rpms/OpenEXR/F-10 openexr-1.6.1-CVE-2009-1720-1.patch, NONE, 1.1 openexr-1.6.1-CVE-2009-1720-2.patch, NONE, 1.1 openexr-1.6.1-CVE-2009-1721.patch, NONE, 1.1 OpenEXR.spec, 1.24, 1.25

Rex Dieter rdieter at fedoraproject.org
Wed Jul 29 18:45:54 UTC 2009 

Author: rdieter

Update of /cvs/pkgs/rpms/OpenEXR/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv10174

Modified Files:
	OpenEXR.spec 
Added Files:
	openexr-1.6.1-CVE-2009-1720-1.patch 
	openexr-1.6.1-CVE-2009-1720-2.patch 
	openexr-1.6.1-CVE-2009-1721.patch 
Log Message:
* Wed Jul 29 2009 Rex Dieter <rdieter at fedoraproject.org> 1.6.1-8
- CVE-2009-1720 OpenEXR: Multiple integer overflows (#513995)
- CVE-2009-1721 OpenEXR: Invalid pointer free by image decompression (#514003)


openexr-1.6.1-CVE-2009-1720-1.patch:
 ImfPreviewImage.cpp |    4 ++++
 1 file changed, 4 insertions(+)

--- NEW FILE openexr-1.6.1-CVE-2009-1720-1.patch ---
diff -up openexr-1.6.1/IlmImf/ImfPreviewImage.cpp.CVE-2009-1720-1 openexr-1.6.1/IlmImf/ImfPreviewImage.cpp
--- openexr-1.6.1/IlmImf/ImfPreviewImage.cpp.CVE-2009-1720-1	2006-06-06 00:58:16.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfPreviewImage.cpp	2009-07-29 13:27:39.087038617 -0500
@@ -41,6 +41,7 @@
 
 #include <ImfPreviewImage.h>
 #include "Iex.h"
+#include <limits.h>
 
 namespace Imf {
 
@@ -51,6 +52,9 @@ PreviewImage::PreviewImage (unsigned int
 {
     _width = width;
     _height = height;
+    if (_height && _width > UINT_MAX / _height || _width * _height > UINT_MAX / sizeof(PreviewRgba)) {
+        throw Iex::ArgExc ("Invalid height and width.");
+    }
     _pixels = new PreviewRgba [_width * _height];
 
     if (pixels)
diff -up openexr-1.6.1/IlmImf/ImfPreviewImage.h.CVE-2009-1720-1 openexr-1.6.1/IlmImf/ImfPreviewImage.h

openexr-1.6.1-CVE-2009-1720-2.patch:
 ImfPizCompressor.cpp |    3 +++
 ImfRleCompressor.cpp |    3 +++
 ImfZipCompressor.cpp |    3 +++
 3 files changed, 9 insertions(+)

--- NEW FILE openexr-1.6.1-CVE-2009-1720-2.patch ---
diff -up openexr-1.6.1/IlmImf/ImfPizCompressor.cpp.CVE-2009-1720-2 openexr-1.6.1/IlmImf/ImfPizCompressor.cpp
--- openexr-1.6.1/IlmImf/ImfPizCompressor.cpp.CVE-2009-1720-2	2007-09-20 23:17:46.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfPizCompressor.cpp	2009-07-29 13:15:41.883288491 -0500
@@ -181,6 +181,9 @@ PizCompressor::PizCompressor
     _channels (hdr.channels()),
     _channelData (0)
 {
+    if ((unsigned) maxScanLineSize > (INT_MAX - 65536 - 8192)  / (unsigned) numScanLines) {
+        throw InputExc ("Error: maxScanLineSize * numScanLines would overflow.");
+    }
     _tmpBuffer = new unsigned short [maxScanLineSize * numScanLines / 2];
     _outBuffer = new char [maxScanLineSize * numScanLines + 65536 + 8192];
 
diff -up openexr-1.6.1/IlmImf/ImfRleCompressor.cpp.CVE-2009-1720-2 openexr-1.6.1/IlmImf/ImfRleCompressor.cpp
--- openexr-1.6.1/IlmImf/ImfRleCompressor.cpp.CVE-2009-1720-2	2006-10-13 22:06:39.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfRleCompressor.cpp	2009-07-29 13:17:39.505037955 -0500
@@ -164,6 +164,9 @@ RleCompressor::RleCompressor (const Head
     _tmpBuffer (0),
     _outBuffer (0)
 {
+    if ((unsigned) maxScanLineSize > INT_MAX / 3) {
+        throw Iex::InputExc ("Error: maxScanLineSize * 3 would overflow.");
+    }
     _tmpBuffer = new char [maxScanLineSize];
     _outBuffer = new char [maxScanLineSize * 3 / 2];
 }
diff -up openexr-1.6.1/IlmImf/ImfZipCompressor.cpp.CVE-2009-1720-2 openexr-1.6.1/IlmImf/ImfZipCompressor.cpp
--- openexr-1.6.1/IlmImf/ImfZipCompressor.cpp.CVE-2009-1720-2	2006-10-13 22:07:17.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfZipCompressor.cpp	2009-07-29 13:18:25.223038291 -0500
@@ -58,6 +58,9 @@ ZipCompressor::ZipCompressor
     _tmpBuffer (0),
     _outBuffer (0)
 {
+    if ((unsigned) maxScanLineSize > INT_MAX / (unsigned) numScanLines) {
+        throw Iex::InputExc ("Error: maxScanLineSize * numScanLines would overflow.");
+    }
     _tmpBuffer =
 	new char [maxScanLineSize * numScanLines];
 

