Hello community,

here is the log from the commit of package lout for openSUSE:Factory checked in 
at 2020-10-23 18:14:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/lout (Old)
 and      /work/SRC/openSUSE:Factory/.lout.new.3463 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "lout"

Fri Oct 23 18:14:16 2020 rev:4 rq:843612 version:3.40

Changes:
--------
--- /work/SRC/openSUSE:Factory/lout/lout.changes        2019-09-05 
12:35:32.883558866 +0200
+++ /work/SRC/openSUSE:Factory/.lout.new.3463/lout.changes      2020-10-23 
18:14:18.818453176 +0200
@@ -1,0 +2,8 @@
+Fri Oct 23 13:40:17 UTC 2020 - Matej Cepl <mc...@suse.com>
+
+- Add lout-3.40-cve.patch from
+  https://lists.nongnu.org/archive/html/lout-users/2020-10/msg00013.html
+  fixing  bsc#1159713 and bsc#1159714 (CVE-2019-19918 and
+  CVE-2019-19917), two buffer overflows.
+
+-------------------------------------------------------------------

New:
----
  lout-3.40-cve.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ lout.spec ++++++
--- /var/tmp/diff_new_pack.voumag/_old  2020-10-23 18:14:19.782453887 +0200
+++ /var/tmp/diff_new_pack.voumag/_new  2020-10-23 18:14:19.782453887 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package lout
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,6 +26,10 @@
 URL:            http://savannah.nongnu.org/projects/lout/
 Source0:        
http://download.savannah.gnu.org/releases/lout/lout-%{version}.tar.gz
 Patch0:         makefile.patch
+# PATCH-FIX-UPSTREAM lout-3.40-cve.patch mc...@suse.com
+# from https://lists.nongnu.org/archive/html/lout-users/2020-10/msg00013.html
+# Fix for bsc#1159713 and bsc#1159714 (CVE-2019-19918 and CVE-2019-19917)
+Patch1:         lout-3.40-cve.patch
 BuildRequires:  fdupes
 BuildRequires:  ghostscript
 %if !%{makedocs}
@@ -44,7 +48,7 @@
 
 %prep
 %setup -q
-%patch0 -p1
+%autopatch -p1
 
 %build
 make COPTS="%{optflags}" \

++++++ lout-3.40-cve.patch ++++++
--- a/externs.h
+++ b/externs.h
@@ -260,6 +260,9 @@ If you're compiling this, you've got the
 /*                      that can appear correctly on one page.  Can be       */
 /*                      increased to any small positive integer.             */
 /*                                                                           */
+/*  MAX_FORMAT          The maximum number of characters for sscanf formats  */
+/*                      for splitting strings with tab-delimited fields.     */
+/*                                                                           */
 /*****************************************************************************/
 
 #define        MAX_FULL_LENGTH 8388607 /* 2**23 - 1, about 148 metres */
@@ -275,6 +278,7 @@ If you're compiling this, you've got the
 #define        MAX_LEX_STACK   20
 #define        MAX_CHARS       256
 #define MAX_HCOPIES    3
+#define MAX_FORMAT     100
 
 /*****************************************************************************/
 /*                                                                           */
--- a/z02.c
+++ b/z02.c
@@ -378,7 +378,7 @@ static void srcnext(void)
   if( blksize != 0 && chpt < limit )
   { debugcond0(DLA, DD, stack_free <= 1, "srcnext: transferring.");
     col = buf;
-    while( chtbl[(*--col = *--limit)] != NEWLINE );
+    while( col > mem_block && chtbl[(*--col = *--limit)] != NEWLINE );
     frst = col + 1;  limit++;  blksize = 0;
   }
 
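Review bot: The new `col > mem_block` guard can end the copy loop without a NEWLINE having been found, yet the two statements that follow (`frst = col + 1;  limit++;`) still assume the character at `col` is that newline, so when the guard trips the character just copied to `col` is dropped from both sides and the caller receives a line that begins mid-token with no indication anything happened. The overflow has become silent truncation, which is the safer failure but still corrupts the input; I'd have the loop record whether it ended on a NEWLINE and report the over-long line through the module's usual error path instead of continuing, e.g. `if( col == mem_block && chtbl[*col] != NEWLINE ) { /* line longer than the block: report, do not continue */ }` placed before `frst = col + 1`. `mem_block` and `buf` are declared outside the hunk, so I'm assuming `mem_block` is the start of the buffer that `col` walks down; srcnext begins and ends outside this hunk.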
--- a/z33.c
+++ b/z33.c
@@ -847,6 +847,7 @@ BOOLEAN DbRetrieve(OBJECT db, BOOLEAN ga
 BOOLEAN DbRetrieveNext(OBJECT db, BOOLEAN *gall, OBJECT *sym, FULL_CHAR *tag,
   FULL_CHAR *seq, FILE_NUM *dfnum, long *dfpos, int *dlnum, long *cont)
 { FULL_CHAR line[MAX_BUFF], *cline, fname[MAX_BUFF]; int symnum;
+  char format[MAX_FORMAT];
   ifdebug(DPP, D, ProfileOn("DbRetrieveNext"));
   debug2(DBS, DD, "DbRetrieveNext( %s, %ld )", string(db), *cont);
   assert(reading(db), "DbRetrieveNext: not reading");
@@ -858,6 +859,8 @@ BOOLEAN DbRetrieveNext(OBJECT db, BOOLEA
     return FALSE;
   }
 
+  sprintf(format, 
"%%d&%%%d[^\t]\t%%%d[^\t]\t%%*[^\t]\t%%ld\t%%d\t%%%d[^\n\f]", MAX_BUFF-1, 
MAX_BUFF-1, MAX_BUFF-1);
+
   if( in_memory(db) )
   {
     /* get next entry from internal database */
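Review bot: The widths written into `format` fix the sscanf overflow, but the `sprintf` that builds `format` is itself an unbounded write into a 100-byte array (MAX_FORMAT, added in externs.h) with no check that the expansion fits; the fixed part of this format is about 36 characters plus three copies of the decimal width, so it fits today, but nothing ties MAX_FORMAT to MAX_BUFF and a later change to either could reintroduce an overflow in the code meant to prevent one. I'd write `snprintf(format, sizeof format, ...)` and treat a return value of `sizeof format` or more as an error, or at minimum leave a comment giving the arithmetic next to MAX_FORMAT. The same applies to the sprintf in strcollcmp in z39.c. The widths also assume the caller's `tag` and `seq` are at least MAX_BUFF bytes, which this hunk cannot confirm; a comment on the prototype, `/* tag and seq must each have room for MAX_BUFF characters */`, would make that contract visible. DbRetrieveNext begins and ends outside this hunk.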
@@ -868,7 +871,7 @@ BOOLEAN DbRetrieveNext(OBJECT db, BOOLEA
     }
     cline = (FULL_CHAR *) db_lines(db)[*cont];
     *gall = (cline[0] == '0' ? 1 : 0);
-    sscanf((char *)&cline[*gall], 
"%d&%[^\t]\t%[^\t]\t%*[^\t]\t%ld\t%d\t%[^\n\f]",
+    sscanf((char *)&cline[*gall], format,
       &symnum, tag, seq, dfpos, dlnum, fname);
     *cont = *cont + 1;
   }
@@ -882,7 +885,7 @@ BOOLEAN DbRetrieveNext(OBJECT db, BOOLEA
       return FALSE;
     }
     *gall = (line[0] == '0' ? 1 : 0);
-    sscanf((char *)&line[*gall], 
"%d&%[^\t]\t%[^\t]\t%*[^\t]\t%ld\t%d\t%[^\n\f]",
+    sscanf((char *)&line[*gall], format,
       &symnum, tag, seq, dfpos, dlnum, fname);
     *cont = ftell(db_filep(db));
   }
--- a/z39.c
+++ b/z39.c
@@ -79,11 +79,13 @@ int strcollcmp(char *a, char *b)
 int strcollcmp(char *a, char *b)
 { char a1[MAX_BUFF], a2[MAX_BUFF], a3[MAX_BUFF];
   char b1[MAX_BUFF], b2[MAX_BUFF], b3[MAX_BUFF];
+  char format[MAX_FORMAT];
   int order;
+  sprintf(format, "%%%d[^\t]\t%%%d[^\t]\t%%%d[^\t]", MAX_BUFF-1, MAX_BUFF-1, 
MAX_BUFF-1);
   a1[0] = a2[0] = a3[0] = '\0';
-  sscanf(a, "%[^\t]\t%[^\t]\t%[^\t]", a1, a2, a3);
+  sscanf(a, format, a1, a2, a3);
   b1[0] = b2[0] = b3[0] = '\0';
-  sscanf(b, "%[^\t]\t%[^\t]\t%[^\t]", b1, b2, b3);
+  sscanf(b, format, b1, b2, b3);
   order = strcoll(a1, b1);
   if( order == 0 )
   {
@@ -251,7 +253,7 @@ FULL_CHAR *StringQuotedWord(OBJECT x)
   *q++ = CH_QUOTE;
   for( p = string(x);  *p != '\0';  p++ )
   { 
-    for( r = (FULL_CHAR *) quoted_string[*p];  *r != '\0';  *q++ = *r++ );
+    for( r = (FULL_CHAR *) quoted_string[*p];  *r != '\0' && q < 
&buff[MAX_BUFF-2];  *q++ = *r++ );
   }
   *q++ = CH_QUOTE;
   *q++ = '\0';
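Review bot: The bound on the inner loop can stop in the middle of a `quoted_string[*p]` replacement, so if those entries contain multi-character escapes (they are defined outside the hunk) the truncated output can end in a lone escape character immediately before the closing CH_QUOTE, which would turn the closing quote into an escaped one and leave the word unterminated for whatever parses it later. Checking that the whole entry fits before copying avoids that and also stops the now-pointless iterations over the rest of `string(x)` once the buffer is full: `r = (FULL_CHAR *) quoted_string[*p];` / `if( strlen((char *) r) > (size_t)(&buff[MAX_BUFF-2] - q) ) break;` / `while( *r != '\0' ) *q++ = *r++;` (assuming <string.h> is already in scope). The truncation is still silent either way and deserves at least a comment on the loop saying the word is cut at MAX_BUFF-2. `buff` is declared outside the hunk, and StringQuotedWord begins outside it.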
