Hello community, here is the log from the commit of package evince for openSUSE:11.3 checked in at Mon Feb 21 18:09:55 CET 2011.
-------- --- old-versions/11.3/UPDATES/all/evince/evince.changes 2011-01-05 09:08:04.000000000 +0100 +++ 11.3/evince/evince.changes 2011-02-17 15:29:05.000000000 +0100 @@ -1,0 +2,6 @@ +Thu Feb 17 15:28:54 CET 2011 - [email protected] + +- Add evince-dvi-vulnerability-again.patch to fix another + vulnerability in the DVI backend. Fix bnc#671064. + +------------------------------------------------------------------- calling whatdependson for 11.3-i586 New: ---- evince-dvi-vulnerability-again.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ evince.spec ++++++ --- /var/tmp/diff_new_pack.EkCJ6F/_old 2011-02-21 18:09:49.000000000 +0100 +++ /var/tmp/diff_new_pack.EkCJ6F/_new 2011-02-21 18:09:49.000000000 +0100 @@ -1,5 +1,5 @@ # -# spec file for package evince (Version 2.30.1) +# spec file for package evince # # Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -20,7 +20,7 @@ Name: evince Version: 2.30.1 -Release: 3.<RELEASE1> +Release: 3.<RELEASE5> %define _major_version 2.30 License: GPLv2+ Summary: GNOME Document Viewer @@ -31,6 +31,8 @@ Patch0: evince-bgo617154.patch # PATCH-FIX-UPSTREAM evince-dvi-vulnerabilities.patch [email protected] -- CVE-2010-2640, CVE-2010-2641, CVE-2010-2642, CVE-2010-2643 Patch1: evince-dvi-vulnerabilities.patch +# PATCH-FIX-UPSTREAM evince-dvi-vulnerability-again.patch bgo#640923 bnc#671064 [email protected] -- Fix an issue similar to one fixed in evince-dvi-vulnerabilities.patch +Patch2: evince-dvi-vulnerability-again.patch BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: gconf2-devel @@ -96,6 +98,7 @@ %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p1 translation-update-upstream %build ++++++ evince-dvi-vulnerability-again.patch ++++++ commit 439c5070022eab6cef7266aab47f978058012c72 Author: Vincent Untz <[email protected]> Date: Thu Feb 17 15:23:39 2011 +0100 backends: Fix another security issue in the dvi-backend This is similar to one of the fixes from d4139205. https://bugzilla.gnome.org/show_bug.cgi?id=640923 diff --git a/backend/dvi/mdvi-lib/afmparse.c b/backend/dvi/mdvi-lib/afmparse.c index 361e23d..e1cd115 100644 --- a/backend/dvi/mdvi-lib/afmparse.c +++ b/backend/dvi/mdvi-lib/afmparse.c @@ -190,7 +190,7 @@ static char *linetoken(FILE *stream) while ((ch = fgetc(stream)) == ' ' || ch == '\t' ); idx = 0; - while (ch != EOF && ch != lineterm) + while (ch != EOF && ch != lineterm && idx < MAX_NAME) { ident[idx++] = ch; ch = fgetc(stream); ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
