packages: evince/evince.spec, evince/evince-secfix.patch (NEW) - added -sec...

megabajt megabajt at pld-linux.org
Sat Jan 15 01:06:58 CET 2011 

Author: megabajt                     Date: Sat Jan 15 00:06:58 2011 GMT
Module: packages                      Tag: HEAD
---- Log message:
- added -secfix.patch (fixes CVE-2010-2640, CVE-2010-2641, CVE-2010-2642
  and CVE-2010-2643)
- release 5

---- Files affected:
packages/evince:
   evince.spec (1.117 -> 1.118) , evince-secfix.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: packages/evince/evince.spec
diff -u packages/evince/evince.spec:1.117 packages/evince/evince.spec:1.118
--- packages/evince/evince.spec:1.117	Fri Jan 14 22:01:56 2011
+++ packages/evince/evince.spec	Sat Jan 15 01:06:53 2011
@@ -12,12 +12,13 @@
 Summary(pl.UTF-8):	Przeglądarka dokumentów w wielu formatach
 Name:		evince
 Version:	2.32.0
-Release:	4
+Release:	5
 License:	GPL v2
 Group:		X11/Applications/Graphics
 Source0:	http://ftp.gnome.org/pub/GNOME/sources/evince/2.32/%{name}-%{version}.tar.bz2
 # Source0-md5:	ebc3ce6df8dcbf29cb9492f8dd031319
 Patch0:		%{name}-poppler.patch
+Patch1:		%{name}-secfix.patch
 URL:		http://www.gnome.org/projects/evince/
 BuildRequires:	GConf2-devel >= 2.24.0
 BuildRequires:	autoconf >= 2.57
@@ -159,6 +160,7 @@
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 
 %build
 %{__gtkdocize}
@@ -322,6 +324,11 @@
 All persons listed below can be reached at <cvs_login>@pld-linux.org
 
 $Log$
+Revision 1.118  2011/01/15 00:06:53  megabajt
+- added -secfix.patch (fixes CVE-2010-2640, CVE-2010-2641, CVE-2010-2642
+  and CVE-2010-2643)
+- release 5
+
 Revision 1.117  2011/01/14 21:01:56  megabajt
 - added -poppler.patch (fixes crash)
 - release 4

================================================================
Index: packages/evince/evince-secfix.patch
diff -u /dev/null packages/evince/evince-secfix.patch:1.1
--- /dev/null	Sat Jan 15 01:06:58 2011
+++ packages/evince/evince-secfix.patch	Sat Jan 15 01:06:53 2011
@@ -0,0 +1,97 @@
+From d4139205b010ed06310d14284e63114e88ec6de2 Mon Sep 17 00:00:00 2001
+From: José Aliste <jaliste at src.gnome.org>
+Date: Tue, 07 Dec 2010 18:56:47 +0000
+Subject: backends: Fix several security issues in the dvi-backend.
+
+See CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and  CVE-2010-2643.
+---
+diff --git a/backend/dvi/mdvi-lib/afmparse.c b/backend/dvi/mdvi-lib/afmparse.c
+index 164366b..361e23d 100644
+--- a/backend/dvi/mdvi-lib/afmparse.c
++++ b/backend/dvi/mdvi-lib/afmparse.c
+@@ -160,7 +160,7 @@ static char *token(FILE *stream)
+     
+     idx = 0;
+     while (ch != EOF && ch != ' ' && ch != lineterm 
+-           && ch != '\t' && ch != ':' && ch != ';') 
++           && ch != '\t' && ch != ':' && ch != ';' && idx < MAX_NAME)
+     {
+         ident[idx++] = ch;
+         ch = fgetc(stream);
+diff --git a/backend/dvi/mdvi-lib/dviread.c b/backend/dvi/mdvi-lib/dviread.c
+index cd8cfa9..d014320 100644
+--- a/backend/dvi/mdvi-lib/dviread.c
++++ b/backend/dvi/mdvi-lib/dviread.c
+@@ -1507,6 +1507,10 @@ int	special(DviContext *dvi, int opcode)
+ 	Int32	arg;
+ 	
+ 	arg = dugetn(dvi, opcode - DVI_XXX1 + 1);
++	if (arg <= 0) {
++		dvierr(dvi, _("malformed special length\n"));
++		return -1;
++	}
+ 	s = mdvi_malloc(arg + 1);
+ 	dread(dvi, s, arg);
+ 	s[arg] = 0;
+diff --git a/backend/dvi/mdvi-lib/pk.c b/backend/dvi/mdvi-lib/pk.c
+index a579186..08377e6 100644
+--- a/backend/dvi/mdvi-lib/pk.c
++++ b/backend/dvi/mdvi-lib/pk.c
+@@ -469,6 +469,15 @@ static int pk_load_font(DviParams *unused, DviFont *font)
+ 			}
+ 			if(feof(p))
+ 				break;
++
++			/* Although the PK format support bigger char codes,
++                         * XeTeX and other extended TeX engines support charcodes up to
++                         * 65536, while normal TeX engine supports only charcode up to 255.*/
++			if (cc < 0 || cc > 65536) {
++				mdvi_error (_("%s: unexpected charcode (%d)\n"),
++					    font->fontname,cc);
++				goto error;
++			} 
+ 			if(cc < loc)
+ 				loc = cc;
+ 			if(cc > hic)
+@@ -512,7 +521,7 @@ static int pk_load_font(DviParams *unused, DviFont *font)
+ 	}
+ 
+ 	/* resize font char data */
+-	if(loc > 0 || hic < maxch-1) {
++	if(loc > 0 && hic < maxch-1) {
+ 		memmove(font->chars, font->chars + loc, 
+ 			(hic - loc + 1) * sizeof(DviFontChar));
+ 		font->chars = xresize(font->chars,
+diff --git a/backend/dvi/mdvi-lib/tfmfile.c b/backend/dvi/mdvi-lib/tfmfile.c
+index 73ebf26..8c2a30b 100644
+--- a/backend/dvi/mdvi-lib/tfmfile.c
++++ b/backend/dvi/mdvi-lib/tfmfile.c
+@@ -172,7 +172,8 @@ int	tfm_load_file(const char *filename, TFMInfo *info)
+ 	/* We read the entire TFM file into core */
+ 	if(fstat(fileno(in), &st) < 0)
+ 		return -1;
+-	if(st.st_size == 0)
++	/* according to the spec, TFM files are smaller than 16K */
++	if(st.st_size == 0 || st.st_size >= 16384)
+ 		goto bad_tfm;
+ 
+ 	/* allocate a word-aligned buffer to hold the file */
+diff --git a/backend/dvi/mdvi-lib/vf.c b/backend/dvi/mdvi-lib/vf.c
+index fb49847..a5ae3bb 100644
+--- a/backend/dvi/mdvi-lib/vf.c
++++ b/backend/dvi/mdvi-lib/vf.c
+@@ -165,6 +165,12 @@ static int vf_load_font(DviParams *params, DviFont *font)
+ 			cc = fuget1(p);
+ 			tfm = fuget3(p);
+ 		}
++		if (cc < 0 || cc > 65536) {
++			/* TeX engines do not support char codes bigger than 65535 */
++			mdvi_error(_("(vf) %s: unexpected character %d\n"),
++				   font->fontname, cc);
++			goto error;
++		}
+ 		if(loc < 0 || cc < loc)
+ 			loc = cc;
+ 		if(hic < 0 || cc > hic)
+--
+cgit v0.8.3.1
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/evince/evince.spec?r1=1.117&r2=1.118&f=u

More information about the pld-cvs-commit mailing list