Hello community,

here is the log from the commit of package libXfont.2465 for openSUSE:12.2:Update checked in at 2014-01-15 16:47:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/libXfont.2465 (Old)
 and      /work/SRC/openSUSE:12.2:Update/.libXfont.2465.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libXfont.2465"

Changes:
--------
New Changes file:

--- /dev/null	2013-11-25 01:44:08.036031256 +0100
+++ /work/SRC/openSUSE:12.2:Update/.libXfont.2465.new/libXfont.changes	2014-01-15 16:47:09.000000000 +0100
@@ -0,0 +1,28 @@ +------------------------------------------------------------------- +Wed Jan 8 12:58:10 UTC 2014 - [email protected] + +- U_CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch + * unlimited sscanf overflows stack buffer in bdfReadCharacters() + (CVE-2013-6462, bnc#854915) + +------------------------------------------------------------------- +Thu Apr 12 06:24:00 UTC 2012 - [email protected] + +- Update to version 1.4.5: + + Updates to better handle fonts compressed with compress(1) + + Do proper input validation to fix for CVE-2011-2895 + + Fix crash if pcf header is corrupted + + Cleanups for compiler warnings + + Improvements for the developer documentation + + Build configuration improvements +- Changes from version 1.4.4: + + LZW decompress: fix for CVE-2011-2895 + + Fix memory leak + + Build configuration improvements +- Drop U_libXfont_LZW-decompress-fix-for-CVE-2011-2895.patch: fixed + upstream. + +------------------------------------------------------------------- +Tue Feb 7 22:17:49 UTC 2012 - [email protected] + +- Split xorg-x11-libs into separate packages

New:
----
  U_CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch
  baselibs.conf
  libXfont-1.4.5.tar.bz2
  libXfont.changes
  libXfont.spec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libXfont.spec ++++++
#
# spec file for package libXfont
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License).
# An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           libXfont
%define lname   libXfont1
Version:        1.4.5
Release:        0
Summary:        X font handling library for server and utilities
License:        MIT
Group:          Development/Libraries/C and C++
Url:            http://xorg.freedesktop.org/
#Git-Clone:     git://anongit.freedesktop.org/xorg/lib/libXfont
#Git-Web:       http://cgit.freedesktop.org/xorg/lib/libXfont/
Source:         http://xorg.freedesktop.org/releases/individual/lib/%{name}-%{version}.tar.bz2
Patch0:         U_CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
#git#BuildRequires: autoconf >= 2.60, automake, libtool
BuildRequires:  pkgconfig
BuildRequires:  pkgconfig(fontenc)
BuildRequires:  pkgconfig(fontsproto)
BuildRequires:  pkgconfig(freetype2)
BuildRequires:  pkgconfig(xorg-macros) >= 1.10
BuildRequires:  pkgconfig(xproto)
BuildRequires:  pkgconfig(xtrans)
BuildRequires:  pkgconfig(zlib)
#optional#BuildRequires: pkgconfig(bzip2), + --with-bzip2

%description
libXfont provides the core of the legacy X11 font system, handling the
index files (fonts.dir, fonts.alias, fonts.scale), the various font file
formats, and rasterizing them. It is used by the X servers, the X Font
Server (xfs), and some font utilities (bdftopcf for instance), but should
not be used by normal X11 clients. X11 clients access fonts via either the
new APIs in libXft, or the legacy APIs in libX11.

%package -n %lname
Summary:        X font handling library for server and utilities
Group:          System/Libraries

%description -n %lname
libXfont provides the core of the legacy X11 font system, handling the
index files (fonts.dir, fonts.alias, fonts.scale), the various font file
formats, and rasterizing them.
It is used by the X servers, the X Font
Server (xfs), and some font utilities (bdftopcf for instance), but should
not be used by normal X11 clients. X11 clients access fonts via either the
new APIs in libXft, or the legacy APIs in libX11.

%package devel
Summary:        Development files for the X font handling library
Group:          Development/Libraries/C and C++
Requires:       %lname = %version

%description devel
libXfont provides the core of the legacy X11 font system, handling the
index files (fonts.dir, fonts.alias, fonts.scale), the various font file
formats, and rasterizing them. It is used by the X servers, the X Font
Server (xfs), and some font utilities (bdftopcf for instance), but should
not be used by normal X11 clients. X11 clients access fonts via either the
new APIs in libXft, or the legacy APIs in libX11.

This package contains the development headers for the library found in
%lname.

%prep
%setup -q
%patch0 -p1

%build
%configure --disable-static
make %{?_smp_mflags}

%install
%makeinstall
rm -f "%buildroot/%_libdir"/*.la

%post -n %lname -p /sbin/ldconfig
%postun -n %lname -p /sbin/ldconfig

%files -n %lname
%defattr(-,root,root)
%_libdir/libXfont.so.1*

%files devel
%defattr(-,root,root)
%_includedir/X11/*
%_libdir/libXfont.so
%_libdir/pkgconfig/xfont.pc

%changelog
++++++ U_CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch ++++++
>From 4d024ac10f964f6bd372ae0dd14f02772a6e5f63 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Mon, 23 Dec 2013 18:34:02 -0800
Subject: [PATCH] CVE-2013-6462: unlimited sscanf overflows stack buffer in
 bdfReadCharacters()

Fixes cppcheck warning:

[lib/libXfont/src/bitmap/bdfread.c:341]: (warning) scanf without field
 width limits can crash with huge input data.

Signed-off-by: Alan Coopersmith <[email protected]>
Reviewed-by: Matthieu Herrb <[email protected]>
Reviewed-by: Jeremy Huddleston Sequoia <[email protected]>
---
 src/bitmap/bdfread.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c index e2770dc..e11c5d2 100644 --- a/src/bitmap/bdfread.c +++ b/src/bitmap/bdfread.c @@ -338,7 +338,7 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, char charName[100]; int ignore; - if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) { + if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) { bdfError("bad character name in BDF file\n"); goto BAILOUT; /* bottom of function, free and return error */ } -- 1.8.1.4
++++++ baselibs.conf ++++++
libXfont1
libXfont-devel
  requires -libXfont-<targettype>
  requires "libXfont1-<targettype> = <version>"
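Review bot: the width `%99s` in the bdfread.c hunk is correct for `char charName[100]` (99 characters plus the terminating NUL), but the limit is a literal duplicated from the array declaration; consider expressing both through one shared constant (for example a macro used in the declaration and stringized into the format) so a later resize of `charName` cannot silently reopen the overflow. Note also that `%99s` truncates rather than rejects an over-long `STARTCHAR` name, so the `bdfError("bad character name in BDF file\n")` path is still only taken when no name is present; if truncated names should be treated as malformed input, a length check after the `sscanf` would be needed.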
