Fri Aug 28 21:33:08 2009 UTC ()
Add patches for CVE-2009-1720 (multiple integer overflows in OpenEXR) and
CVE-2009-1721 (denial of service (application crash) or possibly execute
arbitrary code in the Imf::hufUncompress function). Bump PKGREVISION.
(hasso)
diff -r1.21 -r1.22 pkgsrc/graphics/openexr/Makefile
diff -r1.12 -r1.13 pkgsrc/graphics/openexr/distinfo
diff -r0 -r1.1 pkgsrc/graphics/openexr/patches/patch-ae
diff -r0 -r1.1 pkgsrc/graphics/openexr/patches/patch-af
diff -r0 -r1.1 pkgsrc/graphics/openexr/patches/patch-ag
diff -r0 -r1.1 pkgsrc/graphics/openexr/patches/patch-ah
diff -r0 -r1.1 pkgsrc/graphics/openexr/patches/patch-ai
--- pkgsrc/graphics/openexr/Makefile 2009/01/28 13:14:55 1.21
+++ pkgsrc/graphics/openexr/Makefile 2009/08/28 21:33:07 1.22
| @@ -1,16 +1,17 @@ | | | @@ -1,16 +1,17 @@ |
1 | # $NetBSD: Makefile,v 1.21 2009/01/28 13:14:55 tron Exp $ | | 1 | # $NetBSD: Makefile,v 1.22 2009/08/28 21:33:07 hasso Exp $ |
2 | | | 2 | |
3 | DISTNAME= openexr-1.6.1 | | 3 | DISTNAME= openexr-1.6.1 |
| | | 4 | PKGREVISION= 1 |
4 | CATEGORIES= graphics | | 5 | CATEGORIES= graphics |
5 | MASTER_SITES= http://savannah.nongnu.org/download/openexr/ | | 6 | MASTER_SITES= http://savannah.nongnu.org/download/openexr/ |
6 | | | 7 | |
7 | MAINTAINER= adam@NetBSD.org | | 8 | MAINTAINER= adam@NetBSD.org |
8 | HOMEPAGE= http://www.openexr.com/ | | 9 | HOMEPAGE= http://www.openexr.com/ |
9 | COMMENT= High dynamic-range (HDR) image file format library and tools | | 10 | COMMENT= High dynamic-range (HDR) image file format library and tools |
10 | | | 11 | |
11 | PKG_DESTDIR_SUPPORT= user-destdir | | 12 | PKG_DESTDIR_SUPPORT= user-destdir |
12 | | | 13 | |
13 | USE_TOOLS+= gmake pkg-config | | 14 | USE_TOOLS+= gmake pkg-config |
14 | USE_LANGUAGES= c c++ | | 15 | USE_LANGUAGES= c c++ |
15 | USE_LIBTOOL= yes | | 16 | USE_LIBTOOL= yes |
16 | GNU_CONFIGURE= yes | | 17 | GNU_CONFIGURE= yes |
--- pkgsrc/graphics/openexr/distinfo 2009/07/21 11:50:35 1.12
+++ pkgsrc/graphics/openexr/distinfo 2009/08/28 21:33:08 1.13
| @@ -1,9 +1,14 @@ | | | @@ -1,9 +1,14 @@ |
1 | $NetBSD: distinfo,v 1.12 2009/07/21 11:50:35 tnn Exp $ | | 1 | $NetBSD: distinfo,v 1.13 2009/08/28 21:33:08 hasso Exp $ |
2 | | | 2 | |
3 | SHA1 (openexr-1.6.1.tar.gz) = b3650e6542f0e09daadb2d467425530bc8eec333 | | 3 | SHA1 (openexr-1.6.1.tar.gz) = b3650e6542f0e09daadb2d467425530bc8eec333 |
4 | RMD160 (openexr-1.6.1.tar.gz) = 3670633be841628e9d4c11981661e9d94a9b2711 | | 4 | RMD160 (openexr-1.6.1.tar.gz) = 3670633be841628e9d4c11981661e9d94a9b2711 |
5 | Size (openexr-1.6.1.tar.gz) = 13632660 bytes | | 5 | Size (openexr-1.6.1.tar.gz) = 13632660 bytes |
6 | SHA1 (patch-aa) = d1b9c2d817d875c30fa15cbbea5d1226b03b62d8 | | 6 | SHA1 (patch-aa) = d1b9c2d817d875c30fa15cbbea5d1226b03b62d8 |
7 | SHA1 (patch-ab) = 7d4fdf8d36f58ea5126b8c72dae901d1d68e6a60 | | 7 | SHA1 (patch-ab) = 7d4fdf8d36f58ea5126b8c72dae901d1d68e6a60 |
8 | SHA1 (patch-ac) = fa5735431b7168dfc8b4643a976fd7f95cbcb5e7 | | 8 | SHA1 (patch-ac) = fa5735431b7168dfc8b4643a976fd7f95cbcb5e7 |
9 | SHA1 (patch-ad) = b44ccc8a9ff32ebe7cc42f5c53778ebf050b4de6 | | 9 | SHA1 (patch-ad) = b44ccc8a9ff32ebe7cc42f5c53778ebf050b4de6 |