openexr-1.6.1-CVE-2009-1721.patch:
 ImfAutoArray.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE openexr-1.6.1-CVE-2009-1721.patch ---
diff -up openexr-1.6.1/IlmImf/ImfAutoArray.h.CVE-2009-1721 openexr-1.6.1/IlmImf/ImfAutoArray.h
--- openexr-1.6.1/IlmImf/ImfAutoArray.h.CVE-2009-1721	2007-04-23 20:26:56.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfAutoArray.h	2009-07-29 13:22:08.309288375 -0500
@@ -57,7 +57,7 @@ namespace Imf {
     {
       public:
 
-	 AutoArray (): _data (new T [size]) {}
+	 AutoArray (): _data (new T [size]) {memset(_data, 0, size * sizeof(T));}
 	~AutoArray () {delete [] _data;}
 
 	operator T * ()			{return _data;}


Index: OpenEXR.spec
===================================================================
RCS file: /cvs/pkgs/rpms/OpenEXR/F-10/OpenEXR.spec,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -p -r1.24 -r1.25
--- OpenEXR.spec	9 May 2008 16:52:15 -0000	1.24
+++ OpenEXR.spec	29 Jul 2009 18:45:54 -0000	1.25
@@ -6,7 +6,7 @@
 
 Name:	 OpenEXR
 Version: 1.6.1
-Release: 4%{?dist}
+Release: 8%{?dist}
 Summary: A high dynamic-range (HDR) image file format
 
 Group:	 System Environment/Libraries
@@ -22,9 +22,15 @@ Provides:  openexr = %{version}-%{releas
 Patch1: OpenEXR-1.6.1-pkgconfig.patch
 Patch2: openexr-1.6.1-gcc43.patch
 
+## upstream patches
+Patch100: openexr-1.6.1-CVE-2009-1720-1.patch 
+Patch101: openexr-1.6.1-CVE-2009-1720-2.patch
+Patch102: openexr-1.6.1-CVE-2009-1721.patch
+
 BuildRequires:  automake libtool
 BuildRequires:  ilmbase-devel
 BuildRequires:  zlib-devel
+BuildRequires:  pkgconfig
 
 %if 0%{?libs}
 Requires: %{name}-libs = %{version}-%{release}
@@ -43,7 +49,7 @@ Summary: Headers and libraries for build
 Group:	 Development/Libraries
 Obsoletes: openexr-devel < %{version}-%{release}
 Provides:  openexr-devel = %{version}-%{release}
-Requires: %{name}-libs = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Requires: ilmbase-devel
 Requires: pkgconfig
 %description devel
@@ -62,6 +68,10 @@ Group:   System Environment/Libraries
 %patch1 -p1 -b .pkgconfig
 %patch2 -p1 -b .gcc43
 
+%patch100 -p1 -b .CVE-2009-1720-1
+%patch101 -p1 -b .CVE-2009-1720-2
+%patch102 -p1 -b .CVE-2009-1721
+
 # work to remove rpaths, recheck on new releases
 aclocal -Im4
 libtoolize --force
@@ -102,15 +112,9 @@ rm -rf rpmdocs/examples/.deps
 rm -rf $RPM_BUILD_ROOT
 
 
-%if 0%{?libs}
-%post libs -p /sbin/ldconfig
+%post %{?libs:libs} -p /sbin/ldconfig
 
-%postun libs -p /sbin/ldconfig
-%else
-%post -p /sbin/ldconfig
-
-%postun -p /sbin/ldconfig
-%endif
+%postun %{?libs:libs}  -p /sbin/ldconfig
 
 
 %files
@@ -122,19 +126,32 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(-,root,root,-)
 %endif
 %doc AUTHORS ChangeLog LICENSE NEWS README
-%{_libdir}/lib*.so.*
+%{_libdir}/libIlmImf.so.6*
 
 %files devel
 %defattr(-,root,root,-)
 #omit for now, they're mostly useless, and include multilib conflicts (#342781)
 #doc rpmdocs/examples 
-%{_datadir}/aclocal/*
+%{_datadir}/aclocal/openexr.m4
 %{_includedir}/OpenEXR/*
-%{_libdir}/lib*.so
-%{_libdir}/pkgconfig/*
+%{_libdir}/libIlmImf.so
+%{_libdir}/pkgconfig/OpenEXR.pc
 
 
 %changelog
+* Wed Jul 29 2009 Rex Dieter <rdieter at fedoraproject.org> 1.6.1-8
+- CVE-2009-1720 OpenEXR: Multiple integer overflows (#513995)
+- CVE-2009-1721 OpenEXR: Invalid pointer free by image decompression (#514003)
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.6.1-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon Feb 23 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.6.1-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Fri Dec 12 2008 Caolán McNamara <caolanm at redhat.com> 1.6.1-5
+- rebuild to get provides pkgconfig(OpenEXR)
+
 * Fri May 09 2008 Rex Dieter <rdieter at fedoraproject.org> 1.6.1-4
 - drop: Obsoletes: OpenEXR-utils (see OpenEXR_Viewers review, bug #428228c3)

More information about the fedora-extras-commits mailing list