Author: draenog Date: Thu Jan 6 18:52:40 2011 GMT Module: packages Tag: HEAD ---- Log message: - patch internal version of gd (taken from Fedora) - rel. 14
---- Files affected: packages/libwmf: libwmf.spec (1.98 -> 1.99) , libwmf-0.2.8.4-CAN-2004-0941.patch (NONE -> 1.1) (NEW), libwmf-0.2.8.4-CVE-2007-0455.patch (NONE -> 1.1) (NEW), libwmf-0.2.8.4-CVE-2007-2756.patch (NONE -> 1.1) (NEW), libwmf-0.2.8.4-CVE-2007-3472.patch (NONE -> 1.1) (NEW), libwmf-0.2.8.4-CVE-2007-3473.patch (NONE -> 1.1) (NEW), libwmf-0.2.8.4-CVE-2007-3477.patch (NONE -> 1.1) (NEW), libwmf-0.2.8.4-CVE-2009-3546.patch (NONE -> 1.1) (NEW) ---- Diffs:
================================================================
Index: packages/libwmf/libwmf.spec
diff -u packages/libwmf/libwmf.spec:1.98 packages/libwmf/libwmf.spec:1.99
--- packages/libwmf/libwmf.spec:1.98 Mon Nov 1 21:20:07 2010
+++ packages/libwmf/libwmf.spec Thu Jan 6 19:52:34 2011
@@ -8,7 +8,7 @@
 Summary(pl.UTF-8): libwmf - biblioteka z funkcjami do konwersji plików WMF
 Name: libwmf
 Version: 0.2.8.4
-Release: 13
+Release: 14
 Epoch: 2
 License: LGPL v2+
 Group: Applications/Text
@@ -19,6 +19,13 @@
 Patch2: %{name}-segv.patch
 Patch3: %{name}-png12.patch
 Patch4: %{name}-0.2.8.4-useafterfree.patch
+Patch5: %{name}-0.2.8.4-CVE-2007-0455.patch
+Patch6: %{name}-0.2.8.4-CVE-2007-3472.patch
+Patch7: %{name}-0.2.8.4-CVE-2007-3473.patch
+Patch8: %{name}-0.2.8.4-CVE-2007-3477.patch
+Patch9: %{name}-0.2.8.4-CVE-2007-2756.patch
+Patch10: %{name}-0.2.8.4-CAN-2004-0941.patch
+Patch11: %{name}-0.2.8.4-CVE-2009-3546.patch
 URL: http://wvware.sourceforge.net/
 BuildRequires: autoconf >= 2.59-9
 BuildRequires: automake
@@ -107,6 +114,13 @@
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
 %build
 rm configure.in
@@ -194,6 +208,10 @@
 All persons listed below can be reached at <cvs_login>@pld-linux.org
 $Log$
+Revision 1.99 2011/01/06 18:52:34 draenog
+- patch internal version of gd (taken from Fedora)
+- rel. 14
+
 Revision 1.98 2010/11/01 20:20:07 arekm
 - release 13
================================================================
Index: packages/libwmf/libwmf-0.2.8.4-CAN-2004-0941.patch
diff -u /dev/null packages/libwmf/libwmf-0.2.8.4-CAN-2004-0941.patch:1.1
--- /dev/null Thu Jan 6 19:52:40 2011
+++ packages/libwmf/libwmf-0.2.8.4-CAN-2004-0941.patch Thu Jan 6 19:52:34 2011
@@ -0,0 +1,17 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_png.c 2004-11-11 14:02:37.407589824 -0500
++++ libwmf-0.2.8.4/src/extra/gd/gd_png.c 2004-11-11 14:04:29.672522960 -0500
+@@ -188,6 +188,14 @@
+
+ png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ &interlace_type, NULL, NULL);
++ if (overflow2(sizeof (int), width))
++ {
++ return NULL;
++ }
++ if (overflow2(sizeof (int) * width, height))
++ {
++ return NULL;
++ }
+ if ((color_type == PNG_COLOR_TYPE_RGB) ||
+ (color_type == PNG_COLOR_TYPE_RGB_ALPHA))
+ {
================================================================
Index: packages/libwmf/libwmf-0.2.8.4-CVE-2007-0455.patch
diff -u /dev/null packages/libwmf/libwmf-0.2.8.4-CVE-2007-0455.patch:1.1
--- /dev/null Thu Jan 6 19:52:40 2011
+++ packages/libwmf/libwmf-0.2.8.4-CVE-2007-0455.patch Thu Jan 6 19:52:34 2011
@@ -0,0 +1,11 @@
+--- libwmf-0.2.8.4/src/extra/gd/gdft.c 2010-12-06 11:18:26.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdft.c 2010-12-06 11:21:09.000000000 +0000
+@@ -811,7 +811,7 @@
+ {
+ ch = c & 0xFF; /* don't extend sign */
+ }
+- next++;
++ if (*next) next++;
+ }
+ else
+ {
================================================================
Index: packages/libwmf/libwmf-0.2.8.4-CVE-2007-2756.patch
diff -u /dev/null packages/libwmf/libwmf-0.2.8.4-CVE-2007-2756.patch:1.1
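Review bot: Both added `return NULL;` exits in the gd_png.c hunk leave the function while `png_ptr` and `info_ptr` are live (they were just passed to `png_get_IHDR`), so unless something else releases them the read structs leak every time an oversized header is rejected. The function's start and its other error paths are outside the hunk; if those paths call `png_destroy_read_struct (&png_ptr, &info_ptr, NULL);`, the two new exits should do the same before returning. `overflow2` takes `int` parameters, so `sizeof (int) * width` is narrowed from an unsigned type at the call; a comment such as `/* first check guarantees sizeof(int) * width fits in int */` would make that dependency explicit.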
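Review bot: The new guard `if (*next) next++;` in gdft.c carries no comment saying why the increment became conditional, and the surrounding loop is outside the hunk. A one-line comment on it, for example `/* never step past the terminating NUL */`, would keep a later cleanup from folding it back into a plain `next++`. It is also worth confirming that no other unconditional advance of `next` in the same function can reach the terminator, since only this one is visible here.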
--- /dev/null Thu Jan 6 19:52:40 2011
+++ packages/libwmf/libwmf-0.2.8.4-CVE-2007-2756.patch Thu Jan 6 19:52:34 2011
@@ -0,0 +1,16 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_png.c 1 Apr 2007 20:41:01 -0000 1.21.2.1
++++ libwmf-0.2.8.4/src/extra/gd/gd_png.c 16 May 2007 19:06:11 -0000
+@@ -78,8 +78,11 @@
+ gdPngReadData (png_structp png_ptr,
+ png_bytep data, png_size_t length)
+ {
+- gdGetBuf (data, length, (gdIOCtx *)
+- png_get_io_ptr (png_ptr));
++ int check;
++ check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
++ if (check != length) {
++ png_error(png_ptr, "Read Error: truncated data");
++ }
+ }
+
+ static void
================================================================
Index: packages/libwmf/libwmf-0.2.8.4-CVE-2007-3472.patch
diff -u /dev/null packages/libwmf/libwmf-0.2.8.4-CVE-2007-3472.patch:1.1
--- /dev/null Thu Jan 6 19:52:40 2011
+++ packages/libwmf/libwmf-0.2.8.4-CVE-2007-3472.patch Thu Jan 6 19:52:34 2011
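Review bot: In `gdPngReadData` the test `check != length` compares an `int` with a `png_size_t`, so the result depends on the implicit signed-to-unsigned conversion. It happens to catch a negative return, but it draws a sign-compare warning and hides the intent. Writing it as `if (check < 0 || (png_size_t) check != length)` states both failure cases explicitly. `gdGetBuf`'s prototype is not in the hunk; if its size parameter is an `int`, `length` is also narrowed on the way in, which deserves a comment or a range check. A short note that `png_error` does not return would help readers see why nothing follows it.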
@@ -0,0 +1,59 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -106,6 +106,18 @@
+ gdImagePtr im;
+ unsigned long cpa_size;
+
++ if (overflow2(sx, sy)) {
++ return NULL;
++ }
++
++ if (overflow2(sizeof (int *), sy)) {
++ return NULL;
++ }
++
++ if (overflow2(sizeof(int), sx)) {
++ return NULL;
++ }
++
+ im = (gdImage *) gdMalloc (sizeof (gdImage));
+ if (im == 0) return 0;
+ memset (im, 0, sizeof (gdImage));
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:47:31.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.c 2010-12-06 11:48:04.000000000 +0000
+@@ -2,6 +2,7 @@
+ #include "gdhelpers.h"
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+
+ /* TBB: gd_strtok_r is not portable; provide an implementation */
+
+@@ -94,3 +95,18 @@
+ {
+ free (ptr);
+ }
++
++int overflow2(int a, int b)
++{
++ if(a < 0 || b < 0) {
++ fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n");
++ return 1;
++ }
++ if(b == 0)
++ return 0;
++ if(a > INT_MAX / b) {
++ fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n");
++ return 1;
++ }
++ return 0;
++}
+--- libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:47:17.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gdhelpers.h 2010-12-06 11:48:36.000000000 +0000
+@@ -15,4 +15,6 @@
+ void *gdMalloc(size_t size);
+ void *gdRealloc(void *ptr, size_t size);
+
++int overflow2(int a, int b);
++
+ #endif /* GDHELPERS_H */
================================================================
Index: packages/libwmf/libwmf-0.2.8.4-CVE-2007-3473.patch
diff -u /dev/null packages/libwmf/libwmf-0.2.8.4-CVE-2007-3473.patch:1.1
--- /dev/null Thu Jan 6 19:52:40 2011
+++ packages/libwmf/libwmf-0.2.8.4-CVE-2007-3473.patch Thu Jan 6 19:52:34 2011
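Review bot: `overflow2` is added to gdhelpers.c and exported from gdhelpers.h with no comment stating its contract, although the gd_png.c patch in this series also depends on it. A header comment such as `/* Returns 1 when a * b would exceed INT_MAX or either operand is negative, 0 when the product is safe. */` would document it. The function calls `fprintf(stderr, ...)`, while the include hunk adds only `<limits.h>`; `<stdio.h>` has to arrive through a header above line 2 of gdhelpers.c, which the hunk does not show, so that is worth confirming. In gd.c the three new checks sit in a function whose name is outside the hunk, so it cannot be told from here whether the file's other image constructor received the same guards.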
@@ -0,0 +1,13 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -2483,6 +2483,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm (FILE * fd)
+ }
+ bytes = (w * h / 8) + 1;
+ im = gdImageCreate (w, h);
++ if (!im) {
++ return 0;
++ }
++
+ gdImageColorAllocate (im, 255, 255, 255);
+ gdImageColorAllocate (im, 0, 0, 0);
+ x = 0;
================================================================
Index: packages/libwmf/libwmf-0.2.8.4-CVE-2007-3477.patch
diff -u /dev/null packages/libwmf/libwmf-0.2.8.4-CVE-2007-3477.patch:1.1
--- /dev/null Thu Jan 6 19:52:40 2011
+++ packages/libwmf/libwmf-0.2.8.4-CVE-2007-3477.patch Thu Jan 6 19:52:34 2011
@@ -0,0 +1,38 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd.c
++++ libwmf-0.2.8.4/src/extra/gd/gd.c
+@@ -1335,10 +1335,31 @@
+ int w2, h2;
+ w2 = w / 2;
+ h2 = h / 2;
+- while (e < s)
+- {
+- e += 360;
+- }
++
++ if ((s % 360) == (e % 360)) {
++ s = 0; e = 360;
++ } else {
++ if (s > 360) {
++ s = s % 360;
++ }
++
++ if (e > 360) {
++ e = e % 360;
++ }
++
++ while (s < 0) {
++ s += 360;
++ }
++
++ while (e < s) {
++ e += 360;
++ }
++
++ if (s == e) {
++ s = 0; e = 360;
++ }
++ }
++
+ for (i = s; (i <= e); i++)
+ {
+ int x, y;
================================================================
Index: packages/libwmf/libwmf-0.2.8.4-CVE-2009-3546.patch
diff -u /dev/null packages/libwmf/libwmf-0.2.8.4-CVE-2009-3546.patch:1.1
--- /dev/null Thu Jan 6 19:52:40 2011
+++ packages/libwmf/libwmf-0.2.8.4-CVE-2009-3546.patch Thu Jan 6 19:52:34 2011
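Review bot: In `gdImageCreateFromXbm` the context line `bytes = (w * h / 8) + 1;` still multiplies `w` and `h` as plain `int` before anything has bounded them, so a large pair overflows (undefined behaviour) before `gdImageCreate` can reject it. The added `if (!im)` covers only the allocation result. With `overflow2` available from the CVE-2007-3472 patch, a guard such as `if (overflow2(w, h)) return 0;` placed ahead of that line would close the gap. How `w` and `h` are parsed is outside the hunk; presumably they come from the XBM header and are therefore file-controlled.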
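Review bot: In the arc-angle hunk, negative angles are normalised by `while (s < 0) { s += 360; }`, and a negative `e` only by the later `while (e < s)` loop, so values far below zero are walked up 360 at a time instead of being reduced with `%` as the positive side is. The loops do terminate, but `s %= 360; if (s < 0) s += 360;` ahead of the comparison would make both sides symmetric and constant-time (check the `s == 360` boundary if adopting it). The first branch also turns any pair of angles equal modulo 360, including `s == e`, into a full 0 to 360 sweep, which deserves a comment such as `/* equal angles modulo 360 mean a full ellipse */`. The enclosing function starts above the hunk and the `for` body continues below it.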
@@ -0,0 +1,13 @@
+--- libwmf-0.2.8.4/src/extra/gd/gd_gd.c 2010-12-06 14:56:06.000000000 +0000
++++ libwmf-0.2.8.4/src/extra/gd/gd_gd.c 2010-12-06 14:57:04.000000000 +0000
+@@ -42,6 +42,10 @@
+ {
+ goto fail1;
+ }
++ if (&im->colorsTotal > gdMaxColors)
++ {
++ goto fail1;
++ }
+ }
+ /* Int to accommodate truecolor single-color transparency */
+ if (!gdGetInt (&im->transparent, in))
================================================================
---- CVS-web: http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/libwmf/libwmf.spec?r1=1.98&r2=1.99&f=u _______________________________________________ pld-cvs-commit mailing list pld-cvs-commit@lists.pld-linux.org http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
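Review bot: The added test `if (&im->colorsTotal > gdMaxColors)` compares the address of the field with `gdMaxColors`, not the field's value, so it does not bound the palette count taken from the file. A pointer-versus-integer comparison is a constraint violation that compilers typically only warn about. Depending on how it is evaluated, either the branch is always taken and every image on this path fails to load, or the limit is never enforced. The intended line is presumably `if (im->colorsTotal > gdMaxColors)`. The read that fills `colorsTotal` sits above the hunk, so the surrounding condition should be confirmed when correcting it.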