rpms/OpenEXR/EL-4 openexr-1.4.0-CVE-2009-1722.patch, NONE, 1.1 openexr-1.4.0-gcc43.patch, NONE, 1.1 openexr-1.6.1-CVE-2009-1720-1.patch, NONE, 1.1 openexr-1.6.1-CVE-2009-1720-2.patch, NONE, 1.1 openexr-1.6.1-CVE-2009-1721.patch, NONE, 1.1 OpenEXR.spec, 1.13, 1.14
Rex Dieter
rdieter at fedoraproject.org
Thu Jul 30 19:15:41 UTC 2009
Author: rdieter
Update of /cvs/pkgs/rpms/OpenEXR/EL-4
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv1897
Modified Files:
OpenEXR.spec
Added Files:
openexr-1.4.0-CVE-2009-1722.patch openexr-1.4.0-gcc43.patch
openexr-1.6.1-CVE-2009-1720-1.patch
openexr-1.6.1-CVE-2009-1720-2.patch
openexr-1.6.1-CVE-2009-1721.patch
Log Message:
* Thu Jul 30 2009 Rex Dieter <rdieter at fedoraproject.org> 1.4.0a-5
- CVE-2009-1720 OpenEXR: Multiple integer overflows (#513995)
- CVE-2009-1721 OpenEXR: Invalid pointer free by image decompression (#514003)
- CVE-2009-1722 OpenEXR: Integer overflow in decompression of range of values
in the pixel data (#514016)
openexr-1.4.0-CVE-2009-1722.patch:
ImfHeader.cpp | 73 ++++++++++++++++++++++++++++++++++++++++++++++++---
ImfHeader.h | 20 +++++++++++++
ImfPizCompressor.cpp | 7 ++++
3 files changed, 96 insertions(+), 4 deletions(-)
--- NEW FILE openexr-1.4.0-CVE-2009-1722.patch ---
diff -up openexr-1.4.0/IlmImf/ImfHeader.cpp.CVE-2009-1722 openexr-1.4.0/IlmImf/ImfHeader.cpp
--- openexr-1.4.0/IlmImf/ImfHeader.cpp.CVE-2009-1722 2006-06-04 21:04:52.000000000 -0500
+++ openexr-1.4.0/IlmImf/ImfHeader.cpp 2009-07-30 14:01:07.213632289 -0500
@@ -80,6 +80,12 @@ using IlmThread::Lock;
namespace {
+int maxImageWidth = 0;
+int maxImageHeight = 0;
+int maxTileWidth = 0;
+int maxTileHeight = 0;
+
+
void
initialize (Header &header,
const Box2i &displayWindow,
@@ -514,21 +520,50 @@ void
Header::sanityCheck (bool isTiled) const
{
//
- // The display window and the data window
- // must contain at least one pixel each.
+ // The display window and the data window must each
+ // contain at least one pixel. In addition, the
+ // coordinates of the window corners must be small
+ // enough to keep expressions like max-min+1 or
+ // max+min from overflowing.
//
const Box2i &displayWindow = this->displayWindow();
if (displayWindow.min.x > displayWindow.max.x ||
- displayWindow.min.y > displayWindow.max.y)
+ displayWindow.min.y > displayWindow.max.y ||
+ displayWindow.min.x <= -(INT_MAX / 2) ||
+ displayWindow.min.y <= -(INT_MAX / 2) ||
+ displayWindow.max.x >= (INT_MAX / 2) ||
+ displayWindow.max.y >= (INT_MAX / 2))
+ {
throw Iex::ArgExc ("Invalid display window in image header.");
+ }
const Box2i &dataWindow = this->dataWindow();
if (dataWindow.min.x > dataWindow.max.x ||
- dataWindow.min.y > dataWindow.max.y)
+ dataWindow.min.y > dataWindow.max.y ||
+ dataWindow.min.x <= -(INT_MAX / 2) ||
+ dataWindow.min.y <= -(INT_MAX / 2) ||
+ dataWindow.max.x >= (INT_MAX / 2) ||
+ dataWindow.max.y >= (INT_MAX / 2))
+ {
throw Iex::ArgExc ("Invalid data window in image header.");
+ }
+
+ if (maxImageWidth > 0 &&
+ maxImageWidth < dataWindow.max.x - dataWindow.min.x + 1)
+ {
+ THROW (Iex::ArgExc, "The width of the data window exceeds the "
+ "maximum width of " << maxImageWidth << "pixels.");
+ }
+
+ if (maxImageHeight > 0 &&
+ maxImageHeight < dataWindow.max.y - dataWindow.min.y + 1)
+ {
+ THROW (Iex::ArgExc, "The width of the data window exceeds the "
+ "maximum width of " << maxImageHeight << "pixels.");
+ }
//
// The pixel aspect ratio must be greater than 0.
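Review bot: The height check added in this hunk reports the wrong dimension: it tests `maxImageHeight` but its message says "The width of the data window exceeds the maximum width of", and the `maxTileHeight < tileDesc.ySize` check in the next hunk has the same copy-paste. Both should name the height, e.g. `"The height of the data window exceeds the " "maximum height of " << maxImageHeight << " pixels."`. All four new messages also lack a space before `pixels`, so the number and the unit run together. The new `INT_MAX` comparisons need `<limits.h>` or `<climits>`, and none of the ImfHeader.cpp hunks adds one, so confirm the file already includes it. The body of sanityCheck starts and ends outside this hunk.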
@@ -587,6 +622,20 @@ Header::sanityCheck (bool isTiled) const
if (tileDesc.xSize <= 0 || tileDesc.ySize <= 0)
throw Iex::ArgExc ("Invalid tile size in image header.");
+ if (maxTileWidth > 0 &&
+ maxTileWidth < tileDesc.xSize)
+ {
+ THROW (Iex::ArgExc, "The width of the tiles exceeds the maximum "
+ "width of " << maxTileWidth << "pixels.");
+ }
+
+ if (maxTileHeight > 0 &&
+ maxTileHeight < tileDesc.ySize)
+ {
+ THROW (Iex::ArgExc, "The width of the tiles exceeds the maximum "
+ "width of " << maxTileHeight << "pixels.");
+ }
+
if (tileDesc.mode != ONE_LEVEL &&
tileDesc.mode != MIPMAP_LEVELS &&
tileDesc.mode != RIPMAP_LEVELS)
@@ -725,6 +774,22 @@ Header::sanityCheck (bool isTiled) const
}
+void
+Header::setMaxImageSize (int maxWidth, int maxHeight)
+{
+ maxImageWidth = maxWidth;
+ maxImageHeight = maxHeight;
+}
+
+
+void
+Header::setMaxTileSize (int maxWidth, int maxHeight)
+{
+ maxTileWidth = maxWidth;
+ maxTileHeight = maxHeight;
+}
+
+
Int64
Header::writeTo (OStream &os, bool isTiled) const
{
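Review bot: `setMaxImageSize` and `setMaxTileSize` write namespace-scope ints that `sanityCheck` reads, with no synchronisation, although the file already imports `IlmThread::Lock` (visible in the first hunk header). If a limit is changed while another thread is opening a file, the accesses race. Either state on the declarations that the setters must be called before any reader threads start, or guard the four variables with a mutex. The `writeTo` definition at the end of the hunk continues outside it.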
diff -up openexr-1.4.0/IlmImf/ImfHeader.h.CVE-2009-1722 openexr-1.4.0/IlmImf/ImfHeader.h
--- openexr-1.4.0/IlmImf/ImfHeader.h.CVE-2009-1722 2006-06-04 21:04:52.000000000 -0500
+++ openexr-1.4.0/IlmImf/ImfHeader.h 2009-07-30 14:01:07.213632289 -0500
@@ -299,6 +299,26 @@ class Header
void sanityCheck (bool isTiled = false) const;
+ //----------------------------------------------------------------
+ // Maximum image size and maximim tile size:
+ //
+ // sanityCheck() will throw an exception if the width or height of
+ // the data window exceeds the maximum image width or height, or
+ // if the size of a tile exceeds the maximum tile width or height.
+ //
+ // At program startup the maximum image and tile width and height
+ // are set to zero, meaning that width and height are unlimited.
+ //
+ // Limiting image and tile width and height limits how much memory
+ // will be allocated when a file is opened. This can help protect
+ // applications from running out of memory while trying to read
+ // a damaged image file.
+ //----------------------------------------------------------------
+
+ static void setMaxImageSize (int maxWidth, int maxHeight);
+ static void setMaxTileSize (int maxWidth, int maxHeight);
+
+
//------------------------------------------------------------------
// Input and output:
//
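Review bot: The comment says zero means unlimited, but the checks in ImfHeader.cpp are of the form `maxImageWidth > 0 && ...`, so negative arguments disable the limit as well; the comment should say `zero or negative` so a caller passing a computed value knows what happens. It should also say that the limits are process-wide, since the setters are static and the values apply to every Header. `maximim` in the heading line is a typo for `maximum`.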
diff -up openexr-1.4.0/IlmImf/ImfPizCompressor.cpp.CVE-2009-1722 openexr-1.4.0/IlmImf/ImfPizCompressor.cpp
--- openexr-1.4.0/IlmImf/ImfPizCompressor.cpp.CVE-2009-1722 2009-07-30 14:01:07.205616394 -0500
+++ openexr-1.4.0/IlmImf/ImfPizCompressor.cpp 2009-07-30 14:01:07.214632487 -0500
@@ -60,6 +60,7 @@ using Imath::divp;
using Imath::modp;
using Imath::Box2i;
using Imath::V2i;
+using Iex::InputExc;
namespace {
@@ -556,6 +557,12 @@ PizCompressor::uncompress (const char *i
Xdr::read <CharPtrIO> (inPtr, minNonZero);
Xdr::read <CharPtrIO> (inPtr, maxNonZero);
+ if (maxNonZero >= BITMAP_SIZE)
+ {
+ throw InputExc ("Error in header for PIZ-compressed data "
+ "(invalid bitmap size).");
+ }
+
if (minNonZero <= maxNonZero)
{
Xdr::read <CharPtrIO> (inPtr, (char *) &bitmap[0] + minNonZero,
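Review bot: The new `maxNonZero >= BITMAP_SIZE` test bounds the write into `bitmap`, but nothing visible here bounds the source side: the `Xdr::read` that follows copies a range of bytes from `inPtr` with no visible comparison against the input length that remains. If uncompress() does not check that elsewhere, a truncated block would still be read past its end, so the byte count should be compared with the bytes left in the input before the read. The `Xdr::read` call and the function body both run past the end of the hunk, so this needs confirming against the full file.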
openexr-1.4.0-gcc43.patch:
exrenvmap/main.cpp | 3 ++-
exrmaketiled/main.cpp | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
--- NEW FILE openexr-1.4.0-gcc43.patch ---
diff -up openexr-1.4.0/exrenvmap/main.cpp.gcc43 openexr-1.4.0/exrenvmap/main.cpp
--- openexr-1.4.0/exrenvmap/main.cpp.gcc43 2004-03-22 22:23:39.000000000 -0600
+++ openexr-1.4.0/exrenvmap/main.cpp 2009-07-30 14:08:20.174867457 -0500
@@ -42,9 +42,10 @@
#include <makeCubeMap.h>
#include <makeLatLongMap.h>
#include <ImfEnvmap.h>
+#include <cstring>
#include <iostream>
#include <exception>
-#include <stdlib.h>
+#include <cstdlib>
using namespace Imf;
using namespace std;
diff -up openexr-1.4.0/exrmaketiled/main.cpp.gcc43 openexr-1.4.0/exrmaketiled/main.cpp
--- openexr-1.4.0/exrmaketiled/main.cpp.gcc43 2004-12-06 19:49:33.000000000 -0600
+++ openexr-1.4.0/exrmaketiled/main.cpp 2009-07-30 14:07:38.338618026 -0500
@@ -44,7 +44,7 @@
#include <iostream>
#include <exception>
-#include <string>
+#include <cstring>
#include <stdlib.h>
using namespace Imf;
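Review bot: This hunk replaces `#include <string>` with `<cstring>` instead of adding to it, whereas the exrenvmap hunk adds `<cstring>` and keeps its other headers. If exrmaketiled/main.cpp uses `std::string` (not visible here), it now compiles only through a transitive include, which is the kind of breakage the gcc43 patch is meant to remove. Keeping both lines, `#include <string>` and `#include <cstring>`, avoids that.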
openexr-1.6.1-CVE-2009-1720-1.patch:
ImfPreviewImage.cpp | 4 ++++
1 file changed, 4 insertions(+)
--- NEW FILE openexr-1.6.1-CVE-2009-1720-1.patch ---
diff -up openexr-1.6.1/IlmImf/ImfPreviewImage.cpp.CVE-2009-1720-1 openexr-1.6.1/IlmImf/ImfPreviewImage.cpp
--- openexr-1.6.1/IlmImf/ImfPreviewImage.cpp.CVE-2009-1720-1 2006-06-06 00:58:16.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfPreviewImage.cpp 2009-07-29 13:27:39.087038617 -0500
@@ -41,6 +41,7 @@
#include <ImfPreviewImage.h>
#include "Iex.h"
+#include <limits.h>
namespace Imf {
@@ -51,6 +52,9 @@ PreviewImage::PreviewImage (unsigned int
{
_width = width;
_height = height;
+ if (_height && _width > UINT_MAX / _height || _width * _height > UINT_MAX / sizeof(PreviewRgba)) {
+ throw Iex::ArgExc ("Invalid height and width.");
+ }
_pixels = new PreviewRgba [_width * _height];
if (pixels)
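Review bot: The overflow test mixes `&&` and `||` without parentheses, which is hard to read in a security check and triggers -Wparentheses; writing it as `(_height && _width > UINT_MAX / _height) || (_width * _height > UINT_MAX / sizeof(PreviewRgba))` states the intended grouping. The second operand multiplies `_width * _height` and is only safe because the first operand has already ruled out wrap-around; a one-line comment such as `// product cannot wrap here: checked by the first test` would keep a later edit from reordering them. The constructor continues past the end of the hunk.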
diff -up openexr-1.6.1/IlmImf/ImfPreviewImage.h.CVE-2009-1720-1 openexr-1.6.1/IlmImf/ImfPreviewImage.h
openexr-1.6.1-CVE-2009-1720-2.patch:
ImfPizCompressor.cpp | 3 +++
ImfRleCompressor.cpp | 3 +++
ImfZipCompressor.cpp | 3 +++
3 files changed, 9 insertions(+)
--- NEW FILE openexr-1.6.1-CVE-2009-1720-2.patch ---
diff -up openexr-1.6.1/IlmImf/ImfPizCompressor.cpp.CVE-2009-1720-2 openexr-1.6.1/IlmImf/ImfPizCompressor.cpp
--- openexr-1.6.1/IlmImf/ImfPizCompressor.cpp.CVE-2009-1720-2 2007-09-20 23:17:46.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfPizCompressor.cpp 2009-07-29 13:15:41.883288491 -0500
@@ -181,6 +181,9 @@ PizCompressor::PizCompressor
_channels (hdr.channels()),
_channelData (0)
{
+ if ((unsigned) maxScanLineSize > (INT_MAX - 65536 - 8192) / (unsigned) numScanLines) {
+ throw InputExc ("Error: maxScanLineSize * numScanLines would overflow.");
+ }
_tmpBuffer = new unsigned short [maxScanLineSize * numScanLines / 2];
_outBuffer = new char [maxScanLineSize * numScanLines + 65536 + 8192];
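Review bot: The divisor `(unsigned) numScanLines` is not tested for zero, so `numScanLines == 0` makes the new guard itself divide by zero; the ZipCompressor hunk (`INT_MAX / (unsigned) numScanLines`) has the same form. Whether a caller can pass zero is not visible here; if it cannot be ruled out, test it first, e.g. `if (numScanLines <= 0 || (unsigned) maxScanLineSize > (INT_MAX - 65536 - 8192) / (unsigned) numScanLines)`. `InputExc` is used unqualified, so this hunk relies on a `using Iex::InputExc;` that the 1.6.1 patch does not add; in this package it comes from the CVE-2009-1722 patch, which is worth a comment in the spec.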
diff -up openexr-1.6.1/IlmImf/ImfRleCompressor.cpp.CVE-2009-1720-2 openexr-1.6.1/IlmImf/ImfRleCompressor.cpp
--- openexr-1.6.1/IlmImf/ImfRleCompressor.cpp.CVE-2009-1720-2 2006-10-13 22:06:39.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfRleCompressor.cpp 2009-07-29 13:17:39.505037955 -0500
@@ -164,6 +164,9 @@ RleCompressor::RleCompressor (const Head
_tmpBuffer (0),
_outBuffer (0)
{
+ if ((unsigned) maxScanLineSize > INT_MAX / 3) {
+ throw Iex::InputExc ("Error: maxScanLineSize * 3 would overflow.");
+ }
_tmpBuffer = new char [maxScanLineSize];
_outBuffer = new char [maxScanLineSize * 3 / 2];
}
diff -up openexr-1.6.1/IlmImf/ImfZipCompressor.cpp.CVE-2009-1720-2 openexr-1.6.1/IlmImf/ImfZipCompressor.cpp
--- openexr-1.6.1/IlmImf/ImfZipCompressor.cpp.CVE-2009-1720-2 2006-10-13 22:07:17.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfZipCompressor.cpp 2009-07-29 13:18:25.223038291 -0500
@@ -58,6 +58,9 @@ ZipCompressor::ZipCompressor
_tmpBuffer (0),
_outBuffer (0)
{
+ if ((unsigned) maxScanLineSize > INT_MAX / (unsigned) numScanLines) {
+ throw Iex::InputExc ("Error: maxScanLineSize * numScanLines would overflow.");
+ }
_tmpBuffer =
new char [maxScanLineSize * numScanLines];
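Review bot: The bound here is exactly `INT_MAX / numScanLines` with no headroom, unlike the PIZ check, which subtracts the `65536 + 8192` it later adds. That is enough for the `_tmpBuffer` size shown, but if the rest of the constructor (outside the hunk) sizes `_outBuffer` as the product plus padding or a scale factor, that expression can still exceed INT_MAX. The guard should leave room for the largest later allocation; confirm against the full constructor.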
openexr-1.6.1-CVE-2009-1721.patch:
ImfAutoArray.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE openexr-1.6.1-CVE-2009-1721.patch ---
diff -up openexr-1.6.1/IlmImf/ImfAutoArray.h.CVE-2009-1721 openexr-1.6.1/IlmImf/ImfAutoArray.h
--- openexr-1.6.1/IlmImf/ImfAutoArray.h.CVE-2009-1721 2007-04-23 20:26:56.000000000 -0500
+++ openexr-1.6.1/IlmImf/ImfAutoArray.h 2009-07-29 13:22:08.309288375 -0500
@@ -57,7 +57,7 @@ namespace Imf {
{
public:
- AutoArray (): _data (new T [size]) {}
+ AutoArray (): _data (new T [size]) {memset(_data, 0, size * sizeof(T));}
~AutoArray () {delete [] _data;}
operator T * () {return _data;}
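Review bot: `memset(_data, 0, size * sizeof(T))` is only well-defined for trivially copyable `T`, and it needs `<string.h>`, which this header hunk does not add. Value-initialising the array does the same job for any `T` with no extra include: `AutoArray (): _data (new T [size] ()) {}`. A short comment that the zeroing is presumably what keeps later cleanup from freeing uninitialised pointers (CVE-2009-1721) would stop it being removed as redundant. The class body continues outside the hunk.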
Index: OpenEXR.spec
===================================================================
RCS file: /cvs/pkgs/rpms/OpenEXR/EL-4/OpenEXR.spec,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -p -r1.13 -r1.14
--- OpenEXR.spec 11 Dec 2006 23:46:19 -0000 1.13
+++ OpenEXR.spec 30 Jul 2009 19:15:41 -0000 1.14
@@ -4,7 +4,7 @@
Name: OpenEXR
Version: %{ver}%{?beta}
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: A high dynamic-range (HDR) image file format
Group: System Environment/Libraries
@@ -20,6 +20,13 @@ Provides: openexr = %{version}-%{releas
Patch1: openexr-1.4.0-no_undefined.patch
# Use Libs.private
Patch2: openexr-1.4.0-pkgconfig.patch
+Patch3: openexr-1.4.0-gcc43.patch
+
+## upstream patches
+Patch100: openexr-1.6.1-CVE-2009-1720-1.patch
+Patch101: openexr-1.6.1-CVE-2009-1720-2.patch
+Patch102: openexr-1.6.1-CVE-2009-1721.patch
+Patch103: openexr-1.4.0-CVE-2009-1722.patch
BuildRequires: fltk-devel >= 1.1
BuildRequires: zlib-devel
@@ -38,8 +45,7 @@ Provides: openexr-devel = %{version}-%{
Requires: %{name} = %{version}-%{release}
Requires: pkgconfig
%description devel
-This package contains headers and libraries required to build applications that
-use the %{name} format.
+%{summary}.
%prep
@@ -47,6 +53,12 @@ use the %{name} format.
%patch1 -p1 -b .no_undefined
%patch2 -p1 -b .pkgconfig
+%patch3 -p1 -b .gcc43
+
+%patch100 -p1 -b .CVE-2009-1720-1
+%patch101 -p1 -b .CVE-2009-1720-2
+%patch102 -p1 -b .CVE-2009-1721
+%patch103 -p1 -b .CVE-2009-1722
# for patch1
./bootstrap
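Review bot: Patch100 to Patch102 are named for openexr-1.6.1 but are applied here to the 1.4.0a tree, so they may apply only with offsets or fuzz. For security checks a fuzzy apply can land a guard in the wrong place without failing the build. A comment above the `## upstream patches` block, such as `# 1.6.1 patches verified to apply cleanly to 1.4.0a`, would record that this was checked.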
@@ -90,18 +102,29 @@ rm -rf $RPM_BUILD_ROOT
%defattr(-,root,root,-)
%doc AUTHORS ChangeLog LICENSE NEWS README
%{_bindir}/*
-%{_libdir}/lib*.so.*
+%{_libdir}/libHalf.so.4*
+%{_libdir}/libIex.so.4*
+%{_libdir}/libIlmImf.so.4*
+%{_libdir}/libIlmThread.so.4*
+%{_libdir}/libImath.so.4*
%files devel
%defattr(-,root,root,-)
-%doc rpmdocs/examples
-%{_datadir}/aclocal/*
+#omit for now, they're mostly useless, and include multilib conflicts (#342781)
+#doc rpmdocs/examples
+%{_datadir}/aclocal/openexr.m4
%{_includedir}/OpenEXR/
%{_libdir}/lib*.so
-%{_libdir}/pkgconfig/*
+%{_libdir}/pkgconfig/OpenEXR.pc
%changelog
+* Thu Jul 30 2009 Rex Dieter <rdieter at fedoraproject.org> 1.4.0a-5
+- CVE-2009-1720 OpenEXR: Multiple integer overflows (#513995)
+- CVE-2009-1721 OpenEXR: Invalid pointer free by image decompression (#514003)
+- CVE-2009-1722 OpenEXR: Integer overflow in decompression of range of values
+ in the pixel data (#514016)
+
* Sat Oct 28 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.4.0a-4
- Obsoletes/Provides: openexr(-devel) (rpmforge compatibility)