From 56ac2bf442c0639f498cdea2db4f3e57cdb49140 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Wed, 16 Nov 2016 02:14:28 -0500 Subject: gnu: pixman: Add fix for CVE-2016-5296. * gnu/packages/patches/pixman-CVE-2016-5296.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/xdisorg.scm (pixman)[replacement]: New field. (pixman/fixed): New variable. --- gnu/local.mk | 1 + gnu/packages/patches/pixman-CVE-2016-5296.patch | 19 +++++++++++++++++++ gnu/packages/xdisorg.scm | 10 +++++++++- 3 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/pixman-CVE-2016-5296.patch diff --git a/gnu/local.mk b/gnu/local.mk index 08f99c4836..8a8b7434ad 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -785,6 +785,7 @@ dist_patch_DATA = \ %D%/packages/patches/pinball-src-deps.patch \ %D%/packages/patches/pinball-system-ltdl.patch \ %D%/packages/patches/pingus-sdl-libs-config.patch \ + %D%/packages/patches/pixman-CVE-2016-5296.patch \ %D%/packages/patches/plink-1.07-unclobber-i.patch \ %D%/packages/patches/plink-endian-detection.patch \ %D%/packages/patches/plotutils-libpng-jmpbuf.patch \ diff --git a/gnu/packages/patches/pixman-CVE-2016-5296.patch b/gnu/packages/patches/pixman-CVE-2016-5296.patch new file mode 100644 index 0000000000..21942326ae --- /dev/null +++ b/gnu/packages/patches/pixman-CVE-2016-5296.patch @@ -0,0 +1,19 @@ +Fix CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1 +Adapted for upstream pixman based on: + + https://hg.mozilla.org/releases/mozilla-esr45/rev/5e39c1c2fded + +--- pixman-0.34.0/pixman/pixman-edge-imp.h.orig 2015-06-30 05:48:31.000000000 -0400 ++++ pixman-0.34.0/pixman/pixman-edge-imp.h 2016-11-16 01:09:34.046335106 -0500 +@@ -55,8 +55,9 @@ + * + * (The AA case does a similar adjustment in RENDER_SAMPLES_X) + */ +- lx += X_FRAC_FIRST(1) - pixman_fixed_e; +- rx += X_FRAC_FIRST(1) - pixman_fixed_e; ++ /* we cast to unsigned to get defined behaviour for overflow */ ++ lx = (unsigned)lx + X_FRAC_FIRST(1) - pixman_fixed_e; ++ rx = (unsigned)rx + X_FRAC_FIRST(1) - pixman_fixed_e; + #endif + /* clip X */ + if (lx < 0) diff --git a/gnu/packages/xdisorg.scm b/gnu/packages/xdisorg.scm index a26c716866..53048e0607 100644 --- a/gnu/packages/xdisorg.scm +++ b/gnu/packages/xdisorg.scm @@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2014 Andreas Enge -;;; Copyright © 2014, 2015 Mark H Weaver +;;; Copyright © 2014, 2015, 2016 Mark H Weaver ;;; Copyright © 2014 Eric Bavier ;;; Copyright © 2014, 2015, 2016 Alex Kost ;;; Copyright © 2013, 2015 Ludovic Courtès @@ -241,6 +241,7 @@ following the mouse.") (package (name "pixman") (version "0.34.0") + (replacement pixman/fixed) (source (origin (method url-fetch) (uri (string-append @@ -262,6 +263,13 @@ manipulation, providing features such as image compositing and trapezoid rasterisation.") (license license:x11))) +(define pixman/fixed + (package + (inherit pixman) + (source (origin + (inherit (package-source pixman)) + (patches (search-patches "pixman-CVE-2016-5296.patch")))))) + (define-public libdrm (package -- cgit 1.4.1