Hello community,

here is the log from the commit of package xfig for openSUSE:Factory checked in 
at 2012-09-29 15:38:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/xfig (Old)
 and      /work/SRC/openSUSE:Factory/.xfig.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "xfig", Maintainer is "wer...@suse.com"

Changes:
--------
--- /work/SRC/openSUSE:Factory/xfig/xfig.changes        2012-06-01 
07:25:04.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.xfig.new/xfig.changes   2012-09-29 
15:38:10.000000000 +0200
@@ -1,0 +2,5 @@
+Fri Sep 28 14:13:06 UTC 2012 - wer...@suse.de
+
+- Fix bnc #777469 - CVE-2009-4227: xfig: stack based overflows
+
+-------------------------------------------------------------------

New:
----
  xfig.3.2.5b-bnc777469.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ xfig.spec ++++++
--- /var/tmp/diff_new_pack.BrVShx/_old  2012-09-29 15:38:12.000000000 +0200
+++ /var/tmp/diff_new_pack.BrVShx/_new  2012-09-29 15:38:12.000000000 +0200
@@ -63,6 +63,7 @@
 Patch9:         xfig.3.2.5b-libpng14.dif
 Patch10:        xfig.3.2.5b-preview.dif
 Patch11:        xfig.3.2.5b-bnc657393.dif
+Patch12:        xfig.3.2.5b-bnc777469.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %{expand: %%global _exec_prefix %(type -p pkg-config &>/dev/null && pkg-config 
--variable prefix x11 || echo /usr/X11R6)}
 %if "%_exec_prefix" == "/usr/X11R6"
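Review bot: The new `Patch12:` line names the file with a `.diff` suffix while the three preceding patches (`Patch9` to `Patch11`) all use `.dif`, so the package now mixes two extensions for the same kind of source. Renaming the added file to `xfig.3.2.5b-bnc777469.dif` (here and in the `New:` list) would keep the naming consistent; the `-p1` used when applying it is explained by the `xfig.3.2.5b/` path prefix inside the patch, which differs from the `-p0` patches, and a short comment next to `Patch12:` noting that would save the next maintainer a look into the file.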
@@ -111,6 +112,7 @@
 %patch9  -p0 -b .libpng14
 %patch10 -p0 -b .preview
 %patch11 -p0 -b .vsprintf
+%patch12 -p1 -b .ovflow
 cp %{S:1} .
 test ! -e Libraries/Examples/aircraft.fig || { echo forbidden file found 1>&2; 
exit 1; }
 

++++++ xfig.3.2.5b-bnc777469.diff ++++++
--- xfig.3.2.5b/f_readold.c
+++ xfig.3.2.5b/f_readold.c     2009-12-04 10:20:36.000000000 +0000
@@ -471,7 +471,7 @@ read_1_3_textobject(FILE *fp)
     F_text        *t;
     int                    n;
     int                    dum;
-    char           buf[128];
+    char           buf[512];
     PR_SIZE        tx_dim;
 
     if ((t = create_text()) == NULL)
@@ -485,22 +485,34 @@ read_1_3_textobject(FILE *fp)
     t->pen_style = -1;
     t->angle = 0.0;
     t->next = NULL;
+    if (!fgets(buf, sizeof(buf), fp)) {
+       file_msg("Incomplete text data");
+       free((char *) t);
+       return (NULL);
+    }
+
+    /* Note using strlen(buf) here will waste a few bytes, as the
+       various text attributes are counted into this length too. */
+    if ((t->cstring = new_string(strlen(buf))) == NULL)
+        return (NULL);
+
     /* ascent and length will be recalculated later */
-    n = fscanf(fp, " %d %d %d %d %d %d %d %[^\n]",
+    n = sscanf(buf, " %d %d %d %d %d %d %d %[^\n]",
                &t->font, &dum, &dum, &t->ascent, &t->length,
-               &t->base_x, &t->base_y, buf);
+               &t->base_x, &t->base_y, t->cstring);
     if (n != 8) {
        file_msg("Incomplete text data");
+       free(t->cstring);
        free((char *) t);
        return (NULL);
     }
-    if ((t->cstring = new_string(strlen(buf))) == NULL) {
+
+    if (!strlen(t->cstring)) {
+       free(t->cstring);
        free((char *) t);
        file_msg("Empty text string at line %d.", line_no);
        return (NULL);
     }
-    /* put string in structure */
-    strcpy(t->cstring, buf);
 
     /* get the font struct */
     t->zoom = zoomscale;
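Review bot: The new failure path `if ((t->cstring = new_string(strlen(buf))) == NULL) return (NULL);` returns without releasing the `F_text` obtained from `create_text()`, so `t` leaks on allocation failure, whereas every other early return in this hunk frees it; it should read `if ((t->cstring = new_string(strlen(buf))) == NULL) { free((char *) t); return (NULL); }`. Separately, a line longer than `sizeof(buf) - 1` bytes is now silently truncated by `fgets` and its remainder stays in the stream to be parsed as the next record; if such lines can occur in old-format files, checking for the trailing newline and reporting the oversize line would be safer than continuing. Sizing `t->cstring` by `strlen(buf)` is sufficient for the unbounded `%[^\n]` only because the scanned text is a substring of `buf`, and the comment above the `new_string` call could say so explicitly, e.g. `/* safe: %[^\n] can copy at most strlen(buf) bytes out of buf */`. `read_1_3_textobject` begins before this hunk and continues past it.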