[evince/f13/master] Security bugfixes
mkasik
mkasik at fedoraproject.org
Thu Jan 6 11:09:10 UTC 2011
commit f9b40c11f250c7c5895232335162374e2c874638
Author: Marek Kasik <mkasik at redhat.com>
Date: Thu Jan 6 11:58:45 2011 +0100
Security bugfixes
Fixes CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643
Resolves: #667573
...CVE-2010-2641_CVE-2010-2642_CVE-2010-2643.patch | 96 ++++++++++++++++++++
evince.spec | 9 ++-
2 files changed, 104 insertions(+), 1 deletions(-)
---
diff --git a/evince-CVE-2010-2640_CVE-2010-2641_CVE-2010-2642_CVE-2010-2643.patch b/evince-CVE-2010-2640_CVE-2010-2641_CVE-2010-2642_CVE-2010-2643.patch
new file mode 100644
index 0000000..8d4f504
--- /dev/null
+++ b/evince-CVE-2010-2640_CVE-2010-2641_CVE-2010-2642_CVE-2010-2643.patch
@@ -0,0 +1,96 @@
+commit d4139205b010ed06310d14284e63114e88ec6de2
+Author: José Aliste <jaliste at src.gnome.org>
+Date: Tue Dec 7 15:56:47 2010 -0300
+
+ backends: Fix several security issues in the dvi-backend.
+
+ See CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643.
+
+diff --git a/backend/dvi/mdvi-lib/afmparse.c b/backend/dvi/mdvi-lib/afmparse.c
+index 164366b..361e23d 100644
+--- a/backend/dvi/mdvi-lib/afmparse.c
++++ b/backend/dvi/mdvi-lib/afmparse.c
+@@ -160,7 +160,7 @@ static char *token(FILE *stream)
+
+ idx = 0;
+ while (ch != EOF && ch != ' ' && ch != lineterm
+- && ch != '\t' && ch != ':' && ch != ';')
++ && ch != '\t' && ch != ':' && ch != ';' && idx < MAX_NAME)
+ {
+ ident[idx++] = ch;
+ ch = fgetc(stream);
+diff --git a/backend/dvi/mdvi-lib/dviread.c b/backend/dvi/mdvi-lib/dviread.c
+index cd8cfa9..d014320 100644
+--- a/backend/dvi/mdvi-lib/dviread.c
++++ b/backend/dvi/mdvi-lib/dviread.c
+@@ -1507,6 +1507,10 @@ int special(DviContext *dvi, int opcode)
+ Int32 arg;
+
+ arg = dugetn(dvi, opcode - DVI_XXX1 + 1);
++ if (arg <= 0) {
++ dvierr(dvi, _("malformed special length\n"));
++ return -1;
++ }
+ s = mdvi_malloc(arg + 1);
+ dread(dvi, s, arg);
+ s[arg] = 0;
+diff --git a/backend/dvi/mdvi-lib/pk.c b/backend/dvi/mdvi-lib/pk.c
+index a579186..08377e6 100644
+--- a/backend/dvi/mdvi-lib/pk.c
++++ b/backend/dvi/mdvi-lib/pk.c
+@@ -469,6 +469,15 @@ static int pk_load_font(DviParams *unused, DviFont *font)
+ }
+ if(feof(p))
+ break;
++
++ /* Although the PK format support bigger char codes,
++ * XeTeX and other extended TeX engines support charcodes up to
++ * 65536, while normal TeX engine supports only charcode up to 255.*/
++ if (cc < 0 || cc > 65536) {
++ mdvi_error (_("%s: unexpected charcode (%d)\n"),
++ font->fontname,cc);
++ goto error;
++ }
+ if(cc < loc)
+ loc = cc;
+ if(cc > hic)
+@@ -512,7 +521,7 @@ static int pk_load_font(DviParams *unused, DviFont *font)
+ }
+
+ /* resize font char data */
+- if(loc > 0 || hic < maxch-1) {
++ if(loc > 0 && hic < maxch-1) {
+ memmove(font->chars, font->chars + loc,
+ (hic - loc + 1) * sizeof(DviFontChar));
+ font->chars = xresize(font->chars,
+diff --git a/backend/dvi/mdvi-lib/tfmfile.c b/backend/dvi/mdvi-lib/tfmfile.c
+index 73ebf26..8c2a30b 100644
+--- a/backend/dvi/mdvi-lib/tfmfile.c
++++ b/backend/dvi/mdvi-lib/tfmfile.c
+@@ -172,7 +172,8 @@ int tfm_load_file(const char *filename, TFMInfo *info)
+ /* We read the entire TFM file into core */
+ if(fstat(fileno(in), &st) < 0)
+ return -1;
+- if(st.st_size == 0)
++ /* according to the spec, TFM files are smaller than 16K */
++ if(st.st_size == 0 || st.st_size >= 16384)
+ goto bad_tfm;
+
+ /* allocate a word-aligned buffer to hold the file */
+diff --git a/backend/dvi/mdvi-lib/vf.c b/backend/dvi/mdvi-lib/vf.c
+index fb49847..a5ae3bb 100644
+--- a/backend/dvi/mdvi-lib/vf.c
++++ b/backend/dvi/mdvi-lib/vf.c
+@@ -165,6 +165,12 @@ static int vf_load_font(DviParams *params, DviFont *font)
+ cc = fuget1(p);
+ tfm = fuget3(p);
+ }
++ if (cc < 0 || cc > 65536) {
++ /* TeX engines do not support char codes bigger than 65535 */
++ mdvi_error(_("(vf) %s: unexpected character %d\n"),
++ font->fontname, cc);
++ goto error;
++ }
+ if(loc < 0 || cc < loc)
+ loc = cc;
+ if(hic < 0 || cc > hic)
diff --git a/evince.spec b/evince.spec
index 56a61db..f714da8 100644
--- a/evince.spec
+++ b/evince.spec
@@ -6,7 +6,7 @@
Name: evince
Version: 2.30.3
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Document viewer
License: GPLv2+ and GFDL
@@ -17,6 +17,8 @@ Source0: http://download.gnome.org/sources/%{name}/2.30/%{name}-%{version
Patch2: evince-t1font-mapping.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=597777
Patch4: evince-metadata.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=667573
+Patch5: evince-CVE-2010-2640_CVE-2010-2641_CVE-2010-2642_CVE-2010-2643.patch
BuildRequires: gtk2-devel >= %{gtk2_version}
BuildRequires: glib2-devel >= %{glib2_version}
@@ -115,6 +117,7 @@ It adds an additional tab called "Document" to the file properties dialog.
%setup -q
%patch2 -p1 -b .t1font-map
%patch4 -p1 -b .metadata
+%patch5 -p1 -b .CVE-2010-2640_CVE-2010-2641_CVE-2010-2642_CVE-2010-2643
%build
%configure --disable-static --disable-scrollkeeper --disable-schemas-install \
@@ -237,6 +240,10 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor >&/dev/null || :
%{_libdir}/nautilus/extensions-2.0/libevince-properties-page.so
%changelog
+* Thu Jan 6 2011 Marek Kasik <mkasik at redhat.com> - 2.30.3-2
+- Fixes CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643
+- Resolves: #667573
+
* Fri Jun 25 2010 Marek Kasik <mkasik at redhat.com> - 2.30.3-1
- Update to 2.30.3
More information about the scm-commits
mailing list