Hello community, here is the log from the commit of package libEMF for openSUSE:Factory checked in at 2020-09-01 20:01:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libEMF (Old) and /work/SRC/openSUSE:Factory/.libEMF.new.3399 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libEMF" Tue Sep 1 20:01:43 2020 rev:26 rq:828515 version:1.0.13 Changes: -------- --- /work/SRC/openSUSE:Factory/libEMF/libEMF.changes 2020-06-08 23:51:39.598776278 +0200 +++ /work/SRC/openSUSE:Factory/.libEMF.new.3399/libEMF.changes 2020-09-01 20:01:51.664437875 +0200 @@ -1,0 +2,11 @@ +Mon Aug 17 09:51:29 UTC 2020 - Dirk Mueller <dmuel...@suse.com> + +- update to 1.0.13: + * CVE-2020-13999 (bsc#1173070) + + libEMF (aka ECMA-234 Metafile Library) through 1.0.12 is vulnerable to + Integer overflow condition in libemf.cpp:ScaleviewportExtEx function + leading to Denial of Service + VulnerabilityType : Integer Overflow + +------------------------------------------------------------------- Old: ---- libemf-1.0.12.tar.gz New: ---- libemf-1.0.13.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libEMF.spec ++++++ --- /var/tmp/diff_new_pack.wuyWwb/_old 2020-09-01 20:01:53.880438911 +0200 +++ /var/tmp/diff_new_pack.wuyWwb/_new 2020-09-01 20:01:53.880438911 +0200 @@ -1,7 +1,7 @@ # # spec file for package libEMF # -# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: libEMF -Version: 1.0.12 +Version: 1.0.13 Release: 0 Summary: Library for Manipulation with Enhanced MetaFile (EMF, ECMA-234) License: LGPL-2.1-or-later AND GPL-2.0-or-later ++++++ libemf-1.0.12.tar.gz -> libemf-1.0.13.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libemf-1.0.12/NEWS new/libemf-1.0.13/NEWS --- old/libemf-1.0.12/NEWS 2020-05-09 15:45:13.000000000 +0200 +++ new/libemf-1.0.13/NEWS 2020-06-14 16:29:09.000000000 +0200 
@@ -1,3 +1,22 @@ +Release note for libEMF version 1.0.13 + +This release fixes a security issue: + +CVE-2020-13999 + +libEMF (aka ECMA-234 Metafile Library) through 1.0.12 is vulnerable to +Integer overflow condition in libemf.cpp:ScaleviewportExtEx function +leading to Denial of Service +VulnerabilityType : Integer Overflow +Vendor of Product : https://packages.debian.org/source/sid/libemf +Affected Product Code Base : libemf - <=1.0.12 +Attack Type : Local ( Remote if libEMF is used anywhere in the web +pipeline for processing EMF files ) +Impact: Denial of Service +Has vendor confirmed or acknowledged the vulnerability? true + +------------------------------------------------------------------------ + Release note for libEMF version 1.0.12 This release fixes a number of security issues: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libemf-1.0.12/configure new/libemf-1.0.13/configure --- old/libemf-1.0.12/configure 2020-04-04 23:00:10.000000000 +0200 +++ new/libemf-1.0.13/configure 2020-06-14 16:29:45.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for libEMF 1.0.12. +# Generated by GNU Autoconf 2.69 for libEMF 1.0.13. # # Report bugs to <dallenbarn...@users.sourceforge.net>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='libEMF' PACKAGE_TARNAME='libemf' -PACKAGE_VERSION='1.0.12' -PACKAGE_STRING='libEMF 1.0.12' +PACKAGE_VERSION='1.0.13' +PACKAGE_STRING='libEMF 1.0.13' PACKAGE_BUGREPORT='dallenbarn...@users.sourceforge.net' PACKAGE_URL='' @@ -1345,7 +1345,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libEMF 1.0.12 to adapt to many kinds of systems. +\`configure' configures libEMF 1.0.13 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -1416,7 +1416,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libEMF 1.0.12:";; + short | recursive ) echo "Configuration of libEMF 1.0.13:";; esac cat <<\_ACEOF @@ -1532,7 +1532,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libEMF configure 1.0.12 +libEMF configure 1.0.13 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2076,7 +2076,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libEMF $as_me 1.0.12, which was +It was created by libEMF $as_me 1.0.13, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2942,7 +2942,7 @@ # Define the identity of the package. PACKAGE='libemf' - VERSION='1.0.12' + VERSION='1.0.13' cat >>confdefs.h <<_ACEOF @@ -17033,7 +17033,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libEMF $as_me 1.0.12, which was +This file was extended by libEMF $as_me 1.0.13, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -17099,7 +17099,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -libEMF config.status 1.0.12 +libEMF config.status 1.0.13 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libemf-1.0.12/configure.ac new/libemf-1.0.13/configure.ac --- old/libemf-1.0.12/configure.ac 2020-04-04 22:59:42.000000000 +0200 +++ new/libemf-1.0.13/configure.ac 2020-06-07 15:10:20.000000000 +0200 
@@ -1,8 +1,8 @@ # Process this file with autoconf to produce a configure script. # Copyright (C) 2002, 2003 lignum Computing, Inc. <dallenbarn...@users.sourceforge.net> -# $Id: configure.ac 88 2020-03-28 13:28:51Z dallenbarnett $ +# $Id: configure.ac 98 2020-06-07 13:10:19Z dallenbarnett $ -AC_INIT([libEMF], 1.0.12, dallenbarn...@users.sourceforge.net) +AC_INIT([libEMF], 1.0.13, dallenbarn...@users.sourceforge.net) AC_CONFIG_AUX_DIR(config) AM_CONFIG_HEADER([config/config.h]) AC_CONFIG_SRCDIR([include/libEMF/emf.h]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libemf-1.0.12/libemf/libemf.cpp new/libemf-1.0.13/libemf/libemf.cpp --- old/libemf-1.0.12/libemf/libemf.cpp 2020-04-25 20:46:06.000000000 +0200 +++ new/libemf-1.0.13/libemf/libemf.cpp 2020-06-07 15:10:20.000000000 +0200 @@ -1,7 +1,7 @@ /* * EMF: A library for generating ECMA-234 Enhanced Metafiles * Copyright (C) 2002 lignum Computing, Inc. <dallenbarn...@users.sourceforge.net> - * $Id: libemf.cpp 94 2020-04-25 18:46:06Z dallenbarnett $ + * $Id: libemf.cpp 98 2020-06-07 13:10:19Z dallenbarnett $ * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -1674,7 +1674,7 @@ BOOL ScaleViewportExtEx ( HDC context, INT x_num, INT x_den, INT y_num, INT y_den, LPSIZE size ) { - // Avoid nonsense results. + // Avoid obvious nonsense results. if ( x_num == 0 or x_den == 0 or y_num == 0 or y_den == 0 ) return FALSE; EMF::METAFILEDEVICECONTEXT* dc = 
@@ -1682,6 +1682,25 @@ if ( dc == 0 ) return FALSE; + // Documentation says the numerator is computed first. + // Can we perform this operation? Numerator must not overflow and + // if it is negative, division must not overflow. + INT num{0}; + if ( __builtin_smul_overflow( dc->viewport_ext.cx, x_num, &num ) ) { + return FALSE; + } + if ( num == INT_MIN and x_den == -1 ) { + return FALSE; + } + INT x_ext{ num / x_den }; + if ( __builtin_smul_overflow( dc->viewport_ext.cy, y_num, &num ) ) { + return FALSE; + } + if ( num == INT_MIN and y_den == -1 ) { + return FALSE; + } + INT y_ext{ num / y_den }; + EMF::EMRSCALEVIEWPORTEXTEX* scaleviewportextex = new EMF::EMRSCALEVIEWPORTEXTEX( x_num, x_den, y_num, y_den ); @@ -1690,8 +1709,8 @@ if ( size != 0 ) *size = dc->viewport_ext; - dc->viewport_ext.cx = dc->viewport_ext.cx * x_num / x_den; - dc->viewport_ext.cy = dc->viewport_ext.cy * y_num / y_den; + dc->viewport_ext.cx = x_ext; + dc->viewport_ext.cy = y_ext; return TRUE; } @@ -1757,7 +1776,7 @@ BOOL ScaleWindowExtEx ( HDC context, INT x_num, INT x_den, INT y_num, INT y_den, LPSIZE size ) { - // Avoid nonsense results. + // Avoid obvious nonsense results. if ( x_num == 0 or x_den == 0 or y_num == 0 or y_den == 0 ) return FALSE; EMF::METAFILEDEVICECONTEXT* dc = @@ -1765,6 +1784,25 @@ if ( dc == 0 ) return FALSE; + // Documentation says the numerator is computed first. + // Can we perform this operation? Numerator must not overflow and + // if it is negative, division must not overflow. + INT num{0}; + if ( __builtin_smul_overflow( dc->window_ext.cx, x_num, &num ) ) { + return FALSE; + } + if ( num == INT_MIN and x_den == -1 ) { + return FALSE; + } + INT x_ext{ num / x_den }; + if ( __builtin_smul_overflow( dc->window_ext.cy, y_num, &num ) ) { + return FALSE; + } + if ( num == INT_MIN and y_den == -1 ) { + return FALSE; + } + INT y_ext{ num / y_den }; + EMF::EMRSCALEWINDOWEXTEX* scalewindowextex = new EMF::EMRSCALEWINDOWEXTEX( x_num, x_den, y_num, y_den ); 
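Review bot: The overflow guard added to ScaleViewportExtEx calls `__builtin_smul_overflow`, the `int`-typed GCC/Clang builtin, so the check is only as wide as `int` and only builds on those compilers. The declaration of `viewport_ext` is outside this diff; if `cx`/`cy` are wider than `INT`, they would be narrowed before the multiplication is checked. The type-generic form `__builtin_mul_overflow( dc->viewport_ext.cx, x_num, &num )` avoids that by checking the exact product against the type of `num`. The same applies to the matching block in ScaleWindowExtEx (hunk -1765,6 +1784,25). `INT_MIN` needs `<climits>`, and no include change is visible in the libemf.cpp hunks; the function body starts and ends outside this hunk.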
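Review bot: The block added to ScaleWindowExtEx (hunk -1765,6 +1784,25) is a line-for-line copy of the one in ScaleViewportExtEx with only the member name changed, so a later correction to one overflow guard can miss the other. A file-local helper that does the checked multiply and divide once would keep both in step. It relies on the existing zero check on the denominators, which stays in each caller. The body of ScaleWindowExtEx begins and ends outside the hunk.

```cpp
// Computes ext * num / den, numerator first. Returns false when the product
// or the quotient is not representable in INT. Caller guarantees den != 0.
static bool scale_extent ( INT ext, INT num, INT den, INT* result )
{
  INT product{0};
  if ( __builtin_smul_overflow( ext, num, &product ) ) return false;
  if ( product == INT_MIN and den == -1 ) return false;
  *result = product / den;
  return true;
}

// … unchanged: zero checks and dc lookup in ScaleWindowExtEx …
  INT x_ext{0};
  INT y_ext{0};
  if ( not scale_extent( dc->window_ext.cx, x_num, x_den, &x_ext ) or
       not scale_extent( dc->window_ext.cy, y_num, y_den, &y_ext ) ) {
    return FALSE;
  }
// … unchanged: record creation and the assignments from x_ext / y_ext …
```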
@@ -1773,8 +1811,8 @@ if ( size != 0 ) *size = dc->window_ext; - dc->window_ext.cx = dc->window_ext.cx * x_num / x_den; - dc->window_ext.cy = dc->window_ext.cy * y_num / y_den; + dc->window_ext.cx = x_ext; + dc->window_ext.cy = y_ext; return TRUE; }