| | | 10 | SHA1 (patch-ae) = aa70c907718f975c32698906edc9f6ca66b42e23 |
| | | 11 | SHA1 (patch-af) = ed02cf7091bfe490f33f4c8101ce84fab453b556 |
| | | 12 | SHA1 (patch-ag) = 6eebed2f16f02ba0f5b019f0f45c0f26ced0ba92 |
| | | 13 | SHA1 (patch-ah) = c7070ac42bc1c0cfb940f0aa53e04f93e887c590 |
| | | 14 | SHA1 (patch-ai) = 9bf08eb6e092848e6b194989e03320a334eff640 |
$NetBSD: patch-ae,v 1.1 2009/08/28 21:33:08 hasso Exp $
--- IlmImf/ImfPreviewImage.cpp.orig 2006-06-06 00:58:16.000000000 -0500
+++ IlmImf/ImfPreviewImage.cpp 2009-07-29 13:27:39.087038617 -0500
@@ -41,6 +41,7 @@
#include <ImfPreviewImage.h>
#include "Iex.h"
+#include <limits.h>
namespace Imf {
@@ -51,6 +52,9 @@ PreviewImage::PreviewImage (unsigned int
{
_width = width;
_height = height;
+ if (_height && _width > UINT_MAX / _height || _width * _height > UINT_MAX / sizeof(PreviewRgba)) {
+ throw Iex::ArgExc ("Invalid height and width.");
+ }
_pixels = new PreviewRgba [_width * _height];
if (pixels)
diff -up openexr-1.6.1/IlmImf/ImfPreviewImage.h.CVE-2009-1720-1 openexr-1.6.1/IlmImf/ImfPreviewImage.h
$NetBSD: patch-af,v 1.1 2009/08/28 21:33:08 hasso Exp $
--- IlmImf/ImfPizCompressor.cpp.orig 2007-09-20 23:17:46.000000000 -0500
+++ IlmImf/ImfPizCompressor.cpp 2009-07-29 13:15:41.883288491 -0500
@@ -181,6 +181,9 @@ PizCompressor::PizCompressor
_channels (hdr.channels()),
_channelData (0)
{
+ if ((unsigned) maxScanLineSize > (INT_MAX - 65536 - 8192) / (unsigned) numScanLines) {
+ throw InputExc ("Error: maxScanLineSize * numScanLines would overflow.");
+ }
_tmpBuffer = new unsigned short [maxScanLineSize * numScanLines / 2];
_outBuffer = new char [maxScanLineSize * numScanLines + 65536 + 8192];
$NetBSD: patch-ag,v 1.1 2009/08/28 21:33:08 hasso Exp $
--- IlmImf/ImfRleCompressor.cpp.orig 2006-10-13 22:06:39.000000000 -0500
+++ IlmImf/ImfRleCompressor.cpp 2009-07-29 13:17:39.505037955 -0500
@@ -164,6 +164,9 @@ RleCompressor::RleCompressor (const Head
_tmpBuffer (0),
_outBuffer (0)
{
+ if ((unsigned) maxScanLineSize > INT_MAX / 3) {
+ throw Iex::InputExc ("Error: maxScanLineSize * 3 would overflow.");
+ }
_tmpBuffer = new char [maxScanLineSize];
_outBuffer = new char [maxScanLineSize * 3 / 2];
}
$NetBSD: patch-ah,v 1.1 2009/08/28 21:33:08 hasso Exp $
--- IlmImf/ImfZipCompressor.cpp.orig 2006-10-13 22:07:17.000000000 -0500
+++ IlmImf/ImfZipCompressor.cpp 2009-07-29 13:18:25.223038291 -0500
@@ -58,6 +58,9 @@ ZipCompressor::ZipCompressor
_tmpBuffer (0),
_outBuffer (0)
{
+ if ((unsigned) maxScanLineSize > INT_MAX / (unsigned) numScanLines) {
+ throw Iex::InputExc ("Error: maxScanLineSize * numScanLines would overflow.");
+ }
_tmpBuffer =
new char [maxScanLineSize * numScanLines];
$NetBSD: patch-ai,v 1.1 2009/08/28 21:33:08 hasso Exp $
--- IlmImf/ImfAutoArray.h.orig 2007-04-23 20:26:56.000000000 -0500
+++ IlmImf/ImfAutoArray.h 2009-07-29 13:22:08.309288375 -0500
@@ -57,7 +57,7 @@ namespace Imf {
{
public:
- AutoArray (): _data (new T [size]) {}
+ AutoArray (): _data (new T [size]) {memset(_data, 0, size * sizeof(T));}
~AutoArray () {delete [] _data;}
operator T * () {return _data;}