1 files changed, 109 insertions, 0 deletions
diff --git a/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2017-6311.patch b/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2017-6311.patch
new file mode 100644
index 0000000..25d55ad
--- /dev/null
+++ b/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2017-6311.patch
@@ -0,0 +1,109 @@
+From 725afb9a926553b664a1cb1270d38de133f659e1 Mon Sep 17 00:00:00 2001
+From: Andreas Wellving <andreas.wellving@enea.com>
+Date: Mon, 22 Oct 2018 12:21:56 +0200
+Subject: [PATCH] ico: Return an error when the ICO didn't load
+If we don't even read enough data to fill the header, return an
+error. This doesn't cover everything that could go wrong with
+the ICO incremental loader, but this is a good first throw.
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/commit/7586553]
+thumbnailer: Update skeleton to fix a possible crash
+If the loader returns a NULL pixbuf without returning an
+error, the skeleton would crash trying to print the error.
+Print that the thumbnailer is broken instead.
+https://bugzilla.gnome.org/show_bug.cgi?id=778204
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/commit/57362ed]
+CVE: CVE-2017-6311
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ gdk-pixbuf/io-ico.c                      | 11 ++++++++++-
+ thumbnailer/gnome-thumbnailer-skeleton.c | 14 ++++++++++++--
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+diff --git a/gdk-pixbuf/io-ico.c b/gdk-pixbuf/io-ico.c
+index 2b0441f..68295a3 100644
+--- a/gdk-pixbuf/io-ico.c
+++ b/gdk-pixbuf/io-ico.c
+@@ -605,6 +605,7 @@ gdk_pixbuf__ico_image_stop_load(gpointer data,
+ {
+        struct ico_progressive_state *context =
+            (struct ico_progressive_state *) data;
+       gboolean ret = TRUE;
+ 
+         /* FIXME this thing needs to report errors if
+          * we have unused image data
+@@ -612,8 +613,16 @@ gdk_pixbuf__ico_image_stop_load(gpointer data,
+ 
+        g_return_val_if_fail(context != NULL, TRUE);
+ 
+       if (context->HeaderDone < context->HeaderSize) {
+               g_set_error_literal (error,
+                                    GDK_PIXBUF_ERROR,
+                                    GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+                                    _("ICO image was truncated or incomplete."));
+               ret = FALSE;
+       }
+
+        context_free (context);
+-        return TRUE;
+        return ret;
+ }
+ 
+ static void
+diff --git a/thumbnailer/gnome-thumbnailer-skeleton.c b/thumbnailer/gnome-thumbnailer-skeleton.c
+index d686432..73da53e 100644
+--- a/thumbnailer/gnome-thumbnailer-skeleton.c
+++ b/thumbnailer/gnome-thumbnailer-skeleton.c
+@@ -37,6 +37,7 @@ static int output_size = 256;
+ static gboolean g_fatal_warnings = FALSE;
+ static char **filenames = NULL;
+ 
+#if !GDK_PIXBUF_CHECK_VERSION(2,36,5)
+ /**
+  * gnome_desktop_thumbnail_scale_down_pixbuf:
+  * @pixbuf: a #GdkPixbuf
+@@ -178,6 +179,7 @@ gnome_desktop_thumbnail_scale_down_pixbuf (GdkPixbuf *pixbuf,
+        
+        return dest_pixbuf;
+ }
+#endif
+ 
+ static char *
+ get_target_uri (GFile *file)
+@@ -291,9 +293,16 @@ int main (int argc, char **argv)
+ 
+                        scale = (double)output_size / MAX (width, height);
+ 
+#if !GDK_PIXBUF_CHECK_VERSION(2,36,5)
+                        scaled = gnome_desktop_thumbnail_scale_down_pixbuf (pixbuf,
+                                                                            floor (width * scale + 0.5),
+                                                                            floor (height * scale + 0.5));
+#else
+                       scaled = gdk_pixbuf_scale_simple (pixbuf,
+                                                         floor (width * scale + 0.5),
+                                                         floor (height * scale + 0.5),
+                                                         GDK_INTERP_HYPER);
+#endif
+                        gdk_pixbuf_copy_options (pixbuf, scaled);
+                        g_object_unref (pixbuf);
+                        pixbuf = scaled;
+@@ -316,8 +325,9 @@ int main (int argc, char **argv)
+        g_free (input_filename);
+ 
+        if (!pixbuf) {
+-               g_warning ("Could not thumbnail '%s': %s", filenames[0], error->message);
+-               g_error_free (error);
+               g_warning ("Could not thumbnail '%s': %s", filenames[0],
+                          error ? error->message : "Thumbnailer failed without returning an error");
+               g_clear_error (&error);
+                g_strfreev (filenames);
+                return 1;
+        }

diff --git a/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2017-6311.patch b/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2017-6311.patch new file mode 100644 index 0000000..25d55ad --- /dev/null +++ b/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2017-6311.patch
@@ -0,0 +1,109 @@
	1	From 725afb9a926553b664a1cb1270d38de133f659e1 Mon Sep 17 00:00:00 2001
	2	From: Andreas Wellving <andreas.wellving@enea.com>
	3	Date: Mon, 22 Oct 2018 12:21:56 +0200
	4	Subject: [PATCH] ico: Return an error when the ICO didn't load
	5
	6	If we don't even read enough data to fill the header, return an
	7	error. This doesn't cover everything that could go wrong with
	8	the ICO incremental loader, but this is a good first throw.
