[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

rpms/tetex/devel tetex-3.0-CVE-2005-3193.patch, 1.2, 1.3 tetex-3.0-texmfcnf.patch, 1.3, 1.4 tetex.spec, 1.78, 1.79



Author: jnovy

Update of /cvs/dist/rpms/tetex/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv3640

Modified Files:
	tetex-3.0-CVE-2005-3193.patch tetex-3.0-texmfcnf.patch 
	tetex.spec 
Log Message:
* Mon Jan 11 2006 Jindrich Novy <jnovy redhat com> 3.0-14
- apply additional patch to fix xpdf flaws from Ludwig Nussel
  (CVE-2005-3191, CVE-2005-3192 and CVE-2005-3193) (#177128)
- /usr/share/texmf/doc is now owned by tetex package (#177065)
- update searching order for kpathsea (local texmf tree is
  searched first)


tetex-3.0-CVE-2005-3193.patch:
 JBIG2Stream.cc |   45 +++++++++++++++++++++++++++++++++++++++++----
 JPXStream.cc   |   18 +++++++++++++++---
 Stream.cc      |   49 +++++++++++++++++++++++++++++++++++++++++++++++--
 Stream.h       |    3 +++
 4 files changed, 106 insertions(+), 9 deletions(-)

Index: tetex-3.0-CVE-2005-3193.patch
===================================================================
RCS file: /cvs/dist/rpms/tetex/devel/tetex-3.0-CVE-2005-3193.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- tetex-3.0-CVE-2005-3193.patch	20 Dec 2005 10:12:04 -0000	1.2
+++ tetex-3.0-CVE-2005-3193.patch	11 Jan 2006 14:41:32 -0000	1.3
@@ -1,5 +1,5 @@
---- tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc.CVE-2005-3193
-+++ tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc
+--- tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc.CVE-2005-3193	2004-01-22 02:26:45.000000000 +0100
++++ tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc	2006-01-09 15:15:27.000000000 +0100
 @@ -7,6 +7,7 @@
  //========================================================================
  
@@ -8,7 +8,7 @@
  
  #ifdef USE_GCC_PRAGMAS
  #pragma implementation
-@@ -666,7 +667,7 @@
+@@ -666,7 +667,7 @@ GBool JPXStream::readCodestream(Guint le
    int segType;
    GBool haveSIZ, haveCOD, haveQCD, haveSOT;
    Guint precinctSize, style;
@@ -17,7 +17,7 @@
  
    //----- main header
    haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
-@@ -701,8 +702,19 @@
+@@ -701,8 +702,19 @@ GBool JPXStream::readCodestream(Guint le
  	            / img.xTileSize;
        img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
  	            / img.yTileSize;
@@ -39,11 +39,9 @@
        for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
  	img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
  							sizeof(JPXTileComp));
-only in patch2:
-unchanged:
---- tetex-src-3.0/libs/xpdf/xpdf/Stream.h.CVE-2005-3193
-+++ tetex-src-3.0/libs/xpdf/xpdf/Stream.h
-@@ -233,6 +233,8 @@
+--- tetex-src-3.0/libs/xpdf/xpdf/Stream.h.CVE-2005-3193	2004-01-22 02:26:45.000000000 +0100
++++ tetex-src-3.0/libs/xpdf/xpdf/Stream.h	2006-01-09 15:15:27.000000000 +0100
+@@ -233,6 +233,8 @@ public:
  
    ~StreamPredictor();
  
@@ -52,7 +50,7 @@
    int lookChar();
    int getChar();
  
-@@ -250,6 +252,7 @@
+@@ -250,6 +252,7 @@ private:
    int rowBytes;			// bytes per line
    Guchar *predLine;		// line buffer
    int predIdx;			// current index in predLine
@@ -60,10 +58,8 @@
  };
  
  //------------------------------------------------------------------------
-only in patch2:
-unchanged:
---- tetex-src-3.0/libs/xpdf/xpdf/Stream.cc.CVE-2005-3193
-+++ tetex-src-3.0/libs/xpdf/xpdf/Stream.cc
+--- tetex-src-3.0/libs/xpdf/xpdf/Stream.cc.CVE-2005-3193	2004-01-22 02:26:45.000000000 +0100
++++ tetex-src-3.0/libs/xpdf/xpdf/Stream.cc	2006-01-09 15:15:27.000000000 +0100
 @@ -15,6 +15,7 @@
  #include <stdio.h>
  #include <stdlib.h>
@@ -72,7 +68,7 @@
  #ifndef WIN32
  #include <unistd.h>
  #endif
-@@ -412,13 +413,28 @@
+@@ -412,13 +413,28 @@ StreamPredictor::StreamPredictor(Stream 
    width = widthA;
    nComps = nCompsA;
    nBits = nBitsA;
@@ -101,7 +97,7 @@
  }
  
