diff --git a/camlimages-oversized-png-check-CVE-2009-2295.patch b/camlimages-oversized-png-check-CVE-2009-2295.patch new file mode 100644 index 0000000..88014d5 --- /dev/null +++ b/camlimages-oversized-png-check-CVE-2009-2295.patch @@ -0,0 +1,55 @@ +--- camlimages-3.0.1/src/pngread.c 2007-01-18 10:29:57.000000000 +0000 ++++ camlimages-3.0.1-oversized-png-checks/src/pngread.c 2009-07-03 14:19:42.000000000 +0100 +@@ -26,6 +26,12 @@ + #define PNG_TAG_INDEX16 2 + #define PNG_TAG_INDEX4 3 + ++/* Test if x or y are negative, or if multiplying x * y would cause an ++ * arithmetic overflow. ++ */ ++#define oversized(x, y) \ ++ ((x) < 0 || (y) < 0 || (x) * (y) < (x) || (x) * (y) < (y)) ++ + value read_png_file_as_rgb24( name ) + value name; + { +@@ -81,6 +87,9 @@ + png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, + &interlace_type, NULL, NULL); + ++ if (oversized (width, height)) ++ failwith ("png error: image contains oversized or bogus width and height"); ++ + if ( color_type == PNG_COLOR_TYPE_GRAY || + color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { + png_set_gray_to_rgb(png_ptr); +@@ -102,6 +111,9 @@ + + rowbytes = png_get_rowbytes(png_ptr, info_ptr); + ++ if (oversized (rowbytes, height)) ++ failwith ("png error: image contains oversized or bogus rowbytes and height"); ++ + { + int i; + png_bytep *row_pointers; +@@ -235,6 +247,9 @@ + png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, + &interlace_type, NULL, NULL); + ++ if (oversized (width, height)) ++ failwith ("png error: image contains oversized or bogus width and height"); ++ + if ( color_type == PNG_COLOR_TYPE_GRAY || + color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { + png_set_gray_to_rgb(png_ptr); +@@ -251,6 +266,9 @@ + + rowbytes = png_get_rowbytes(png_ptr, info_ptr); + ++ if (oversized (rowbytes, height)) ++ failwith ("png error: image contains oversized or bogus rowbytes and height"); ++ + /* + fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr); + */ diff --git a/ocaml-camlimages.spec b/ocaml-camlimages.spec index 157eca2..2a745ed 100644 --- a/ocaml-camlimages.spec +++ b/ocaml-camlimages.spec @@ -1,6 +1,6 @@ Name: ocaml-camlimages Version: 2.2.0 -Release: 7%{?dist} +Release: 8%{?dist} Summary: OCaml image processing library Group: Development/Libraries @@ -9,6 +9,10 @@ URL: http://pauillac.inria.fr/camlimages/ Source0: ftp://ftp.inria.fr/INRIA/Projects/cristal/caml-light/bazar-ocaml/camlimages-%{version}.tgz Source1: camlimages-2.2.0-htmlref.tar.gz Patch0: camlimages-2.2.0-stubdest.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=509531#c4 +Patch1: camlimages-oversized-png-check-CVE-2009-2295.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: lablgtk libpng-devel libjpeg-devel ocaml @@ -40,7 +44,12 @@ Includes documentation provided by ocamldoc %prep %setup -q -n camlimages-2.2 -a 1 -%patch -p1 +%patch0 -p1 + +pushd png +%patch1 -p2 +popd + sed -i -e 's|LIBRARYDIRS=ppm bmp xvthumb jpeg tiff gif png xpm ps graphics freetype|LIBRARYDIRS=%buildlibs|' Makefile.build.in %build @@ -70,6 +79,10 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Fri Jul 3 2009 Richard W.M. Jones - 2.2.0-8 +- ocaml-camlimages: PNG reader multiple integer overflows + (CVE 2009-2295 / RHBZ#509531). + * Fri May 04 2007 Nigel Jones 2.2.0-7 - Change to Makefile patch to move .so files to stublibs - Rename to ocaml-camlimages