rpms/wv/FC-4 wv-1.0.3-CVE-2006-4513.patch, NONE, 1.1 .cvsignore, 1.4, 1.5 sources, 1.4, 1.5 wv.spec, 1.11, 1.12
Aurelien Bompard (abompard)
fedora-extras-commits at redhat.com
Sun Oct 29 18:01:30 UTC 2006
Author: abompard
Update of /cvs/extras/rpms/wv/FC-4
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21208
Modified Files:
.cvsignore sources wv.spec
Added Files:
wv-1.0.3-CVE-2006-4513.patch
Log Message:
fix CVE-2006-4513
wv-1.0.3-CVE-2006-4513.patch:
--- NEW FILE wv-1.0.3-CVE-2006-4513.patch ---
diff -bruN wv-1.2.2/lfo.c wv-1.2.3/lfo.c
--- wv-1.2.2/lfo.c 2005-04-17 23:16:58.000000000 +0200
+++ wv-1.2.3/lfo.c 2006-10-20 03:48:47.000000000 +0200
@@ -32,6 +32,16 @@
followed by its corresponding LVL structure (if LFOLVL.fFormatting is set).
*/
+static int
+multiplication_will_overflow(U32 a, U32 b)
+{
+ if((a > 0) && (b > 0) && (G_MAXUINT / a) >= b) {
+ return 0;
+ }
+
+ return 1;
+}
+
int
wvGetLFO_records (LFO ** lfo, LFOLVL ** lfolvl, LVL ** lvl, U32 * nolfo,
U32 * nooflvl, U32 offset, U32 len, wvStream * fd)
@@ -49,7 +59,9 @@
wvTrace (("pos %x %d\n", wvStream_tell (fd), *nooflvl));
wvTrace (("nolfo is %d nooflvl is %d\n", *nolfo, *nooflvl));
- if (*nooflvl == 0)
+ if ((*nooflvl == 0) ||
+ multiplication_will_overflow(sizeof (LFOLVL), *nooflvl) ||
+ multiplication_will_overflow(sizeof (LVL), *nooflvl))
{
*lfolvl = NULL;
*lvl = NULL;
@@ -101,17 +113,23 @@
*nolfo = read_32ubit (fd);
wvTrace (("%d\n", *nolfo));
- *lfo = (LFO *) wvMalloc (*nolfo * sizeof (LFO));
+ /* check for integer overflow */
+ if (multiplication_will_overflow(*nolfo, sizeof(LFO))) {
+ wvError (("Malicious document!\n"));
+ *nolfo = 0;
+ return (1);
+ } else {
+ *lfo = (LFO *) wvMalloc (*nolfo * sizeof(LFO));
if (*lfo == NULL)
{
- wvError (
- ("NO MEM 1, failed to alloc %d bytes\n",
+ wvError (("NO MEM 1, failed to alloc %d bytes\n",
*nolfo * sizeof (LFO)));
return (1);
}
for (i = 0; i < *nolfo; i++)
wvGetLFO (&((*lfo)[i]), fd);
}
+ }
return (0);
}
Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/wv/FC-4/.cvsignore,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- .cvsignore 28 Oct 2006 08:53:37 -0000 1.4
+++ .cvsignore 29 Oct 2006 18:00:59 -0000 1.5
@@ -1 +1 @@
-wv-1.2.4.tar.gz
+wv-1.0.3.tar.gz
Index: sources
===================================================================
RCS file: /cvs/extras/rpms/wv/FC-4/sources,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- sources 28 Oct 2006 08:53:37 -0000 1.4
+++ sources 29 Oct 2006 18:00:59 -0000 1.5
@@ -1 +1 @@
-c1861c560491f121e12917fa76970ac5 wv-1.2.4.tar.gz
+71e42aa9af1e03cc8c608bbbdcb43af8 wv-1.0.3.tar.gz
Index: wv.spec
===================================================================
RCS file: /cvs/extras/rpms/wv/FC-4/wv.spec,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- wv.spec 28 Oct 2006 08:53:37 -0000 1.11
+++ wv.spec 29 Oct 2006 18:00:59 -0000 1.12
@@ -1,25 +1,27 @@
Name: wv
Summary: MSWord 6/7/8/9 binary file format to HTML converter
-Version: 1.2.4
-Release: 1%{?dist}
+Version: 1.0.3
+Release: 2%{?dist}
License: GPL
Group: Applications/Text
URL: http://wvware.sourceforge.net
-Source: http://dl.sf.net/wvware/wv-%{version}.tar.gz
-#Patch0: wv-wvtext-tmp.patch
-#Patch1: wv-1.0.3-oledecod.patch
-#Patch2: wv-1.0.3-gcc4.patch
+Source: http://dl.sf.net/wvware/wv-1.0.3.tar.gz
+Patch0: wv-wvtext-tmp.patch
+Patch1: wv-1.0.3-oledecod.patch
+Patch2: wv-1.0.3-gcc4.patch
Patch5: wv-1.0.0-rhbug150461.patch
+Patch6: wv-1.0.3-CVE-2006-4513.patch
+#BuildRequires: XFree86-devel
BuildRequires: glib2-devel
BuildRequires: libjpeg-devel
BuildRequires: libpng-devel
BuildRequires: libxml2-devel
BuildRequires: ImageMagick-devel
BuildRequires: pkgconfig
-BuildRequires: libgsf-devel >= 1.11.2
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Provides: wvware = %{version}-%{release}
+Provides: wv-devel = %{version}-%{release}
%description
Wv is a program that understands the Microsoft Word 6/7/8/9
@@ -27,36 +29,24 @@
documents into HTML, which can then be read with a browser.