	9
	10	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/commit/7586553]
	11
	12	thumbnailer: Update skeleton to fix a possible crash
	13
	14	If the loader returns a NULL pixbuf without returning an
	15	error, the skeleton would crash trying to print the error.
	16	Print that the thumbnailer is broken instead.
	17
	18	https://bugzilla.gnome.org/show_bug.cgi?id=778204
	19
	20	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/commit/57362ed]
	21
	22	CVE: CVE-2017-6311
	23	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	24	---
	25	gdk-pixbuf/io-ico.c \| 11 ++++++++++-
	26	thumbnailer/gnome-thumbnailer-skeleton.c \| 14 ++++++++++++--
	27	2 files changed, 22 insertions(+), 3 deletions(-)
	28
	29	diff --git a/gdk-pixbuf/io-ico.c b/gdk-pixbuf/io-ico.c
	30	index 2b0441f..68295a3 100644
	31	--- a/gdk-pixbuf/io-ico.c
	32	+++ b/gdk-pixbuf/io-ico.c
	33	@@ -605,6 +605,7 @@ gdk_pixbuf__ico_image_stop_load(gpointer data,
	34	{
	35	struct ico_progressive_state *context =
	36	(struct ico_progressive_state *) data;
	37	+ gboolean ret = TRUE;
	38
	39	/* FIXME this thing needs to report errors if
	40	* we have unused image data
	41	@@ -612,8 +613,16 @@ gdk_pixbuf__ico_image_stop_load(gpointer data,
	42
	43	g_return_val_if_fail(context != NULL, TRUE);
	44
	45	+ if (context->HeaderDone < context->HeaderSize) {
	46	+ g_set_error_literal (error,
	47	+ GDK_PIXBUF_ERROR,
	48	+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
	49	+ _("ICO image was truncated or incomplete."));
	50	+ ret = FALSE;
	51	+ }
	52	+
	53	context_free (context);
	54	- return TRUE;
	55	+ return ret;
	56	}
	57
	58	static void
	59	diff --git a/thumbnailer/gnome-thumbnailer-skeleton.c b/thumbnailer/gnome-thumbnailer-skeleton.c
	60	index d686432..73da53e 100644
	61	--- a/thumbnailer/gnome-thumbnailer-skeleton.c
	62	+++ b/thumbnailer/gnome-thumbnailer-skeleton.c
	63	@@ -37,6 +37,7 @@ static int output_size = 256;
	64	static gboolean g_fatal_warnings = FALSE;
	65	static char **filenames = NULL;
	66
	67	+#if !GDK_PIXBUF_CHECK_VERSION(2,36,5)
	68	/**
	69	* gnome_desktop_thumbnail_scale_down_pixbuf:
	70	* @pixbuf: a #GdkPixbuf
	71	@@ -178,6 +179,7 @@ gnome_desktop_thumbnail_scale_down_pixbuf (GdkPixbuf *pixbuf,
	72
	73	return dest_pixbuf;
	74	}
	75	+#endif
	76
	77	static char *
	78	get_target_uri (GFile *file)
	79	@@ -291,9 +293,16 @@ int main (int argc, char **argv)
	80
	81	scale = (double)output_size / MAX (width, height);
	82
	83	+#if !GDK_PIXBUF_CHECK_VERSION(2,36,5)
	84	scaled = gnome_desktop_thumbnail_scale_down_pixbuf (pixbuf,
	85	floor (width * scale + 0.5),
	86	floor (height * scale + 0.5));
	87	+#else
	88	+ scaled = gdk_pixbuf_scale_simple (pixbuf,
	89	+ floor (width * scale + 0.5),
	90	+ floor (height * scale + 0.5),
	91	+ GDK_INTERP_HYPER);
	92	+#endif
	93	gdk_pixbuf_copy_options (pixbuf, scaled);
	94	g_object_unref (pixbuf);
	95	pixbuf = scaled;
	96	@@ -316,8 +325,9 @@ int main (int argc, char **argv)
	97	g_free (input_filename);
	98
	99	if (!pixbuf) {
	100	- g_warning ("Could not thumbnail '%s': %s", filenames[0], error->message);
	101	- g_error_free (error);
	102	+ g_warning ("Could not thumbnail '%s': %s", filenames[0],
	103	+ error ? error->message : "Thumbnailer failed without returning an error");
	104	+ g_clear_error (&error);
	105	g_strfreev (filenames);
	106	return 1;
	107	}
	108
	109