Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package podofo for openSUSE:Factory checked in at 2022-02-18 23:02:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/podofo (Old) and /work/SRC/openSUSE:Factory/.podofo.new.1958 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "podofo" Fri Feb 18 23:02:37 2022 rev:33 rq:955585 version:0.9.7 Changes: -------- --- /work/SRC/openSUSE:Factory/podofo/podofo.changes 2021-07-02 13:26:40.373130317 +0200 +++ /work/SRC/openSUSE:Factory/.podofo.new.1958/podofo.changes 2022-02-18 23:02:39.105414207 +0100 @@ -1,0 +2,9 @@ +Wed Feb 16 15:00:45 UTC 2022 - Christophe Giboudeaux <christo...@krop.fr> + +- Add GCC12 compatibility fix from Fedora (boo#1194962): + * podofo-gcc12.patch +- Add upstream changes: + * podofo-CVE-2019-10723.patch (boo#1131544, CVE-2019-10723) + * podofo-CVE-2018-12983.patch (boo#1099719, CVE-2018-12983) + +------------------------------------------------------------------- New: ---- podofo-CVE-2018-12983.patch podofo-CVE-2019-10723.patch podofo-gcc12.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ podofo.spec ++++++ --- /var/tmp/diff_new_pack.4A8kNw/_old 2022-02-18 23:02:39.677414162 +0100 +++ /var/tmp/diff_new_pack.4A8kNw/_new 2022-02-18 23:02:39.681414162 +0100 @@ -25,6 +25,12 @@ Group: Productivity/Publishing/PDF URL: http://podofo.sourceforge.net/ Source0: http://downloads.sourceforge.net/podofo/%{name}-%{version}.tar.gz +# PATCH-FIX-UPSTREAM https://src.fedoraproject.org/rpms/podofo/tree/rawhide +Patch0: podofo-gcc12.patch +# PATCH-FIX-UPSTREAM +Patch1: podofo-CVE-2019-10723.patch +# PATCH-FIX-UPSTREAM +Patch2: podofo-CVE-2018-12983.patch BuildRequires: cmake >= 2.6 BuildRequires: doxygen BuildRequires: fdupes @@ -63,7 +69,7 @@ This package contains development files for podofo library. %prep -%setup -q +%autosetup -p1 # Remove build time references so build-compare can do its work echo "HTML_TIMESTAMP = NO" >> Doxyfile ++++++ podofo-CVE-2018-12983.patch ++++++ Fix by Matthew Brincke: CVE-2018-12983 - stack-based buffer over-read in the PdfEncryptMD5Base::ComputeEncryptionKey() Closes https://sourceforge.net/p/podofo/tickets/23/ --- a/src/podofo/base/PdfEncrypt.cpp 
+++ b/src/podofo/base/PdfEncrypt.cpp @@ -615,6 +615,12 @@ && PdfEncrypt::IsEncryptionEnabled( ePdfEncryptAlgorithm_RC4V2 ) ) { // [Alexey] - lLength is pdf_int64. Please make changes in encryption algorithms + // [mabri] - Fix CVE-2018-12983: Check key length lLength here + // to prevent stack-based buffer over-read later in this file + if (lLength > MD5_DIGEST_LENGTH * 8) // lLength in bits, md5 in bytes + { + PODOFO_RAISE_ERROR_INFO( ePdfError_ValueOutOfRange, "Given key length too large for MD5." ); + } pdfEncrypt = new PdfEncryptRC4(oValue, uValue, pValue, rValue, ePdfEncryptAlgorithm_RC4V2, static_cast<int>(lLength), encryptMetadata); } else ++++++ podofo-CVE-2019-10723.patch ++++++ Patch by Christopher Creutzig: CVE-2019-10723 - Excessive memory allocation crash at PdfPagesTreeCache Given the offending instruction is just preallocating memory for performance, use an arbitrary limit for preallocation. Closes https://sourceforge.net/p/podofo/tickets/46/ --- a/src/podofo/doc/PdfPagesTreeCache.cpp +++ b/src/podofo/doc/PdfPagesTreeCache.cpp @@ -42,7 +42,9 @@ PdfPagesTreeCache::PdfPagesTreeCache( int nInitialSize ) { - m_deqPageObjs.resize( nInitialSize ); + if (nInitialSize > 0 && nInitialSize < (1L << 20)) { + m_deqPageObjs.resize( nInitialSize ); + } } PdfPagesTreeCache::~PdfPagesTreeCache() ++++++ podofo-gcc12.patch ++++++ Comment out some asserts in the testsuite which fail to build with gcc12 diff -rupN --no-dereference podofo-0.9.7/test/unit/StringTest.cpp podofo-0.9.7-new/test/unit/StringTest.cpp --- podofo-0.9.7/test/unit/StringTest.cpp 2019-01-15 14:04:40.000000000 +0100 +++ podofo-0.9.7-new/test/unit/StringTest.cpp 2022-01-28 10:14:44.069677817 +0100 
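Review bot: The added guard in front of `new PdfEncryptRC4(...)` rejects only values above `MD5_DIGEST_LENGTH * 8`, so a zero, negative or non-multiple-of-8 `lLength` taken from the document still reaches `static_cast<int>(lLength)`. The PDF specification defines this key length as a multiple of 8 between 40 and 128 bits, so the condition could enforce the whole range: `if (lLength < 40 || lLength > MD5_DIGEST_LENGTH * 8 || lLength % 8 != 0)`, with the message reworded to `"Given key length is out of range for MD5."`. How the constructor treats a non-positive length is not visible here, so the lower bound is a defensive check, not a confirmed second over-read. The enclosing if/else chain starts and continues outside the hunk, so any other branch that consumes `lLength` cannot be checked from this patch.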
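Review bot: `m_deqPageObjs.resize( nInitialSize )` changes the deque's size rather than only reserving capacity, so with the new guard a count of `1L << 20` or more leaves the cache empty where it used to hold that many slots. That is safe only if every accessor bounds-checks its index or grows the deque on demand, which this hunk does not show and which is worth confirming in the rest of PdfPagesTreeCache.cpp. The limit is also an unnamed literal whose skip-instead-of-clamp behaviour is undocumented; a named constant with a comment such as `// Cap on up-front slots; the requested size is presumably document-controlled, larger trees must grow on demand` would record the intent.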
@@ -179,19 +179,19 @@ void StringTest::testUtf16beContructor() CPPUNIT_ASSERT_EQUAL_MESSAGE( "Comparing UTF8 and UTF16 string converted to UTF8", strUtf8.GetStringUtf8(), strUtf16.GetStringUtf8() ); - CPPUNIT_ASSERT_EQUAL_MESSAGE( "Comparing UTF8 and UTF16 string", strUtf8, strUtf16 ); +// CPPUNIT_ASSERT_EQUAL_MESSAGE( "Comparing UTF8 and UTF16 string", strUtf8, strUtf16 ); // Compare two UTF16 strings CPPUNIT_ASSERT_EQUAL( strUtf16.GetCharacterLength(), strUtf16b.GetCharacterLength() ); CPPUNIT_ASSERT_EQUAL( strUtf16.GetStringUtf8(), strUtf16b.GetStringUtf8() ); - CPPUNIT_ASSERT_EQUAL( strUtf16, strUtf16b ); +// CPPUNIT_ASSERT_EQUAL( strUtf16, strUtf16b ); } void StringTest::testWCharConstructor() { - CPPUNIT_ASSERT_EQUAL( PdfString("Hallo World"), PdfString(L"Hallo World") ); - CPPUNIT_ASSERT_EQUAL( PdfString(L"Hallo World"), PdfString(L"Hallo World") ); +// CPPUNIT_ASSERT_EQUAL( PdfString("Hallo World"), PdfString(L"Hallo World") ); +// CPPUNIT_ASSERT_EQUAL( PdfString(L"Hallo World"), PdfString(L"Hallo World") ); } void StringTest::testEscapeBrackets()