  StreamPredictor::~StreamPredictor() {
-@@ -1012,6 +1028,10 @@
+@@ -1012,6 +1028,10 @@ LZWStream::LZWStream(Stream *strA, int p
      FilterStream(strA) {
    if (predictor != 1) {
      pred = new StreamPredictor(this, predictor, columns, colors, bits);
@@ -112,40 +108,81 @@
    } else {
      pred = NULL;
    }
-@@ -2897,6 +2917,10 @@
+@@ -1260,6 +1280,10 @@ CCITTFaxStream::CCITTFaxStream(Stream *s
+   endOfLine = endOfLineA;
+   byteAlign = byteAlignA;
+   columns = columnsA;
++  if (columns < 1 || columns >= INT_MAX / sizeof(short)) {
++    error(-1, "invalid number of columns: %d", columns);
++    exit(1);
++  }
+   rows = rowsA;
+   endOfBlock = endOfBlockA;
+   black = blackA;
+@@ -2897,6 +2921,11 @@ GBool DCTStream::readBaselineSOF() {
    height = read16();
    width = read16();
    numComps = str->getChar();
 +  if (numComps <= 0 || numComps > 4) {
-+    error(getPos(), "Bad number of components in DCT stream", prec);
++    numComps = 0;
++    error(getPos(), "Bad number of components in DCT stream");
 +    return gFalse;
 +  }
    if (prec != 8) {
      error(getPos(), "Bad DCT precision %d", prec);
      return gFalse;
-@@ -2923,6 +2947,10 @@
+@@ -2923,6 +2952,11 @@ GBool DCTStream::readProgressiveSOF() {
    height = read16();
    width = read16();
    numComps = str->getChar();
 +  if (numComps <= 0 || numComps > 4) {
-+    error(getPos(), "Bad number of components in DCT stream", prec);
++    numComps = 0;
++    error(getPos(), "Bad number of components in DCT stream");
 +    return gFalse;
 +  }
    if (prec != 8) {
      error(getPos(), "Bad DCT precision %d", prec);
      return gFalse;
-@@ -2945,6 +2973,10 @@
+@@ -2945,6 +2979,11 @@ GBool DCTStream::readScanInfo() {
  
    length = read16() - 2;
    scanInfo.numComps = str->getChar();
 +  if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
++    scanInfo.numComps = 0;
 +    error(getPos(), "Bad number of components in DCT stream");
 +    return gFalse;
 +  }
    --length;
    if (length != 2 * scanInfo.numComps + 3) {
      error(getPos(), "Bad DCT scan info block");
-@@ -3255,6 +3287,10 @@
+@@ -3019,12 +3058,12 @@ GBool DCTStream::readHuffmanTables() {
+   while (length > 0) {
+     index = str->getChar();
+     --length;
+-    if ((index & 0x0f) >= 4) {
++    if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
+       error(getPos(), "Bad DCT Huffman table");
+       return gFalse;
+     }
+     if (index & 0x10) {
+-      index &= 0x0f;
++      index &= 0x03;
+       if (index >= numACHuffTables)
+ 	numACHuffTables = index+1;
+       tbl = &acHuffTables[index];
+@@ -3142,9 +3181,11 @@ int DCTStream::readMarker() {
+   do {
+     do {
+       c = str->getChar();
++      if(c == EOF) return EOF;
+     } while (c != 0xff);
+     do {
+       c = str->getChar();
++      if(c == EOF) return EOF;
+     } while (c == 0xff);
+   } while (c == 0x00);
+   return c;
+@@ -3255,6 +3296,10 @@ FlateStream::FlateStream(Stream *strA, i
      FilterStream(strA) {
    if (predictor != 1) {
      pred = new StreamPredictor(this, predictor, columns, colors, bits);
@@ -156,8 +193,8 @@
    } else {
      pred = NULL;
    }
---- tetex-src-3.0/libs/xpdf/xpdf/JBIG2Stream.cc.CVE-2005-3193
-+++ tetex-src-3.0/libs/xpdf/xpdf/JBIG2Stream.cc
+--- tetex-src-3.0/libs/xpdf/xpdf/JBIG2Stream.cc.CVE-2005-3193	2004-01-22 02:26:45.000000000 +0100
++++ tetex-src-3.0/libs/xpdf/xpdf/JBIG2Stream.cc	2006-01-09 15:15:27.000000000 +0100
 @@ -7,6 +7,7 @@
  //========================================================================
  
