From patchwork Mon Jan 30 13:05:12 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Peter Korsgaard <peter@korsgaard.com>
X-Patchwork-Id: 721471
Return-Path: <buildroot-bounces@busybox.net>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 3vBqYH5Yrlz9sf9
	for <incoming@patchwork.ozlabs.org>;
	Tue, 31 Jan 2017 00:12:03 +1100 (AEDT)
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="YiVKLFoC"; dkim-atps=neutral
Received: from localhost (localhost [127.0.0.1])
	by hemlock.osuosl.org (Postfix) with ESMTP id 5112881B18;
	Mon, 30 Jan 2017 13:12:00 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from hemlock.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id YNlbdsg58YTI; Mon, 30 Jan 2017 13:11:59 +0000 (UTC)
Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34])
	by hemlock.osuosl.org (Postfix) with ESMTP id 818588A41F;
	Mon, 30 Jan 2017 13:11:59 +0000 (UTC)
X-Original-To: buildroot@lists.busybox.net
Delivered-To: buildroot@osuosl.org
Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133])
	by ash.osuosl.org (Postfix) with ESMTP id 1EAFA1BFF9E
	for <buildroot@lists.busybox.net>;
	Mon, 30 Jan 2017 13:11:58 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by hemlock.osuosl.org (Postfix) with ESMTP id 1B97D8A41F
	for <buildroot@lists.busybox.net>;
	Mon, 30 Jan 2017 13:11:58 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from hemlock.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id tSkX1OMumB+y for <buildroot@lists.busybox.net>;
	Mon, 30 Jan 2017 13:11:57 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mail-wm0-f68.google.com (mail-wm0-f68.google.com
	[74.125.82.68])
	by hemlock.osuosl.org (Postfix) with ESMTPS id 217B08A419
	for <buildroot@buildroot.org>; Mon, 30 Jan 2017 13:11:57 +0000 (UTC)
Received: by mail-wm0-f68.google.com with SMTP id v77so16101706wmv.0
	for <buildroot@buildroot.org>; Mon, 30 Jan 2017 05:11:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=sender:from:to:cc:subject:date:message-id;
	bh=cFH76PYzjGkdfMO5sgS5TnQOxE8y/rQZStFJwYA12Rw=;
	b=YiVKLFoCNo8JtG5+k+JQm5hbAqM5YR6drc5VCmE+2+EDKVL9/0W16cC4falJkjNBYX
	RacEx7LKGadKTkUq2wVxwQ3785cWDV/ZQnTrbMHCkM6LmTAdtIZLt0ebBAjmOILEA4Nd
	UfMoSKj6PS+c9tt0wP8Y/4798GbG20MfBr3NywweeJnsoBnQ33wxy573/LyWEdof8Znk
	Rqo8LYnujrS25MX5aeP0/gOPf3NjhfWQl789kxGiBMr2h0pBM+ITDP8oUh6nWyQha+6s
	t0GL+263dIyHZBuNbVQ29lUE56NHwvTvZ0oPzO+UyjjEGwF95lKGcX0jXcguQMQ7cNVl
	rKQg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:sender:from:to:cc:subject:date:message-id;
	bh=cFH76PYzjGkdfMO5sgS5TnQOxE8y/rQZStFJwYA12Rw=;
	b=nh2f8UXYsCFydJj+K+fg3+FOHkNuUKzGEoU4t2sHOakqmCcR2jl+PvkzUlyK+bGv0g
	01y8nQi1hoLW8XUdGD+jVunxFVrBJINOppHXCeDt7WG/drtzO2zizuwO6pnxaiii2GnB
	qGK0CiypkthausNPJnUHl29rqENY9tlLV3rWRk0oi8c79cPWvGCs8vTt1trUYbHUjlUv
	uFu0BBY5jFKlH0lyjuxY7b2rutWDewAq0E1D3tC6acAVHSuWpQiNJCOikq+j/q8RNQg9
	6+WnhY6ACzh7XexXNLAZ4ajckQJdM5x2WyEV2njgY2C7+Y86UjItNASQITrujNn+GMZJ
	NCnw==
X-Gm-Message-State: 
 AIkVDXLoGIU7ppSqZsemkhnMMLddaPHY7WodBbYppH9gn9Zl+TioO9zVJ5h6+2Afubo3sQ==
X-Received: by 10.28.46.73 with SMTP id u70mr13421943wmu.54.1485781516405;
	Mon, 30 Jan 2017 05:05:16 -0800 (PST)
Received: from dell.be.48ers.dk ([91.183.172.93])
	by smtp.gmail.com with ESMTPSA id
	c133sm18647074wmd.13.2017.01.30.05.05.15
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Mon, 30 Jan 2017 05:05:15 -0800 (PST)
Received: from peko by dell.be.48ers.dk with local (Exim 4.88)
	(envelope-from <peko@dell.be.48ers.dk>)
	id 1cYBdx-0003Sp-K4; Mon, 30 Jan 2017 14:05:13 +0100
From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@buildroot.org
Date: Mon, 30 Jan 2017 14:05:12 +0100
Message-Id: <20170130130512.13275-1-peter@korsgaard.com>
X-Mailer: git-send-email 2.11.0
Subject: [Buildroot] [PATCH] lcms2: add upstream security fix for
	CVE-2016-10165
X-BeenThere: buildroot@busybox.net
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Discussion and development of buildroot <buildroot.busybox.net>
List-Unsubscribe: <http://lists.busybox.net/mailman/options/buildroot>,
	<mailto:buildroot-request@busybox.net?subject=unsubscribe>
List-Archive: <http://lists.busybox.net/pipermail/buildroot/>
List-Post: <mailto:buildroot@busybox.net>
List-Help: <mailto:buildroot-request@busybox.net?subject=help>
List-Subscribe: <http://lists.busybox.net/mailman/listinfo/buildroot>,
	<mailto:buildroot-request@busybox.net?subject=subscribe>
MIME-Version: 1.0
Errors-To: buildroot-bounces@busybox.net
Sender: "buildroot" <buildroot-bounces@busybox.net>

