Hello community, here is the log from the commit of package t1lib for openSUSE:Factory checked in at 2012-04-23 09:18:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/t1lib (Old) and /work/SRC/openSUSE:Factory/.t1lib.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "t1lib", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:Factory/t1lib/t1lib.changes 2011-11-28 12:58:10.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.t1lib.new/t1lib.changes 2012-04-23 09:18:32.000000000 +0200 @@ -1,0 +2,10 @@ +Thu Apr 19 08:51:04 UTC 2012 - [email protected] + +- fix bnc#684802 - VUL-0: t1lib: memory corruption + * used fix from Jaroslav Škarvada from RedHat + * t1lib-type1-fix-invalid-rw.patch (CVE-2011-1552, + CVE-2011-1553, CVE-2011-1554) +- fix bnc#757961: VUL-0: t1lib: heap overflow in afm font parser + * t1lib-5.1.1-afm-fix.patch (CVE-2011-0433) + +------------------------------------------------------------------- New: ---- t1lib-5.1.2-afm-fix.patch t1lib-type1-fix-invalid-rw.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ t1lib.spec ++++++ --- /var/tmp/diff_new_pack.7ElCkg/_old 2012-04-23 09:18:34.000000000 +0200 +++ /var/tmp/diff_new_pack.7ElCkg/_new 2012-04-23 09:18:34.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package t1lib # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,20 +16,24 @@ # - Name: t1lib -BuildRequires: libtool xorg-x11-devel -License: LGPL-2.1+ -Group: System/Libraries +BuildRequires: libtool +BuildRequires: xorg-x11-devel Version: 5.1.2 -Release: 1 -URL: ftp://sunsite.unc.edu/pub/Linux/libs/graphics/ -Source: ftp://sunsite.unc.edu/pub/Linux/libs/graphics/%{name}-%{version}.tar.bz2 +Release: 0 +Url: ftp://sunsite.unc.edu/pub/Linux/libs/graphics/ +Source: %{name}-%{version}.tar.bz2 Patch0: t1lib-auto.patch Patch1: t1lib_5.1.2-3.diff.gz Patch2: t1lib-5.1.2-CVE-2010-2642.patch +#https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0764 +#https://bugzilla.redhat.com/attachment.cgi?id=551723 +Patch3: t1lib-type1-fix-invalid-rw.patch +Patch4: t1lib-5.1.2-afm-fix.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary: Adobe Type 1 Font Rasterizing Library +License: LGPL-2.1+ +Group: System/Libraries %description T1lib is a library for generating character and string glyphs from @@ -41,7 +45,8 @@ %package -n t1lib-devel Summary: Development Libraries for T1lib Group: Development/Libraries/C and C++ -Requires: %{name} = %{version} xorg-x11-libX11-devel +Requires: %{name} = %{version} +Requires: xorg-x11-libX11-devel %description -n t1lib-devel This package provides the t1lib development environment (static @@ -57,6 +62,8 @@ if test -z "$level" ; then level=-p1; fi patch $level < debian/patches/$patch done +%patch3 -p1 +%patch4 -p1 %build autoreconf -fiv ++++++ t1lib-5.1.2-afm-fix.patch ++++++ Index: t1lib-5.1.2/lib/t1lib/parseAFM.c =================================================================== --- t1lib-5.1.2.orig/lib/t1lib/parseAFM.c 2012-04-19 10:48:55.818038155 +0200 +++ t1lib-5.1.2/lib/t1lib/parseAFM.c 2012-04-19 10:50:08.689549026 +0200 @@ -199,7 +199,8 @@ idx = 0; while (ch != EOF && ch != ' ' && ch != CR && ch != LF && - ch != CTRL_Z && ch != '\t' && ch != ':' && ch != ';' && idx < MAX_NAME){ + ch != CTRL_Z && ch != '\t' && ch != ':' && ch != ';' && + idx < (MAX_NAME - 1)){ ident[idx++] = ch; ch = fgetc(stream); } /* while */ @@ -235,7 +236,8 @@ while ((ch = fgetc(stream)) == ' ' || ch == '\t' ); idx = 0; - while (ch != EOF && ch != CR && ch != LF && ch != CTRL_Z) + while (ch != EOF && ch != CR && ch != LF && ch != CTRL_Z && + idx < (MAX_NAME - 1)) { ident[idx++] = ch; ch = fgetc(stream); ++++++ t1lib-type1-fix-invalid-rw.patch ++++++ diff -up t1lib-5.1.2/lib/type1/lines.c.orig t1lib-5.1.2/lib/type1/lines.c --- t1lib-5.1.2/lib/type1/lines.c.orig 2007-12-23 16:49:42.000000000 +0100 +++ t1lib-5.1.2/lib/type1/lines.c 2012-01-10 00:50:01.617614468 +0100 @@ -67,6 +67,10 @@ This module provides the following entry None. */ +#define BITS (sizeof(LONG)*8) +#define HIGHTEST(p) (((p)>>(BITS-2)) != 0) /* includes sign bit */ +#define