@@ -166,45 +203,61 @@
  
  #ifdef USE_GCC_PRAGMAS
  #pragma implementation
-@@ -681,7 +682,15 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, 
+@@ -681,7 +682,16 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, 
    w = wA;
    h = hA;
    line = (wA + 7) >> 3;
 -  data = (Guchar *)gmalloc(h * line);
 +
-+  if (h < 0 || line <= 0 || h >= INT_MAX / line) {
++  if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
++    error(-1, "invalid width/height");
 +    data = NULL;
++    return;
 +  }
-+  else {
-+    // need to allocate one extra guard byte for use in combine()
-+    data = (Guchar *)gmalloc(h * line + 1);
-+    data[h * line] = 0;
-+  }
++
++  // need to allocate one extra guard byte for use in combine()
++  data = (Guchar *)gmalloc(h * line + 1);
++  data[h * line] = 0;
  }
  
  JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
-@@ -692,5 +699,11 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, 
+@@ -690,8 +700,17 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, 
    w = bitmap->w;
    h = bitmap->h;
    line = bitmap->line;
+-  data = (Guchar *)gmalloc(h * line);
 +
-+  if (h < 0 || line <= 0 || h >= INT_MAX / line) {
++  if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
++    error(-1, "invalid width/height");
 +    data = NULL;
 +    return;
 +  }
-+ 
-   data = (Guchar *)gmalloc(h * line);
++
++  // need to allocate one extra guard byte for use in combine()
++  data = (Guchar *)gmalloc(h * line + 1);
    memcpy(data, bitmap->data, h * line);
-@@ -720,7 +733,7 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint
++  data[h * line] = 0;
+ }
+ 
+ JBIG2Bitmap::~JBIG2Bitmap() {
+@@ -716,10 +735,14 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint
  }
  
  void JBIG2Bitmap::expand(int newH, Guint pixel) {
 -  if (newH <= h) {
-+  if (newH <= h || line <= 0 || newH >= INT_MAX / line) {
++  if (newH <= h || line <= 0 || newH >= (INT_MAX - 1) / line) {
++    error(-1, "invalid width/height");
++    gfree(data);
++    data = NULL;
      return;
    }
-   // need to allocate one extra guard byte for use in combine()
-@@ -2305,6 +2318,15 @@ void JBIG2Stream::readHalftoneRegionSeg(
+-  data = (Guchar *)grealloc(data, newH * line);
++  // need to allocate one extra guard byte for use in combine()
++  data = (Guchar *)grealloc(data, newH * line + 1);
+   if (pixel) {
+     memset(data + h * line, 0xff, (newH - h) * line);
+   } else {
+@@ -2256,6 +2279,15 @@ void JBIG2Stream::readHalftoneRegionSeg(
      error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
      return;
    }
@@ -220,38 +273,15 @@
    patternDict = (JBIG2PatternDict *)seg;
    bpp = 0;
    i = 1;
-@@ -2936,6 +2958,9 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef
+@@ -2887,6 +2919,11 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef
    JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
    int x, y, pix;
  
-+  if (w < 0 || h <= 0 || w >= INT_MAX / h)
++  if (w < 0 || h <= 0 || w >= INT_MAX / h) {
++    error(-1, "invalid width/height");
 +    return NULL;
++  }
 +
    bitmap = new JBIG2Bitmap(0, w, h);
    bitmap->clearToZero();
  
