[fontforge/f13/master] Add patch to fix CVE-2010-4259 (fixes #659359)

Kevin Fenzi kevin at fedoraproject.org
Sat Dec 4 22:05:06 UTC 2010


commit cf3b62ddcba4759d5d0c96e05c8380636eaba48e
Author: Kevin Fenzi <kevin at tummy.com>
Date:   Sat Dec 4 15:04:53 2010 -0700

    Add patch to fix CVE-2010-4259 (fixes #659359)

 fontforge-20090923-CVE-2010-4259.patch |   50 ++++++++++++++++++++++++++++++++
 fontforge.spec                         |    6 +++-
 2 files changed, 55 insertions(+), 1 deletions(-)
---
diff --git a/fontforge-20090923-CVE-2010-4259.patch b/fontforge-20090923-CVE-2010-4259.patch
new file mode 100644
index 0000000..0719761
--- /dev/null
+++ b/fontforge-20090923-CVE-2010-4259.patch
@@ -0,0 +1,50 @@
+--- fontforge/fontforge/fvimportbdf.c	15 Apr 2010 10:47:36 -0000	1.58
++++ fontforge/fontforge/fvimportbdf.c	3 Dec 2010 21:03:38 -0000
+@@ -560,7 +560,7 @@
+ 	}
+     
+ 	if ( strcmp(tok,"FONT")==0 ) {
+-	    if ( sscanf(buf,"-%*[^-]-%[^-]-%[^-]-%[^-]-%*[^-]-", family, weight, italic )!=0 ) {
++	    if ( sscanf(buf,"-%*[^-]-%99[^-]-%99[^-]-%99[^-]-%*[^-]-", family, weight, italic )!=0 ) {
+ 		char *pt=buf;
+ 		int dcnt=0;
+ 		while ( *pt=='-' && dcnt<7 ) { ++pt; ++dcnt; }
+@@ -616,26 +616,30 @@
+ 	    sscanf(buf, "%d", &defs->metricsset );
+ 	else if ( strcmp(tok,"VVECTOR")==0 )
+ 	    sscanf(buf, "%*d %d", &defs->vertical_origin );
++	/* For foundry, fontname and encname, only copy up to the buffer size */
+ 	else if ( strcmp(tok,"FOUNDRY")==0 )
+-	    sscanf(buf, "%[^\"]", foundry );
++	    sscanf(buf, "%99[^\"]", foundry );
+ 	else if ( strcmp(tok,"FONT_NAME")==0 )
+-	    sscanf(buf, "%[^\"]", fontname );
++	    sscanf(buf, "%99[^\"]", fontname );
+ 	else if ( strcmp(tok,"CHARSET_REGISTRY")==0 )
+-	    sscanf(buf, "%[^\"]", encname );
++	    sscanf(buf, "%99[^\"]", encname );
+ 	else if ( strcmp(tok,"CHARSET_ENCODING")==0 ) {
+ 	    enc = 0;
+ 	    if ( sscanf(buf, " %d", &enc )!=1 )
+ 		sscanf(buf, "%d", &enc );
++	/* These properties should be copied up to the buffer length too */
+ 	} else if ( strcmp(tok,"FAMILY_NAME")==0 ) {
+-	    strcpy(family,buf);
++	    strncpy(family,buf,99);
+ 	} else if ( strcmp(tok,"FULL_NAME")==0 || strcmp(tok,"FACE_NAME")==0 ) {
+-	    strcpy(full,buf);
++	    strncpy(full,buf,99);
+ 	} else if ( strcmp(tok,"WEIGHT_NAME")==0 )
+-	    strcpy(weight,buf);
++	    strncpy(weight,buf,99);
+ 	else if ( strcmp(tok,"SLANT")==0 )
+-	    strcpy(italic,buf);
++	    strncpy(italic,buf,99);
+ 	else if ( strcmp(tok,"COPYRIGHT")==0 ) {
+-	    strcpy(comments,buf);
++		/* LS: Assume the size of the passed-in buffer is 1000, see below in
++		 * COMMENT */
++	    strncpy(comments,buf,999);
+ 	    found_copyright = true;
+ 	} else if ( strcmp(tok,"COMMENT")==0 && !found_copyright ) {
+ 	    char *pt = comments+strlen(comments);
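Review bot: The `strncpy(family,buf,99)` replacement and the four that follow it (`full`, `weight`, `italic`, `comments`) stop the overflow but do not guarantee NUL termination: when `buf` holds 99 (or 999) or more characters, strncpy writes no terminator, and the unterminated buffer is then read by `strlen(comments)` on the last line of the hunk and by whatever later consumes `family` and friends. The `%99[^-]` / `%99[^\"]` sscanf conversions are fine, since scanf conversions always append the terminator within the width+1 bytes. I would replace each `strncpy(X,buf,99);` with `snprintf(X,100,"%s",buf);` and the copyright line with `snprintf(comments,1000,"%s",buf);`, which truncates and terminates in one call; the sizes 100 and 1000 are only the ones the patch itself assumes (its own comment says the comments buffer size is an assumption), so they should be confirmed against the caller's declarations. The enclosing function continues beyond both ends of the hunk.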
diff --git a/fontforge.spec b/fontforge.spec
index 08e3060..34e07c9 100644
--- a/fontforge.spec
+++ b/fontforge.spec
@@ -5,7 +5,7 @@
 
 Name:           fontforge
 Version:        20090923
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        Outline and bitmap font editor
 
 Group:          Applications/Publishing
@@ -17,6 +17,7 @@ Source2:        http://downloads.sourceforge.net/fontforge/fontforge_htdocs-%{do
 Source3:        fontforge.xml
 Patch1:         fontforge-20090224-pythondl.patch
 Patch2:		fontforge-20090923-rel-path.patch
+Patch3:         fontforge-20090923-CVE-2010-4259.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 Requires:       xdg-utils
@@ -149,6 +150,9 @@ update-mime-database %{_datadir}/mime &> /dev/null || :
 %{_libdir}/pkgconfig/*.pc
 
 %changelog
+* Sat Dec 04 2010 Kevin Fenzi <kevin at tummy.com> - 20090923-4
+- Add patch to fix CVE-2010-4259 (fixes #659359)
+
 * Sat Mar 20 2010 Kevin Fenzi <kevin at tummy.com> - 20090923-3
 - Fix patch to fix python module (fixes #560277)
 

