Hello community, here is the log from the commit of package libwmf for openSUSE:Factory checked in at 2015-08-03 17:20:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libwmf (Old) and /work/SRC/openSUSE:Factory/.libwmf.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libwmf" Changes: -------- --- /work/SRC/openSUSE:Factory/libwmf/libwmf.changes 2015-06-24 20:32:19.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libwmf.new/libwmf.changes 2015-08-03 17:20:46.000000000 +0200 @@ -1,0 +2,10 @@ +Tue Jun 30 08:51:41 UTC 2015 - [email protected] + +- Added patches: + * libwmf-0.2.8.4-CVE-2015-4695.patch + - Fix CVE-2015-4695: meta_pen_create heap buffer over read + (bsc#936058) + * libwmf-0.2.8.4-CVE-2015-4696.patch + - Fix CVE-2015-4696: wmf2gd/wmf2eps use after free (bsc#936062) + +------------------------------------------------------------------- @@ -13 +23 @@ -Tue Aug 26 11:59:16 UTC 2014 - [email protected] +Wed Aug 20 13:09:41 UTC 2014 - [email protected] New: ---- libwmf-0.2.8.4-CVE-2015-4695.patch libwmf-0.2.8.4-CVE-2015-4696.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libwmf.spec ++++++ --- /var/tmp/diff_new_pack.VDbgrv/_old 2015-08-03 17:20:47.000000000 +0200 +++ /var/tmp/diff_new_pack.VDbgrv/_new 2015-08-03 17:20:47.000000000 +0200 @@ -34,6 +34,8 @@ Patch5: libwmf-0.2.8.4-bnc495842.patch Patch6: libwmf-0.2.8.4-CVE-2015-0848.patch Patch7: libwmf-0.2.8.4-badrle.patch +Patch8: libwmf-0.2.8.4-CVE-2015-4696.patch +Patch9: libwmf-0.2.8.4-CVE-2015-4695.patch BuildRequires: gd-devel BuildRequires: gtk2-devel BuildRequires: libjpeg-devel @@ -108,6 +110,8 @@ %patch5 %patch6 -p1 %patch7 -p1 +%patch8 -p1 +%patch9 -p1 %build %configure --prefix=%{_prefix} $RPM_ARCH-suse-linux --enable-magick --libdir=%{_libdir} ++++++ libwmf-0.2.8.4-CVE-2015-4695.patch ++++++ Index: libwmf-0.2.8.4/src/player/meta.h =================================================================== --- libwmf-0.2.8.4.orig/src/player/meta.h +++ libwmf-0.2.8.4/src/player/meta.h @@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API, objects = P->objects; i = 0; - while (objects[i].type && (i < NUM_OBJECTS (API))) i++; + while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; if (i == NUM_OBJECTS (API)) { WMF_ERROR (API,"Object out of range!"); @@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w objects = P->objects; i = 0; - while (objects[i].type && (i < NUM_OBJECTS (API))) i++; + while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; if (i == NUM_OBJECTS (API)) { WMF_ERROR (API,"Object out of range!"); @@ -3067,7 +3067,7 @@ static int meta_pen_create (wmfAPI* API, objects = P->objects; i = 0; - while (objects[i].type && (i < NUM_OBJECTS (API))) i++; + while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; if (i == NUM_OBJECTS (API)) { WMF_ERROR (API,"Object out of range!"); @@ -3181,7 +3181,7 @@ static int meta_brush_create (wmfAPI* AP objects = P->objects; i = 0; - while (objects[i].type && (i < NUM_OBJECTS (API))) i++; + while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; if (i == NUM_OBJECTS (API)) { WMF_ERROR (API,"Object out of range!"); @@ -3288,7 +3288,7 @@ static int meta_font_create (wmfAPI* API objects = P->objects; i = 0; - while (objects[i].type && (i < NUM_OBJECTS (API))) i++; + while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; if (i == NUM_OBJECTS (API)) { WMF_ERROR (API,"Object out of range!"); @@ -3396,7 +3396,7 @@ static int meta_palette_create (wmfAPI* objects = P->objects; i = 0; - while (objects[i].type && (i < NUM_OBJECTS (API))) i++; + while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; if (i == NUM_OBJECTS (API)) { WMF_ERROR (API,"Object out of range!"); ++++++ libwmf-0.2.8.4-CVE-2015-4696.patch ++++++ --- libwmf-0.2.8.4/src/player/meta.h +++ libwmf-0.2.8.4/src/player/meta.h + if (FR->region_clip) FR->region_clip (API,&polyrect); + wmf_free (API,polyrect.TL); wmf_free (API,polyrect.BR); } @@ -2593,9 +2595,10 @@ polyrect.BR = 0; polyrect.count = 0; + + if (FR->region_clip) FR->region_clip (API,&polyrect); } - if (FR->region_clip) FR->region_clip (API,&polyrect); return (changed); }
