Author: rjones Update of /cvs/pkgs/rpms/ocaml-camlimages/F-11 In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv760 Modified Files: ocaml-camlimages.spec Added Files: camlimages-oversized-png-check-CVE-2009-2295.patch Log Message: - ocaml-camlimages: PNG reader multiple integer overflows (CVE 2009-2295 / RHBZ#509531). camlimages-oversized-png-check-CVE-2009-2295.patch: --- NEW FILE camlimages-oversized-png-check-CVE-2009-2295.patch --- --- camlimages-3.0.1/src/pngread.c 2007-01-18 10:29:57.000000000 +0000 +++ camlimages-3.0.1-oversized-png-checks/src/pngread.c 2009-07-03 14:19:42.000000000 +0100 @@ -26,6 +26,12 @@ #define PNG_TAG_INDEX16 2 #define PNG_TAG_INDEX4 3 +/* Test if x or y are negative, or if multiplying x * y would cause an + * arithmetic overflow. + */ +#define oversized(x, y) \ + ((x) < 0 || (y) < 0 || (x) * (y) < (x) || (x) * (y) < (y)) + value read_png_file_as_rgb24( name ) value name; { @@ -81,6 +87,9 @@ png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, &interlace_type, NULL, NULL); + if (oversized (width, height)) + failwith ("png error: image contains oversized or bogus width and height"); + if ( color_type == PNG_COLOR_TYPE_GRAY || color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { png_set_gray_to_rgb(png_ptr); @@ -102,6 +111,9 @@ rowbytes = png_get_rowbytes(png_ptr, info_ptr); + if (oversized (rowbytes, height)) + failwith ("png error: image contains oversized or bogus rowbytes and height"); + { int i; png_bytep *row_pointers; @@ -235,6 +247,9 @@ png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, &interlace_type, NULL, NULL); + if (oversized (width, height)) + failwith ("png error: image contains oversized or bogus width and height"); + if ( color_type == PNG_COLOR_TYPE_GRAY || color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { png_set_gray_to_rgb(png_ptr); @@ -251,6 +266,9 @@ rowbytes = png_get_rowbytes(png_ptr, info_ptr); + if (oversized (rowbytes, height)) + failwith ("png error: image contains oversized or bogus rowbytes and height"); + /* fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr); */ Index: ocaml-camlimages.spec =================================================================== RCS file: /cvs/pkgs/rpms/ocaml-camlimages/F-11/ocaml-camlimages.spec,v retrieving revision 1.14 retrieving revision 1.15 diff -u -p -r1.14 -r1.15 --- ocaml-camlimages.spec 26 Feb 2009 06:51:27 -0000 1.14 +++ ocaml-camlimages.spec 3 Jul 2009 13:52:51 -0000 1.15 @@ -4,7 +4,7 @@ Name: ocaml-camlimages Version: 3.0.1 -Release: 7%{?dist} +Release: 7%{?dist}.1 Summary: OCaml image processing library Group: Development/Libraries @@ -16,6 +16,9 @@ BuildRoot: %{_tmppath}/%{name}-%{ve Patch0: camlimages-3.0.1-display-module.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=509531#c4 +Patch1: camlimages-oversized-png-check-CVE-2009-2295.patch + BuildRequires: ocaml >= 3.10.1 BuildRequires: ocaml-lablgtk-devel BuildRequires: ocaml-x11 @@ -62,6 +65,7 @@ Includes documentation provided by ocaml # Gdk.Display submodule clashes with the Display module in # the examples/liv directory, so rename it: %patch0 -p1 +%patch1 -p1 aclocal -I . automake autoconf @@ -107,6 +111,10 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Fri Jul 3 2009 Richard W.M. Jones <rjones@xxxxxxxxxx> - 3.0.1-7.fc11.1 +- ocaml-camlimages: PNG reader multiple integer overflows + (CVE 2009-2295 / RHBZ#509531). + * Wed Feb 25 2009 Fedora Release Engineering <rel-eng@xxxxxxxxxxxxxxxxxxxxxxx> - 3.0.1-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild _______________________________________________ Fedora-ocaml-list mailing list Fedora-ocaml-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-ocaml-list