Mail archive
alpine-aports

[alpine-aports] [PATCH v3.4] main/lcms2: security upgrade to 2.8 - fixes #6779

From: Sergei Lukin <sergej.lukin_at_gmail.com>
Date: Wed, 1 Feb 2017 06:51:38 +0000

CVE-2016-10165: Out-of-bounds read in Type_MLU_Read()
---
It looks that there were no major changes made in 2.7 vs 2.8
https://github.com/mm2/Little-CMS/blob/master/ChangeLog
 main/lcms2/APKBUILD             | 21 +++++++++++++++------
 main/lcms2/CVE-2016-10165.patch | 20 ++++++++++++++++++++
 2 files changed, 35 insertions(+), 6 deletions(-)
 create mode 100644 main/lcms2/CVE-2016-10165.patch
diff --git a/main/lcms2/APKBUILD b/main/lcms2/APKBUILD
index 1a05aac..940960f 100644
--- a/main/lcms2/APKBUILD
+++ b/main/lcms2/APKBUILD
_at_@ -1,6 +1,7 @@
+# Contributor: Sergei Lukin <sergej.lukin_at_gmail.com>
 # Maintainer: Natanael Copa <ncopa_at_alpinelinux.org>
 pkgname=lcms2
-pkgver=2.7
+pkgver=2.8
 pkgrel=0
 pkgdesc="Color Management Engine"
 url="http://www.littlecms.com/"
_at_@ -11,13 +12,18 @@ depends_dev="libjpeg-turbo-dev tiff-dev zlib-dev"
 makedepends="$depends_dev"
 install=""
 subpackages="$pkgname-dev $pkgname-doc $pkgname-utils"
-source="http://www.littlecms.com/lcms2-$pkgver.tar.gz"
+source="http://www.littlecms.com/lcms2-$pkgver.tar.gz
+	CVE-2016-10165.patch
+	"
+
+# secfixes:
+#  2.8-r0:
+#  - CVE-2016-10165
 
 _builddir="$srcdir"/lcms2-$pkgver
 prepare() {
 	local i
 	cd "$_builddir"
-	update_config_sub || return 1
 	for i in $source; do
 		case $i in
 		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
_at_@ -51,6 +57,9 @@ utils() {
 	mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
 }
 
-md5sums="06c1626f625424a811fb4b5eb070839d  lcms2-2.7.tar.gz"
-sha256sums="4524234ae7de185e6b6da5d31d6875085b2198bc63b1211f7dde6e2d197d6a53  lcms2-2.7.tar.gz"
-sha512sums="9e69ec30efa9d50474808c6ae3d9afb0c5798eaabca0052f82d54efecdc2b58ab40434ee6dee9cd80028597d79a07f6b3b1a73f5293fc444343274eac3e32fd4  lcms2-2.7.tar.gz"
+md5sums="87a5913f1a52464190bb655ad230539c  lcms2-2.8.tar.gz
+bd143d366e5ad5d2b7da0b1a9255704d  CVE-2016-10165.patch"
+sha256sums="66d02b229d2ea9474e62c2b6cd6720fde946155cd1d0d2bffdab829790a0fb22  lcms2-2.8.tar.gz
+66d2b7e9ff6aa0896acf0a107e131b9d34d4d8fb7d4129f4eace3a84b17c9cd4  CVE-2016-10165.patch"
+sha512sums="a9478885b4892c79314a2ef9ab560e6655ac8f2d17abae0805e8b871138bb190e21f0e5c805398449f9dad528dc50baaf9e3cce8b8158eb8ff74179be5733f8f  lcms2-2.8.tar.gz
+f1e4ed19d6ab8135927d08da717b141df0f63053000a308a22a903fd4c65c1fd7aefc4508a759c737df4cd5ac4347bd1999157cdfc082930254f90a88b11026e  CVE-2016-10165.patch"
diff --git a/main/lcms2/CVE-2016-10165.patch b/main/lcms2/CVE-2016-10165.patch
new file mode 100644
index 0000000..f0e452f
--- /dev/null
+++ b/main/lcms2/CVE-2016-10165.patch
_at_@ -0,0 +1,20 @@
+commit 5ca71a7bc18b6897ab21d815d15e218e204581e2
+Author: Marti <marti.maria_at_tktbrainpower.com>
+Date:   Mon Aug 15 23:31:39 2016 +0200
+
+    Added an extra check to MLU bounds
+    
+    Thanks to Ibrahim el-sayed for spotting the bug
+
+diff --git a/src/cmstypes.c b/src/cmstypes.c
+index cb61860..c7328b9 100644
+--- a/src/cmstypes.c
++++ b/src/cmstypes.c
+_at_@ -1460,6 +1460,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
+ 
+         // Check for overflow
+         if (Offset < (SizeOfHeader + 8)) goto Error;
++        if ((Offset + Len) > SizeOfTag + 8) goto Error;
+ 
+         // True begin of the string
+         BeginOfThisString = Offset - SizeOfHeader - 8;
-- 
2.8.3
---
Unsubscribe:  alpine-aports+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-aports+help_at_lists.alpinelinux.org
---
Received on Wed Feb 01 2017 - 06:51:38 GMT