Hello community, here is the log from the commit of package libredwg for openSUSE:Factory checked in at 2018-08-10 09:51:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libredwg (Old) and /work/SRC/openSUSE:Factory/.libredwg.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libredwg" Fri Aug 10 09:51:50 2018 rev:3 rq:628364 version:0.5 Changes: --------
--- /work/SRC/openSUSE:Factory/libredwg/libredwg.changes 2018-07-22 23:05:53.228893845 +0200
+++ /work/SRC/openSUSE:Factory/.libredwg.new/libredwg.changes 2018-08-10 09:52:01.594487609 +0200
@@ -1,0 +2,8 @@
+Thu Aug 9 09:34:20 UTC 2018 - [email protected]
+
+- CVE-2018-14524: double free (boo#1102702)
+ add CVE-2018-14524.patch
+- CVE-2018-14471: NULL pointer dereference DoS (boo#1102696)
+ add CVE-2018-14471.patch
+
+-------------------------------------------------------------------
New: ---- CVE-2018-14471.patch CVE-2018-14524.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ libredwg.spec ++++++
--- /var/tmp/diff_new_pack.S5zIh1/_old 2018-08-10 09:52:03.254490290 +0200
+++ /var/tmp/diff_new_pack.S5zIh1/_new 2018-08-10 09:52:03.254490290 +0200
@@ -27,6 +27,8 @@
Source2: https://ftp.gnu.org/pub/gnu/%{name}/%{name}-%{version}.tar.xz.sig Source3: http://savannah.gnu.org/people/viewgpg.php?user_id=101103#/%{name}.keyring Source4: %{name}-rpmlintrc
+Patch0: CVE-2018-14471.patch
+Patch1: CVE-2018-14524.patch
%description GNU LibreDWG is a C library to handle DWG files. It can replace the
@@ -67,6 +69,8 @@
%prep %setup -q
+%patch0 -p1
+%patch1 -p1
%build %configure \
++++++ CVE-2018-14471.patch ++++++
>From 7bb6307da56c753b962de127a43ebde3e621ecbb Mon Sep 17 00:00:00 2001
From: Reini Urban <[email protected]>
Date: Fri, 20 Jul 2018 22:29:51 +0200
Subject: [PATCH] protect dwg_obj_block_control_get_block_headers from empty ctrl->block_headers. Fixes [GH #32]
---
src/dwg_api.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/dwg_api.c b/src/dwg_api.c
index f44f6207..82776188 100644
--- a/src/dwg_api.c
+++ b/src/dwg_api.c
@@ -17888,7 +17888,13 @@ dwg_obj_block_control_get_block_headers(const dwg_obj_block_control *restrict ct
{ dwg_object_ref **ptx = (dwg_object_ref**) malloc(ctrl->num_entries * sizeof(Dwg_Object_Ref *));
- if (ptx)
+ if (ctrl->num_entries && !ctrl->block_headers)
+ {
+ *error = 1;
+ LOG_ERROR("%s: null block_headers", __FUNCTION__);
+ return NULL;
+ }
+ else if (ptx)
{ BITCODE_BS i; *error = 0;
++++++ CVE-2018-14524.patch ++++++
>From 9a8b9fb49108bab5d12f3353292f8fd8ea12898f Mon Sep 17 00:00:00 2001
From: Reini Urban <[email protected]>
Date: Mon, 23 Jul 2018 15:22:08 +0200
Subject: [PATCH] free: improve eed double-free Fixes [GH #33], detected by jinyu00
---
src/decode.c | 2 ++
src/free.c | 6 ++----
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/decode.c b/src/decode.c
index 74668403..fb09f11a 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -2309,6 +2309,7 @@ dwg_decode_eed(Bit_Chain * dat, Dwg_Object_Object * obj)
LOG_ERROR("No EED[%d].handle", idx); obj->num_eed = 0; free(obj->eed);
+ obj->eed = NULL;
return error; } else { end = dat->byte + size;
@@ -2372,6 +2373,7 @@ dwg_decode_eed(Bit_Chain * dat, Dwg_Object_Object * obj)
free(obj->eed[idx].raw); free(obj->eed[idx].data); free(obj->eed);
+ obj->eed = NULL;
dat->byte = end; return DWG_ERR_VALUEOUTOFBOUNDS; /* may not continue */ #endif
diff --git a/src/free.c b/src/free.c
index ce6940e7..65fb3f9e 100644
--- a/src/free.c
+++ b/src/free.c
@@ -267,8 +267,7 @@ dwg_free_eed(Dwg_Object* obj)
for (i=0; i < _obj->num_eed; i++) { if (_obj->eed[i].size) FREE_IF(_obj->eed[i].raw);
- if (_obj->eed[i].data)
- FREE_IF(_obj->eed[i].data);
+ FREE_IF(_obj->eed[i].data);
} FREE_IF(_obj->eed); }
@@ -277,8 +276,7 @@ dwg_free_eed(Dwg_Object* obj)
for (i=0; i < _obj->num_eed; i++) { if (_obj->eed[i].size) FREE_IF(_obj->eed[i].raw);
- if (_obj->eed[i].data)
- FREE_IF(_obj->eed[i].data);
+ FREE_IF(_obj->eed[i].data);
} FREE_IF(_obj->eed); }
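Review bot: The new early return in dwg_obj_block_control_get_block_headers leaks `ptx`, because the `malloc` on the context line above runs before the added `ctrl->num_entries && !ctrl->block_headers` check. On exactly the path the check rejects (non-zero `num_entries`) the buffer has been allocated and is then dropped at `return NULL;`. Either add `free(ptx);` before that `return NULL;` or move the check above the allocation so nothing is allocated for a malformed control object. The rest of the function body lies outside the hunk.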
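Review bot: The second dwg_decode_eed error path (the hunk at line 2373) clears `obj->eed` but shows no reset of the count, whereas the first hunk's path has `obj->num_eed = 0;` in its context. dwg_free_eed in src/free.c loops `for (i=0; i < _obj->num_eed; i++)` and reads `_obj->eed[i].size`, so a NULL `eed` with a stale non-zero `num_eed` would be dereferenced there unless a guard outside the visible lines prevents it. I would add `obj->num_eed = 0;` next to the new `obj->eed = NULL;` so both error paths leave the object in the same state. Both paths also free only the array (and, here, entry `idx`), so `raw`/`data` of earlier entries may leak; that cannot be confirmed from the hunks, since the function body extends beyond both of them.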
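Review bot: The cleanup of `raw` is still gated on `if (_obj->eed[i].size)` while `data` is now freed unconditionally, so the two members are handled inconsistently in both dwg_free_eed hunks (lines 267 and 276). If FREE_IF already tests for NULL and clears the pointer, as the removal of the `data` guard implies (its definition is not on this page), then a plain `FREE_IF(_obj->eed[i].raw);` would be simpler and would not skip a non-NULL `raw` whose `size` is 0. A short comment above the loop such as `/* FREE_IF is NULL-safe and resets the pointer, so no per-member guard is needed */` would record why the guard was dropped. The function body starts and ends outside both hunks.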
