[xpdf] fix desktop file, CVE-2012-2142
Tom Callaway
spot at fedoraproject.org
Sun Sep 22 05:19:11 UTC 2013
commit ef59550e71f2ac52f35cb224307b8e9f6b3a0736
Author: Tom Callaway <spot at fedoraproject.org>
Date: Sun Sep 22 01:19:40 2013 -0400
fix desktop file, CVE-2012-2142
xpdf-3.03-CVE-2012-2142.diff | 55 ++++++++++++++++++++++++++++++++++++++++++
xpdf.desktop | 2 +-
xpdf.spec | 15 +++++++++--
3 files changed, 68 insertions(+), 4 deletions(-)
---
diff --git a/xpdf-3.03-CVE-2012-2142.diff b/xpdf-3.03-CVE-2012-2142.diff
new file mode 100644
index 0000000..891c41f
--- /dev/null
+++ b/xpdf-3.03-CVE-2012-2142.diff
@@ -0,0 +1,55 @@
+From 3945969e0072217c143fefa3044512a31ac2afa8 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 at hush.com>
+Date: Sun, 11 Aug 2013
+Subject: CVE-2012-2142
+
+Filter stuff that might end up in the shell to address CVE-2012-2142.
+This code was adapted from the Poppler project.
+---
+ Error.cc | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+--- a/xpdf/Error.cc 2013-08-11
++++ b/xpdf/Error.cc 2013-08-11
+@@ -43,7 +43,7 @@ void setErrorCallback(void (*cbk)(void *
+
+ void CDECL error(ErrorCategory category, int pos, const char *msg, ...) {
+ va_list args;
+- GString *s;
++ GString *s, *sanitized;
+
+ // NB: this can be called before the globalParams object is created
+ if (!errorCbk && globalParams && globalParams->getErrQuiet()) {
+@@ -52,17 +52,28 @@ void CDECL error(ErrorCategory category,
+ va_start(args, msg);
+ s = GString::formatv(msg, args);
+ va_end(args);
++
++ sanitized = new GString ();
++ for (int i = 0; i < s->getLength(); ++i) {
++ const char c = s->getChar(i);
++ if (c < (char)0x20 || c >= (char)0x7f) {
++ sanitized->appendf("<{0:02x}>", c & 0xff);
++ } else {
++ sanitized->append(c);
++ }
++ }
++
+ if (errorCbk) {
+- (*errorCbk)(errorCbkData, category, pos, s->getCString());
++ (*errorCbk)(errorCbkData, category, pos, sanitized->getCString());
+ } else {
+ if (pos >= 0) {
+ fprintf(stderr, "%s (%d): %s\n",
+- errorCategoryNames[category], pos, s->getCString());
++ errorCategoryNames[category], pos, sanitized->getCString());
+ } else {
+ fprintf(stderr, "%s: %s\n",
+- errorCategoryNames[category], s->getCString());
++ errorCategoryNames[category], sanitized->getCString());
+ }
+ fflush(stderr);
+ }
+- delete s;
++ delete sanitized;
+ }
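Review bot: The formatted string `s` is leaked on every call: the last two lines of the inner hunk replace `delete s;` with `delete sanitized;`, so the GString returned by `GString::formatv` is never freed once its contents have been copied into `sanitized`. Because error() runs for every malformed-input warning a PDF triggers, this turns a fix for CVE-2012-2142 into an unbounded allocation growth on hostile or merely broken documents; keep both deletes, `delete s;` followed by `delete sanitized;`, which is also what the Poppler code this was adapted from appears to do. The sanitization loop itself looks right for either char signedness: bytes at or above 0x80 are caught by `c < (char)0x20` when char is signed and by `c >= (char)0x7f` when it is unsigned. The body of error() between the two inner hunks (lines 44–51 of Error.cc) is not shown here, so any other early-return path that would also need to free `s` cannot be checked from this view.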
diff --git a/xpdf.desktop b/xpdf.desktop
index 90ac5c4..9ad44d3 100644
--- a/xpdf.desktop
+++ b/xpdf.desktop
@@ -11,5 +11,5 @@ Comment[de]=PDF-Betrachter
Exec=xpdf %f
Terminal=0
Type=Application
-Icon=xpdf.png
+Icon=xpdf
MimeType=application/pdf
diff --git a/xpdf.spec b/xpdf.spec
index 9cc4e4d..8b6c9df 100644
--- a/xpdf.spec
+++ b/xpdf.spec
@@ -1,7 +1,7 @@
Summary: A PDF file viewer for the X Window System
Name: xpdf
Version: 3.03
-Release: 7%{?dist}
+Release: 8%{?dist}
License: GPLv2 or GPLv3
Epoch: 1
Url: http://www.foolabs.com/xpdf/
@@ -39,14 +39,14 @@ Patch9: xpdf-3.00-papersize.patch
Patch10: xpdf-3.00-gcc4.patch
Patch11: xpdf-3.03-crash.patch
Patch12: xpdf-3.03-64bit.patch
-# Patch13: xpdf-3.01-resize.patch
-# Patch14: xpdf-3.01-freetype-internals.patch
+# Patch13: xpdf-3.01-resize.patch# Patch14: xpdf-3.01-freetype-internals.patch
Patch15: xpdf-3.01-nocmap.patch
Patch16: xpdf-3.02-fontlist.patch
Patch19: xpdf-3.02-additionalzoom.patch
Patch20: xpdf-3.03-compile-fix.patch
# Security patches
+Patch100: xpdf-3.03-CVE-2012-2142.diff
# Debian patches
Patch200: 02_permissions.dpatch
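Review bot: The two commented-out patch entries are collapsed onto a single line in the new side, `# Patch13: xpdf-3.01-resize.patch# Patch14: xpdf-3.01-freetype-internals.patch`, which reads like an accidentally deleted newline rather than an intended edit. Both lines are comments, so the build is unaffected, but the diffstat (3 deletions, 12 insertions in xpdf.spec) confirms the merge is real and not a rendering artifact; restore them as two lines, `# Patch13: xpdf-3.01-resize.patch` and `# Patch14: xpdf-3.01-freetype-internals.patch`, so the patch list stays readable and the unrelated change is kept out of a security commit. The added `Patch100: xpdf-3.03-CVE-2012-2142.diff` line and its `%patch100 -p1 -b .CVE-2012-2142` application in the later hunk are consistent with the patch's `a/xpdf/Error.cc` path.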
@@ -60,7 +60,11 @@ Requires: poppler-utils
Requires: xorg-x11-fonts-ISO8859-1-75dpi
Requires: xorg-x11-fonts-ISO8859-1-100dpi
+%if 0%{?rhel}
+BuildRequires: openmotif-devel
+%else
BuildRequires: lesstif-devel
+%endif
BuildRequires: freetype-devel >= 2.1.7
BuildRequires: desktop-file-utils
BuildRequires: libpaper-devel
@@ -101,6 +105,7 @@ standard X fonts.
%patch20 -p1 -b .charfix
# security patches
+%patch100 -p1 -b .CVE-2012-2142
# debian patches
%patch200 -p1 -b .permissions
@@ -254,6 +259,10 @@ update-desktop-database &> /dev/null ||:
%{_datadir}/xpdf/latin2
%changelog
+* Sun Sep 22 2013 Tom Callaway <spot at fedoraproject.org> - 1:3.03-8
+- fix CVE-2012-2142
+- fix issue with icon name in .desktop file (except on el5)
+
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1:3.03-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild