1 files changed, 223 insertions, 0 deletions
diff --git a/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_3.patch b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_3.patch
new file mode 100644
index 0000000000..dd67ab768d
--- /dev/null
+++ b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_3.patch
@@ -0,0 +1,223 @@
+From a51919f7e1ca9c535390a746fbf6e28c8402dc61 Mon Sep 17 00:00:00 2001
+From: Benjamin Otte <otte@redhat.com>
+Date: Wed, 7 Oct 2015 08:45:37 +0200
+Subject: [PATCH] rsvg: Add rsvg_acquire_node()
+This function does proper recursion checks when looking up resources
+from URLs and thereby helps avoiding infinite loops when cyclic
+references span multiple types of elements.
+Upstream-status: Backport
+https://git.gnome.org/browse/librsvg/commit/rsvg-styles.c?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61
+CVE: CVE-2015-7558
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ rsvg-base.c         | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++
+ rsvg-cairo-draw.c   | 15 +++++++++++----
+ rsvg-cairo-render.c |  1 +
+ rsvg-filter.c       |  9 +++++++--
+ rsvg-private.h      |  5 +++++
+ 5 files changed, 79 insertions(+), 6 deletions(-)
+Index: librsvg-2.40.10/rsvg-base.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-base.c
+++ librsvg-2.40.10/rsvg-base.c
+@@ -1236,6 +1236,8 @@ rsvg_drawing_ctx_free (RsvgDrawingCtx *
+        g_slist_free (handle->drawsub_stack);
+ 
+     g_slist_free (handle->ptrs);
+    g_warn_if_fail (handle->acquired_nodes == NULL);
+    g_slist_free (handle->acquired_nodes);
+        
+     if (handle->base_uri)
+         g_free (handle->base_uri);
+@@ -2018,6 +2020,59 @@ rsvg_push_discrete_layer (RsvgDrawingCtx
+     ctx->render->push_discrete_layer (ctx);
+ }
+ 
+/*
+ * rsvg_acquire_node:
+ * @ctx: The drawing context in use
+ * @url: The IRI to lookup
+ *
+ * Use this function when looking up urls to other nodes. This
+ * function does proper recursion checking and thereby avoids
+ * infinite loops.
+ *
+ * Nodes acquired by this function must be released using
+ * rsvg_release_node() in reverse acquiring order.
+ *
+ * Returns: The node referenced by @url or %NULL if the @url
+ *          does not reference a node.
+ */
+RsvgNode *
+rsvg_acquire_node (RsvgDrawingCtx * ctx, const char *url)
+{
+  RsvgNode *node;
+
+  node = rsvg_defs_lookup (ctx->defs, url);
+  if (node == NULL)
+    return NULL;
+
+  if (g_slist_find (ctx->acquired_nodes, node))
+    return NULL;
+
+  ctx->acquired_nodes = g_slist_prepend (ctx->acquired_nodes, node);
+
+  return node;
+}
+
+/*
+ * rsvg_release_node:
+ * @ctx: The drawing context the node was acquired from
+ * @node: Node to release
+ *
+ * Releases a node previously acquired via rsvg_acquire_node().
+ *
+ * if @node is %NULL, this function does nothing.
