/$self->{_server}->sockport/eg;
-+    $ret =~ s/\Q{{port}}/$self->{_server}->sockport/eg;
-     return $ret;
- }
- 
-diff --git a/tests/HTTPServer.pm b/tests/HTTPServer.pm
-index dd8ec043..78609f65 100644
---- a/tests/HTTPServer.pm
-+++ b/tests/HTTPServer.pm
-@@ -310,7 +310,7 @@ sub _substitute_port
- {
-     my $self = shift;
-     my $ret  = shift;
--    $ret =~ s/{{port}}/$self->sockport/eg;
-+    $ret =~ s/\Q{{port}}/$self->sockport/eg;
-     return $ret;
- }
- 
-diff --git a/tests/HTTPTest.pm b/tests/HTTPTest.pm
-index 00f079f8..6225c7f1 100644
---- a/tests/HTTPTest.pm
-+++ b/tests/HTTPTest.pm
-@@ -47,7 +47,7 @@ sub _substitute_port
- {
-     my $self = shift;
-     my $ret  = shift;
--    $ret =~ s/{{port}}/$self->{_server}->sockport/eg;
-+    $ret =~ s/\Q{{port}}/$self->{_server}->sockport/eg;
-     return $ret;
- }
- 
-diff --git a/tests/Test-proxied-https-auth-keepalive.px b/tests/Test-proxied-https-auth-keepalive.px
-index 049bebec..2a18ccfd 100755
---- a/tests/Test-proxied-https-auth-keepalive.px
-+++ b/tests/Test-proxied-https-auth-keepalive.px
-@@ -153,7 +153,7 @@ my $cmdline = $WgetTest::WGETPATH . " --user=fiddle-dee-dee"
-     . " --password=Dodgson -e https_proxy=localhost:{{port}}"
-     . " --no-check-certificate"
-     . " https://no.such.domain/needs-auth.txt";
--$cmdline =~ s/{{port}}/$SOCKET->sockport()/e;
-+$cmdline =~ s/\Q{{port}}/$SOCKET->sockport()/e;
- 
- if (defined $srcdir) {
-     $VALGRIND_SUPP_FILE = $srcdir . '/valgrind-suppressions-ssl';
-diff --git a/tests/Test-proxied-https-auth.px b/tests/Test-proxied-https-auth.px
-index ce4e736c..878114e7 100755
---- a/tests/Test-proxied-https-auth.px
-+++ b/tests/Test-proxied-https-auth.px
-@@ -152,7 +152,7 @@ my $cmdline = $WgetTest::WGETPATH . " --user=fiddle-dee-dee"
-     . " --password=Dodgson -e https_proxy=localhost:{{port}}"
-     . " --no-check-certificate"
-     . " https://no.such.domain/needs-auth.txt";
--$cmdline =~ s/{{port}}/$SOCKET->sockport()/e;
-+$cmdline =~ s/\Q{{port}}/$SOCKET->sockport()/e;
- 
- if (defined $srcdir) {
-     $VALGRIND_SUPP_FILE = $srcdir . '/valgrind-suppressions-ssl';