[pl/f14] Fix CVE-2011-2896
Petr Pisar
ppisar at fedoraproject.org
Mon Aug 22 14:05:52 UTC 2011
commit 1dc7503efc5537a959f0c8bdc2122ac5ec7000b0
Author: Petr Písař <ppisar at redhat.com>
Date: Fri Aug 19 13:41:32 2011 +0200
Fix CVE-2011-2896
pl.spec | 14 +++++++-
xpce-gif-CVE-2011-2896-part_1.patch | 66 +++++++++++++++++++++++++++++++++++
xpce-gif-CVE-2011-2896-part_2.patch | 48 +++++++++++++++++++++++++
3 files changed, 127 insertions(+), 1 deletions(-)
---
diff --git a/pl.spec b/pl.spec
index 4e0a099..bd70268 100644
--- a/pl.spec
+++ b/pl.spec
@@ -3,7 +3,7 @@
Name: pl
Version: 5.7.11
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: SWI-Prolog - Edinburgh compatible Prolog compiler
@@ -18,6 +18,9 @@ Patch1: %{name}-5.7.11-jpl-configure.patch
Patch2: %{name}-5.7.11-man-files.patch
Patch3: %{name}-5.6.60-jni.patch
Patch4: %{name}-5.7.11-pc.patch
+# Upstream bug #7, will be in 5.10.5, CVE-2011-2896, rhbz#727800
+Patch5: xpce-gif-CVE-2011-2896-part_1.patch
+Patch6: xpce-gif-CVE-2011-2896-part_2.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: gmp-devel
@@ -106,6 +109,11 @@ in Prolog. In both setups it provides a reentrant bidirectional interface.
%patch3 -p1 -b .jni
%patch4 -p1 -b .pc
(
+cd packages/xpce
+%patch5 -p1 -b .CVE-2011-2896-part_1
+%patch6 -p1 -b .CVE-2011-2896-part_2
+)
+(
mkdir doc-install
cd doc-install
cp -p %{SOURCE1} .
@@ -247,6 +255,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Fri Aug 19 2011 Petr Pisar <ppisar at redhat.com> - 5.7.11-6
+- Fix CVE-2011-2896 (David Koblas' GIF decoder LZW decoder buffer overflow)
+ (bug #727800)
+
* Fri Aug 21 2009 Tomas Mraz <tmraz at redhat.com> - 5.7.11-5
- rebuilt with new openssl
diff --git a/xpce-gif-CVE-2011-2896-part_1.patch b/xpce-gif-CVE-2011-2896-part_1.patch
new file mode 100644
index 0000000..c586112
--- /dev/null
+++ b/xpce-gif-CVE-2011-2896-part_1.patch
@@ -0,0 +1,66 @@
+From: Jan Wielemaker <J.Wielemaker at cs.vu.nl>
+Date: Thu, 18 Aug 2011 09:46:53 +0000 (+0200)
+Subject: SECURITY: Bug#7 Gif-reader bufferoverflow. Petr Pisar.
+X-Git-Url: http://www.swi-prolog.org/packages/xpce.git/commitdiff_plain/bb328029beb148691edc031d9db9cf0a503c8247
+
+SECURITY: Bug#7 Gif-reader bufferoverflow. Petr Pisar.
+
+See http://www.swi-prolog.org/bugzilla/show_bug.cgi?id=7
+See https://bugzilla.redhat.com/show_bug.cgi?id=727800
+
+This patch follows a corresponding patch in CUPS:
+
+CUPS was fixed recently (in 1.4.7) and now does code > max_code check
+http://cups.org/str.php?L3867
+svn diff -c 9840 http://svn.easysw.com/public/cups/
+---
+
+diff --git a/src/img/gifread.c b/src/img/gifread.c
+index bb66705..a12a2d8 100644
+--- a/src/img/gifread.c
++++ b/src/img/gifread.c
+@@ -169,7 +169,7 @@ GIFReadFD(IOSTREAM *fd,
+ /* read colormaps */
+ if ( BitSet((UCHAR) buf[4], LOCALCOLORMAP) )
+ { if ( (rval=ReadColorMap(fd, GifScreen.BitPixel, at, ac, closure))
+- != GIF_OK )
++ != GIF_OK )
+ { setGifError("Error reading GIF colormap");
+ return rval;
+ }
+@@ -487,11 +487,11 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
+ max_code = clear_code + 2;
+ sp = stack;
+ firstcode = oldcode = GetCode(fd, code_size, FALSE);
+- return firstcode;
+- } else if (code == end_code)
++ return (firstcode&255);
++ } else if (code == end_code || code > max_code)
+ {
+ int count;
+- UCHAR buf[260];
++ UCHAR buf[260]; /* Block buffer */
+
+ if (ZeroDataBlock)
+ return -2;
+@@ -504,7 +504,7 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
+ }
+ incode = code;
+
+- if (code >= max_code)
++ if (code == max_code)
+ {
+ *sp++ = firstcode;
+ code = oldcode;
+@@ -537,9 +537,9 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
+ oldcode = incode;
+
+ if (sp > stack)
+- return *--sp;
++ return ((*--sp) & 255);
+ }
+- return code;
++ return (code&255);
+ }
+
+
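Review bot: The `& 255` masks added at `return (firstcode&255);`, `return ((*--sp) & 255);` and `return (code&255);` bound the returned pixel to one byte, but the colour map read via `ReadColorMap(fd, GifScreen.BitPixel, ...)` in the first inner hunk appears to be sized by BitPixel, which can be smaller than 256; if the caller uses the returned byte directly as a colormap index, that index still needs clamping to the map size, which should be confirmed in the caller (outside this hunk). The new `code > max_code` test shares the end_code branch, so a stream carrying an out-of-range code is handled like a clean end of image rather than reported as corrupt; a comment such as `/* out-of-range code: treated as end of image, as in the CUPS fix (STR L3867) */` on that line would record the intent, and a distinct error return would make such input visible to callers and logs. The whitespace-only re-indent of `!= GIF_OK` is unrelated to the fix and makes a security backport harder to audit; it would be cleaner as a separate change. The body of LZWReadByte starts and continues outside the hunks shown here.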
diff --git a/xpce-gif-CVE-2011-2896-part_2.patch b/xpce-gif-CVE-2011-2896-part_2.patch
new file mode 100644
index 0000000..b3e35df
--- /dev/null
+++ b/xpce-gif-CVE-2011-2896-part_2.patch
@@ -0,0 +1,48 @@
+From: Jan Wielemaker <J.Wielemaker at cs.vu.nl>
+Date: Thu, 18 Aug 2011 14:26:44 +0000 (+0200)
+Subject: SECURITY: Bug#7: More gif-read fixes.
+X-Git-Url: http://www.swi-prolog.org/packages/xpce.git/commitdiff_plain/30fbc4e030cbef5871e1b96c31458116ce3e2ee8
+
+SECURITY: Bug#7: More gif-read fixes.
+
+Incorporated additional patches from http://cups.org/str.php?L3914
+---
+
+diff --git a/src/img/gifread.c b/src/img/gifread.c
+index a12a2d8..3b8a743 100644
+--- a/src/img/gifread.c
++++ b/src/img/gifread.c
+@@ -466,7 +466,7 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
+ firstcode = oldcode = GetCode(fd, code_size, FALSE);
+ }
+ while (firstcode == clear_code);
+- return firstcode;
++ return (firstcode&255);
+ }
+ if (sp > stack)
+ return *--sp;
+@@ -505,11 +505,11 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
+ incode = code;
+
+ if (code == max_code)
+- {
+- *sp++ = firstcode;
++ { if ( sp < stack+sizeof(stack) ) /* stack is UCHAR */
++ *sp++ = firstcode;
+ code = oldcode;
+ }
+- while (code >= clear_code)
++ while (code >= clear_code && sp < stack+sizeof(stack) )
+ {
+ *sp++ = vals[code];
+ if (code == (int) next[code])
+@@ -520,7 +520,8 @@ LZWReadByte(IOSTREAM * fd, int flag, int input_code_size)
+ code = next[code];
+ }
+
+- *sp++ = firstcode = vals[code];
++ if ( sp < stack+sizeof(stack) )
++ *sp++ = firstcode = vals[code];
+
+ if ((code = max_code) < (1 << MAX_LZW_BITS))
+ {
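Review bot: The three new guards `sp < stack+sizeof(stack)` drop symbols silently once the stack is full and let decoding continue, so a malformed stream produces a truncated or garbage image without any error reaching the caller; since the function already has error returns (the -2 seen in part_1), returning an error in the overflow case as well would make corrupt input detectable instead of quietly tolerated. The bound is only correct because `stack` is a `UCHAR` array, as the inline comment notes; spelling it `stack + sizeof(stack)/sizeof(stack[0])`, or a named size constant shared by the declaration and the three checks, keeps it correct if the element type ever changes. The loop `while (code >= clear_code && sp < stack+sizeof(stack) )` can now exit with the chain not fully walked, leaving `code >= clear_code` when `vals[code]` is read afterwards; that read stays in bounds only if `code < max_code` holds there, which the earlier `code > max_code` / `code == max_code` checks appear to guarantee but is worth confirming against the table size. The declaration of stack and the remainder of LZWReadByte lie outside this hunk.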