-%package devel
-Summary: MSWord format converter - development files
-Group: Development/Libraries
-Requires: %{name} = %{version}-%{release}
-
-%description devel
-Wv is a program that understands the Microsoft Word 6/7/8/9
-binary file format and is able to convert Word
-documents into HTML, which can then be read with a browser.
-This package contains the development files
-
-
%prep
%setup -q
#%patch0
-#%patch1 -p1 -b .oledecod
-#%patch2 -p1 -b .gcc4
+%patch1 -p1 -b .oledecod
+%patch2 -p1 -b .gcc4
%patch5 -p1 -b .printf-rhbug150461
+%patch6 -p1 -b .CVE-2006-4513
%build
%configure --with-exporter \
- --with-libxml2 \
- --disable-static
+ --with-libxml2
make %{?_smp_mflags}
%install
rm -rf $RPM_BUILD_ROOT
-make install DESTDIR=$RPM_BUILD_ROOT
+%makeinstall
#ln -sf wvConvert $RPM_BUILD_ROOT/%{_bindir}/wvText
find $RPM_BUILD_ROOT%{_libdir} -name "*.la" -exec rm -f {} \;
@@ -74,40 +64,15 @@
%doc COPYING README
%{_bindir}/wv*
%{_datadir}/wv
-%{_mandir}/man1/*
-%{_libdir}/libwv*.so.*
-
-%files devel
-%defattr(-,root,root)
%{_includedir}/wv
-%{_libdir}/libwv*.so
+%{_mandir}/man1/*
+%{_libdir}/libwv*
%{_libdir}/pkgconfig/*
%changelog
-* Sat Oct 28 2006 Aurelien Bompard <abompard at fedoraproject.org> 1.2.4-1
-- update to 1.2.4, fixes #212696 (CVE-2006-4513)
-
-* Fri Sep 08 2006 Aurelien Bompard <abompard at fedoraproject.org> 1.2.1-7
-- rebuild (releases 1 to 7, cvs problem)
-
-* Fri Sep 08 2006 Aurelien Bompard <abompard at fedoraproject.org> 1.2.1-1
-- version 1.2.1
-
-* Fri Apr 14 2006 Aurelien Bompard <gauret[AT]free.fr> 1.2.0-4
-- rebuild
-
-* Wed Feb 22 2006 Aurelien Bompard <gauret[AT]free.fr> 1.2.0-3
-- don't build the static lib
-
-* Tue Feb 21 2006 Aurelien Bompard <gauret[AT]free.fr> 1.2.0-2
-- rebuild for FC5
-
-* Fri Nov 11 2005 Aurelien Bompard <gauret[AT]free.fr> 1.2.0-1
-- version 1.2.0
-
-* Fri Oct 28 2005 Aurelien Bompard <gauret[AT]free.fr> 1.0.3-2
-- split out a -devel package (#171962)
+* Sun Oct 29 2006 Aurelien Bompard <abompard at fedoraproject.org> 1.0.3-2
+- fix CVE-2006-4513
* Sun May 15 2005 Aurelien Bompard <gauret[AT]free.fr> 1.0.3-1%{?dist}
- new version
More information about the scm-commits
mailing list