Hello community,

here is the log from the commit of package patchinfo.11734 for openSUSE:Leap:15.1:Update checked in at 2020-01-17 12:15:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.1:Update/patchinfo.11734 (Old)
 and /work/SRC/openSUSE:Leap:15.1:Update/.patchinfo.11734.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "patchinfo.11734"

Fri Jan 17 12:15:40 2020 rev:1 rq:760423 version:unknown

Changes:
--------
New Changes file:

NO CHANGES FILE!!!

New:
----
  _patchinfo

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ _patchinfo ++++++
<patchinfo incident="11734"> <issue tracker="cve" id="2019-9774"/> <issue tracker="cve" id="2019-9776"/> <issue tracker="cve" id="2019-20013"/> <issue tracker="cve" id="2019-9773"/> <issue tracker="cve" id="2019-20014"/> <issue tracker="cve" id="2019-9770"/> <issue tracker="cve" id="2019-9771"/> <issue tracker="cve" id="2019-20009"/> <issue tracker="cve" id="2019-9775"/> <issue tracker="cve" id="2019-9777"/> <issue tracker="cve" id="2019-20012"/> <issue tracker="cve" id="2019-20015"/> <issue tracker="cve" id="2019-9779"/> <issue tracker="cve" id="2019-9778"/> <issue tracker="cve" id="2019-9772"/> <issue tracker="cve" id="2019-20011"/> <issue tracker="cve" id="2019-20010"/> <issue tracker="bnc" id="1129874">VUL-0: CVE-2019-9773: libredwg: heap-based buffer overflow in the function dwg_decode_eed_data at decode.c for the z dimension</issue> <issue tracker="bnc" id="1129873">VUL-1: CVE-2019-9776: libredwg: NULL pointer dereference in the function dwg_dxf_LTYPE at dwg.spec</issue> <issue tracker="bnc" id="1159826">VUL-1: CVE-2019-20011: libredwg: heap-based buffer over-read in decode_R13_R2000 in decode.c</issue> <issue tracker="bnc" id="1129881">VUL-0: CVE-2019-9770: libredwg: heap-based buffer overflow in the function dwg_decode_eed_data at decode.c for the y dimension</issue> <issue tracker="bnc" id="1159832">VUL-1: CVE-2019-20015: libredwg: crafted input will lead to an attempted excessive memory allocation in dwg_decode_LWPOLYLINE_private in dwg.spec.</issue> <issue tracker="bnc" id="1159827">VUL-1: CVE-2019-20012: libredwg: crafted input will lead to excessive memory allocation in dwg_decode_HATCH_private in dwg.spec</issue> <issue tracker="bnc" id="1129875">VUL-1: 
CVE-2019-9772: libredwg: NULL pointer dereference in the function dwg_dxf_LEADER at dwg.spec.</issue> <issue tracker="bnc" id="1159828">VUL-1: CVE-2019-20013: libredwg: crafted input will lead to excessive memory allocation in decode_3dsolid in dwg.spec</issue> <issue tracker="bnc" id="1159824">VUL-1: CVE-2019-20009: libredwg: Crafted input will lead to aexcessive memory allocation in dwg_decode_SPLINE_private in dwg.spec</issue> <issue tracker="bnc" id="1129870">VUL-1: CVE-2019-9777: libredwg: heap-based buffer over-read in the function dxf_header_write at header_variables_dxf.spec</issue> <issue tracker="bnc" id="1129868">VUL-1: CVE-2019-9779: libredwg: NULL pointer dereference in the function dwg_dxf_LTYPE at dwg.spec</issue> <issue tracker="bnc" id="1129876">VUL-1: CVE-2019-9771: libredwg: NULL pointer dereference in the function bit_convert_TU at bits.c</issue> <issue tracker="bnc" id="1129879">VUL-1: CVE-2019-9774: libredwg: out-of-bounds read in the function bit_read_B at bits.c</issue> <issue tracker="bnc" id="1159825">VUL-1: CVE-2019-20010: libredwg: use-after-free in resolve_objectref_vector in decode.c</issue> <issue tracker="bnc" id="1129878">VUL-1: CVE-2019-9775: libredwg: out-of-bounds read in the function dwg_dxf_BLOCK_CONTROL at dwg.spec</issue> <issue tracker="bnc" id="1154080">libredwg: update to v0.9 (beta)</issue> <issue tracker="bnc" id="1129869">VUL-1: CVE-2019-9778: libredwg: heap-based buffer over-read in the function dwg_dxf_LTYPE at dwg.spec</issue> <issue tracker="bnc" id="1159831">VUL-1: CVE-2019-20014: libredwg: double-free in dwg_free in free.c</issue> <packager>jengelh</packager> <rating>moderate</rating> <category>security</category> <summary>Security update for libredwg</summary> <description>This update for libredwg fixes the following issues: libredwg was updated to release 0.9.3: * Added the -x,--extnames option to dwglayers for r13-r14 DWGs. * Fixed some leaks: SORTENTSTABLE, PROXY_ENTITY.ownerhandle for r13. 
* Add DICTIONARY.itemhandles[] for r13 and r14. * Fixed some dwglayers null pointer derefs, and flush its output for each layer. * Added several overflow checks from fuzzing [CVE-2019-20010, boo#1159825], [CVE-2019-20011, boo#1159826], [CVE-2019-20012, boo#1159827], [CVE-2019-20013, boo#1159828], [CVE-2019-20014, boo#1159831], [CVE-2019-20015, boo#1159832] * Disallow illegal SPLINE scenarios [CVE-2019-20009, boo#1159824] Update to release 0.9.1: * Fixed more null pointer dereferences, overflows, hangs and memory leaks for fuzzed (i.e. illegal) DWGs. Update to release 0.9 [boo#1154080]: * Added the DXF importer, using the new dynapi and the r2000 encoder. Only for r2000 DXFs. * Added utf8text conversion functions to the dynapi. * Added 3DSOLID encoder. * Added APIs to find handles for names, searching in tables and dicts. * API breaking changes - see NEWS file in package. * Fixed null pointer dereferences, and memory leaks (except DXF importer) [boo#1129868, CVE-2019-9779] [boo#1129869, CVE-2019-9778] [boo#1129870, CVE-2019-9777] [boo#1129873, CVE-2019-9776] [boo#1129874, CVE-2019-9773] [boo#1129875, CVE-2019-9772] [boo#1129876, CVE-2019-9771] [boo#1129878, CVE-2019-9775] [boo#1129879, CVE-2019-9774] [boo#1129881, CVE-2019-9770] Update to 0.8: * add a new dynamic API, read and write all header and object fields by name * API breaking changes * Fix many errors in DXF output * Fix JSON output * Many more bug fixes to handle specific object types </description> </patchinfo>
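Review bot: In the description's 0.9.3 section, the bullet "Added several overflow checks from fuzzing" lists CVE-2019-20010 and CVE-2019-20014, but the issue titles in this same file describe those as a use-after-free in resolve_objectref_vector and a double-free in dwg_free, not overflows. Consider rewording the bullet so the advisory text matches the bug classes it covers. Two smaller points: the bnc titles for 1129873 (CVE-2019-9776) and 1129868 (CVE-2019-9779) are word-for-word identical ("NULL pointer dereference in the function dwg_dxf_LTYPE at dwg.spec"), so it is worth confirming one was not copied from the other, and the title of 1159824 contains the typo "aexcessive".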
