rpms/ocaml-camlimages/EL-5 camlimages-oversized-png-check-CVE-2009-2295.patch, 1.1, 1.2
by Richard W.M. Jones
Author: rjones
Update of /cvs/pkgs/rpms/ocaml-camlimages/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv20504/EL-5
Modified Files:
camlimages-oversized-png-check-CVE-2009-2295.patch
Log Message:
Updated patch from https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11
camlimages-oversized-png-check-CVE-2009-2295.patch:
Index: camlimages-oversized-png-check-CVE-2009-2295.patch
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/EL-5/camlimages-oversized-png-check-CVE-2009-2295.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- camlimages-oversized-png-check-CVE-2009-2295.patch 3 Jul 2009 13:59:10 -0000 1.1
+++ camlimages-oversized-png-check-CVE-2009-2295.patch 3 Jul 2009 18:28:47 -0000 1.2
@@ -1,6 +1,15 @@
---- camlimages-3.0.1/src/pngread.c 2007-01-18 10:29:57.000000000 +0000
-+++ camlimages-3.0.1-oversized-png-checks/src/pngread.c 2009-07-03 14:19:42.000000000 +0100
-@@ -26,6 +26,12 @@
+--- camlimages-3.0.1.orig/src/pngread.c 2007-01-18 10:29:57.000000000 +0000
++++ camlimages-3.0.1.oversized/src/pngread.c 2009-07-03 15:51:00.000000000 +0100
+@@ -15,6 +15,8 @@
+ #include "config.h"
+ #endif
+
++#include <limits.h>
++
+ #include <png.h>
+
+ #include <caml/mlvalues.h>
+@@ -26,6 +28,12 @@
#define PNG_TAG_INDEX16 2
#define PNG_TAG_INDEX4 3
@@ -8,12 +17,12 @@
+ * arithmetic overflow.
+ */
+#define oversized(x, y) \
-+ ((x) < 0 || (y) < 0 || (x) * (y) < (x) || (x) * (y) < (y))
++ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+
value read_png_file_as_rgb24( name )
value name;
{
-@@ -81,6 +87,9 @@
+@@ -81,6 +89,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
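Review bot: The comment kept above `oversized` still says the macro tests whether `x * y` "would cause an arithmetic overflow", but the rewritten last line rejects any product above `INT_MAX` regardless of the operand type. The comment should state that bound, e.g. `/* True if x or y is negative, or if x * y would exceed INT_MAX. */`. Since `width` and `height` are filled in through `png_get_IHDR`, they are presumably unsigned, so for them the `< 0` arms never fire and the division arm is the only effective check. The macro also evaluates each argument up to three times, which is harmless for the plain variables passed in this patch but would not be for an argument with side effects.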
@@ -23,7 +32,7 @@
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
-@@ -102,6 +111,9 @@
+@@ -102,10 +113,16 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
@@ -33,7 +42,14 @@
{
int i;
png_bytep *row_pointers;
-@@ -235,6 +247,9 @@
+
++ if (oversized (sizeof (png_bytep), height))
++ failwith ("png error: image contains oversized or bogus height");
++
+ row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
+
+ res = alloc_tuple(3);
+@@ -235,6 +252,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
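Review bot: The `failwith` added after the `oversized (sizeof (png_bytep), height)` check raises an OCaml exception and does not return, so the libpng read state in `png_ptr`/`info_ptr` (used by `png_get_rowbytes` just before this block), and presumably the open input file, are not released on this path unless cleanup happens outside the lines shown. Each rejected image would then leak those resources, which matters for a long-running process that is fed untrusted files. Releasing them first, e.g. `png_destroy_read_struct(&png_ptr, &info_ptr, NULL);` plus closing the file before `failwith`, would avoid that. The same applies to the identical check in the `@@ -259,6 +282,9 @@` hunk and to the width/height and rowbytes/height checks from the first revision of the patch. The enclosing function starts and ends outside the hunk.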
@@ -43,7 +59,7 @@
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
-@@ -251,6 +266,9 @@
+@@ -251,6 +271,9 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
@@ -53,3 +69,13 @@
/*
fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
*/
+@@ -259,6 +282,9 @@
+ png_bytep *row_pointers;
+ char mesg[256];
+
++ if (oversized (sizeof (png_bytep), height))
++ failwith ("png error: image contains oversized or bogus height");
++
+ row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height);
+ res = alloc_tuple(3);
+
14 years, 10 months
rpms/ocaml-camlimages/EL-4 camlimages-oversized-png-check-CVE-2009-2295.patch, 1.1, 1.2
by Richard W.M. Jones
Author: rjones
Update of /cvs/pkgs/rpms/ocaml-camlimages/EL-4
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv20504/EL-4
Modified Files:
camlimages-oversized-png-check-CVE-2009-2295.patch
Log Message:
Updated patch from https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11
camlimages-oversized-png-check-CVE-2009-2295.patch:
Index: camlimages-oversized-png-check-CVE-2009-2295.patch
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/EL-4/camlimages-oversized-png-check-CVE-2009-2295.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- camlimages-oversized-png-check-CVE-2009-2295.patch 3 Jul 2009 13:59:36 -0000 1.1
+++ camlimages-oversized-png-check-CVE-2009-2295.patch 3 Jul 2009 18:28:47 -0000 1.2
@@ -1,6 +1,15 @@
---- camlimages-3.0.1/src/pngread.c 2007-01-18 10:29:57.000000000 +0000
-+++ camlimages-3.0.1-oversized-png-checks/src/pngread.c 2009-07-03 14:19:42.000000000 +0100
-@@ -26,6 +26,12 @@
+--- camlimages-3.0.1.orig/src/pngread.c 2007-01-18 10:29:57.000000000 +0000
++++ camlimages-3.0.1.oversized/src/pngread.c 2009-07-03 15:51:00.000000000 +0100
+@@ -15,6 +15,8 @@
+ #include "config.h"
+ #endif
+
++#include <limits.h>
++
+ #include <png.h>
+
+ #include <caml/mlvalues.h>
+@@ -26,6 +28,12 @@
#define PNG_TAG_INDEX16 2
#define PNG_TAG_INDEX4 3
@@ -8,12 +17,12 @@
+ * arithmetic overflow.
+ */
+#define oversized(x, y) \
-+ ((x) < 0 || (y) < 0 || (x) * (y) < (x) || (x) * (y) < (y))
++ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+
value read_png_file_as_rgb24( name )
value name;
{
-@@ -81,6 +87,9 @@
+@@ -81,6 +89,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
@@ -23,7 +32,7 @@
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
-@@ -102,6 +111,9 @@
+@@ -102,10 +113,16 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
@@ -33,7 +42,14 @@
{
int i;
png_bytep *row_pointers;
-@@ -235,6 +247,9 @@
+
++ if (oversized (sizeof (png_bytep), height))
++ failwith ("png error: image contains oversized or bogus height");
++
+ row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
+
+ res = alloc_tuple(3);
+@@ -235,6 +252,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
@@ -43,7 +59,7 @@
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
-@@ -251,6 +266,9 @@
+@@ -251,6 +271,9 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
@@ -53,3 +69,13 @@
/*
fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
*/
+@@ -259,6 +282,9 @@
+ png_bytep *row_pointers;
+ char mesg[256];
+
++ if (oversized (sizeof (png_bytep), height))
++ failwith ("png error: image contains oversized or bogus height");
++
+ row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height);
+ res = alloc_tuple(3);
+
14 years, 10 months
rpms/ocaml-camlimages/devel camlimages-oversized-png-check-CVE-2009-2295.patch, 1.1, 1.2
by Richard W.M. Jones
Author: rjones
Update of /cvs/pkgs/rpms/ocaml-camlimages/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv20504/devel
Modified Files:
camlimages-oversized-png-check-CVE-2009-2295.patch
Log Message:
Updated patch from https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11
camlimages-oversized-png-check-CVE-2009-2295.patch:
Index: camlimages-oversized-png-check-CVE-2009-2295.patch
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/devel/camlimages-oversized-png-check-CVE-2009-2295.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- camlimages-oversized-png-check-CVE-2009-2295.patch 3 Jul 2009 13:52:16 -0000 1.1
+++ camlimages-oversized-png-check-CVE-2009-2295.patch 3 Jul 2009 18:28:48 -0000 1.2
@@ -1,6 +1,15 @@
---- camlimages-3.0.1/src/pngread.c 2007-01-18 10:29:57.000000000 +0000
-+++ camlimages-3.0.1-oversized-png-checks/src/pngread.c 2009-07-03 14:19:42.000000000 +0100
-@@ -26,6 +26,12 @@
+--- camlimages-3.0.1.orig/src/pngread.c 2007-01-18 10:29:57.000000000 +0000
++++ camlimages-3.0.1.oversized/src/pngread.c 2009-07-03 15:51:00.000000000 +0100
+@@ -15,6 +15,8 @@
+ #include "config.h"
+ #endif
+
++#include <limits.h>
++
+ #include <png.h>
+
+ #include <caml/mlvalues.h>
+@@ -26,6 +28,12 @@
#define PNG_TAG_INDEX16 2
#define PNG_TAG_INDEX4 3
@@ -8,12 +17,12 @@
+ * arithmetic overflow.
+ */
+#define oversized(x, y) \
-+ ((x) < 0 || (y) < 0 || (x) * (y) < (x) || (x) * (y) < (y))
++ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+
value read_png_file_as_rgb24( name )
value name;
{
-@@ -81,6 +87,9 @@
+@@ -81,6 +89,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
@@ -23,7 +32,7 @@
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
-@@ -102,6 +111,9 @@
+@@ -102,10 +113,16 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
@@ -33,7 +42,14 @@
{
int i;
png_bytep *row_pointers;
-@@ -235,6 +247,9 @@
+
++ if (oversized (sizeof (png_bytep), height))
++ failwith ("png error: image contains oversized or bogus height");
++
+ row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
+
+ res = alloc_tuple(3);
+@@ -235,6 +252,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
@@ -43,7 +59,7 @@
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
-@@ -251,6 +266,9 @@
+@@ -251,6 +271,9 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
@@ -53,3 +69,13 @@
/*
fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
*/
+@@ -259,6 +282,9 @@
+ png_bytep *row_pointers;
+ char mesg[256];
+
++ if (oversized (sizeof (png_bytep), height))
++ failwith ("png error: image contains oversized or bogus height");
++
+ row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height);
+ res = alloc_tuple(3);
+
14 years, 10 months
rpms/ocaml-camlimages/EL-5 ocaml-camlimages.spec,1.3,1.4
by Richard W.M. Jones
Author: rjones
Update of /cvs/pkgs/rpms/ocaml-camlimages/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4448
Modified Files:
ocaml-camlimages.spec
Log Message:
lablgtk -> ocaml-lablgtk
Index: ocaml-camlimages.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/EL-5/ocaml-camlimages.spec,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -p -r1.3 -r1.4
--- ocaml-camlimages.spec 3 Jul 2009 14:00:01 -0000 1.3
+++ ocaml-camlimages.spec 3 Jul 2009 14:06:49 -0000 1.4
@@ -1,6 +1,6 @@
Name: ocaml-camlimages
Version: 2.2.0
-Release: 9%{?dist}
+Release: 10%{?dist}
Summary: OCaml image processing library
Group: Development/Libraries
@@ -15,7 +15,7 @@ Patch1: camlimages-oversized-png
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: lablgtk libpng-devel libjpeg-devel ocaml
+BuildRequires: ocaml-lablgtk libpng-devel libjpeg-devel ocaml
BuildRequires: libXpm-devel ghostscript-devel freetype-devel
BuildRequires: giflib-devel
Requires: ocaml
@@ -79,9 +79,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
-* Fri Jul 3 2009 Richard W.M. Jones <rjones(a)redhat.com> - 2.2.0-9
+* Fri Jul 3 2009 Richard W.M. Jones <rjones(a)redhat.com> - 2.2.0-10
- ocaml-camlimages: PNG reader multiple integer overflows
(CVE 2009-2295 / RHBZ#509531).
+- Changed dep from 'lablgtk' to 'ocaml-lablgtk'.
* Fri May 04 2007 Nigel Jones <dev(a)nigelj.com> 2.2.0-7
- Change to Makefile patch to move .so files to stublibs
14 years, 10 months
rpms/ocaml-camlimages/EL-5 ocaml-camlimages.spec,1.2,1.3
by Richard W.M. Jones
Author: rjones
Update of /cvs/pkgs/rpms/ocaml-camlimages/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv3140
Modified Files:
ocaml-camlimages.spec
Log Message:
Bump spec to rebuild.
Index: ocaml-camlimages.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/EL-5/ocaml-camlimages.spec,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- ocaml-camlimages.spec 3 Jul 2009 13:59:11 -0000 1.2
+++ ocaml-camlimages.spec 3 Jul 2009 14:00:01 -0000 1.3
@@ -1,6 +1,6 @@
Name: ocaml-camlimages
Version: 2.2.0
-Release: 8%{?dist}
+Release: 9%{?dist}
Summary: OCaml image processing library
Group: Development/Libraries
@@ -79,7 +79,7 @@ rm -rf $RPM_BUILD_ROOT
%changelog
-* Fri Jul 3 2009 Richard W.M. Jones <rjones(a)redhat.com> - 2.2.0-8
+* Fri Jul 3 2009 Richard W.M. Jones <rjones(a)redhat.com> - 2.2.0-9
- ocaml-camlimages: PNG reader multiple integer overflows
(CVE 2009-2295 / RHBZ#509531).
14 years, 10 months
rpms/ocaml-camlimages/EL-4 camlimages-oversized-png-check-CVE-2009-2295.patch, NONE, 1.1 ocaml-camlimages.spec, 1.2, 1.3
by Richard W.M. Jones
Author: rjones
Update of /cvs/pkgs/rpms/ocaml-camlimages/EL-4
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv3049
Modified Files:
ocaml-camlimages.spec
Added Files:
camlimages-oversized-png-check-CVE-2009-2295.patch
Log Message:
- ocaml-camlimages: PNG reader multiple integer overflows
(CVE 2009-2295 / RHBZ#509531).
camlimages-oversized-png-check-CVE-2009-2295.patch:
--- NEW FILE camlimages-oversized-png-check-CVE-2009-2295.patch ---
--- camlimages-3.0.1/src/pngread.c 2007-01-18 10:29:57.000000000 +0000
+++ camlimages-3.0.1-oversized-png-checks/src/pngread.c 2009-07-03 14:19:42.000000000 +0100
@@ -26,6 +26,12 @@
#define PNG_TAG_INDEX16 2
#define PNG_TAG_INDEX4 3
+/* Test if x or y are negative, or if multiplying x * y would cause an
+ * arithmetic overflow.
+ */
+#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || (x) * (y) < (x) || (x) * (y) < (y))
+
value read_png_file_as_rgb24( name )
value name;
{
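Review bot: The overflow arm of `oversized`, `(x) * (y) < (x) || (x) * (y) < (y)`, inspects the product after it has already been computed, which is not a reliable test. For signed operands the overflow is undefined behaviour and a compiler may drop the comparison; for unsigned operands a wrapped product can still be at least as large as both factors (constructed 32-bit example: 3 * 0x80000000 wraps to 0x80000000), so some overflowing pairs pass the check. A bound checked by division before multiplying avoids both problems, e.g. `((y) != 0 && (x) > INT_MAX / (y))` with `<limits.h>` included, which is what revision 1.2 of this patch on the same page switches to. The identical patch file is added in the EL-5, F-10, F-11 and devel commits on this page.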
@@ -81,6 +87,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
+ if (oversized (width, height))
+ failwith ("png error: image contains oversized or bogus width and height");
+
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
@@ -102,6 +111,9 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ if (oversized (rowbytes, height))
+ failwith ("png error: image contains oversized or bogus rowbytes and height");
+
{
int i;
png_bytep *row_pointers;
@@ -235,6 +247,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
+ if (oversized (width, height))
+ failwith ("png error: image contains oversized or bogus width and height");
+
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
@@ -251,6 +266,9 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ if (oversized (rowbytes, height))
+ failwith ("png error: image contains oversized or bogus rowbytes and height");
+
/*
fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
*/
Index: ocaml-camlimages.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/EL-4/ocaml-camlimages.spec,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- ocaml-camlimages.spec 9 May 2007 02:53:13 -0000 1.2
+++ ocaml-camlimages.spec 3 Jul 2009 13:59:36 -0000 1.3
@@ -1,6 +1,6 @@
Name: ocaml-camlimages
Version: 2.2.0
-Release: 8%{?dist}
+Release: 9%{?dist}
Summary: OCaml image processing library
Group: Development/Libraries
@@ -9,6 +9,10 @@ URL: http://pauillac.inria.fr
Source0: ftp://ftp.inria.fr/INRIA/Projects/cristal/caml-light/bazar-ocaml/camlimages-%{version}.tgz
Source1: camlimages-2.2.0-htmlref.tar.gz
Patch0: camlimages-2.2.0-stubdest.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=509531#c4
+Patch1: camlimages-oversized-png-check-CVE-2009-2295.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
# Excluding on ppc64 due to missing dependencies (Bug #239518)
@@ -43,7 +47,12 @@ Includes documentation provided by ocaml
%prep
%setup -q -n camlimages-2.2 -a 1
-%patch -p1
+%patch0 -p1
+
+pushd png
+%patch1 -p2
+popd
+
sed -i -e 's|LIBRARYDIRS=ppm bmp xvthumb jpeg tiff gif png xpm ps graphics freetype|LIBRARYDIRS=%buildlibs|' Makefile.build.in
%build
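Review bot: The patch applied by `%patch1 -p2` inside `png/` was generated against `camlimages-3.0.1/src/pngread.c`, while this spec packages 2.2.0 (`%setup -q -n camlimages-2.2`), so the hunk line numbers probably do not match this tree and the security checks would land by offset or fuzz. A comment above the `pushd` would record that, e.g. `# Patch was made against 3.0.1 src/pngread.c; -p2 maps it onto png/pngread.c here.` The build log should also be checked to confirm that every hunk applied inside the intended function. The EL-5 spec change further down the page adds the same `%prep` lines.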
@@ -73,6 +82,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Fri Jul 3 2009 Richard W.M. Jones <rjones(a)redhat.com> - 2.2.0-8
+- ocaml-camlimages: PNG reader multiple integer overflows
+ (CVE 2009-2295 / RHBZ#509531).
+
* Wed May 09 2007 Nigel Jones <dev(a)nigelj.com> 2.2.0-8
- Exclude ppc64 builds due to missing ocaml
14 years, 10 months
rpms/ocaml-camlimages/EL-5 camlimages-oversized-png-check-CVE-2009-2295.patch, NONE, 1.1 ocaml-camlimages.spec, 1.1, 1.2
by Richard W.M. Jones
Author: rjones
Update of /cvs/pkgs/rpms/ocaml-camlimages/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv2932
Modified Files:
ocaml-camlimages.spec
Added Files:
camlimages-oversized-png-check-CVE-2009-2295.patch
Log Message:
- ocaml-camlimages: PNG reader multiple integer overflows
(CVE 2009-2295 / RHBZ#509531).
camlimages-oversized-png-check-CVE-2009-2295.patch:
--- NEW FILE camlimages-oversized-png-check-CVE-2009-2295.patch ---
--- camlimages-3.0.1/src/pngread.c 2007-01-18 10:29:57.000000000 +0000
+++ camlimages-3.0.1-oversized-png-checks/src/pngread.c 2009-07-03 14:19:42.000000000 +0100
@@ -26,6 +26,12 @@
#define PNG_TAG_INDEX16 2
#define PNG_TAG_INDEX4 3
+/* Test if x or y are negative, or if multiplying x * y would cause an
+ * arithmetic overflow.
+ */
+#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || (x) * (y) < (x) || (x) * (y) < (y))
+
value read_png_file_as_rgb24( name )
value name;
{
@@ -81,6 +87,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
+ if (oversized (width, height))
+ failwith ("png error: image contains oversized or bogus width and height");
+
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
@@ -102,6 +111,9 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ if (oversized (rowbytes, height))
+ failwith ("png error: image contains oversized or bogus rowbytes and height");
+
{
int i;
png_bytep *row_pointers;
@@ -235,6 +247,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
+ if (oversized (width, height))
+ failwith ("png error: image contains oversized or bogus width and height");
+
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
@@ -251,6 +266,9 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ if (oversized (rowbytes, height))
+ failwith ("png error: image contains oversized or bogus rowbytes and height");
+
/*
fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
*/
Index: ocaml-camlimages.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/EL-5/ocaml-camlimages.spec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- ocaml-camlimages.spec 5 May 2007 23:23:12 -0000 1.1
+++ ocaml-camlimages.spec 3 Jul 2009 13:59:11 -0000 1.2
@@ -1,6 +1,6 @@
Name: ocaml-camlimages
Version: 2.2.0
-Release: 7%{?dist}
+Release: 8%{?dist}
Summary: OCaml image processing library
Group: Development/Libraries
@@ -9,6 +9,10 @@ URL: http://pauillac.inria.fr
Source0: ftp://ftp.inria.fr/INRIA/Projects/cristal/caml-light/bazar-ocaml/camlimages-%{version}.tgz
Source1: camlimages-2.2.0-htmlref.tar.gz
Patch0: camlimages-2.2.0-stubdest.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=509531#c4
+Patch1: camlimages-oversized-png-check-CVE-2009-2295.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: lablgtk libpng-devel libjpeg-devel ocaml
@@ -40,7 +44,12 @@ Includes documentation provided by ocaml
%prep
%setup -q -n camlimages-2.2 -a 1
-%patch -p1
+%patch0 -p1
+
+pushd png
+%patch1 -p2
+popd
+
sed -i -e 's|LIBRARYDIRS=ppm bmp xvthumb jpeg tiff gif png xpm ps graphics freetype|LIBRARYDIRS=%buildlibs|' Makefile.build.in
%build
@@ -70,6 +79,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Fri Jul 3 2009 Richard W.M. Jones <rjones(a)redhat.com> - 2.2.0-8
+- ocaml-camlimages: PNG reader multiple integer overflows
+ (CVE 2009-2295 / RHBZ#509531).
+
* Fri May 04 2007 Nigel Jones <dev(a)nigelj.com> 2.2.0-7
- Change to Makefile patch to move .so files to stublibs
- Rename to ocaml-camlimages
14 years, 10 months
rpms/ocaml-camlimages/F-10 camlimages-oversized-png-check-CVE-2009-2295.patch, NONE, 1.1 ocaml-camlimages.spec, 1.10, 1.11
by Richard W.M. Jones
Author: rjones
Update of /cvs/pkgs/rpms/ocaml-camlimages/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv1237
Modified Files:
ocaml-camlimages.spec
Added Files:
camlimages-oversized-png-check-CVE-2009-2295.patch
Log Message:
- ocaml-camlimages: PNG reader multiple integer overflows
(CVE 2009-2295 / RHBZ#509531).
camlimages-oversized-png-check-CVE-2009-2295.patch:
--- NEW FILE camlimages-oversized-png-check-CVE-2009-2295.patch ---
--- camlimages-3.0.1/src/pngread.c 2007-01-18 10:29:57.000000000 +0000
+++ camlimages-3.0.1-oversized-png-checks/src/pngread.c 2009-07-03 14:19:42.000000000 +0100
@@ -26,6 +26,12 @@
#define PNG_TAG_INDEX16 2
#define PNG_TAG_INDEX4 3
+/* Test if x or y are negative, or if multiplying x * y would cause an
+ * arithmetic overflow.
+ */
+#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || (x) * (y) < (x) || (x) * (y) < (y))
+
value read_png_file_as_rgb24( name )
value name;
{
@@ -81,6 +87,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
+ if (oversized (width, height))
+ failwith ("png error: image contains oversized or bogus width and height");
+
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
@@ -102,6 +111,9 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ if (oversized (rowbytes, height))
+ failwith ("png error: image contains oversized or bogus rowbytes and height");
+
{
int i;
png_bytep *row_pointers;
@@ -235,6 +247,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
+ if (oversized (width, height))
+ failwith ("png error: image contains oversized or bogus width and height");
+
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
@@ -251,6 +266,9 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ if (oversized (rowbytes, height))
+ failwith ("png error: image contains oversized or bogus rowbytes and height");
+
/*
fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
*/
Index: ocaml-camlimages.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/F-10/ocaml-camlimages.spec,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -p -r1.10 -r1.11
--- ocaml-camlimages.spec 3 Nov 2008 18:10:10 -0000 1.10
+++ ocaml-camlimages.spec 3 Jul 2009 13:54:53 -0000 1.11
@@ -4,7 +4,7 @@
Name: ocaml-camlimages
Version: 3.0.1
-Release: 3%{?dist}
+Release: 3%{?dist}.1
Summary: OCaml image processing library
Group: Development/Libraries
@@ -16,6 +16,9 @@ BuildRoot: %{_tmppath}/%{name}-%{ve
Patch0: camlimages-3.0.1-display-module.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=509531#c4
+Patch1: camlimages-oversized-png-check-CVE-2009-2295.patch
+
BuildRequires: ocaml >= 3.10.1
BuildRequires: ocaml-lablgtk-devel
BuildRequires: ocaml-x11
@@ -62,6 +65,7 @@ Includes documentation provided by ocaml
# Gdk.Display submodule clashes with the Display module in
# the examples/liv directory, so rename it:
%patch0 -p1
+%patch1 -p1
aclocal -I .
automake
autoconf
@@ -107,6 +111,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Fri Jul 3 2009 Richard W.M. Jones <rjones(a)redhat.com> - 3.0.1-3.fc10.1
+- ocaml-camlimages: PNG reader multiple integer overflows
+ (CVE 2009-2295 / RHBZ#509531).
+
* Mon Nov 3 2008 Richard W.M. Jones <rjones(a)redhat.com> - 3.0.1-3
- +BR gtk2-devel.
- +BR ocaml-x11.
14 years, 10 months
rpms/ocaml-camlimages/F-11 camlimages-oversized-png-check-CVE-2009-2295.patch, NONE, 1.1 ocaml-camlimages.spec, 1.14, 1.15
by Richard W.M. Jones
Author: rjones
Update of /cvs/pkgs/rpms/ocaml-camlimages/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv760
Modified Files:
ocaml-camlimages.spec
Added Files:
camlimages-oversized-png-check-CVE-2009-2295.patch
Log Message:
- ocaml-camlimages: PNG reader multiple integer overflows
(CVE 2009-2295 / RHBZ#509531).
camlimages-oversized-png-check-CVE-2009-2295.patch:
--- NEW FILE camlimages-oversized-png-check-CVE-2009-2295.patch ---
--- camlimages-3.0.1/src/pngread.c 2007-01-18 10:29:57.000000000 +0000
+++ camlimages-3.0.1-oversized-png-checks/src/pngread.c 2009-07-03 14:19:42.000000000 +0100
@@ -26,6 +26,12 @@
#define PNG_TAG_INDEX16 2
#define PNG_TAG_INDEX4 3
+/* Test if x or y are negative, or if multiplying x * y would cause an
+ * arithmetic overflow.
+ */
+#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || (x) * (y) < (x) || (x) * (y) < (y))
+
value read_png_file_as_rgb24( name )
value name;
{
@@ -81,6 +87,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
+ if (oversized (width, height))
+ failwith ("png error: image contains oversized or bogus width and height");
+
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
@@ -102,6 +111,9 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ if (oversized (rowbytes, height))
+ failwith ("png error: image contains oversized or bogus rowbytes and height");
+
{
int i;
png_bytep *row_pointers;
@@ -235,6 +247,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
+ if (oversized (width, height))
+ failwith ("png error: image contains oversized or bogus width and height");
+
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
@@ -251,6 +266,9 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ if (oversized (rowbytes, height))
+ failwith ("png error: image contains oversized or bogus rowbytes and height");
+
/*
fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
*/
Index: ocaml-camlimages.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ocaml-camlimages/F-11/ocaml-camlimages.spec,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -p -r1.14 -r1.15
--- ocaml-camlimages.spec 26 Feb 2009 06:51:27 -0000 1.14
+++ ocaml-camlimages.spec 3 Jul 2009 13:52:51 -0000 1.15
@@ -4,7 +4,7 @@
Name: ocaml-camlimages
Version: 3.0.1
-Release: 7%{?dist}
+Release: 7%{?dist}.1
Summary: OCaml image processing library
Group: Development/Libraries
@@ -16,6 +16,9 @@ BuildRoot: %{_tmppath}/%{name}-%{ve
Patch0: camlimages-3.0.1-display-module.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=509531#c4
+Patch1: camlimages-oversized-png-check-CVE-2009-2295.patch
+
BuildRequires: ocaml >= 3.10.1
BuildRequires: ocaml-lablgtk-devel
BuildRequires: ocaml-x11
@@ -62,6 +65,7 @@ Includes documentation provided by ocaml
# Gdk.Display submodule clashes with the Display module in
# the examples/liv directory, so rename it:
%patch0 -p1
+%patch1 -p1
aclocal -I .
automake
autoconf
@@ -107,6 +111,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Fri Jul 3 2009 Richard W.M. Jones <rjones(a)redhat.com> - 3.0.1-7.fc11.1
+- ocaml-camlimages: PNG reader multiple integer overflows
+ (CVE 2009-2295 / RHBZ#509531).
+
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng(a)lists.fedoraproject.org> - 3.0.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
14 years, 10 months
rpms/ocaml-camlimages/devel camlimages-oversized-png-check-CVE-2009-2295.patch, NONE, 1.1
by Richard W.M. Jones
Author: rjones
Update of /cvs/pkgs/rpms/ocaml-camlimages/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv604
Added Files:
camlimages-oversized-png-check-CVE-2009-2295.patch
Log Message:
Add patch.
camlimages-oversized-png-check-CVE-2009-2295.patch:
--- NEW FILE camlimages-oversized-png-check-CVE-2009-2295.patch ---
--- camlimages-3.0.1/src/pngread.c 2007-01-18 10:29:57.000000000 +0000
+++ camlimages-3.0.1-oversized-png-checks/src/pngread.c 2009-07-03 14:19:42.000000000 +0100
@@ -26,6 +26,12 @@
#define PNG_TAG_INDEX16 2
#define PNG_TAG_INDEX4 3
+/* Test if x or y are negative, or if multiplying x * y would cause an
+ * arithmetic overflow.
+ */
+#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || (x) * (y) < (x) || (x) * (y) < (y))
+
value read_png_file_as_rgb24( name )
value name;
{
@@ -81,6 +87,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
+ if (oversized (width, height))
+ failwith ("png error: image contains oversized or bogus width and height");
+
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
@@ -102,6 +111,9 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ if (oversized (rowbytes, height))
+ failwith ("png error: image contains oversized or bogus rowbytes and height");
+
{
int i;
png_bytep *row_pointers;
@@ -235,6 +247,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
+ if (oversized (width, height))
+ failwith ("png error: image contains oversized or bogus width and height");
+
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
@@ -251,6 +266,9 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ if (oversized (rowbytes, height))
+ failwith ("png error: image contains oversized or bogus rowbytes and height");
+
/*
fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
*/
14 years, 10 months