rpms/wv/FC-4 wv-1.0.3-CVE-2006-4513.patch, NONE, 1.1 .cvsignore, 1.4, 1.5 sources, 1.4, 1.5 wv.spec, 1.11, 1.12

Aurelien Bompard (abompard) fedora-extras-commits at redhat.com
Sun Oct 29 18:01:30 UTC 2006


Author: abompard

Update of /cvs/extras/rpms/wv/FC-4
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21208

Modified Files:
	.cvsignore sources wv.spec 
Added Files:
	wv-1.0.3-CVE-2006-4513.patch 
Log Message:
fix CVE-2006-4513

wv-1.0.3-CVE-2006-4513.patch:

--- NEW FILE wv-1.0.3-CVE-2006-4513.patch ---
diff -bruN wv-1.2.2/lfo.c wv-1.2.3/lfo.c
--- wv-1.2.2/lfo.c	2005-04-17 23:16:58.000000000 +0200
+++ wv-1.2.3/lfo.c	2006-10-20 03:48:47.000000000 +0200
@@ -32,6 +32,16 @@
 followed by its corresponding LVL structure (if LFOLVL.fFormatting is set).
 */
 
+static int
+multiplication_will_overflow(U32 a, U32 b)
+{
+  if((a > 0) && (b > 0) && (G_MAXUINT / a) >= b) {
+    return 0;
+  }
+
+  return 1;
+}
+
 int
 wvGetLFO_records (LFO ** lfo, LFOLVL ** lfolvl, LVL ** lvl, U32 * nolfo,
 		  U32 * nooflvl, U32 offset, U32 len, wvStream * fd)
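Review bot: `multiplication_will_overflow` reports an overflow whenever either operand is 0, because the only path that returns 0 requires both `a > 0` and `b > 0`. In the third hunk this sends a record count of 0 read from the stream down the "Malicious document!" path, a misleading diagnosis for a product that cannot overflow. Handling zero explicitly keeps the helper true to its name: `if (a == 0 || b == 0) return 0;` followed by `return b > G_MAXUINT / a;`, leaving the caller to decide what an empty table means. The bound is `G_MAXUINT`, the limit of glib's `guint`, while the operands are `U32`; the two agree only where `unsigned int` is 32 bits wide, so a one-line comment stating that assumption would help.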
@@ -49,7 +59,9 @@
     wvTrace (("pos %x %d\n", wvStream_tell (fd), *nooflvl));
     wvTrace (("nolfo is %d nooflvl is %d\n", *nolfo, *nooflvl));
 
-    if (*nooflvl == 0)
+    if ((*nooflvl == 0) ||
+	multiplication_will_overflow(sizeof (LFOLVL), *nooflvl) ||
+	multiplication_will_overflow(sizeof (LVL), *nooflvl))
       {
 	  *lfolvl = NULL;
 	  *lvl = NULL;
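Review bot: The overflow case is folded into the existing `*nooflvl == 0` branch, so an oversized count is handled as if the document had no level overrides. The visible lines set `*lfolvl` and `*lvl` to NULL but leave `*nooflvl` at the rejected value and log nothing. The rest of the branch lies outside the hunk, so whether the count is reset cannot be seen here; if it is not, a caller that later walks `*nooflvl` entries of `*lvl` would index a NULL array. I would give the overflow its own branch that calls `wvError` as the third hunk does, sets `*nooflvl = 0;` and returns non-zero. The operand order here (size first, count second) is the reverse of the call in the third hunk; it is harmless for the result but worth making uniform.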
@@ -101,17 +113,23 @@
 	  *nolfo = read_32ubit (fd);
 	  wvTrace (("%d\n", *nolfo));
 
-	  *lfo = (LFO *) wvMalloc (*nolfo * sizeof (LFO));
+	  /* check for integer overflow */
+	  if (multiplication_will_overflow(*nolfo, sizeof(LFO))) {
+	    wvError (("Malicious document!\n"));			
+	    *nolfo = 0;
+	    return (1);
+	  } else {
+	    *lfo = (LFO *) wvMalloc (*nolfo * sizeof(LFO));
 	  if (*lfo == NULL)
 	    {
-		wvError (
-			 ("NO MEM 1, failed to alloc %d bytes\n",
+		wvError (("NO MEM 1, failed to alloc %d bytes\n",
 			  *nolfo * sizeof (LFO)));
 		return (1);
 	    }
 	  for (i = 0; i < *nolfo; i++)
 	      wvGetLFO (&((*lfo)[i]), fd);
       }
+      }
     return (0);
 }
 
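Review bot: The rejection path sets `*nolfo = 0` and returns without assigning `*lfo`, so the caller's pointer keeps whatever value it had before the call. Whether callers initialise it or check the return value is not visible here, since the function starts above the hunk; adding `*lfo = NULL;` before `*nolfo = 0;` makes a later free or loop safe either way. The lines now wrapped by the new `else {` were not re-indented, so the added closing `}` sits at the same column as the brace before it and the nesting is hard to read. Assuming `wvError` formats like printf, the "NO MEM 1" message passes `*nolfo * sizeof (LFO)`, a `size_t`, to `%d`; `%lu` with an `(unsigned long)` cast would match the argument.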


Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/wv/FC-4/.cvsignore,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- .cvsignore	28 Oct 2006 08:53:37 -0000	1.4
+++ .cvsignore	29 Oct 2006 18:00:59 -0000	1.5
@@ -1 +1 @@
-wv-1.2.4.tar.gz
+wv-1.0.3.tar.gz


Index: sources
===================================================================
RCS file: /cvs/extras/rpms/wv/FC-4/sources,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- sources	28 Oct 2006 08:53:37 -0000	1.4
+++ sources	29 Oct 2006 18:00:59 -0000	1.5
@@ -1 +1 @@
-c1861c560491f121e12917fa76970ac5  wv-1.2.4.tar.gz
+71e42aa9af1e03cc8c608bbbdcb43af8  wv-1.0.3.tar.gz


Index: wv.spec
===================================================================
RCS file: /cvs/extras/rpms/wv/FC-4/wv.spec,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- wv.spec	28 Oct 2006 08:53:37 -0000	1.11
+++ wv.spec	29 Oct 2006 18:00:59 -0000	1.12
@@ -1,25 +1,27 @@
 Name:       wv
 Summary:    MSWord 6/7/8/9 binary file format to HTML converter
-Version:    1.2.4
-Release:    1%{?dist}
+Version:    1.0.3
+Release:    2%{?dist}
 License:    GPL
 Group:      Applications/Text
 URL:        http://wvware.sourceforge.net
-Source:     http://dl.sf.net/wvware/wv-%{version}.tar.gz
-#Patch0:     wv-wvtext-tmp.patch
-#Patch1:     wv-1.0.3-oledecod.patch
-#Patch2:     wv-1.0.3-gcc4.patch
+Source:     http://dl.sf.net/wvware/wv-1.0.3.tar.gz
+Patch0:     wv-wvtext-tmp.patch
+Patch1:     wv-1.0.3-oledecod.patch
+Patch2:     wv-1.0.3-gcc4.patch
 Patch5:     wv-1.0.0-rhbug150461.patch
+Patch6:     wv-1.0.3-CVE-2006-4513.patch
 
+#BuildRequires: XFree86-devel
 BuildRequires: glib2-devel
 BuildRequires: libjpeg-devel
 BuildRequires: libpng-devel
 BuildRequires: libxml2-devel
 BuildRequires: ImageMagick-devel
 BuildRequires: pkgconfig
-BuildRequires: libgsf-devel >= 1.11.2
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Provides:   wvware = %{version}-%{release}
+Provides:   wv-devel = %{version}-%{release}
 
 %description
 Wv is a program that understands the Microsoft Word 6/7/8/9
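Review bot: `Version` moves from 1.2.4 back to 1.0.3 and no `Epoch:` is added, so RPM orders the new 1.0.3-2 build below 1.2.4-1. If the 1.2.4-1 package from revision 1.11 was ever published for this branch, systems that installed it will not be offered this build, and two different fixes for the same CVE will be in the field. If it never left CVS, a changelog line saying so would record why the downgrade is safe. `Source:` now hard-codes `wv-1.0.3.tar.gz` instead of using `%{version}`, which will need a manual edit at the next update.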
@@ -27,36 +29,24 @@
 documents into HTML, which can then be read with a browser.
 
 
-%package        devel
-Summary:        MSWord format converter - development files
-Group:          Development/Libraries
-Requires:       %{name} = %{version}-%{release}
-
-%description    devel
-Wv is a program that understands the Microsoft Word 6/7/8/9
-binary file format and is able to convert Word
-documents into HTML, which can then be read with a browser.
-This package contains the development files
-
-
 %prep
 %setup -q
 #%patch0
-#%patch1 -p1 -b .oledecod
-#%patch2 -p1 -b .gcc4
+%patch1 -p1 -b .oledecod
+%patch2 -p1 -b .gcc4
 %patch5 -p1 -b .printf-rhbug150461
+%patch6 -p1 -b .CVE-2006-4513
 
 
 %build
 %configure --with-exporter \
-           --with-libxml2 \
-           --disable-static
+           --with-libxml2
 
 make %{?_smp_mflags}
 
 %install
 rm -rf $RPM_BUILD_ROOT
-make install DESTDIR=$RPM_BUILD_ROOT
+%makeinstall
 
 #ln -sf wvConvert $RPM_BUILD_ROOT/%{_bindir}/wvText
 find $RPM_BUILD_ROOT%{_libdir} -name "*.la" -exec rm -f {} \;
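Review bot: `Patch0: wv-wvtext-tmp.patch` is re-enabled in the header, but `#%patch0` stays commented out in `%prep`, so that patch ships in the SRPM and is never applied, while `%patch1` and `%patch2` are. If it is meant to stay disabled, comment the `Patch0:` tag out again or add a line such as `# not applied: <reason>` above `#%patch0`. If it is needed on 1.0.3, apply it with an explicit `-p` level and `-b` suffix like the other patches.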
@@ -74,40 +64,15 @@
 %doc COPYING README
 %{_bindir}/wv*
 %{_datadir}/wv
-%{_mandir}/man1/*
-%{_libdir}/libwv*.so.*
-
-%files      devel
-%defattr(-,root,root)
 %{_includedir}/wv
-%{_libdir}/libwv*.so
+%{_mandir}/man1/*
+%{_libdir}/libwv*
 %{_libdir}/pkgconfig/*
 
 
 %changelog
-* Sat Oct 28 2006 Aurelien Bompard <abompard at fedoraproject.org> 1.2.4-1
-- update to 1.2.4, fixes #212696 (CVE-2006-4513)
-
-* Fri Sep 08 2006 Aurelien Bompard <abompard at fedoraproject.org> 1.2.1-7
-- rebuild (releases 1 to 7, cvs problem)
-
-* Fri Sep 08 2006 Aurelien Bompard <abompard at fedoraproject.org> 1.2.1-1
-- version 1.2.1
-
-* Fri Apr 14 2006 Aurelien Bompard <gauret[AT]free.fr> 1.2.0-4
-- rebuild
-
-* Wed Feb 22 2006 Aurelien Bompard <gauret[AT]free.fr> 1.2.0-3
-- don't build the static lib
-
-* Tue Feb 21 2006 Aurelien Bompard <gauret[AT]free.fr> 1.2.0-2
-- rebuild for FC5
-
-* Fri Nov 11 2005 Aurelien Bompard <gauret[AT]free.fr> 1.2.0-1
-- version 1.2.0
-
-* Fri Oct 28 2005 Aurelien Bompard <gauret[AT]free.fr> 1.0.3-2
-- split out a -devel package (#171962)
+* Sun Oct 29 2006 Aurelien Bompard <abompard at fedoraproject.org> 1.0.3-2
+- fix CVE-2006-4513
 
 * Sun May 15 2005 Aurelien Bompard <gauret[AT]free.fr> 1.0.3-1%{?dist}
 - new version



