[t1lib/el5] Add patch to fix CVE-2010-2642, CVE-2011-0433 (afm-fix patch) New version of patch for CVE-2011-0764

Jaroslav Škarvada jskarvad at fedoraproject.org
Tue Jan 10 15:56:29 UTC 2012


commit 48f7716c2762f162a2f18510a7bf61b4d8ab9983
Author: Jaroslav Škarvada <jskarvad at redhat.com>
Date:   Tue Jan 10 16:56:17 2012 +0100

    Add patch to fix CVE-2010-2642, CVE-2011-0433 (afm-fix patch)
    New version of patch for CVE-2011-0764, also fixes CVE-2011-1552,
    CVE-2011-1553, CVE-2011-1554 (type1-inv-rw-fix patch)
    Resolves: rhbz#772899
    Add explicit NVR requires to apps subpackage (consumes libt1(x).so)
    Fix rpmlint warning (mixed-use-of-spaces-and-tabs)

 t1lib-5.1.1-afm-fix.patch          |   23 +++++++
 t1lib-5.1.1-type1-inv-rw-fix.patch |  124 ++++++++++++++++++++++++++++++++++++
 t1lib.spec                         |   18 +++++-
 3 files changed, 164 insertions(+), 1 deletions(-)
---
diff --git a/t1lib-5.1.1-afm-fix.patch b/t1lib-5.1.1-afm-fix.patch
new file mode 100644
index 0000000..66fbf4d
--- /dev/null
+++ b/t1lib-5.1.1-afm-fix.patch
@@ -0,0 +1,23 @@
+diff -up t1lib-5.1.2/lib/t1lib/parseAFM.c.orig t1lib-5.1.2/lib/t1lib/parseAFM.c
+--- t1lib-5.1.2/lib/t1lib/parseAFM.c.orig	2007-12-23 16:49:42.000000000 +0100
++++ t1lib-5.1.2/lib/t1lib/parseAFM.c	2011-05-10 23:59:08.726465425 +0200
+@@ -199,7 +199,8 @@ static char *token(stream) 
+     idx = 0;
+     
+     while (ch != EOF && ch != ' ' && ch != CR  && ch != LF &&
+-	   ch != CTRL_Z && ch != '\t' && ch != ':' && ch != ';'){
++	   ch != CTRL_Z && ch != '\t' && ch != ':' && ch != ';' &&
++	   idx < (MAX_NAME - 1)){
+       ident[idx++] = ch;
+       ch = fgetc(stream);
+     } /* while */
+@@ -235,7 +236,8 @@ static char *linetoken(stream)
+     while ((ch = fgetc(stream)) == ' ' || ch == '\t' ); 
+     
+     idx = 0;
+-    while (ch != EOF && ch != CR  && ch != LF && ch != CTRL_Z) 
++    while (ch != EOF && ch != CR  && ch != LF && ch != CTRL_Z &&
++      idx < (MAX_NAME - 1))
+     {
+         ident[idx++] = ch;
+         ch = fgetc(stream);
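Review bot: The new `idx < (MAX_NAME - 1)` bound in both loops stops the copy into `ident` but leaves the rest of an over-long token unread, so the next `token()`/`linetoken()` call would presumably return the tail as a separate token and parsing would continue on silently truncated input. If truncation is intended, say so in a comment such as `/* names longer than MAX_NAME - 1 are truncated; the remainder stays in the stream */`. Otherwise drain to the delimiter after the loop, e.g. in `linetoken`: `while (ch != EOF && ch != CR && ch != LF && ch != CTRL_Z) ch = fgetc(stream);`. Both function bodies continue outside the hunks, so how the pending `ch` is handled after the loop is not visible here.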
diff --git a/t1lib-5.1.1-type1-inv-rw-fix.patch b/t1lib-5.1.1-type1-inv-rw-fix.patch
new file mode 100644
index 0000000..7d57772
--- /dev/null
+++ b/t1lib-5.1.1-type1-inv-rw-fix.patch
@@ -0,0 +1,124 @@
+diff -up t1lib-5.1.2/lib/type1/lines.c.orig t1lib-5.1.2/lib/type1/lines.c
+--- t1lib-5.1.2/lib/type1/lines.c.orig	2007-12-23 16:49:42.000000000 +0100
++++ t1lib-5.1.2/lib/type1/lines.c	2012-01-10 00:50:01.617614468 +0100
+@@ -67,6 +67,10 @@ This module provides the following entry
+ None.
+ */
+  
++#define  BITS         (sizeof(LONG)*8)
++#define  HIGHTEST(p)  (((p)>>(BITS-2)) != 0)  /* includes sign bit */
++#define  TOOBIG(xy)   ((xy < 0) ? HIGHTEST(-xy) : HIGHTEST(xy))
++
+ /*
+ :h2.StepLine() - Produces Run Ends for a Line After Checks
+  
+@@ -84,6 +88,9 @@ void StepLine(R, x1, y1, x2, y2)
+        IfTrace4((LineDebug > 0), ".....StepLine: (%d,%d) to (%d,%d)\n",
+                                             x1, y1, x2, y2);
+  
++      if ( TOOBIG(x1) || TOOBIG(x2) || TOOBIG(y1) || TOOBIG(y2))
++              abort("Lines this big not supported", 49);
++
+        dy = y2 - y1;
+  
+ /*
+diff -up t1lib-5.1.2/lib/type1/objects.c.orig t1lib-5.1.2/lib/type1/objects.c
+--- t1lib-5.1.2/lib/type1/objects.c.orig	2007-12-23 16:49:42.000000000 +0100
++++ t1lib-5.1.2/lib/type1/objects.c	2012-01-10 00:55:18.082937510 +0100
+@@ -1137,12 +1137,13 @@ char *t1_get_abort_message( int number)
+     "Context:  out of them", /* 46 */
+     "MatrixInvert:  can't", /* 47 */
+     "xiStub called", /* 48 */
+-    "Illegal access type1 abort() message" /* 49 */
++    "Lines this big not supported", /* 49 */
++    "Illegal access type1 abort() message" /* 50 */
+   };
+ 
+-  /* no is valid from 1 to 48 */
+-  if ( (number<1)||(number>48))
+-    number=49;
++  /* no is valid from 1 to 49 */
++  if ( (number<1)||(number>49))
++    number=50;
+   return( err_msgs[number-1]);
+     
+ }
+diff -up t1lib-5.1.2/lib/type1/type1.c.orig t1lib-5.1.2/lib/type1/type1.c
+--- t1lib-5.1.2/lib/type1/type1.c.orig	2007-12-23 21:19:42.000000000 +0530
++++ t1lib-5.1.2/lib/type1/type1.c	2012-01-04 13:11:50.324115578 +0530
+@@ -1012,6 +1012,7 @@ 
+   double nextdtana = 0.0;   /* tangent of post-delta against horizontal line */ 
+   double nextdtanb = 0.0;   /* tangent of post-delta against vertical line */ 
+   
++  if (ppoints == NULL || numppoints < 1) Error0v("FindStems: No previous point!\n");
+  
+   /* setup default hinted position */
+   ppoints[numppoints-1].ax     = ppoints[numppoints-1].x;
+@@ -1289,7 +1290,7 @@ 
+ static int DoRead(CodeP)
+   int *CodeP;
+ {
+-  if (strindex >= CharStringP->len) return(FALSE); /* end of string */
++  if (!CharStringP || strindex >= CharStringP->len) return(FALSE); /* end of string */
+   /* We handle the non-documented Adobe convention to use lenIV=-1 to
+      suppress charstring encryption. */
+   if (blues->lenIV==-1) {
+@@ -1700,6 +1701,7 @@ 
+   long pindex = 0;
+   
+   /* compute hinting for previous segment! */
++  if (ppoints == NULL || numppoints < 2 ) Error0i("RLineTo: No previous point!\n");
+   FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy);
+ 
+   /* Allocate a new path point and pre-setup data */
+@@ -1728,6 +1730,7 @@ 
+   long pindex = 0;
+   
+   /* compute hinting for previous point! */
++  if (ppoints == NULL || numppoints < 2) Error0i("RRCurveTo: No previous point!\n");
+   FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1);
+ 
+   /* Allocate three new path points and pre-setup data */
+@@ -1786,7 +1789,9 @@ 
+   long tmpind;
+   double deltax = 0.0;
+   double deltay = 0.0;
+-  
++ 
++  if (ppoints == NULL || numppoints < 1) Error0i("DoClosePath: No previous point!");
++ 
+   /* If this ClosePath command together with the starting point of this
+      path completes to a segment aligned to a stem, we would miss
+      hinting for this point. --> Check and explicitly care for this! */
+@@ -1801,6 +1806,7 @@ 
+     deltax = ppoints[i].x - ppoints[numppoints-1].x;
+     deltay = ppoints[i].y - ppoints[numppoints-1].y;
+ 
++    if (ppoints == NULL || numppoints <= i + 1) Error0i("DoClosePath: No previous point!");
+     /* save nummppoints and reset to move point */
+     tmpind = numppoints;
+     numppoints = i + 1;
+@@ -1903,6 +1909,7 @@ 
+     FindStems( currx, curry, 0, 0, dx, dy);
+   }
+   else {
++    if (ppoints == NULL || numppoints < 2) Error0i("RMoveTo: No previous point!\n");
+     FindStems( currx, curry, ppoints[numppoints-2].x, ppoints[numppoints-2].y, dx, dy);
+   }
+   
+@@ -2152,6 +2159,7 @@ 
+   DOUBLE cx, cy;
+   DOUBLE ex, ey;
+ 
++  if (ppoints == NULL || numppoints < 8) Error0v("FlxProc: No previous point!");
+ 
+   /* Our PPOINT list now contains 7 moveto commands which
+      are about to be consumed by the Flex mechanism. --> Remove these
+@@ -2321,6 +2329,7 @@ 
+ /*   Returns currentpoint on stack          */
+ static void FlxProc2()
+ {
++  if (ppoints == NULL || numppoints < 1) Error0v("FlxProc2: No previous point!");
+   /* Push CurrentPoint on fake PostScript stack */
+   PSFakePush( ppoints[numppoints-1].x);
+   PSFakePush( ppoints[numppoints-1].y);
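Review bot: `TOOBIG` in the lines.c hunk negates its argument (`HIGHTEST(-xy)`), which overflows when a coordinate is the most negative value of its type, assuming the StepLine coordinates are a signed `LONG`. That is undefined behaviour inside the guard that is meant to reject extreme coordinate values. The macro also uses `xy` unparenthesised. A form without negation, for example `#define TOOBIG(xy) (((xy) < 0) ? HIGHTEST(~(xy)) : HIGHTEST(xy))`, avoids both, but it accepts exactly -2^(BITS-2), one more value than the current test on the negative side, so confirm that is still safe for `dy = y2 - y1`. StepLine's body continues outside the hunk.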
diff --git a/t1lib.spec b/t1lib.spec
index 2c0734d..be8a7bf 100644
--- a/t1lib.spec
+++ b/t1lib.spec
@@ -1,6 +1,6 @@
 Name:           t1lib
 Version:        5.1.1
-Release:        7%{?dist}
+Release:        8%{?dist}
 
 Summary:        PostScript Type 1 font rasterizer
 
@@ -9,6 +9,12 @@ License:        LGPLv2+
 URL:            ftp://sunsite.unc.edu/pub/Linux/libs/graphics
 Source0:        ftp://sunsite.unc.edu/pub/Linux/libs/graphics/t1lib-%{version}.tar.gz
 Patch0:         http://ftp.de.debian.org/debian/pool/main/t/t1lib/t1lib_5.1.1-3.diff.gz
+# Fixes CVE-2010-2642, CVE-2011-0433
+# http://bugzilla.redhat.com/show_bug.cgi?id=679732
+Patch1:         t1lib-5.1.1-afm-fix.patch
+# Fixes CVE-2011-0764, CVE-2011-1552, CVE-2011-1553, CVE-2011-1554
+# http://bugzilla.redhat.com/show_bug.cgi?id=692909
+Patch2:         t1lib-5.1.1-type1-inv-rw-fix.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:  libXaw-devel
 
@@ -42,6 +48,8 @@ This package contains static libraries for %{name}.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1 -b .afm-fix
+%patch2 -p1 -b .type1-inv-rw-fix
 
 # use debian patches directly instead of duplicating them
 patch -p1 < debian/patches/cve-2007-4033.diff
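Review bot: `%patch1` and `%patch2` apply patches whose headers name a `t1lib-5.1.2/` tree (see the `diff -up` lines in both patch files) to the 5.1.1 sources, and they run before the Debian series that starts at `patch -p1 < debian/patches/cve-2007-4033.diff`. Hunks that land with an offset or fuzz may still apply without failing the build, which is easy to miss for a security fix. It is worth checking the %prep output for offset or fuzz messages, or regenerating both patches against the 5.1.1 tree. A comment above the two lines would record the ordering, e.g. `# applied before the Debian patch series; generated against 5.1.2, verified to apply cleanly to 5.1.1`.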
@@ -124,6 +132,14 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Tue Jan 10 2012 Jaroslav Škarvada <jskarvad at redhat.com> - 5.1.1-8
+- Add patch to fix CVE-2010-2642, CVE-2011-0433 (afm-fix patch)
+- New version of patch for CVE-2011-0764, also fixes CVE-2011-1552,
+  CVE-2011-1553, CVE-2011-1554 (type1-inv-rw-fix patch)
+  Resolves: rhbz#772899
+- Add explicit NVR requires to apps subpackage (consumes libt1(x).so)
+- Fix rpmlint warning (mixed-use-of-spaces-and-tabs)
+
 * Tue Jan  8 2008 Patrice Dumas <pertusus[AT]free.fr> - 5.1.1-7
 - add X libs BuildRequires (#353861)
 

