gpdf 2.8.1 is based on xpdf 3.00pl1. I've added the pl2 and pl3 security patches, as well as a fix for the CAN-2005-2097 DoS issue I pulled out of the Mandrake SRPM.
It is important to realize that the xpdf code base is duplicated several times in the tree: xpdf itself, gpdf, kpdf, and cups. Any security issue affecting xpdf is likely to also affect its derivatives. Index: Makefile =================================================================== RCS file: /cvs/ports/textproc/gpdf/Makefile,v retrieving revision 1.9 diff -u -r1.9 Makefile --- Makefile 21 Feb 2005 16:54:19 -0000 1.9 +++ Makefile 20 Aug 2005 20:49:17 -0000 @@ -3,6 +3,7 @@ COMMENT= "PDF viewer for GNOME" DISTNAME= gpdf-2.8.1 +PKGNAME= ${DISTNAME}p0 CATEGORIES= textproc x11/gnome HOMEPAGE= http://www.inf.tu-dresden.de/~mk793652/gpdf/ Index: patches/patch-xpdf_GPOutputDev_cc =================================================================== RCS file: patches/patch-xpdf_GPOutputDev_cc diff -N patches/patch-xpdf_GPOutputDev_cc --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-xpdf_GPOutputDev_cc 20 Aug 2005 20:49:17 -0000 
@@ -0,0 +1,56 @@
+$OpenBSD$
+--- xpdf/GPOutputDev.cc.orig Sat Aug 20 22:36:27 2005
++++ xpdf/GPOutputDev.cc Sat Aug 20 22:38:32 2005
+@@ -257,26 +257,14 @@ GnomeFontFace *GPOFontMap::getFontFaceEm
+ }
+ case fontTrueType: {
+ FoFiTrueType *ff;
+- gint fd;
+- gchar *temp_name;
+- FILE *f;
+ gushort *code_to_gid;
+
+ ff = FoFiTrueType::make((char *)contents, length); // FIXME error handling
+
+ code_to_gid = ((Gfx8BitFont *)font)->getCodeToGIDMap(ff); // this is g(oo)malloc'd
+
+- fd = g_file_open_tmp("gpdf-ttf-XXXXXX", &temp_name, NULL);
+- f = fdopen(fd, "wb");
+- ff->writeTTF(&fileWrite, f);
+ delete ff;
+- g_free(contents);
+- fclose(f);
+
+- g_file_get_contents(temp_name, (gchar **)&contents, &length, NULL);
+- unlink(temp_name);
+- g_free(temp_name);
+-
+ gff = gpdf_font_face_download((const guchar *)font_name,
+ (const guchar *)"",
+ GNOME_FONT_REGULAR, FALSE,
+@@ -318,25 +306,8 @@ GnomeFontFace *GPOFontMap::getFontFaceEm
+ break;
+ }
+ case fontCIDType2: {
+- FoFiTrueType *ff;
+- gint fd;
+- gchar *temp_name;
+- FILE *f;
+ gint n_cids;
+ gushort *code_to_gid;
+-
+- ff = FoFiTrueType::make((char *)contents, length); // FIXME error handling
+-
+- fd = g_file_open_tmp("gpdf-ttf-XXXXXX", &temp_name, NULL);
+- f = fdopen(fd, "wb");
+- ff->writeTTF(&fileWrite, f);
+- delete ff;
+- g_free(contents);
+- fclose(f);
+-
+- g_file_get_contents(temp_name, (gchar **)&contents, &length, NULL);
+- unlink(temp_name);
+- g_free(temp_name);
+
+ gff = gpdf_font_face_download((const guchar *)font_name,
+ (const guchar *)"",
Index: patches/patch-xpdf_GfxState_cc
===================================================================
RCS file: patches/patch-xpdf_GfxState_cc
diff -N patches/patch-xpdf_GfxState_cc
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-xpdf_GfxState_cc 20 Aug 2005 20:49:17 -0000
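Review bot: In the xpdf/GPOutputDev.cc patch, the `fontTrueType` case still hands `ff` to `getCodeToGIDMap(ff)` without checking the result of `FoFiTrueType::make()`, which the retained `// FIXME error handling` comment already flags. If `make()` returns NULL for a malformed embedded font, a damaged or crafted PDF would crash the viewer at that call. A guard such as `if (!ff) break;` directly after the `make()` call would cover it, provided `gff` is still NULL on that path; the enclosing function starts and ends outside the hunk, so the correct failure path needs confirming there. With the `writeTTF()` round trip removed, the embedded font bytes also appear to reach `gpdf_font_face_download()` unmodified, so that callee should be reviewed as a consumer of untrusted data.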
@@ -0,0 +1,24 @@
+$OpenBSD$
+--- xpdf/GfxState.cc.orig Sat Aug 20 22:10:30 2005
++++ xpdf/GfxState.cc Sat Aug 20 22:12:38 2005
+@@ -714,6 +714,11 @@ GfxColorSpace *GfxICCBasedColorSpace::pa
+ }
+ nCompsA = obj2.getInt();
+ obj2.free();
++ if (nCompsA > gfxColorMaxComps) {
++ error(-1, "ICCBased color space with too many (%d > %d) components",
++ nCompsA, gfxColorMaxComps);
++ nCompsA = gfxColorMaxComps;
++ }
+ if (dict->lookup("Alternate", &obj2)->isNull() ||
+ !(altA = GfxColorSpace::parse(&obj2))) {
+ switch (nCompsA) {
+@@ -1060,7 +1065,7 @@ GfxColorSpace *GfxDeviceNColorSpace::par
+ }
+ nCompsA = obj1.arrayGetLength();
+ if (nCompsA > gfxColorMaxComps) {
+- error(-1, "DeviceN color space with more than %d > %d components",
++ error(-1, "DeviceN color space with too many (%d > %d) components",
+ nCompsA, gfxColorMaxComps);
+ nCompsA = gfxColorMaxComps;
+ }
Index: patches/patch-xpdf_Gfx_cc
===================================================================
RCS file: patches/patch-xpdf_Gfx_cc
diff -N patches/patch-xpdf_Gfx_cc
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-xpdf_Gfx_cc 20 Aug 2005 20:49:17 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+--- xpdf/Gfx.cc.orig Sat Aug 20 22:09:21 2005
++++ xpdf/Gfx.cc Sat Aug 20 22:10:22 2005
+@@ -2654,7 +2654,9 @@ void Gfx::doImage(Object *ref, Stream *s
+ haveMask = gFalse;
+ dict->lookup("Mask", &maskObj);
+ if (maskObj.isArray()) {
+- for (i = 0; i < maskObj.arrayGetLength(); ++i) {
++ for (i = 0;
++ i < maskObj.arrayGetLength() && i < 2*gfxColorMaxComps;
++ ++i) {
+ maskObj.arrayGet(i, &obj1);
+ maskColors[i] = obj1.getInt();
+ obj1.free();
Index: patches/patch-xpdf_XRef_cc
===================================================================
RCS file: patches/patch-xpdf_XRef_cc
diff -N patches/patch-xpdf_XRef_cc
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-xpdf_XRef_cc 20 Aug 2005 20:49:17 -0000
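Review bot: In the xpdf/GfxState.cc patch, the check added after `nCompsA = obj2.getInt();` bounds the ICCBased component count only from above, so a zero or negative N read from the PDF dictionary still passes it. The visible `switch (nCompsA)` is reached only when Alternate is missing or fails to parse, so with a valid Alternate nothing in the hunk rejects such a value; whether later code tolerates it lies outside the hunk. A separate `if (nCompsA < 1)` test that takes the function's existing error path, rather than clamping, would close the gap. The `keyLength > 16` clamp in the xpdf/XRef.cc patch is one-sided in the same way, since `keyLength` is assigned above that hunk and no lower bound is visible there.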
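Review bot: In the xpdf/Gfx.cc patch, the new loop condition in `doImage` truncates an over-long Mask array silently, whereas the GfxState.cc checks in this same update report the equivalent condition through `error()`. An oversized Mask array indicates a malformed or hostile file, so a diagnostic in the same style, for example `error(-1, "Mask array with too many (%d > %d) entries", maskObj.arrayGetLength(), 2*gfxColorMaxComps);`, would make such files visible to whoever triages them. The bound `2*gfxColorMaxComps` is presumably the declared size of `maskColors`, which is not visible in the hunk; a comment stating that link would keep the two from drifting apart. The context line `maskColors[i] = obj1.getInt();` also shows no type check on `obj1`, so a non-integer array element may deserve an `isInt()` test if none exists outside the hunk.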
@@ -0,0 +1,13 @@
+$OpenBSD$
+--- xpdf/XRef.cc.orig Sat Aug 20 22:14:19 2005
++++ xpdf/XRef.cc Sat Aug 20 22:16:10 2005
+@@ -819,6 +819,9 @@ GBool XRef::checkEncrypted(GString *owne
+ } else {
+ keyLength = 5;
+ }
++ if (keyLength > 16) {
++ keyLength = 16;
++ }
+ permFlags = permissions.getInt();
+ if (encVersion >= 1 && encVersion <= 2 &&
+ encRevision >= 2 && encRevision <= 3) {
-- Christian "naddy" Weisgerber [EMAIL PROTECTED]
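Review bot: The literal `16` in the `keyLength` clamp added to `XRef::checkEncrypted` in the xpdf/XRef.cc patch is unexplained, and nothing in the hunk ties it to the storage it protects. It presumably matches the size of the buffer that holds the file key, but that declaration is not visible here. A comment on the new lines such as `// never exceed the file key buffer (16 bytes; confirm against its declaration)`, or a named constant shared with that declaration, would make the invariant checkable when either side changes. The function body starts and ends outside the hunk.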