+ */
+void
+rsvg_release_node (RsvgDrawingCtx * ctx, RsvgNode *node)
+{
+  if (node == NULL)
+    return;
+
+  g_return_if_fail (ctx->acquired_nodes != NULL);
+  g_return_if_fail (ctx->acquired_nodes->data == node);
+
+  ctx->acquired_nodes = g_slist_remove (ctx->acquired_nodes, node);
+}
+
+ void
+ rsvg_render_path (RsvgDrawingCtx * ctx, const cairo_path_t *path)
+ {
+Index: librsvg-2.40.10/rsvg-cairo-draw.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-cairo-draw.c
+++ librsvg-2.40.10/rsvg-cairo-draw.c
+@@ -721,7 +721,7 @@ rsvg_cairo_push_render_stack (RsvgDrawin
+ 
+     if (rsvg_current_state (ctx)->clip_path) {
+         RsvgNode *node;
+-        node = rsvg_defs_lookup (ctx->defs, rsvg_current_state (ctx)->clip_path);
+        node = rsvg_acquire_node (ctx, rsvg_current_state (ctx)->clip_path);
+         if (node && RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_CLIP_PATH) {
+             RsvgClipPath *clip_path = (RsvgClipPath *) node;
+ 
+@@ -739,6 +739,8 @@ rsvg_cairo_push_render_stack (RsvgDrawin
+             }
+ 
+         }
+        
+        rsvg_release_node (ctx, node);
+     }
+ 
+     if (state->opacity == 0xFF
+@@ -798,10 +800,12 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
+ 
+     if (rsvg_current_state (ctx)->clip_path) {
+         RsvgNode *node;
+-        node = rsvg_defs_lookup (ctx->defs, rsvg_current_state (ctx)->clip_path);
+        node = rsvg_acquire_node (ctx, rsvg_current_state (ctx)->clip_path);
+         if (node && RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_CLIP_PATH
+             && ((RsvgClipPath *) node)->units == objectBoundingBox)
+             lateclip = (RsvgClipPath *) node;
+        else
+            rsvg_release_node (ctx, node);
+     }
+ 
+     if (state->opacity == 0xFF
+@@ -831,17 +835,20 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
+                               nest ? 0 : render->offset_x,
+                               nest ? 0 : render->offset_y);
+ 
+-    if (lateclip)
+    if (lateclip) {
+         rsvg_cairo_clip (ctx, lateclip, &render->bbox);
+        rsvg_release_node (ctx, (RsvgNode *) lateclip);
+    }
+ 
+     cairo_set_operator (render->cr, state->comp_op);
+ 
+     if (state->mask) {
+         RsvgNode *mask;
+ 
+-        mask = rsvg_defs_lookup (ctx->defs, state->mask);
+        mask = rsvg_acquire_node (ctx, state->mask);
+         if (mask && RSVG_NODE_TYPE (mask) == RSVG_NODE_TYPE_MASK)
+           rsvg_cairo_generate_mask (render->cr, (RsvgMask *) mask, ctx, &render->bbox);
+        rsvg_release_node (ctx, mask);
+     } else if (state->opacity != 0xFF)
+         cairo_paint_with_alpha (render->cr, (double) state->opacity / 255.0);
+     else
+Index: librsvg-2.40.10/rsvg-cairo-render.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-cairo-render.c
+++ librsvg-2.40.10/rsvg-cairo-render.c
+@@ -155,6 +155,7 @@ rsvg_cairo_new_drawing_ctx (cairo_t * cr
+     draw->pango_context = NULL;
+     draw->drawsub_stack = NULL;
+     draw->ptrs = NULL;
+    draw->acquired_nodes = NULL;
+ 
+     rsvg_state_push (draw);
+     state = rsvg_current_state (draw);
+Index: librsvg-2.40.10/rsvg-filter.c
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-filter.c
+++ librsvg-2.40.10/rsvg-filter.c
+@@ -3921,6 +3921,7 @@ rsvg_filter_primitive_image_render_in (R
+     RsvgDrawingCtx *ctx;
+     RsvgFilterPrimitiveImage *upself;
+     RsvgNode *drawable;
+    cairo_surface_t *result;
+ 
+     ctx = context->ctx;
+ 
+@@ -3929,13 +3930,17 @@ rsvg_filter_primitive_image_render_in (R
+     if (!upself->href)
+         return NULL;
+ 
