[Buildroot] [PATCH] imlib2: security bump to version 1.4.9

Gustavo Zacarias gustavo at zacarias.com.ar
Sun May 1 13:34:47 UTC 2016


It already includes the fixes for CVE-2016-3994 and CVE-2011-5326 so
drop the patches, and additionally fixes:
CVE-2016-4024 - integer overflow in imlib2, which result in insufficient
heap allocation.

Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
---
 package/imlib2/0001-fix-CVE-2016-3994.patch |  71 -------------------
 package/imlib2/0002-fix-CVE-2011-5326.patch | 104 ----------------------------
 package/imlib2/imlib2.hash                  |   6 +-
 package/imlib2/imlib2.mk                    |   2 +-
 4 files changed, 4 insertions(+), 179 deletions(-)
 delete mode 100644 package/imlib2/0001-fix-CVE-2016-3994.patch
 delete mode 100644 package/imlib2/0002-fix-CVE-2011-5326.patch

diff --git a/package/imlib2/0001-fix-CVE-2016-3994.patch b/package/imlib2/0001-fix-CVE-2016-3994.patch
deleted file mode 100644
index bf28905..0000000
--- a/package/imlib2/0001-fix-CVE-2016-3994.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 37a96801663b7b4cd3fbe56cc0eb8b6a17e766a8 Mon Sep 17 00:00:00 2001
-From: Kim Woelders <kim at woelders.dk>
-Date: Sun, 3 Apr 2016 19:40:25 +0200
-Subject: [PATCH] GIF loader: Fix out-of-bound reads from colormap.
-
-Bug-Debian: http://bugs.debian.org/785369
-Note: removes all special-casing from the inner loop, optimize for common case.
-Author: Yuriy M. Kaminskiy <yumkam+debian at gmail.com>
-Reported-By: Jakub Wilk <jwilk at debian.org>
-
-Thanks to Bernhard U:belacker <bernhardu at vr-web.de> for analysis.
-
-Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
----
- src/modules/loaders/loader_gif.c | 31 +++++++++++++++++--------------
- 1 file changed, 17 insertions(+), 14 deletions(-)
-
-diff --git a/src/modules/loaders/loader_gif.c b/src/modules/loaders/loader_gif.c
-index 638df59..4f08d64 100644
---- a/src/modules/loaders/loader_gif.c
-+++ b/src/modules/loaders/loader_gif.c
-@@ -141,8 +141,24 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
- 
-    if (im->loader || immediate_load || progress)
-      {
-+        DATA32 colormap[256];
-+
-         bg = gif->SBackGroundColor;
-         cmap = (gif->Image.ColorMap ? gif->Image.ColorMap : gif->SColorMap);
-+        memset (colormap, 0, sizeof(colormap));
-+        if (cmap != NULL)
-+           {
-+              for (i = cmap->ColorCount > 256 ? 256 : cmap->ColorCount; i-- > 0;)
-+                 {
-+                    r = cmap->Colors[i].Red;
-+                    g = cmap->Colors[i].Green;
-+                    b = cmap->Colors[i].Blue;
-+                    colormap[i] = (0xff << 24) | (r << 16) | (g << 8) | b;
-+                 }
-+              /* if bg > cmap->ColorCount, it is transparent black already */
-+              if (transp >= 0 && transp < 256)
-+                 colormap[transp] = bg >= 0 && bg < 256 ? colormap[bg] & 0x00ffffff : 0x00000000;
-+           }
-         im->data = (DATA32 *) malloc(sizeof(DATA32) * w * h);
-         if (!im->data)
-            goto quit;
-@@ -161,20 +177,7 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
-           {
-              for (j = 0; j < w; j++)
-                {
--                  if (rows[i][j] == transp)
--                    {
--                       r = cmap->Colors[bg].Red;
--                       g = cmap->Colors[bg].Green;
--                       b = cmap->Colors[bg].Blue;
--                       *ptr++ = 0x00ffffff & ((r << 16) | (g << 8) | b);
--                    }
--                  else
--                    {
--                       r = cmap->Colors[rows[i][j]].Red;
--                       g = cmap->Colors[rows[i][j]].Green;
--                       b = cmap->Colors[rows[i][j]].Blue;
--                       *ptr++ = (0xff << 24) | (r << 16) | (g << 8) | b;
--                    }
-+                  *ptr++ = colormap[rows[i][j]];
-                   per += per_inc;
-                   if (progress && (((int)per) != last_per)
-                       && (((int)per) % progress_granularity == 0))
--- 
-2.7.3
-
diff --git a/package/imlib2/0002-fix-CVE-2011-5326.patch b/package/imlib2/0002-fix-CVE-2011-5326.patch
deleted file mode 100644
index ed9c9b2..0000000
