Author: rjones Update of /cvs/pkgs/rpms/ocaml-camlimages/EL-4 In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv3755 Modified Files: camlimages-oversized-png-check-CVE-2009-2295.patch ocaml-camlimages.spec Added Files: camlimages-oversized-tiff-check-CVE-2009-3296.patch Log Message: * Fri Oct 16 2009 Richard W.M. Jones <rjones@xxxxxxxxxx> - 2.2.0-9 - ocaml-camlimages: TIFF reader multiple integer overflows (CVE 2009-3296 / RHBZ#528732). camlimages-oversized-tiff-check-CVE-2009-3296.patch: tiffread.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)
--- NEW FILE camlimages-oversized-tiff-check-CVE-2009-3296.patch ---
--- camlimages-2.2.orig/tiff/tiffread.c 2004-09-21 22:56:44.000000000 +0100
+++ camlimages-2.2.tiff/tiff/tiffread.c 2009-10-16 10:47:32.515257997 +0100
@@ -18,6 +18,13 @@
 #include <caml/memory.h>
 #include <caml/fail.h>
+#include <limits.h>
+#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+
+#define failwith_oversized(lib) \
+ failwith("#lib error: image contains oversized or bogus width and height");
+
 #if HAVE_TIFF
 /* These are defined in caml/config.h */
@@ -68,6 +75,10 @@
 TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres);
 TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric);
+ if (oversized (imagewidth, imagelength)) {
+ failwith_oversized("tiff");
+ }
+
 if( imagesample == 3 && photometric == PHOTOMETRIC_RGB ){
 if( imagebits != 8 ){
 failwith("Sorry, tiff rgb file must be 24bit-color");
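Review bot: In the `failwith_oversized` macro the `#lib` sits inside a string literal, so it is never stringized and the runtime message reads literally `#lib error: image contains oversized or bogus width and height`; the `lib` argument is effectively unused. Stringize outside the literal and let adjacent-literal concatenation join the pieces: `failwith(#lib " error: image contains oversized or bogus width and height")`. Dropping the trailing `;` from the macro body also avoids the empty statement that the call sites `failwith_oversized("tiff");` in this hunk's second part and in the `@@ -156,6 +167,11 @@` hunk currently expand to. The identical `oversized` macro in the pngread.c patch carries a comment saying it tests for negative operands and for `x * y` overflowing `int`; the tiff copy should carry the same comment. If the buffer allocations that follow scale `imagewidth * imagelength` by a per-pixel byte count (not visible in the hunk), the `INT_MAX` bound should be divided by that factor as well.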
@@ -156,6 +167,11 @@
 TIFFGetField(tif, TIFFTAG_RESOLUTIONUNIT, &runit);
 TIFFGetField(tif, TIFFTAG_XRESOLUTION, &xres);
 TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres);
+
+ if (oversized (imagewidth, imagelength)) {
+ failwith_oversized("tiff");
+ }
+
 if( imagesample != 3 || imagebits != 8 ) {
 failwith("tiff file is not in the 24 bit RGB format");
 }
camlimages-oversized-png-check-CVE-2009-2295.patch: pngread.c | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-)
Index: camlimages-oversized-png-check-CVE-2009-2295.patch
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/EL-4/camlimages-oversized-png-check-CVE-2009-2295.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- camlimages-oversized-png-check-CVE-2009-2295.patch 3 Jul 2009 18:28:47 -0000 1.2
+++ camlimages-oversized-png-check-CVE-2009-2295.patch 16 Oct 2009 09:51:57 -0000 1.3
@@ -1,28 +1,28 @@ ---- camlimages-3.0.1.orig/src/pngread.c 2007-01-18 10:29:57.000000000 +0000 -+++ camlimages-3.0.1.oversized/src/pngread.c 2009-07-03 15:51:00.000000000 +0100 -@@ -15,6 +15,8 @@ - #include "config.h" - #endif +--- camlimages-2.2.orig/png/pngread.c 2002-03-26 13:15:10.000000000 +0000 ++++ camlimages-2.2.png/png/pngread.c 2009-10-16 10:46:07.759508515 +0100 +@@ -13,6 +13,8 @@ + /***********************************************************************/ + #include <config.h> +#include <limits.h> + + #if HAVE_PNG #include <png.h> - - #include <caml/mlvalues.h> -@@ -26,6 +28,12 @@ + #endif +@@ -33,6 +35,12 @@ #define PNG_TAG_INDEX16 2 #define PNG_TAG_INDEX4 3 +/* Test if x or y are negative, or if multiplying x * y would cause an + * arithmetic overflow. + */ -+#define oversized(x, y) \ ++#define oversized(x, y) \ + ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y))) + value read_png_file_as_rgb24( name ) value name; { -@@ -81,6 +89,9 @@ +@@ -88,6 +96,9 @@ png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, &interlace_type, NULL, NULL); @@ -32,7 +32,7 @@ if ( color_type == PNG_COLOR_TYPE_GRAY || color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { png_set_gray_to_rgb(png_ptr); -@@ -102,10 +113,16 @@ +@@ -109,10 +120,16 @@ rowbytes = png_get_rowbytes(png_ptr, info_ptr); @@ -49,7 +49,7 @@ row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height); res = alloc_tuple(3); -@@ -235,6 +252,9 @@ +@@ -242,6 +259,9 @@ png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, &interlace_type, NULL, NULL); @@ -59,7 +59,7 @@ if ( color_type == PNG_COLOR_TYPE_GRAY || color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { png_set_gray_to_rgb(png_ptr); -@@ -251,6 +271,9 @@ +@@ -258,6 +278,9 @@ rowbytes = png_get_rowbytes(png_ptr, info_ptr); 
@@ -69,10 +69,12 @@ /* fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr); */ -@@ -259,6 +282,9 @@ +@@ -265,7 +288,10 @@ + int i; png_bytep *row_pointers; char mesg[256]; - +- ++ + if (oversized (sizeof (png_bytep), height)) + failwith ("png error: image contains oversized or bogus height"); +
Index: ocaml-camlimages.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/EL-4/ocaml-camlimages.spec,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -p -r1.3 -r1.4
--- ocaml-camlimages.spec 3 Jul 2009 13:59:36 -0000 1.3
+++ ocaml-camlimages.spec 16 Oct 2009 09:51:57 -0000 1.4
@@ -13,6 +13,9 @@ Patch0: camlimages-2.2.0-stubdes
 # https://bugzilla.redhat.com/show_bug.cgi?id=509531#c4
 Patch1: camlimages-oversized-png-check-CVE-2009-2295.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=528732
+Patch2: camlimages-oversized-tiff-check-CVE-2009-3296.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 # Excluding on ppc64 due to missing dependencies (Bug #239518)
@@ -48,10 +51,8 @@ Includes documentation provided by ocaml
 %prep
 %setup -q -n camlimages-2.2 -a 1
 %patch0 -p1
-
-pushd png
-%patch1 -p2
-popd
+%patch1 -p1
+%patch2 -p1
 sed -i -e 's|LIBRARYDIRS=ppm bmp xvthumb jpeg tiff gif png xpm ps graphics freetype|LIBRARYDIRS=%buildlibs|' Makefile.build.in
@@ -82,6 +83,10 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
+* Fri Oct 16 2009 Richard W.M. Jones <rjones@xxxxxxxxxx> - 2.2.0-9
+- ocaml-camlimages: TIFF reader multiple integer overflows
+ (CVE 2009-3296 / RHBZ#528732).
+
 * Fri Jul 3 2009 Richard W.M. Jones <rjones@xxxxxxxxxx> - 2.2.0-8
 - ocaml-camlimages: PNG reader multiple integer overflows
 (CVE 2009-2295 / RHBZ#509531).
_______________________________________________ Fedora-ocaml-list mailing list Fedora-ocaml-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-ocaml-list
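Review bot: The spec diff contains no hunk touching the `Release:` tag, yet the new `%changelog` entry in the `@@ -82,6 +83,10 @@` hunk is dated as `2.2.0-9`; unless Release is derived from a macro outside the three hunks shown, the package rebuilds as -8 with a changelog that claims -9, which rpmlint reports as a mismatch. Bump `Release:` in the same commit so the NVR and the changelog agree. The `%patch1 -p2` to `-p1` change and the removal of the `pushd png` wrapper are consistent with the rebased header paths in the PNG patch (`camlimages-2.2.orig/png/pngread.c`), so the `%prep` hunk itself looks correct.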