Date: Thursday, January 5, 2017 @ 20:38:21 Author: jlichtblau Revision: 204937
upgpkg: unrtf 0.21.9-2 - FS#52362 fix Added: unrtf/trunk/CVE-2016-10091.patch Modified: unrtf/trunk/PKGBUILD unrtf/trunk/unrtf.changelog ----------------------+ CVE-2016-10091.patch | 179 +++++++++++++++++++++++++++++++++++++++++++++++++ PKGBUILD | 13 ++- unrtf.changelog | 3 3 files changed, 192 insertions(+), 3 deletions(-) Added: CVE-2016-10091.patch =================================================================== --- CVE-2016-10091.patch (rev 0) +++ CVE-2016-10091.patch 2017-01-05 20:38:21 UTC (rev 204937) @@ -0,0 +1,179 @@ +From: Jean-Francois Dockes <[email protected]> +Date: Sat, 31 Dec 2016 20:25:19 +0100 +Subject: Replace all instances of sprintf with snprintf and adjust size of + integer field in some cases + +This fixes CVE-2016-10091 + +Bug-Debian: https://bugs.debian.org/849705 +--- + src/attr.c | 4 ++-- + src/convert.c | 28 ++++++++++++++-------------- + src/output.c | 4 ++-- + 3 files changed, 18 insertions(+), 18 deletions(-) + +diff --git a/src/attr.c b/src/attr.c +index 02b5c81..e2951ea 100644 +--- a/src/attr.c ++++ b/src/attr.c +@@ -746,7 +746,7 @@ char * + assemble_string(char *string, int nr) + { + +- char *s, tmp[12];/* Number of characters that can be in int type (including '\0') - AF */ ++ char *s, tmp[20]; + int i = 0, j = 0; + + if (string == NULL) +@@ -762,7 +762,7 @@ assemble_string(char *string, int nr) + } + + if (string[i] != '\0') { +- sprintf(tmp, "%d", nr); ++ snprintf(tmp, 20, "%d", nr); + strcpy(&s[j], tmp); + j = j + strlen(tmp); + } +diff --git a/src/convert.c b/src/convert.c +index c76d7d6..8eacdcb 100644 +--- a/src/convert.c ++++ b/src/convert.c +@@ -472,7 +472,7 @@ static const int fcharsetparmtocp(int parm) + } + + // Translate code page to encoding name hopefully suitable as iconv input +-static char *cptoencoding(parm) ++static char *cptoencoding(int parm) + { + // Note that CP0 is supposed to mean current system default, which does + // not make any sense as a stored value, we don't handle it. +@@ -964,7 +964,7 @@ cmd_cf (Word *w, int align, char has_param, int num) + } + else + { +- sprintf(str,"#%02x%02x%02x", ++ snprintf(str, 40, "#%02x%02x%02x", + color_table[num].r, + color_table[num].g, + color_table[num].b); +@@ -993,7 +993,7 @@ cmd_cb (Word *w, int align, char has_param, int num) + } + else + { +- sprintf(str,"#%02x%02x%02x", ++ snprintf(str, 40, "#%02x%02x%02x", + color_table[num].r, + color_table[num].g, + color_table[num].b); +@@ -1018,7 +1018,7 @@ cmd_fs (Word *w, int align, char has_param, int points) { + /* Note, fs20 means 10pt */ + points /= 2; + +- sprintf(str,"%d",points); ++ snprintf(str, 20, "%d", points); + attr_push(ATTR_FONTSIZE,str); + + return FALSE; +@@ -1166,7 +1166,7 @@ cmd_f (Word *w, int align, char has_param, int num) + { + // TOBEDONE: WHAT'S THIS ??? + name = my_malloc(12); +- sprintf(name, "%d", num); ++ snprintf(name, 12, "%d", num); + } + + /* we are going to output entities, so should not output font */ +@@ -1218,7 +1218,7 @@ cmd_highlight (Word *w, int align, char has_param, int num) + } + else + { +- sprintf(str,"#%02x%02x%02x", ++ snprintf(str, 40, "#%02x%02x%02x", + color_table[num].r, + color_table[num].g, + color_table[num].b); +@@ -1373,9 +1373,9 @@ cmd_ftech (Word *w, int align, char has_param, int param) { + + static int + cmd_expand (Word *w, int align, char has_param, int param) { +- char str[10]; ++ char str[20]; + if (has_param) { +- sprintf(str, "%d", param/4); ++ snprintf(str, 20, "%d", param / 4); + if (!param) + attr_pop(ATTR_EXPAND); + else +@@ -1394,7 +1394,7 @@ cmd_expand (Word *w, int align, char has_param, int param) { + + static int + cmd_emboss (Word *w, int align, char has_param, int param) { +- char