Hello community, here is the log from the commit of package libcaca for openSUSE:Factory checked in at 2019-02-04 21:23:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libcaca (Old) and /work/SRC/openSUSE:Factory/.libcaca.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libcaca" Mon Feb 4 21:23:02 2019 rev:41 rq:667603 version:0.99.beta19.git20171003 Changes: -------- --- /work/SRC/openSUSE:Factory/libcaca/libcaca.changes 2018-02-03 15:35:56.971735833 +0100 +++ /work/SRC/openSUSE:Factory/.libcaca.new.28833/libcaca.changes 2019-02-04 21:23:04.823629923 +0100 @@ -1,0 +2,25 @@ +Mon Jan 21 13:01:52 UTC 2019 - [email protected] + +- Cast intermediate results to 64 bits to prevent overflow of + calculations with 32-bit quentities. + [CVE-2018-20544, bsc#1120502, + Bug1120502-add_cast_to_prevent_overflow.patch] + +------------------------------------------------------------------- +Mon Jan 21 12:39:30 UTC 2019 - [email protected] + +- Fix the size of width and height to be of size_t rather than + int in struct caca_dither. Re-using existing patch. + [CVE-2018-20546, bsc#1120503, CVE-2018-20547, + bsc#1120504, libcaca-variable-type.patch] + +------------------------------------------------------------------- +Tue Jan 15 15:03:38 UTC 2019 - [email protected] + +- Fix the size of width and height to be of size_t rather than + unsigned int which may be too small on 64 bit architectures. + This fixes three CVS and associated bugs. + [CVE-2018-20545, bsc#1120584, CVE-2018-20548, bsc#1120589, + CVE-2018-20549, bsc#1120470, libcaca-variable-type.patch] + +------------------------------------------------------------------- New: ---- Bug1120502-add_cast_to_prevent_overflow.patch libcaca-variable-type.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libcaca.spec ++++++ --- /var/tmp/diff_new_pack.H8fZFs/_old 2019-02-04 21:23:05.667629717 +0100 +++ /var/tmp/diff_new_pack.H8fZFs/_new 2019-02-04 21:23:05.667629717 +0100 @@ -1,7 +1,7 @@ # # spec file for package libcaca # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -35,6 +35,8 @@ Patch7: libcaca-0.99.beta16-missing-GLU.patch Patch9: caca-no-build-date.patch Patch10: libcaca-ncurses6.patch +Patch11: libcaca-variable-type.patch +Patch12: Bug1120502-add_cast_to_prevent_overflow.patch BuildRequires: doxygen BuildRequires: fdupes BuildRequires: freeglut-devel @@ -136,6 +138,8 @@ %patch9 %patch1 %patch10 -p1 +%patch11 -p1 +%patch12 -p1 RUBY="ruby-`echo %{rb_ver} | sed 's|\.[^\.]*$||'`" find . -type f -exec sed -i "s|ruby-1.9|$RUBY|" \{\} \; pushd python ++++++ Bug1120502-add_cast_to_prevent_overflow.patch ++++++ Author: Josef Möllers <[email protected]> Index: libcaca-da28e9684ef445ac8d42745644336b8a75c01855/caca/dither.c =================================================================== --- libcaca-da28e9684ef445ac8d42745644336b8a75c01855.orig/caca/dither.c +++ libcaca-da28e9684ef445ac8d42745644336b8a75c01855/caca/dither.c @@ -991,10 +991,10 @@ int caca_dither_bitmap(caca_canvas_t *cv /* First get RGB */ if(d->antialias) { - fromx = (x - x1) * w / deltax; - fromy = (y - y1) * h / deltay; - tox = (x - x1 + 1) * w / deltax; - toy = (y - y1 + 1) * h / deltay; + fromx = (uint64_t)(x - x1) * w / deltax; + fromy = (uint64_t)(y - y1) * h / deltay; + tox = (uint64_t)(x - x1 + 1) * w / deltax; + toy = (uint64_t)(y - y1 + 1) * h / deltay; /* We want at least one pixel */ if(tox == fromx) tox++; @@ -1017,10 +1017,10 @@ int caca_dither_bitmap(caca_canvas_t *cv } else { - fromx = (x - x1) * w / deltax; - fromy = (y - y1) * h / deltay; - tox = (x - x1 + 1) * w / deltax; - toy = (y - y1 + 1) * h / deltay; + fromx = (uint64_t)(x - x1) * w / deltax; + fromy = (uint64_t)(y - y1) * h / deltay; + tox = (uint64_t)(x - x1 + 1) * w / deltax; + toy = (uint64_t)(y - y1 + 1) * h / deltay; /* tox and toy can overflow the canvas, but they cannot overflow * when averaged with fromx and fromy because these are guaranteed ++++++ libcaca-variable-type.patch ++++++ Author: Josef Möllers <[email protected]> Index: libcaca-da28e9684ef445ac8d42745644336b8a75c01855/src/common-image.h =================================================================== --- libcaca-da28e9684ef445ac8d42745644336b8a75c01855.orig/src/common-image.h +++ libcaca-da28e9684ef445ac8d42745644336b8a75c01855/src/common-image.h @@ -13,7 +13,7 @@ struct image { char *pixels; - unsigned int w, h; + size_t w, h; struct caca_dither *dither; void *priv; }; Index: libcaca-da28e9684ef445ac8d42745644336b8a75c01855/caca/dither.c =================================================================== --- libcaca-da28e9684ef445ac8d42745644336b8a75c01855.orig/caca/dither.c +++ libcaca-da28e9684ef445ac8d42745644336b8a75c01855/caca/dither.c @@ -116,7 +116,7 @@ enum color_mode struct caca_dither { int bpp, has_palette, has_alpha; - int w, h, pitch; + size_t w, h, pitch; int rmask, gmask, bmask, amask; int rright, gright, bright, aright; int rleft, gleft, bleft, aleft;