TOOBIG(xy) ((xy < 0) ? HIGHTEST(-xy) : HIGHTEST(xy)) + /* :h2.StepLine() - Produces Run Ends for a Line After Checks @@ -84,6 +88,9 @@ void StepLine(R, x1, y1, x2, y2) IfTrace4((LineDebug > 0), ".....StepLine: (%d,%d) to (%d,%d)\n", x1, y1, x2, y2); + if ( TOOBIG(x1) || TOOBIG(x2) || TOOBIG(y1) || TOOBIG(y2)) + abort("Lines this big not supported", 49); + dy = y2 - y1; /* diff -up t1lib-5.1.2/lib/type1/objects.c.orig t1lib-5.1.2/lib/type1/objects.c --- t1lib-5.1.2/lib/type1/objects.c.orig 2007-12-23 16:49:42.000000000 +0100 +++ t1lib-5.1.2/lib/type1/objects.c 2012-01-10 00:55:18.082937510 +0100 @@ -1137,12 +1137,13 @@ char *t1_get_abort_message( int number) "Context: out of them", /* 46 */ "MatrixInvert: can't", /* 47 */ "xiStub called", /* 48 */ - "Illegal access type1 abort() message" /* 49 */ + "Lines this big not supported", /* 49 */ + "Illegal access type1 abort() message" /* 50 */ }; - /* no is valid from 1 to 48 */ - if ( (number<1)||(number>48)) - number=49; + /* no is valid from 1 to 49 */ + if ( (number<1)||(number>49)) + number=50; return( err_msgs[number-1]); } diff -up t1lib-5.1.2/lib/type1/type1.c.orig t1lib-5.1.2/lib/type1/type1.c --- t1lib-5.1.2/lib/type1/type1.c.orig 2007-12-23 21:19:42.000000000 +0530 +++ t1lib-5.1.2/lib/type1/type1.c 2012-01-04 13:11:50.324115578 +0530 @@ -1012,6 +1012,7 @@ double nextdtana = 0.0; /* tangent of post-delta against horizontal line */ double nextdtanb = 0.0; /* tangent of post-delta against vertical line */ + if (ppoints == NULL || numppoints < 1) Error0v("FindStems: No previous point!\n"); /* setup default hinted position */ ppoints[numppoints-1].ax = ppoints[numppoints-1].x; @@ -1289,7 +1290,7 @@ static int DoRead(CodeP) int *CodeP; { - if (strindex >= CharStringP->len) return(FALSE); /* end of string */ + if (!CharStringP || strindex >= CharStringP->len) return(FALSE); /* end of string */ /* We handle the non-documented Adobe convention to use lenIV=-1 to suppress charstring encryption. */ if (blues->lenIV==-1) { @@ -1700,6 +1701,7 @@ long pindex = 0; /* compute hinting for previous segment! */ + if (ppoints == NULL || numppoints < 2 ) Error0i("RLineTo: No previous point!\n"); FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy); /* Allocate a new path point and pre-setup data */ @@ -1728,6 +1730,7 @@ long pindex = 0; /* compute hinting for previous point! */ + if (ppoints == NULL || numppoints < 2) Error0i("RRCurveTo: No previous point!\n"); FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1); /* Allocate three new path points and pre-setup data */ @@ -1786,7 +1789,9 @@ long tmpind; double deltax = 0.0; double deltay = 0.0; - + + if (ppoints == NULL || numppoints < 1) Error0i("DoClosePath: No previous point!"); + /* If this ClosePath command together with the starting point of this path completes to a segment aligned to a stem, we would miss hinting for this point. --> Check and explicitly care for this! */ @@ -1801,6 +1806,7 @@ deltax = ppoints[i].x - ppoints[numppoints-1].x; deltay = ppoints[i].y - ppoints[numppoints-1].y; + if (ppoints == NULL || numppoints <= i + 1) Error0i("DoClosePath: No previous point!"); /* save nummppoints and reset to move point */ tmpind = numppoints; numppoints = i + 1; @@ -1903,6 +1909,7 @@ FindStems( currx, curry, 0, 0, dx, dy); } else { + if (ppoints == NULL || numppoints < 2) Error0i("RMoveTo: No previous point!\n"); FindStems( currx, curry, ppoints[numppoints-2].x, ppoints[numppoints-2].y, dx, dy); } @@ -2152,6 +2159,7 @@ DOUBLE cx, cy; DOUBLE ex, ey; + if (ppoints == NULL || numppoints < 8) Error0v("FlxProc: No previous point!"); /* Our PPOINT list now contains 7 moveto commands which are about to be consumed by the Flex mechanism. --> Remove these @@ -2321,6 +2329,7 @@ /* Returns currentpoint on stack */ static void FlxProc2() { + if (ppoints == NULL || numppoints < 1) Error0v("FlxProc2: No previous point!"); /* Push CurrentPoint on fake PostScript stack */ PSFakePush( ppoints[numppoints-1].x); PSFakePush( ppoints[numppoints-1].y); -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
