Author: megabajt Date: Sat Jan 15 00:06:58 2011 GMT Module: packages Tag: HEAD ---- Log message: - added -secfix.patch (fixes CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643) - release 5
---- Files affected: packages/evince: evince.spec (1.117 -> 1.118) , evince-secfix.patch (NONE -> 1.1) (NEW) ---- Diffs: ================================================================ Index: packages/evince/evince.spec diff -u packages/evince/evince.spec:1.117 packages/evince/evince.spec:1.118 --- packages/evince/evince.spec:1.117 Fri Jan 14 22:01:56 2011 +++ packages/evince/evince.spec Sat Jan 15 01:06:53 2011 @@ -12,12 +12,13 @@ Summary(pl.UTF-8): Przeglądarka dokumentów w wielu formatach Name: evince Version: 2.32.0 -Release: 4 +Release: 5 License: GPL v2 Group: X11/Applications/Graphics Source0: http://ftp.gnome.org/pub/GNOME/sources/evince/2.32/%{name}-%{version}.tar.bz2 # Source0-md5: ebc3ce6df8dcbf29cb9492f8dd031319 Patch0: %{name}-poppler.patch +Patch1: %{name}-secfix.patch URL: http://www.gnome.org/projects/evince/ BuildRequires: GConf2-devel >= 2.24.0 BuildRequires: autoconf >= 2.57 @@ -159,6 +160,7 @@ %prep %setup -q %patch0 -p1 +%patch1 -p1 %build %{__gtkdocize} @@ -322,6 +324,11 @@ All persons listed below can be reached at <cvs_login>@pld-linux.org $Log$ +Revision 1.118 2011/01/15 00:06:53 megabajt +- added -secfix.patch (fixes CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 + and CVE-2010-2643) +- release 5 + Revision 1.117 2011/01/14 21:01:56 megabajt - added -poppler.patch (fixes crash) - release 4 ================================================================ Index: packages/evince/evince-secfix.patch diff -u /dev/null packages/evince/evince-secfix.patch:1.1 --- /dev/null Sat Jan 15 01:06:58 2011 +++ packages/evince/evince-secfix.patch Sat Jan 15 01:06:53 2011 @@ -0,0 +1,97 @@ +From d4139205b010ed06310d14284e63114e88ec6de2 Mon Sep 17 00:00:00 2001 +From: José Aliste <[email protected]> +Date: Tue, 07 Dec 2010 18:56:47 +0000 +Subject: backends: Fix several security issues in the dvi-backend. + +See CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643. +--- +diff --git a/backend/dvi/mdvi-lib/afmparse.c b/backend/dvi/mdvi-lib/afmparse.c +index 164366b..361e23d 100644 +--- a/backend/dvi/mdvi-lib/afmparse.c ++++ b/backend/dvi/mdvi-lib/afmparse.c +@@ -160,7 +160,7 @@ static char *token(FILE *stream) + + idx = 0; + while (ch != EOF && ch != ' ' && ch != lineterm +- && ch != '\t' && ch != ':' && ch != ';') ++ && ch != '\t' && ch != ':' && ch != ';' && idx < MAX_NAME) + { + ident[idx++] = ch; + ch = fgetc(stream); +diff --git a/backend/dvi/mdvi-lib/dviread.c b/backend/dvi/mdvi-lib/dviread.c +index cd8cfa9..d014320 100644 +--- a/backend/dvi/mdvi-lib/dviread.c ++++ b/backend/dvi/mdvi-lib/dviread.c +@@ -1507,6 +1507,10 @@ int special(DviContext *dvi, int opcode) + Int32 arg; + + arg = dugetn(dvi, opcode - DVI_XXX1 + 1); ++ if (arg <= 0) { ++ dvierr(dvi, _("malformed special length\n")); ++ return -1; ++ } + s = mdvi_malloc(arg + 1); + dread(dvi, s, arg); + s[arg] = 0; +diff --git a/backend/dvi/mdvi-lib/pk.c b/backend/dvi/mdvi-lib/pk.c +index a579186..08377e6 100644 +--- a/backend/dvi/mdvi-lib/pk.c ++++ b/backend/dvi/mdvi-lib/pk.c +@@ -469,6 +469,15 @@ static int pk_load_font(DviParams *unused, DviFont *font) + } + if(feof(p)) + break; ++ ++ /* Although the PK format support bigger char codes, ++ * XeTeX and other extended TeX engines support charcodes up to ++ * 65536, while normal TeX engine supports only charcode up to 255.*/ ++ if (cc < 0 || cc > 65536) { ++ mdvi_error (_("%s: unexpected charcode (%d)\n"), ++ font->fontname,cc); ++ goto error; ++ } + if(cc < loc) + loc = cc; + if(cc > hic) +@@ -512,7 +521,7 @@ static int pk_load_font(DviParams *unused, DviFont *font) + } + + /* resize font char data */ +- if(loc > 0 || hic < maxch-1) { ++ if(loc > 0 && hic < maxch-1) { + memmove(font->chars, font->chars + loc, + (hic - loc + 1) * sizeof(DviFontChar)); + font->chars = xresize(font->chars, +diff --git a/backend/dvi/mdvi-lib/tfmfile.c b/backend/dvi/mdvi-lib/tfmfile.c +index 73ebf26..8c2a30b 100644 +--- a/backend/dvi/mdvi-lib/tfmfile.c ++++ b/backend/dvi/mdvi-lib/tfmfile.c +@@ -172,7 +172,8 @@ int tfm_load_file(const char *filename, TFMInfo *info) + /* We read the entire TFM file into core */ + if(fstat(fileno(in), &st) < 0) + return -1; +- if(st.st_size == 0) ++ /* according to the spec, TFM files are smaller than 16K */ ++ if(st.st_size == 0 || st.st_size >= 16384) + goto bad_tfm; + + /* allocate a word-aligned buffer to hold the file */ +diff --git a/backend/dvi/mdvi-lib/vf.c b/backend/dvi/mdvi-lib/vf.c +index fb49847..a5ae3bb 100644 +--- a/backend/dvi/mdvi-lib/vf.c ++++ b/backend/dvi/mdvi-lib/vf.c +@@ -165,6 +165,12 @@ static int vf_load_font(DviParams *params, DviFont *font) + cc = fuget1(p); + tfm = fuget3(p); + } ++ if (cc < 0 || cc > 65536) { ++ /* TeX engines do not support char codes bigger than 65535 */ ++ mdvi_error(_("(vf) %s: unexpected character %d\n"), ++ font->fontname, cc); ++ goto error; ++ } + if(loc < 0 || cc < loc) + loc = cc; + if(hic < 0 || cc > hic) +-- +cgit v0.8.3.1 ================================================================ ---- CVS-web: http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/evince/evince.spec?r1=1.117&r2=1.118&f=u _______________________________________________ pld-cvs-commit mailing list [email protected] http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
