From d84052e6dcec584028408faf722e2df82cc50231 Mon Sep 17 00:00:00 2001 From: Rex Dieter Date: Aug 11 2010 04:08:02 +0000 Subject: - CVE-2009-1720 OpenEXR: Multiple integer overflows (#513995) - CVE-2009-1721 OpenEXR: Invalid pointer free by image decompression (#514003) --- diff --git a/.gitignore b/.gitignore index 5692496..6e23733 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -openexr-1.6.1.tar.gz -openexr-1.6.1.tar.gz.sig +openexr-1.7.0.tar.gz +openexr-1.7.0.tar.gz.sig diff --git a/OpenEXR.spec b/OpenEXR.spec index e61b937..0d29342 100644 --- a/OpenEXR.spec +++ b/OpenEXR.spec @@ -1,12 +1,8 @@ -%if 0%{?fedora} > 7 || 0%{?rhel} > 5 -# make -libs subpkg -%define libs 1 -%endif Name: OpenEXR -Version: 1.6.1 -Release: 8%{?dist} +Version: 1.7.0 +Release: 1%{?dist} Summary: A high dynamic-range (HDR) image file format Group: System Environment/Libraries @@ -19,25 +15,19 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Obsoletes: openexr < %{version}-%{release} Provides: openexr = %{version}-%{release} -Patch1: OpenEXR-1.6.1-pkgconfig.patch -Patch2: openexr-1.6.1-gcc43.patch +## upstreamable patches +Patch50: OpenEXR-1.6.1-pkgconfig.patch +# missing #include +Patch51: openexr-1.7.0-cstring.patch ## upstream patches -Patch100: openexr-1.6.1-CVE-2009-1720-1.patch -Patch101: openexr-1.6.1-CVE-2009-1720-2.patch -Patch102: openexr-1.6.1-CVE-2009-1721.patch BuildRequires: automake libtool -BuildRequires: ilmbase-devel +BuildRequires: ilmbase-devel BuildRequires: zlib-devel BuildRequires: pkgconfig -%if 0%{?libs} -Requires: %{name}-libs = %{version}-%{release} -%else -Obsoletes: %{name}-libs < %{version}-%{release} -Provides: %{name}-libs = %{version}-%{release} -%endif +Requires: %{name}-libs%{?_isa} = %{version}-%{release} %description OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial 
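Review bot: The `## upstream patches` heading is left with nothing under it once Patch100–Patch102 are removed, so the spec no longer records what became of the CVE-2009-1720 and CVE-2009-1721 fixes. Presumably 1.7.0 carries them upstream, but nothing visible on this page confirms it. The checks deleted with those patches are the overflow guards in ImfPreviewImage.cpp and in the Piz/Rle/Zip compressor constructors, plus the zero-fill in ImfAutoArray.h, and those are what to look for in the 1.7.0 sources. I would record the result under that heading, e.g. `# CVE-2009-1720, CVE-2009-1721: local patches dropped, fixes verified present in 1.7.0`. No %changelog hunk is visible here, so I cannot tell whether the rebase is noted there.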
@@ -65,25 +55,23 @@ Group: System Environment/Libraries %prep %setup -q -n openexr-%{version} -%patch1 -p1 -b .pkgconfig -%patch2 -p1 -b .gcc43 - -%patch100 -p1 -b .CVE-2009-1720-1 -%patch101 -p1 -b .CVE-2009-1720-2 -%patch102 -p1 -b .CVE-2009-1721 +%patch50 -p1 -b .pkgconfig +%patch51 -p1 -b .cstring +%if 0 # work to remove rpaths, recheck on new releases aclocal -Im4 libtoolize --force rm -f configure autoconf +%endif %build %configure --disable-static # hack to omit unused-direct-shlib-dependencies -sed -i -e 's! -shared ! -Wl,--as-needed\0!g' libtool +#sed -i -e 's! -shared ! -Wl,--as-needed\0!g' libtool make %{?_smp_mflags} @@ -104,27 +92,26 @@ rm -rf rpmdocs/examples/.deps %check -# Not enabled, by default, takes a *very* long time. -- Rex -%{?_with_check:make check} +export PKG_CONFIG_PATH=%{buildroot}%{_datadir}/pkgconfig:%{buildroot}%{_libdir}/pkgconfig +test "$(pkg-config --modversion OpenEXR)" = "%{version}" +#make check %clean rm -rf $RPM_BUILD_ROOT -%post %{?libs:libs} -p /sbin/ldconfig +%post libs -p /sbin/ldconfig -%postun %{?libs:libs} -p /sbin/ldconfig +%postun libs -p /sbin/ldconfig %files %defattr(-,root,root,-) %{_bindir}/* -%if 0%{?libs} %files libs %defattr(-,root,root,-) -%endif %doc AUTHORS ChangeLog LICENSE NEWS README %{_libdir}/libIlmImf.so.6* diff --git a/openexr-1.6.1-CVE-2009-1720-1.patch b/openexr-1.6.1-CVE-2009-1720-1.patch deleted file mode 100644 index 32a653c..0000000 --- a/openexr-1.6.1-CVE-2009-1720-1.patch +++ /dev/null 
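Review bot: The `%if 0` added in %prep switches off the aclocal/libtoolize/autoconf regeneration that the comment says exists to remove rpaths, and the `--as-needed` sed in %build is commented out, with no statement of why either is safe to drop for 1.7.0. If the new release's binaries did carry an rpath, nothing in the visible spec would notice. A line above the block such as `# disabled for 1.7.0: <reason>; confirm installed binaries carry no RPATH/RUNPATH` would make the decision auditable. The %prep and %build sections continue outside this hunk.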
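Review bot: `#make check` in %check removes the opt-in `%{?_with_check:make check}` path, so the upstream test suite can no longer be run from this spec at all; the only remaining check compares the pkg-config version string. For a library that parses untrusted image files, and whose previous package needed local integer-overflow patches, I would keep the opt-in line after the version test: `%{?_with_check:make check}`, with the old comment about its run time restored.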
@@ -1,22 +0,0 @@
-diff -up openexr-1.6.1/IlmImf/ImfPreviewImage.cpp.CVE-2009-1720-1 openexr-1.6.1/IlmImf/ImfPreviewImage.cpp
---- openexr-1.6.1/IlmImf/ImfPreviewImage.cpp.CVE-2009-1720-1 2006-06-06 00:58:16.000000000 -0500
-+++ openexr-1.6.1/IlmImf/ImfPreviewImage.cpp 2009-07-29 13:27:39.087038617 -0500
-@@ -41,6 +41,7 @@
-
- #include
- #include "Iex.h"
-+#include
-
- namespace Imf {
-
-@@ -51,6 +52,9 @@ PreviewImage::PreviewImage (unsigned int
- {
- _width = width;
- _height = height;
-+ if (_height && _width > UINT_MAX / _height || _width * _height > UINT_MAX / sizeof(PreviewRgba)) {
-+ throw Iex::ArgExc ("Invalid height and width.");
-+ }
- _pixels = new PreviewRgba [_width * _height];
-
- if (pixels)
-diff -up openexr-1.6.1/IlmImf/ImfPreviewImage.h.CVE-2009-1720-1 openexr-1.6.1/IlmImf/ImfPreviewImage.h
diff --git a/openexr-1.6.1-CVE-2009-1720-2.patch b/openexr-1.6.1-CVE-2009-1720-2.patch
deleted file mode 100644
index 934f988..0000000
--- a/openexr-1.6.1-CVE-2009-1720-2.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-diff -up openexr-1.6.1/IlmImf/ImfPizCompressor.cpp.CVE-2009-1720-2 openexr-1.6.1/IlmImf/ImfPizCompressor.cpp
---- openexr-1.6.1/IlmImf/ImfPizCompressor.cpp.CVE-2009-1720-2 2007-09-20 23:17:46.000000000 -0500
-+++ openexr-1.6.1/IlmImf/ImfPizCompressor.cpp 2009-07-29 13:15:41.883288491 -0500
-@@ -181,6 +181,9 @@ PizCompressor::PizCompressor
- _channels (hdr.channels()),
- _channelData (0)
- {
-+ if ((unsigned) maxScanLineSize > (INT_MAX - 65536 - 8192) / (unsigned) numScanLines) {
-+ throw InputExc ("Error: maxScanLineSize * numScanLines would overflow.");
-+ }
- _tmpBuffer = new unsigned short [maxScanLineSize * numScanLines / 2];
- _outBuffer = new char [maxScanLineSize * numScanLines + 65536 + 8192];
-
-diff -up openexr-1.6.1/IlmImf/ImfRleCompressor.cpp.CVE-2009-1720-2 openexr-1.6.1/IlmImf/ImfRleCompressor.cpp
---- openexr-1.6.1/IlmImf/ImfRleCompressor.cpp.CVE-2009-1720-2 2006-10-13 22:06:39.000000000 -0500
-+++ openexr-1.6.1/IlmImf/ImfRleCompressor.cpp 2009-07-29 13:17:39.505037955 -0500
-@@ -164,6 +164,9 @@ RleCompressor::RleCompressor (const Head
- _tmpBuffer (0),
- _outBuffer (0)
- {
-+ if ((unsigned) maxScanLineSize > INT_MAX / 3) {
-+ throw Iex::InputExc ("Error: maxScanLineSize * 3 would overflow.");
-+ }
- _tmpBuffer = new char [maxScanLineSize];
- _outBuffer = new char [maxScanLineSize * 3 / 2];
- }
-diff -up openexr-1.6.1/IlmImf/ImfZipCompressor.cpp.CVE-2009-1720-2 openexr-1.6.1/IlmImf/ImfZipCompressor.cpp
---- openexr-1.6.1/IlmImf/ImfZipCompressor.cpp.CVE-2009-1720-2 2006-10-13 22:07:17.000000000 -0500
-+++ openexr-1.6.1/IlmImf/ImfZipCompressor.cpp 2009-07-29 13:18:25.223038291 -0500
-@@ -58,6 +58,9 @@ ZipCompressor::ZipCompressor
- _tmpBuffer (0),
- _outBuffer (0)
- {
-+ if ((unsigned) maxScanLineSize > INT_MAX / (unsigned) numScanLines) {
-+ throw Iex::InputExc ("Error: maxScanLineSize * numScanLines would overflow.");
-+ }
- _tmpBuffer =
- new char [maxScanLineSize * numScanLines];
-
diff --git a/openexr-1.6.1-CVE-2009-1721.patch b/openexr-1.6.1-CVE-2009-1721.patch
deleted file mode 100644
index 28f1084..0000000
--- a/openexr-1.6.1-CVE-2009-1721.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up openexr-1.6.1/IlmImf/ImfAutoArray.h.CVE-2009-1721 openexr-1.6.1/IlmImf/ImfAutoArray.h
---- openexr-1.6.1/IlmImf/ImfAutoArray.h.CVE-2009-1721 2007-04-23 20:26:56.000000000 -0500
-+++ openexr-1.6.1/IlmImf/ImfAutoArray.h 2009-07-29 13:22:08.309288375 -0500
-@@ -57,7 +57,7 @@ namespace Imf {
- {
- public:
-
-- AutoArray (): _data (new T [size]) {}
-+ AutoArray (): _data (new T [size]) {memset(_data, 0, size * sizeof(T));}
- ~AutoArray () {delete [] _data;}
-
- operator T * () {return _data;}
diff --git a/openexr-1.6.1-gcc43.patch b/openexr-1.6.1-gcc43.patch
deleted file mode 100644
index 4f03190..0000000
--- a/openexr-1.6.1-gcc43.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-diff -up openexr-1.6.1/exrmaketiled/main.cpp.gcc43 openexr-1.6.1/exrmaketiled/main.cpp
---- openexr-1.6.1/exrmaketiled/main.cpp.gcc43 2007-04-24 20:08:45.000000000 -0500
-+++ openexr-1.6.1/exrmaketiled/main.cpp 2008-02-01 08:21:29.000000000 -0600
-@@ -44,7 +44,7 @@
-
- #include
- #include
--#include
-+#include
- #include
-
- using namespace Imf;
-diff -up openexr-1.6.1/exrenvmap/main.cpp.gcc43 openexr-1.6.1/exrenvmap/main.cpp
---- openexr-1.6.1/exrenvmap/main.cpp.gcc43 2007-04-24 20:07:51.000000000 -0500
-+++ openexr-1.6.1/exrenvmap/main.cpp 2008-02-01 08:22:10.000000000 -0600
-@@ -45,6 +45,7 @@
- #include
- #include
- #include
-+#include
-
- using namespace Imf;
- using namespace std;
diff --git a/openexr-1.7.0-cstring.patch b/openexr-1.7.0-cstring.patch
new file mode 100644
index 0000000..f861321
--- /dev/null
+++ b/openexr-1.7.0-cstring.patch
@@ -0,0 +1,11 @@
+diff -up openexr-1.7.0/exrenvmap/blurImage.cpp.cstring openexr-1.7.0/exrenvmap/blurImage.cpp
+--- openexr-1.7.0/exrenvmap/blurImage.cpp.cstring 2009-02-25 17:39:27.000000000 -0600
++++ openexr-1.7.0/exrenvmap/blurImage.cpp 2010-07-28 10:22:38.972704975 -0500
+@@ -43,6 +43,7 @@
+
+ #include
+ #include "Iex.h"
++#include
+ #include
+ #include
+
diff --git a/sources b/sources
index 83177f0..4c8b019 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-11951f164f9c872b183df75e66de145a openexr-1.6.1.tar.gz
-2a45771c4d95eadbdf462561a70c24bb openexr-1.6.1.tar.gz.sig
+27113284f7d26a58f853c346e0851d7a openexr-1.7.0.tar.gz
+1ffd9feb14c373ebae68228b0495ada0 openexr-1.7.0.tar.gz.sig