str[10]; ++ char str[20]; + if (has_param && !param) + #ifdef SUPPORT_UNNESTED + attr_find_pop(ATTR_EMBOSS); +@@ -1403,7 +1403,7 @@ cmd_emboss (Word *w, int align, char has_param, int param) { + #endif + else + { +- sprintf(str, "%d", param); ++ snprintf(str, 20, "%d", param); + attr_push(ATTR_EMBOSS, str); + } + return FALSE; +@@ -1419,12 +1419,12 @@ cmd_emboss (Word *w, int align, char has_param, int param) { + + static int + cmd_engrave (Word *w, int align, char has_param, int param) { +- char str[10]; ++ char str[20]; + if (has_param && !param) + attr_pop(ATTR_ENGRAVE); + else + { +- sprintf(str, "%d", param); ++ snprintf(str, 20, "%d", param); + attr_push(ATTR_ENGRAVE, str); + } + return FALSE; +@@ -1976,7 +1976,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) { + + short done=0; + long unicode_number = (long) param; /* On 16bit architectures int is too small to store unicode characters. - AF */ +- char tmp[12]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */ ++ char tmp[20]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */ + const char *alias; + #define DEBUG 0 + #if DEBUG +@@ -2006,7 +2006,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) { + /* RTF spec: Unicode values beyond 32767 are represented by negative numbers */ + unicode_number += 65536; + } +- sprintf(tmp, "%ld", unicode_number); ++ snprintf(tmp, 20, "%ld", unicode_number); + + if (safe_printf(1, op->unisymbol_print, tmp)) fprintf(stderr, TOO_MANY_ARGS, "unisymbol_print"); + done++; +diff --git a/src/output.c b/src/output.c +index 86d8b5c..4cdbfa6 100644 +--- a/src/output.c ++++ b/src/output.c +@@ -320,7 +320,7 @@ op_begin_std_fontsize (OutputPersonality *op, int size) + if (!found_std_expr) { + if (op->fontsize_begin) { + char expr[16]; +- sprintf (expr, "%d", size); ++ snprintf(expr, 16, "%d", size); + if (safe_printf (1, op->fontsize_begin, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_begin"); + } else { + /* If we cannot write out a change for the exact +@@ -440,7 +440,7 @@ op_end_std_fontsize (OutputPersonality *op, int size) + if (!found_std_expr) { + if (op->fontsize_end) { + char expr[16]; +- sprintf (expr, "%d", size); ++ snprintf(expr, 16, "%d", size); + if (safe_printf(1, op->fontsize_end, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_end"); + } else { + /* If we cannot write out a change for the exact Modified: PKGBUILD =================================================================== --- PKGBUILD 2017-01-05 20:10:53 UTC (rev 204936) +++ PKGBUILD 2017-01-05 20:38:21 UTC (rev 204937) @@ -5,7 +5,7 @@ pkgname=unrtf pkgver=0.21.9 -pkgrel=1 +pkgrel=2 pkgdesc="Command-line program which converts RTF documents to other formats" arch=('i686' 'x86_64') url="http://www.gnu.org/software/unrtf/unrtf.html"; @@ -12,9 +12,16 @@ license=('GPL3') depends=('glibc') changelog=$pkgname.changelog -source=(http://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz) -sha256sums=('22a37826f96d754e335fb69f8036c068c00dd01ee9edd9461a36df0085fb8ddd') +source=(http://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz + CVE-2016-10091.patch) +sha256sums=('22a37826f96d754e335fb69f8036c068c00dd01ee9edd9461a36df0085fb8ddd' + '7a535e96764c7d5291060b4e0548b155e1f44357bf78463ad2ed3678c14f749d') +prepare() { + cd "${srcdir}"/$pkgname-$pkgver + patch -Np1 -i "${srcdir}"/CVE-2016-10091.patch +} + build() { cd "${srcdir}"/$pkgname-$pkgver Modified: unrtf.changelog =================================================================== --- unrtf.changelog 2017-01-05 20:10:53 UTC (rev 204936) +++ unrtf.changelog 2017-01-05 20:38:21 UTC (rev 204937) @@ -1,3 +1,6 @@ +2017-01-05 Jaroslav Lichtblau <[email protected]> + * unrtf 0.21.9-2 FS#52362 fix + 2015-03-17 Jaroslav Lichtblau <[email protected]> * unrtf 0.21.9-1