+-    drawable = rsvg_defs_lookup (ctx->defs, upself->href->str);
+    drawable = rsvg_acquire_node (ctx, upself->href->str);
+     if (!drawable)
+         return NULL;
+ 
+     rsvg_current_state (ctx)->affine = context->paffine;
+ 
+-    return rsvg_get_surface_of_node (ctx, drawable, context->width, context->height);
+    result = rsvg_get_surface_of_node (ctx, drawable, context->width, context->height);
+
+    rsvg_release_node (ctx, drawable);
+
+    return result;
+ }
+ 
+ static cairo_surface_t *
+Index: librsvg-2.40.10/rsvg-private.h
+===================================================================
+--- librsvg-2.40.10.orig/rsvg-private.h
+++ librsvg-2.40.10/rsvg-private.h
+@@ -200,6 +200,7 @@ struct RsvgDrawingCtx {
+     GSList *vb_stack;
+     GSList *drawsub_stack;
+     GSList *ptrs;
+    GSList *acquired_nodes;
+ };
+ 
+ /*Abstract base class for context for our backends (one as yet)*/
+@@ -360,6 +361,10 @@ void rsvg_pop_discrete_layer    (RsvgDra
+ G_GNUC_INTERNAL
+ void rsvg_push_discrete_layer   (RsvgDrawingCtx * ctx);
+ G_GNUC_INTERNAL
+RsvgNode *rsvg_acquire_node     (RsvgDrawingCtx * ctx, const char *url);
+G_GNUC_INTERNAL
+void rsvg_release_node          (RsvgDrawingCtx * ctx, RsvgNode *node);
+G_GNUC_INTERNAL
+ void rsvg_render_path           (RsvgDrawingCtx * ctx, const cairo_path_t *path);
+ G_GNUC_INTERNAL
+ void rsvg_render_surface        (RsvgDrawingCtx * ctx, cairo_surface_t *surface,

diff --git a/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_3.patch b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_3.patch new file mode 100644 index 0000000000..dd67ab768d --- /dev/null +++ b/meta/recipes-gnome/librsvg/librsvg/CVE-2015-7558_3.patch
@@ -0,0 +1,223 @@
	1	From a51919f7e1ca9c535390a746fbf6e28c8402dc61 Mon Sep 17 00:00:00 2001
	2	From: Benjamin Otte <otte@redhat.com>
	3	Date: Wed, 7 Oct 2015 08:45:37 +0200
	4	Subject: [PATCH] rsvg: Add rsvg_acquire_node()
	5
	6	This function does proper recursion checks when looking up resources
	7	from URLs and thereby helps avoiding infinite loops when cyclic
	8	references span multiple types of elements.
	9
	10	Upstream-status: Backport
	11
	12	https://git.gnome.org/browse/librsvg/commit/rsvg-styles.c?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61
	13
	14	CVE: CVE-2015-7558
	15	Signed-off-by: Armin Kuster <akuster@mvista.com>
	16
	17	---
	18	rsvg-base.c \| 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++
	19	rsvg-cairo-draw.c \| 15 +++++++++++----
	20	rsvg-cairo-render.c \| 1 +
	21	rsvg-filter.c \| 9 +++++++--
	22	rsvg-private.h \| 5 +++++
	23	5 files changed, 79 insertions(+), 6 deletions(-)
	24
	25	Index: librsvg-2.40.10/rsvg-base.c
	26	===================================================================
	27	--- librsvg-2.40.10.orig/rsvg-base.c
	28	+++ librsvg-2.40.10/rsvg-base.c
	29	@@ -1236,6 +1236,8 @@ rsvg_drawing_ctx_free (RsvgDrawingCtx *
	30	g_slist_free (handle->drawsub_stack);
	31
	32	g_slist_free (handle->ptrs);
	33	+ g_warn_if_fail (handle->acquired_nodes == NULL);
	34	+ g_slist_free (handle->acquired_nodes);
	35
	36	if (handle->base_uri)
	37	g_free (handle->base_uri);
	38	@@ -2018,6 +2020,59 @@ rsvg_push_discrete_layer (RsvgDrawingCtx
	39	ctx->render->push_discrete_layer (ctx);
	40	}
	41
	42	+/*
	43	+ * rsvg_acquire_node:
	44	+ * @ctx: The drawing context in use
	45	+ * @url: The IRI to lookup
	46	+ *
	47	+ * Use this function when looking up urls to other nodes. This
	48	+ * function does proper recursion checking and thereby avoids
	49	+ * infinite loops.
	50	+ *
	51	+ * Nodes acquired by this function must be released using
	52	+ * rsvg_release_node() in reverse acquiring order.