--- a/package/imlib2/0002-fix-CVE-2011-5326.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From c94d83ccab15d5ef02f88d42dce38ed3f0892882 Mon Sep 17 00:00:00 2001
-From: Kim Woelders <kim at woelders.dk>
-Date: Wed, 6 Apr 2016 17:42:17 +0200
-Subject: [PATCH] Fix potential divide-by-zero in imlib_image_draw_ellipse().
-
-Attempting to draw a 2x1 ellipse with e.g. imlib_image_draw_ellipse(x, y, 2, 1)
-causes a divide-by-zero.
-It seems happy enough to draw 1x1, 1x2 and 2x2, but not 2x1.
-
-Patch by Simon Lees.
-
-https://bugs.debian.org/639414
-Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
----
- src/lib/ellipse.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/src/lib/ellipse.c b/src/lib/ellipse.c
-index cd90268..ddb410b 100644
---- a/src/lib/ellipse.c
-+++ b/src/lib/ellipse.c
-@@ -71,6 +71,9 @@ __imlib_Ellipse_DrawToData(int xc, int yc, int a, int b, DATA32 color,
-         if (IN_RANGE(rx, by, clw, clh))
-            pfunc(color, bp + len);
- 
-+        if (dx < 1)
-+           dx = 1;
-+
-         dy += b2;
-         yy -= ((dy << 16) / dx);
-         lx--;
-@@ -123,6 +126,9 @@ __imlib_Ellipse_DrawToData(int xc, int yc, int a, int b, DATA32 color,
-         if (IN_RANGE(rx, by, clw, clh))
-            pfunc(color, bp + len);
- 
-+        if (dy < 1)
-+           dy = 1;
-+
-         dx -= a2;
-         xx += ((dx << 16) / dy);
-         ty++;
-@@ -222,6 +228,9 @@ __imlib_Ellipse_DrawToData_AA(int xc, int yc, int a, int b, DATA32 color,
-         if (IN_RANGE(rx, by, clw, clh))
-            pfunc(col1, bp + len);
- 
-+        if (dx < 1)
-+           dx = 1;
-+
-         dy += b2;
-         yy -= ((dy << 16) / dx);
-         lx--;
-@@ -295,6 +304,9 @@ __imlib_Ellipse_DrawToData_AA(int xc, int yc, int a, int b, DATA32 color,
-         if (IN_RANGE(rx, by, clw, clh))
-            pfunc(col1, bp + len);
- 
-+        if (dy < 1)
-+           dy = 1;
-+
-         dx -= a2;
-         xx += ((dx << 16) / dy);
-         ty++;
-@@ -395,6 +407,9 @@ __imlib_Ellipse_FillToData(int xc, int yc, int a, int b, DATA32 color,
-         if (IN_RANGE(rx, by, clw, clh))
-            pfunc(color, bp + len);
- 
-+        if (dx < 1)
-+           dx = 1;
-+
-         dy += b2;
-         yy -= ((dy << 16) / dx);
-         lx--;
-@@ -453,6 +468,9 @@ __imlib_Ellipse_FillToData(int xc, int yc, int a, int b, DATA32 color,
-         if (((unsigned)by < (unsigned)clh) && (len > 0))
-            sfunc(color, bpp, len);
- 
-+        if (dy < 1)
-+           dy = 1;
-+
-         dx -= a2;
-         xx += ((dx << 16) / dy);
-         ty++;
-@@ -556,6 +574,9 @@ __imlib_Ellipse_FillToData_AA(int xc, int yc, int a, int b, DATA32 color,
-         if (IN_RANGE(rx, by, clw, clh))
-            pfunc(col1, bp + len);
- 
-+        if (dx < 1)
-+           dx = 1;
-+
-         dy += b2;
-         yy -= ((dy << 16) / dx);
-         lx--;
-@@ -629,6 +650,9 @@ __imlib_Ellipse_FillToData_AA(int xc, int yc, int a, int b, DATA32 color,
-         if (IN_RANGE(rx, by, clw, clh))
-            pfunc(col1, bp + len);
- 
-+        if (dy < 1)
-+           dy = 1;
-+
-         dx -= a2;
-         xx += ((dx << 16) / dy);
-         ty++;
--- 
-2.7.3
-
diff --git a/package/imlib2/imlib2.hash b/package/imlib2/imlib2.hash
index b5c2d38..6e1faaf 100644
--- a/package/imlib2/imlib2.hash
+++ b/package/imlib2/imlib2.hash
@@ -1,3 +1,3 @@
-# From https://sourceforge.net/projects/enlightenment/files/imlib2-src/1.4.8/
-md5	97cf1007b0339102974ce20c8f17c249	imlib2-1.4.8.tar.bz2
-sha1	09759f9cd0bb530a738032d06b29edf0038f2052	imlib2-1.4.8.tar.bz2
+# From https://sourceforge.net/projects/enlightenment/files/imlib2-src/1.4.9/
+md5	23ef8b49f2793bc63b16839a2062298b	imlib2-1.4.9.tar.bz2
+sha1	f389d67c337b604a365e620b0083b2d342dd724e	imlib2-1.4.9.tar.bz2
diff --git a/package/imlib2/imlib2.mk b/package/imlib2/imlib2.mk
index 92dcd6c..9781777 100644
--- a/package/imlib2/imlib2.mk
+++ b/package/imlib2/imlib2.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-IMLIB2_VERSION = 1.4.8
+IMLIB2_VERSION = 1.4.9
 IMLIB2_SOURCE = imlib2-$(IMLIB2_VERSION).tar.bz2
 IMLIB2_SITE = http://downloads.sourceforge.net/project/enlightenment/imlib2-src/$(IMLIB2_VERSION)
 IMLIB2_LICENSE = imlib2 license
-- 
2.7.3



More information about the buildroot mailing list