From 1f2c39ba610d5441eb5ec135f2fcdfa2512082df Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 21 2019 20:00:37 +0000
Subject: import advancecomp-1.15-22.el7
---
diff --git a/.advancecomp.metadata b/.advancecomp.metadata
new file mode 100644
index 0000000..72a9b5b
--- /dev/null
+++ b/.advancecomp.metadata
@@ -0,0 +1 @@
+74fed754841efadcb8dd156d2c5e095bfaff83e6 SOURCES/advancecomp-1.15.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..de35f67
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/advancecomp-1.15.tar.gz
diff --git a/SOURCES/advancecomp-1.15-CVE-2019-8379.patch b/SOURCES/advancecomp-1.15-CVE-2019-8379.patch
new file mode 100644
index 0000000..5bb32a7
--- /dev/null
+++ b/SOURCES/advancecomp-1.15-CVE-2019-8379.patch
@@ -0,0 +1,85 @@
+commit 7894a6e684ce68ddff9f4f4919ab8e3911ac8040
+Author: Andrea Mazzoleni
+Date: Fri Jan 4 20:49:48 2019 +0100
+
+ Fix a buffer overflow caused by invalid chunks
+
+diff --git a/pngex.cc b/pngex.cc
+index 55d16f5..3f5b49f 100644
+--- a/pngex.cc
++++ b/pngex.cc
+@@ -163,6 +163,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+
+ switch (type) {
+ case ADV_MNG_CN_MHDR :
++ if (size < 28) {
++ cout << " invalid chunk size";
++ break;
++ }
+ cout << " width:" << be_uint32_read(data+0) << " height:" << be_uint32_read(data+4) << " frequency:" << be_uint32_read(data+8);
+ cout << " simplicity:" << be_uint32_read(data+24);
+ cout << "(bit";
+@@ -174,6 +178,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ cout << ")";
+ break;
+ case ADV_MNG_CN_DHDR :
++ if (size < 4) {
++ cout << " invalid chunk size";
++ break;
++ }
+ cout << " id:" << be_uint16_read(data+0);
+ switch (data[2]) {
+ case 0 : cout << " img:unspecified"; break;
+@@ -243,6 +251,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ }
+ break;
+ case ADV_MNG_CN_DEFI :
++ if (size < 2) {
++ cout << " invalid chunk size";
++ break;
++ }
+ cout << " id:" << be_uint16_read(data+0);
+ if (size >= 3) {
+ switch (data[2]) {
+@@ -266,6 +278,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ }
+ break;
+ case ADV_MNG_CN_MOVE :
++ if (size < 13) {
++ cout << " invalid chunk size";
++ break;
++ }
+ cout << " id_from:" << be_uint16_read(data+0) << " id_to:" << be_uint16_read(data+2);
+ switch (data[4]) {
+ case 0 : cout << " type:replace"; break;
+@@ -275,6 +291,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ cout << " x:" << (int)be_uint32_read(data + 5) << " y:" << (int)be_uint32_read(data + 9);
+ break;
+ case ADV_MNG_CN_PPLT :
++ if (size < 1) {
++ cout << " invalid chunk size";
++ break;
++ }
+ switch (data[0]) {
+ case 0 : cout << " type:replacement_rgb"; break;
+ case 1 : cout << " type:delta_rgb"; break;
+@@ -285,7 +305,7 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ default : cout << " type:?"; break;
+ }
+ i = 1;
+- while (i
+Date: Fri Jan 4 20:49:25 2019 +0100
+
+ Fix a buffer overflow caused by invalid images
+
+diff --git a/lib/png.c b/lib/png.c
+index 0939a5a..cbf140b 100644
+--- a/lib/png.c
++++ b/lib/png.c
+@@ -603,6 +603,7 @@ adv_error adv_png_read_ihdr(
+ unsigned pixel;
+ unsigned width;
+ unsigned width_align;
++ unsigned scanline;
+ unsigned height;
+ unsigned depth;
+ int r;
+@@ -719,9 +720,23 @@ adv_error adv_png_read_ihdr(
+ goto err_ptr;
+ }
+
+- *dat_size = height * (width_align * pixel + 1);
++ /* check for overflow */
++ if (pixel == 0 || width_align >= UINT_MAX / pixel) {
++ error_set("Invalid image size");
++ goto err_ptr;
++ }
++
++ scanline = width_align * pixel + 1;
++
++ /* check for overflow */
++ if (scanline == 0 || height >= UINT_MAX / scanline) {
++ error_set("Invalid image size");
++ goto err_ptr;
++ }
++
++ *dat_size = height * scanline;
+ *dat_ptr = malloc(*dat_size);
+- *pix_scanline = width_align * pixel + 1;
++ *pix_scanline = scanline;
+ *pix_ptr = *dat_ptr + 1;
+
+ z.zalloc = 0;
+diff -up advancecomp-1.15/portable.h.me advancecomp-1.15/portable.h
+--- advancecomp-1.15/portable.h.me 2019-05-17 15:15:08.109528451 +0200
++++ advancecomp-1.15/portable.h 2019-05-17 15:15:38.318620937 +0200
+@@ -39,6 +39,7 @@ extern "C" {
+ #include
+ #include
+ #include
++#include
+
+ #if HAVE_UNISTD_H
+ #include
diff --git a/SOURCES/advancecomp-1.15-CVE-2019-9210-integer-overflow-in-png_compress.patch b/SOURCES/advancecomp-1.15-CVE-2019-9210-integer-overflow-in-png_compress.patch
new file mode 100644
index 0000000..6ac6439
--- /dev/null
+++ b/SOURCES/advancecomp-1.15-CVE-2019-9210-integer-overflow-in-png_compress.patch
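Review bot: The size guards added to png_print_chunk in the CVE-2019-8379 patch use bare literals (28, 4, 2, 13, 1) without saying which read each one protects, which makes the bounds hard to audit. In the visible lines 28 matches the 4-byte read at `data+24` in the ADV_MNG_CN_MHDR case and 13 matches the 4-byte read at `data + 9` in ADV_MNG_CN_MOVE, but for ADV_MNG_CN_DHDR the visible reads stop at `data[2]`, so the choice of 4 depends on code after the hunk. A one-line comment above each guard, for example `/* last read: 4 bytes at offset 24 */` before `if (size < 28)`, would record the reasoning. The function and the rest of its switch lie outside these hunks, so whether every other chunk type is guarded the same way cannot be confirmed here, and the final change to the PPLT loop is cut off on this page.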
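Review bot: The return value of `malloc(*dat_size)` in adv_png_read_ihdr (lib/png.c hunk of the CVE-2019-8383 patch) is still not checked before `*pix_ptr = *dat_ptr + 1;` and the code that follows, so an allocation failure leaves a pointer derived from NULL in the output parameters. The new checks only reject sizes that wrap; a size just below UINT_MAX still passes and is handed to the allocator, where failure is plausible. A guard directly after the malloc, such as `if (*dat_ptr == NULL) { error_set("Low memory"); goto err_ptr; }`, would handle it; the message text is only a suggestion, and err_ptr is assumed to be the right cleanup label because the checks just above use it. The function starts and ends outside the hunk.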
@@ -0,0 +1,15 @@
+diff -up advancecomp-1.15/lib/png.c.me advancecomp-1.15/lib/png.c
+--- advancecomp-1.15/lib/png.c.me 2019-06-11 13:17:33.265490986 +0200
++++ advancecomp-1.15/lib/png.c 2019-06-11 13:21:50.655818111 +0200
+@@ -656,6 +656,11 @@ adv_error adv_png_read_ihdr(
+ }
+ *pix_pixel = pixel;
+
++ if (width_align < width) {
++ error_unsupported_set("Invalid image size");
++ goto err;
++ }
++
+ if (data[10] != 0) { /* compression */
+ error_unsupported_set("Unsupported compression, %d instead of 0", (unsigned)data[10]);
+ goto err;
diff --git a/SPECS/advancecomp.spec b/SPECS/advancecomp.spec
new file mode 100644
index 0000000..3068853
--- /dev/null
+++ b/SPECS/advancecomp.spec
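Review bot: The added `width_align < width` check reports through `error_unsupported_set`, while the overflow checks that the CVE-2019-8383 patch adds to the same function use `error_set` with the identical "Invalid image size" text. If callers handle "unsupported" differently from a hard error (not visible here), a malformed image would be classified as merely unsupported; `error_set("Invalid image size");` would keep the two paths consistent. The check also has no comment saying that it detects wrap-around, so something like `/* width_align is derived from width; a smaller value means the computation wrapped */` would help, with the wording verified against the width_align computation, which is above the hunk. The function begins and ends outside the hunk.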
@@ -0,0 +1,149 @@
+Summary: Recompression utilities for .PNG, .MNG and .ZIP files
+Name: advancecomp
+Version: 1.15
+Release: 22%{?dist}
+License: GPLv2+
+Group: Applications/Emulators
+URL: http://advancemame.sourceforge.net/
+Source: http://downloads.sf.net/advancemame/advancecomp-%{version}.tar.gz
+Patch0: advancecomp-1.15-CVE-2019-8379.patch
+Patch1: advancecomp-1.15-CVE-2019-8383.patch
+Patch2: advancecomp-1.15-CVE-2019-9210-integer-overflow-in-png_compress.patch
+BuildRequires: zlib-devel
+
+%description
+AdvanceCOMP is a set of recompression utilities for .PNG, .MNG and .ZIP files.
+The main features are :
+* Recompress ZIP, PNG and MNG files using the Deflate 7-Zip implementation.
+* Recompress MNG files using Delta and Move optimization.
+
+
+%prep
+%setup -q
+%patch0 -p1 -b .CVE-2019-8379
+%patch1 -p1 -b .CVE-2019-8383
+%patch2 -p1 -b .CVE-2019-9210-integer-overflow-in-png_compress
+
+%build
+%configure
+make %{?_smp_mflags}
+
+
+%install
+make install DESTDIR=%{buildroot}
+
+
+%files
+%defattr(-,root,root,-)
+%doc AUTHORS COPYING HISTORY README
+%{_bindir}/*
+%{_mandir}/man1/*
+
+
+%changelog
+* Mon Jul 29 2019 Than Ngo - 1.15-22
+- Resolves: #1686115, integer overflow in png_compress
+
+* Fri May 17 2019 Than Ngo - 1.15-21
+- Resolves: #1711051, CVE-2019-8383 denial of service
+- Resolves: #1710910, CVE-2019-8379 null pointer dereference
+
+* Wed Jan 29 2014 Daniel Mach - 1.15-20
+- Mass rebuild 2014-01-24
+
+* Fri Dec 27 2013 Daniel Mach - 1.15-19
+- Mass rebuild 2013-12-27
+
+* Wed Feb 13 2013 Fedora Release Engineering - 1.15-18
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Wed Jul 18 2012 Fedora Release Engineering - 1.15-17
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri Apr 27 2012 Peter Robinson - 1.15-16
+- Add disttag, modernise spec file
+
+* Tue Feb 28 2012 Fedora Release Engineering - 1.15-15
+- Rebuilt for c++ ABI breakage
+
+* Thu Jan 12 2012 Fedora Release Engineering - 1.15-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Mon Feb 07 2011 Fedora Release Engineering - 1.15-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Fri Jul 24 2009 Fedora Release Engineering - 1.15-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon Feb 23 2009 Fedora Release Engineering - 1.15-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Tue Feb 19 2008 Fedora Release Engineering - 1.15-10
+- Autorebuild for GCC 4.3
+
+* Wed Aug 22 2007 Matthias Saou 1.15-9
+- Rebuild for new BuildID feature.
+
+* Fri Aug 3 2007 Matthias Saou 1.15-8
+- Update License field.
+- Remove dist tag, since the package will seldom change.
+
+* Thu Mar 29 2007 Matthias Saou 1.15-7
+- Switch to using DESTDIR install method.
+
+* Thu Mar 29 2007 Matthias Saou 1.15-6
+- Switch to use downloads.sf.net source URL.
+- Tweak defattr.
+
+* Mon Aug 28 2006 Matthias Saou 1.15-5
+- FC6 rebuild, remove gcc-c++ build requirement (it's a default).
+
+* Mon Mar 6 2006 Matthias Saou 1.15-4
+- FC5 rebuild.
+
+* Wed Feb 8 2006 Matthias Saou 1.15-3
+- Rebuild for new gcc/glibc.
+
+* Tue Jan 24 2006 Matthias Saou 1.15-2
+- Rebuild for FC5.
+
+* Wed Nov 2 2005 Matthias Saou 1.15-1
+- Update to 1.15, includes 64bit fixes.
+
+* Fri May 27 2005 Matthias Saou 1.14-5
+- Update 64bit patch to a cleaner approach as Ralf suggested.
+
+* Thu May 26 2005 Jeremy Katz - 1.14-4
+- fix build on 64bit arches
+
+* Sun May 22 2005 Jeremy Katz - 1.14-3
+- rebuild on all arches
+
+* Fri Apr 7 2005 Michael Schwendt 1.14-2
+- rebuilt
+
+* Wed Feb 23 2005 Matthias Saou 1.14-1
+- Update to 1.14.
+
+* Mon Nov 29 2004 Matthias Saou 1.13-1
+- Update to 1.13.
+
+* Tue Nov 2 2004 Matthias Saou 1.12-1
+- Update to 1.12.
+
+* Tue Aug 24 2004 Matthias Saou 1.11-1
+- Update to 1.11.
+
+* Mon May 17 2004 Matthias Saou 1.10-1
+- Update to 1.10.
+
+* Mon Nov 3 2003 Matthias Saou 1.7-2
+- Rebuild for Fedora Core 1.
+- Added missing build dependencies, thanks to mach.
+
+* Tue Aug 26 2003 Matthias Saou
+- Update to 1.7.
+
+* Thu May 22 2003 Matthias Saou
+- Initial RPM release.
+