	53	+ *
	54	+ * Returns: The node referenced by @url or %NULL if the @url
	55	+ * does not reference a node.
	56	+ */
	57	+RsvgNode *
	58	+rsvg_acquire_node (RsvgDrawingCtx * ctx, const char *url)
	59	+{
	60	+ RsvgNode *node;
	61	+
	62	+ node = rsvg_defs_lookup (ctx->defs, url);
	63	+ if (node == NULL)
	64	+ return NULL;
	65	+
	66	+ if (g_slist_find (ctx->acquired_nodes, node))
	67	+ return NULL;
	68	+
	69	+ ctx->acquired_nodes = g_slist_prepend (ctx->acquired_nodes, node);
	70	+
	71	+ return node;
	72	+}
	73	+
	74	+/*
	75	+ * rsvg_release_node:
	76	+ * @ctx: The drawing context the node was acquired from
	77	+ * @node: Node to release
	78	+ *
	79	+ * Releases a node previously acquired via rsvg_acquire_node().
	80	+ *
	81	+ * if @node is %NULL, this function does nothing.
	82	+ */
	83	+void
	84	+rsvg_release_node (RsvgDrawingCtx * ctx, RsvgNode *node)
	85	+{
	86	+ if (node == NULL)
	87	+ return;
	88	+
	89	+ g_return_if_fail (ctx->acquired_nodes != NULL);
	90	+ g_return_if_fail (ctx->acquired_nodes->data == node);
	91	+
	92	+ ctx->acquired_nodes = g_slist_remove (ctx->acquired_nodes, node);
	93	+}
	94	+
	95	void
	96	rsvg_render_path (RsvgDrawingCtx * ctx, const cairo_path_t *path)
	97	{
	98	Index: librsvg-2.40.10/rsvg-cairo-draw.c
	99	===================================================================
	100	--- librsvg-2.40.10.orig/rsvg-cairo-draw.c
	101	+++ librsvg-2.40.10/rsvg-cairo-draw.c
	102	@@ -721,7 +721,7 @@ rsvg_cairo_push_render_stack (RsvgDrawin
	103
	104	if (rsvg_current_state (ctx)->clip_path) {
	105	RsvgNode *node;
	106	- node = rsvg_defs_lookup (ctx->defs, rsvg_current_state (ctx)->clip_path);
	107	+ node = rsvg_acquire_node (ctx, rsvg_current_state (ctx)->clip_path);
	108	if (node && RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_CLIP_PATH) {
	109	RsvgClipPath clip_path = (RsvgClipPath ) node;
	110
	111	@@ -739,6 +739,8 @@ rsvg_cairo_push_render_stack (RsvgDrawin
	112	}
	113
	114	}
	115	+
	116	+ rsvg_release_node (ctx, node);
	117	}
	118
	119	if (state->opacity == 0xFF
	120	@@ -798,10 +800,12 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
	121
	122	if (rsvg_current_state (ctx)->clip_path) {
	123	RsvgNode *node;
	124	- node = rsvg_defs_lookup (ctx->defs, rsvg_current_state (ctx)->clip_path);
	125	+ node = rsvg_acquire_node (ctx, rsvg_current_state (ctx)->clip_path);
	126	if (node && RSVG_NODE_TYPE (node) == RSVG_NODE_TYPE_CLIP_PATH
	127	&& ((RsvgClipPath *) node)->units == objectBoundingBox)
	128	lateclip = (RsvgClipPath *) node;
	129	+ else
	130	+ rsvg_release_node (ctx, node);
	131	}
	132
	133	if (state->opacity == 0xFF
	134	@@ -831,17 +835,20 @@ rsvg_cairo_pop_render_stack (RsvgDrawing
	135	nest ? 0 : render->offset_x,
	136	nest ? 0 : render->offset_y);
	137
	138	- if (lateclip)
	139	+ if (lateclip) {
	140	rsvg_cairo_clip (ctx, lateclip, &render->bbox);
	141	+ rsvg_release_node (ctx, (RsvgNode *) lateclip);
	142	+ }
	143
	144	cairo_set_operator (render->cr, state->comp_op);
	145
