[fontforge] Add patch for CVE-2010-4259
Kevin Fenzi
kevin at fedoraproject.org
Sat Dec 4 21:31:28 UTC 2010
commit 0f49f1f837bb2977eed6739e46522c753d6e5358
Author: Kevin Fenzi <kevin at tummy.com>
Date: Sat Dec 4 14:31:18 2010 -0700
Add patch for CVE-2010-4259
fontforge-20100501-CVE-2010-4259.patch | 50 ++++++++++++++++++++++++++++++++
fontforge.spec | 7 ++++-
2 files changed, 56 insertions(+), 1 deletions(-)
---
diff --git a/fontforge-20100501-CVE-2010-4259.patch b/fontforge-20100501-CVE-2010-4259.patch
new file mode 100644
index 0000000..0719761
--- /dev/null
+++ b/fontforge-20100501-CVE-2010-4259.patch
@@ -0,0 +1,50 @@
+--- fontforge/fontforge/fvimportbdf.c 15 Apr 2010 10:47:36 -0000 1.58
++++ fontforge/fontforge/fvimportbdf.c 3 Dec 2010 21:03:38 -0000
+@@ -560,7 +560,7 @@
+ }
+
+ if ( strcmp(tok,"FONT")==0 ) {
+- if ( sscanf(buf,"-%*[^-]-%[^-]-%[^-]-%[^-]-%*[^-]-", family, weight, italic )!=0 ) {
++ if ( sscanf(buf,"-%*[^-]-%99[^-]-%99[^-]-%99[^-]-%*[^-]-", family, weight, italic )!=0 ) {
+ char *pt=buf;
+ int dcnt=0;
+ while ( *pt=='-' && dcnt<7 ) { ++pt; ++dcnt; }
+@@ -616,26 +616,30 @@
+ sscanf(buf, "%d", &defs->metricsset );
+ else if ( strcmp(tok,"VVECTOR")==0 )
+ sscanf(buf, "%*d %d", &defs->vertical_origin );
++ /* For foundry, fontname and encname, only copy up to the buffer size */
+ else if ( strcmp(tok,"FOUNDRY")==0 )
+- sscanf(buf, "%[^\"]", foundry );
++ sscanf(buf, "%99[^\"]", foundry );
+ else if ( strcmp(tok,"FONT_NAME")==0 )
+- sscanf(buf, "%[^\"]", fontname );
++ sscanf(buf, "%99[^\"]", fontname );
+ else if ( strcmp(tok,"CHARSET_REGISTRY")==0 )
+- sscanf(buf, "%[^\"]", encname );
++ sscanf(buf, "%99[^\"]", encname );
+ else if ( strcmp(tok,"CHARSET_ENCODING")==0 ) {
+ enc = 0;
+ if ( sscanf(buf, " %d", &enc )!=1 )
+ sscanf(buf, "%d", &enc );
++ /* These properties should be copied up to the buffer length too */
+ } else if ( strcmp(tok,"FAMILY_NAME")==0 ) {
+- strcpy(family,buf);
++ strncpy(family,buf,99);
+ } else if ( strcmp(tok,"FULL_NAME")==0 || strcmp(tok,"FACE_NAME")==0 ) {
+- strcpy(full,buf);
++ strncpy(full,buf,99);
+ } else if ( strcmp(tok,"WEIGHT_NAME")==0 )
+- strcpy(weight,buf);
++ strncpy(weight,buf,99);
+ else if ( strcmp(tok,"SLANT")==0 )
+- strcpy(italic,buf);
++ strncpy(italic,buf,99);
+ else if ( strcmp(tok,"COPYRIGHT")==0 ) {
+- strcpy(comments,buf);
++ /* LS: Assume the size of the passed-in buffer is 1000, see below in
++ * COMMENT */
++ strncpy(comments,buf,999);
+ found_copyright = true;
+ } else if ( strcmp(tok,"COMMENT")==0 && !found_copyright ) {
+ char *pt = comments+strlen(comments);
diff --git a/fontforge.spec b/fontforge.spec
index 18d9d71..cef3608 100644
--- a/fontforge.spec
+++ b/fontforge.spec
@@ -5,7 +5,7 @@
Name: fontforge
Version: 20100501
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: Outline and bitmap font editor
Group: Applications/Publishing
@@ -19,6 +19,7 @@ Patch1: fontforge-20090224-pythondl.patch
# See Bug https://bugzilla.redhat.com/show_bug.cgi?id=536920
Patch2: fontforge-20100501-splinesets.patch
Patch3: fontforge-20100501-python27.patch
+Patch4: fontforge-20100501-CVE-2010-4259.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: xdg-utils
@@ -62,6 +63,7 @@ to compile applications against fontforge.
%patch1 -p1
%patch2 -p1
%patch3 -p1
+%patch4 -p1
mkdir htdocs
tar xjf %{SOURCE2} -C htdocs
@@ -152,6 +154,9 @@ update-mime-database %{_datadir}/mime &> /dev/null || :
%{_libdir}/pkgconfig/*.pc
%changelog
+* Sat Dec 04 2010 Kevin Fenzi <kevin at tummy.com> - 20100501-5
+- Add patch for CVE-2010-4259
+
* Wed Jul 28 2010 Kevin Fenzi <kevin at tummy.com> - 20100501-4
- Add patch to build with python 2.7