An out-of-bounds read in cmstypes.c in Type_MLU_Read function was found,
leading to heap memory leak triggered by crafted ICC profile.

https://bugzilla.redhat.com/show_bug.cgi?id=1367357

Add upstream patch to fix it.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 .../0002-Added-an-extra-check-to-MLU-bounds.patch  | 27 ++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 package/lcms2/0002-Added-an-extra-check-to-MLU-bounds.patch

diff --git a/package/lcms2/0002-Added-an-extra-check-to-MLU-bounds.patch b/package/lcms2/0002-Added-an-extra-check-to-MLU-bounds.patch
new file mode 100644
index 000000000..9a5d9dd4e
--- /dev/null
+++ b/package/lcms2/0002-Added-an-extra-check-to-MLU-bounds.patch
@@ -0,0 +1,27 @@
+From 5ca71a7bc18b6897ab21d815d15e218e204581e2 Mon Sep 17 00:00:00 2001
+From: Marti <marti.maria@tktbrainpower.com>
+Date: Mon, 15 Aug 2016 23:31:39 +0200
+Subject: [PATCH] Added an extra check to MLU bounds
+
+Thanks to Ibrahim el-sayed for spotting the bug
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/cmstypes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/cmstypes.c b/src/cmstypes.c
+index cb61860..c7328b9 100644
+--- a/src/cmstypes.c
++++ b/src/cmstypes.c
+@@ -1460,6 +1460,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
+ 
+         // Check for overflow
+         if (Offset < (SizeOfHeader + 8)) goto Error;
++        if ((Offset + Len) > SizeOfTag + 8) goto Error;
+ 
+         // True begin of the string
+         BeginOfThisString = Offset - SizeOfHeader - 8;
+-- 
+2.11.0
+