	146	if (state->mask) {
	147	RsvgNode *mask;
	148
	149	- mask = rsvg_defs_lookup (ctx->defs, state->mask);
	150	+ mask = rsvg_acquire_node (ctx, state->mask);
	151	if (mask && RSVG_NODE_TYPE (mask) == RSVG_NODE_TYPE_MASK)
	152	rsvg_cairo_generate_mask (render->cr, (RsvgMask *) mask, ctx, &render->bbox);
	153	+ rsvg_release_node (ctx, mask);
	154	} else if (state->opacity != 0xFF)
	155	cairo_paint_with_alpha (render->cr, (double) state->opacity / 255.0);
	156	else
	157	Index: librsvg-2.40.10/rsvg-cairo-render.c
	158	===================================================================
	159	--- librsvg-2.40.10.orig/rsvg-cairo-render.c
	160	+++ librsvg-2.40.10/rsvg-cairo-render.c
	161	@@ -155,6 +155,7 @@ rsvg_cairo_new_drawing_ctx (cairo_t * cr
	162	draw->pango_context = NULL;
	163	draw->drawsub_stack = NULL;
	164	draw->ptrs = NULL;
	165	+ draw->acquired_nodes = NULL;
	166
	167	rsvg_state_push (draw);
	168	state = rsvg_current_state (draw);
	169	Index: librsvg-2.40.10/rsvg-filter.c
	170	===================================================================
	171	--- librsvg-2.40.10.orig/rsvg-filter.c
	172	+++ librsvg-2.40.10/rsvg-filter.c
	173	@@ -3921,6 +3921,7 @@ rsvg_filter_primitive_image_render_in (R
	174	RsvgDrawingCtx *ctx;
	175	RsvgFilterPrimitiveImage *upself;
	176	RsvgNode *drawable;
	177	+ cairo_surface_t *result;
	178
	179	ctx = context->ctx;
	180
	181	@@ -3929,13 +3930,17 @@ rsvg_filter_primitive_image_render_in (R
	182	if (!upself->href)
	183	return NULL;
	184
	185	- drawable = rsvg_defs_lookup (ctx->defs, upself->href->str);
	186	+ drawable = rsvg_acquire_node (ctx, upself->href->str);
	187	if (!drawable)
	188	return NULL;
	189
	190	rsvg_current_state (ctx)->affine = context->paffine;
	191
	192	- return rsvg_get_surface_of_node (ctx, drawable, context->width, context->height);
	193	+ result = rsvg_get_surface_of_node (ctx, drawable, context->width, context->height);
	194	+
	195	+ rsvg_release_node (ctx, drawable);
	196	+
	197	+ return result;
	198	}
	199
	200	static cairo_surface_t *
	201	Index: librsvg-2.40.10/rsvg-private.h
	202	===================================================================
	203	--- librsvg-2.40.10.orig/rsvg-private.h
	204	+++ librsvg-2.40.10/rsvg-private.h
	205	@@ -200,6 +200,7 @@ struct RsvgDrawingCtx {
	206	GSList *vb_stack;
	207	GSList *drawsub_stack;
	208	GSList *ptrs;
	209	+ GSList *acquired_nodes;
	210	};
	211
	212	/Abstract base class for context for our backends (one as yet)/
	213	@@ -360,6 +361,10 @@ void rsvg_pop_discrete_layer (RsvgDra
	214	G_GNUC_INTERNAL
	215	void rsvg_push_discrete_layer (RsvgDrawingCtx * ctx);
	216	G_GNUC_INTERNAL
	217	+RsvgNode rsvg_acquire_node (RsvgDrawingCtx ctx, const char *url);
	218	+G_GNUC_INTERNAL
	219	+void rsvg_release_node (RsvgDrawingCtx * ctx, RsvgNode *node);
	220	+G_GNUC_INTERNAL
	221	void rsvg_render_path (RsvgDrawingCtx * ctx, const cairo_path_t *path);
	222	G_GNUC_INTERNAL
	223	void rsvg_render_surface (RsvgDrawingCtx * ctx, cairo_surface_t *surface,