Hello community, here is the log from the commit of package libcroco for openSUSE:Factory checked in at 2017-06-19 13:22:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libcroco (Old) and /work/SRC/openSUSE:Factory/.libcroco.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libcroco" Mon Jun 19 13:22:59 2017 rev:34 rq:504290 version:0.6.12 Changes: -------- --- /work/SRC/openSUSE:Factory/libcroco/libcroco.changes 2017-04-29 10:50:08.764862419 +0200 +++ /work/SRC/openSUSE:Factory/.libcroco.new/libcroco.changes 2017-06-19 13:23:01.523524570 +0200 @@ -1,0 +2,8 @@ +Mon Jun 12 16:33:29 UTC 2017 - [email protected] + +- Add libcroco-fix-CVE-2017-7960.patch: Fix boo#1034481, + CVE-2017-7960. +- Add libcroco-fix-CVE-2017-7961.patch: Fix boo#1034482, + CVE-2017-7961. + +------------------------------------------------------------------- New: ---- libcroco-fix-CVE-2017-7960.patch libcroco-fix-CVE-2017-7961.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libcroco.spec ++++++ --- /var/tmp/diff_new_pack.ctnuNu/_old 2017-06-19 13:23:02.123439989 +0200 +++ /var/tmp/diff_new_pack.ctnuNu/_new 2017-06-19 13:23:02.123439989 +0200 @@ -25,6 +25,10 @@ Url: http://www.freespiders.org/projects/libcroco/ Source: http://download.gnome.org/sources/libcroco/0.6/%{name}-%{version}.tar.xz Source99: baselibs.conf +# PATCH-FIX-UPSTREAM libcroco-fix-CVE-2017-7960.patch boo#1034481 [email protected] -- Fix CVE-2017-7960 +Patch0: libcroco-fix-CVE-2017-7960.patch +# PATCH-FIX-UPSTREAM libcroco-fix-CVE-2017-7961.patch boo#1034482 [email protected] -- Fix CVE-2017-7961 +Patch1: libcroco-fix-CVE-2017-7961.patch BuildRequires: gtk-doc BuildRequires: pkgconfig(glib-2.0) >= 2.0 BuildRequires: pkgconfig(libxml-2.0) >= 2.4.23 @@ -68,6 +72,8 @@ %prep %setup -q +%patch0 -p1 +%patch1 -p1 %build # needed for libcroco-0.6.1: ++++++ libcroco-fix-CVE-2017-7960.patch ++++++ >From 898e3a8c8c0314d2e6b106809a8e3e93cf9d4394 Mon Sep 17 00:00:00 2001 
From: Ignacio Casal Quinteiro <[email protected]> Date: Sun, 16 Apr 2017 13:13:43 +0200 Subject: input: check end of input before reading a byte When reading bytes we weren't check that the index wasn't out of bound and this could produce an invalid read which could deal to a security bug. --- src/cr-input.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/cr-input.c b/src/cr-input.c index 49000b1..3b63a88 100644 --- a/src/cr-input.c +++ b/src/cr-input.c @@ -256,7 +256,7 @@ cr_input_new_from_uri (const gchar * a_file_uri, enum CREncoding a_enc) *we should free buf here because it's own by CRInput. *(see the last parameter of cr_input_new_from_buf(). */ - buf = NULL ; + buf = NULL; } cleanup: @@ -404,6 +404,8 @@ cr_input_get_nb_bytes_left (CRInput const * a_this) enum CRStatus cr_input_read_byte (CRInput * a_this, guchar * a_byte) { + gulong nb_bytes_left = 0; + g_return_val_if_fail (a_this && PRIVATE (a_this) && a_byte, CR_BAD_PARAM_ERROR); @@ -413,6 +415,12 @@ cr_input_read_byte (CRInput * a_this, guchar * a_byte) if (PRIVATE (a_this)->end_of_input == TRUE) return CR_END_OF_INPUT_ERROR; + nb_bytes_left = cr_input_get_nb_bytes_left (a_this); + + if (nb_bytes_left < 1) { + return CR_END_OF_INPUT_ERROR; + } + *a_byte = PRIVATE (a_this)->in_buf[PRIVATE (a_this)->next_byte_index]; if (PRIVATE (a_this)->nb_bytes - @@ -477,7 +485,6 @@ cr_input_read_char (CRInput * a_this, guint32 * a_char) if (*a_char == '\n') { PRIVATE (a_this)->end_of_line = TRUE; } - } return status; -- cgit v0.12 ++++++ libcroco-fix-CVE-2017-7961.patch ++++++ >From 1fa1fdf73af5b2d5a05eafaba41e6ce26df4609b Mon Sep 17 00:00:00 2001 From: Ignacio Casal Quinteiro <[email protected]> Date: Sun, 16 Apr 2017 13:44:56 +0200 Subject: tknzr: remove unneeded assign --- src/cr-tknzr.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/cr-tknzr.c b/src/cr-tknzr.c index e3af0ee..1a7cfeb 100644 --- a/src/cr-tknzr.c +++ b/src/cr-tknzr.c 
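Review bot: In the cr_input_read_byte hunks, `nb_bytes_left` is declared `gulong`, so if cr_input_get_nb_bytes_left() signals failure with a negative value (its definition is outside these hunks; confirm its return type), that value converts to a very large unsigned count, the `nb_bytes_left < 1` guard passes, and the read of `in_buf[next_byte_index]` still happens. Declaring the local with the helper's signed return type, e.g. `glong nb_bytes_left = 0;`, keeps `< 1` rejecting both zero and an error return. A short comment above the check, such as `/* refuse to read past the end of in_buf */`, would also record why this guard exists alongside the older end_of_input test. The body of cr_input_read_byte continues past the end of the second hunk.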
@@ -299,7 +299,6 @@ cr_tknzr_parse_w (CRTknzr * a_this, status = cr_tknzr_peek_char (a_this, &cur_char); if (status == CR_END_OF_INPUT_ERROR) { - status = CR_OK; break; } else if (status != CR_OK) { goto error; -- cgit v0.12 >From 9ad72875e9f08e4c519ef63d44cdbd94aa9504f7 Mon Sep 17 00:00:00 2001 From: Ignacio Casal Quinteiro <[email protected]> Date: Sun, 16 Apr 2017 13:56:09 +0200 Subject: tknzr: support only max long rgb values This fixes a possible out of bound when reading rgbs which are longer than the support MAXLONG --- src/cr-tknzr.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/cr-tknzr.c b/src/cr-tknzr.c index 1a7cfeb..1548c35 100644 --- a/src/cr-tknzr.c +++ b/src/cr-tknzr.c @@ -1279,6 +1279,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb) status = cr_tknzr_parse_num (a_this, &num); ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL)); + if (num->val > G_MAXLONG) { + status = CR_PARSING_ERROR; + goto error; + } + red = num->val; cr_num_destroy (num); num = NULL; @@ -1298,6 +1303,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb) status = cr_tknzr_parse_num (a_this, &num); ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL)); + if (num->val > G_MAXLONG) { + status = CR_PARSING_ERROR; + goto error; + } + PEEK_BYTE (a_this, 1, &next_bytes[0]); if (next_bytes[0] == '%') { SKIP_CHARS (a_this, 1); -- cgit v0.12
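Review bot: The range check added in both cr_tknzr_parse_rgb hunks, `if (num->val > G_MAXLONG)`, bounds only the upper side and uses a strict comparison. If `num->val` is a floating-point field (its type is not visible here), G_MAXLONG is rounded up when converted for the comparison on platforms with a 64-bit long, so a value equal to that rounded bound passes the check yet may still not fit the variable it is stored in (`red = num->val` in the first hunk); a value below G_MINLONG passes as well. Writing the guard as `if (num->val < G_MINLONG || num->val >= G_MAXLONG) {` closes both edges, and because a colour component only has a small meaningful range, rejecting anything outside that range here would be tighter still. Both new paths `goto error` with `num` still allocated, so it is worth confirming that the error label, which is outside these hunks, destroys it.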
