Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package plib for openSUSE:Factory checked in 
at 2021-10-31 22:55:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/plib (Old)
 and      /work/SRC/openSUSE:Factory/.plib.new.1890 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "plib"

Sun Oct 31 22:55:49 2021 rev:6 rq:928415 version:1.8.5+svn.2173

Changes:
--------
--- /work/SRC/openSUSE:Factory/plib/plib.changes        2021-08-31 
19:56:28.058020237 +0200
+++ /work/SRC/openSUSE:Factory/.plib.new.1890/plib.changes      2021-10-31 
22:56:34.647741362 +0100
@@ -1,0 +2,6 @@
+Sun Oct 31 11:40:35 UTC 2021 - ldre...@vodafonemail.de
+
+- add plib-1.8.5-CVE-2021-38714.patch from Anton Gladky to fix
+  original security issue (boo#1189887)
+
+-------------------------------------------------------------------

New:
----
  plib-1.8.5-CVE-2021-38714.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ plib.spec ++++++
--- /var/tmp/diff_new_pack.Oi72xn/_old  2021-10-31 22:56:35.103741712 +0100
+++ /var/tmp/diff_new_pack.Oi72xn/_new  2021-10-31 22:56:35.107741715 +0100
@@ -33,6 +33,8 @@
 Patch2:         plib-1.8.5-CVE-2011-4620.patch
 # PATCH-FIX-UPSTREAM -- https://sourceforge.net/p/plib/bugs/51/
 Patch3:         plib-1.8.5-CVE-2012-4552.patch
+# PATCH-FIX-UPSTREAM -- https://sourceforge.net/p/plib/bugs/55/
+Patch4:         plib-1.8.5-CVE-2021-38714.patch
 BuildRequires:  gcc-c++
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
@@ -80,11 +82,12 @@
 %patch1
 %patch2
 %patch3
+%patch4
 
 %build
 autoreconf -fiv
 export CXXFLAGS="%{optflags} -fno-strict-aliasing"
-%configure --disable-static --enable-ssg=no --enable-ssgaux=no
+%configure --disable-static
 make %{?_smp_mflags}
 
 %install
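Review bot: The `%configure` line in this hunk drops `--enable-ssg=no --enable-ssgaux=no`, but the plib.changes entry only records the added patch. If those switches were the earlier workaround for CVE-2021-38714 (the changelog's "original security issue" suggests so, but that is inferred), the package now ships every ssg and ssgaux loader again, while only ssgLoadTGA.cxx is patched here. The changelog should state the re-enable explicitly, for example `- re-enable ssg and ssgaux now that ssgLoadTGA() is patched`, so that reviewers and downstream consumers can see the change in exposed file-parsing code.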

++++++ plib-1.8.5-CVE-2021-38714.patch ++++++
Description: Prevent integer overflow in ssgLoadTGA() function. CVE-2021-38714
Author: Anton Gladky <gl...@debian.org>
Bug-Debian: https://bugs.debian.org/992973
Last-Update: 2021-10-02

Index: plib/src/ssg/ssgLoadTGA.cxx
===================================================================
--- src/ssg/ssgLoadTGA.cxx.orig
+++ src/ssg/ssgLoadTGA.cxx
@@ -23,6 +23,7 @@
 
 
 #include "ssgLocal.h"
+#include <new>
 
 #ifdef SSG_LOAD_TGA_SUPPORTED
 
@@ -103,9 +104,9 @@ bool ssgLoadTGA ( const char *fname, ssg
 
     // image info
     int type = header[2];
-    int xsize = get16u(header + 12);
-    int ysize = get16u(header + 14);
-    int bits  = header[16];
+    unsigned int xsize = get16u(header + 12);
+    unsigned int ysize = get16u(header + 14);
+    unsigned int bits  = header[16];
 
     /* image types:
      *
@@ -169,9 +170,32 @@ bool ssgLoadTGA ( const char *fname, ssg
     }
 
 
+    const auto bytes_to_allocate = (bits / 8) * xsize * ysize;
+
+    ulSetError( UL_DEBUG, "bytes_to_allocate=%ld xsize = %ld, ysize = %ld, %ld 
== %ld ", bytes_to_allocate, xsize, ysize, bytes_to_allocate / xsize, (ysize * 
(bits / 8)));
+    
+    if (xsize != 0 && ((ysize * (bits / 8)) != bytes_to_allocate / xsize))
+    {
+       ulSetError( UL_WARNING, "Integer overflow in image size: xsize = %d, 
ysize = %d", xsize, ysize);
+           return false;
+    }
+    else
+    {
+        ulSetError( UL_DEBUG, "ssgLoadTGA: Allocating %ld bytes for the size 
%d x %d", bytes_to_allocate, xsize, ysize );
+    }
+
     // read image data
 
-    GLubyte *image = new GLubyte [ (bits / 8) * xsize * ysize ];
+    GLubyte *image;
+    try
+    {
+        image = new GLubyte [ bytes_to_allocate ];
+    }
+    catch (const std::bad_alloc&)
+    {
+        ulSetError( UL_WARNING, "ssgLoadTGA:  Allocation of %d bytes failed!", 
bytes_to_allocate);
+           return false;
+    }
 
     if ((type & 8) != 0) 
     {
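Review bot: The first added `ulSetError( UL_DEBUG, ... )` call evaluates `bytes_to_allocate / xsize` as an argument before the `xsize != 0` guard on the following `if`, so a TGA header with width 0 causes an integer division by zero in the overflow check itself, unless code above the hunk already rejects that width. The added log calls also pass `unsigned int` values (`bytes_to_allocate` is deduced as `unsigned int` by `auto`) to `%ld` and `%d`, which is a varargs type mismatch and can print garbage on LP64 targets. Dropping the quotient from the debug line and switching to `%u` fixes both: `ulSetError( UL_DEBUG, "ssgLoadTGA: bytes_to_allocate = %u, xsize = %u, ysize = %u", bytes_to_allocate, xsize, ysize );`, with `%u` likewise in the two warning messages and the "Allocating" message. ssgLoadTGA begins and ends outside this hunk, so how `bits` values below 8 (a zero-byte allocation) are handled cannot be checked from here.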