---- tetex-src-3.0/libs/xpdf/xpdf/Stream.cc.CVE-2005-3193
-+++ tetex-src-3.0/libs/xpdf/xpdf/Stream.cc
-@@ -1277,4 +1277,7 @@ CCITTFaxStream::CCITTFaxStream(Stream *s
-   endOfLine = endOfLineA;
-   byteAlign = byteAlignA;
-   columns = columnsA;
-+  if (columns + 3 < 1 || columns + 4 < 1 || columns < 1) {
-+    columns = 1;
-+  }
-   rows = rowsA;
-@@ -3066,12 +3066,12 @@ GBool DCTStream::readHuffmanTables() {
-   while (length > 0) {
-     index = str->getChar();
-     --length;
--    if ((index & 0x0f) >= 4) {
-+    if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
-       error(getPos(), "Bad DCT Huffman table");
-       return gFalse;
-     }
-     if (index & 0x10) {
--      index &= 0x0f;
-+      index &= 0x03;
-       if (index >= numACHuffTables)
- 	numACHuffTables = index+1;
-       tbl = &acHuffTables[index];

tetex-3.0-texmfcnf.patch:
 texmf.in-teTeX |   24 ++++++++++++++++++------
 1 files changed, 18 insertions(+), 6 deletions(-)

Index: tetex-3.0-texmfcnf.patch
===================================================================
RCS file: /cvs/dist/rpms/tetex/devel/tetex-3.0-texmfcnf.patch,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- tetex-3.0-texmfcnf.patch	22 Nov 2005 14:50:04 -0000	1.3
+++ tetex-3.0-texmfcnf.patch	11 Jan 2006 14:41:32 -0000	1.4
@@ -1,5 +1,5 @@
---- tetex-src-3.0/texk/kpathsea/texmf.in-teTeX.texmfcnf	2005-02-06 09:04:35.000000000 +0900
-+++ tetex-src-3.0/texk/kpathsea/texmf.in-teTeX	2005-02-08 18:27:28.232751576 +0900
+--- tetex-src-3.0/texk/kpathsea/texmf.in-teTeX.texmfcnf	2005-02-06 01:04:35.000000000 +0100
++++ tetex-src-3.0/texk/kpathsea/texmf.in-teTeX	2006-01-11 15:28:24.000000000 +0100
 @@ -64,7 +64,7 @@
  % A place for local additions to a "standard" texmf tree.
  % This tree is not used for local configuration maintained by
@@ -9,6 +9,15 @@
  
  % TEXMFSYSVAR, where texconfig-sys stores variable runtime data.
  % With teTeX-3.0 or later, this must be set.
+@@ -111,7 +111,7 @@
+ %
+ % For texconfig to work properly, TEXMFCONGIG and TEXMFVAR should be named
+ % explicitly and before all other trees.
+-TEXMF = {!!$TEXMFCONFIG,!!$TEXMFVAR,$TEXMFHOME,!!$TEXMFSYSCONFIG,!!$TEXMFSYSVAR,!!$TEXMFMAIN,!!$TEXMFLOCAL,!!$TEXMFDIST}
++TEXMF = {!!$TEXMFCONFIG,!!$TEXMFVAR,$TEXMFHOME,!!$TEXMFSYSCONFIG,!!$TEXMFSYSVAR,!!$TEXMFLOCAL,!!$TEXMFMAIN,!!$TEXMFDIST}
+ 
+ % The system trees.  These are the trees that are shared by all the users.
+ SYSTEXMF = $TEXMFLOCAL;$TEXMFMAIN;$TEXMFDIST
 @@ -208,6 +208,10 @@
  TEXINPUTS.pdftexinfo = .;$TEXMF/tex/{texinfo,plain,generic,}//
  TEXINPUTS.pdfamstex = .;$TEXMF/tex/{amstex,plain,generic,}//


Index: tetex.spec
===================================================================
RCS file: /cvs/dist/rpms/tetex/devel/tetex.spec,v
retrieving revision 1.78
retrieving revision 1.79
diff -u -r1.78 -r1.79
--- tetex.spec	29 Dec 2005 16:30:52 -0000	1.78
+++ tetex.spec	11 Jan 2006 14:41:32 -0000	1.79
@@ -11,7 +11,7 @@
 Summary: The TeX text formatting system.
 Name: tetex
 Version: 3.0
-Release: 13
+Release: 14
 License: distributable
 Group: Applications/Publishing
 Requires: tmpwatch, dialog, ed
@@ -640,13 +640,14 @@
 grep -v "/doc/" filelist.full | grep afm 	> filelist.afm
 
 grep "/doc/" filelist.full 			> filelist.doc
-echo "%attr(-,root,root) %dir %{_datadir}/texmf/doc" >> filelist.doc
 
 # now files listed only once are in the tex package
 cat filelist.full filelist.latex filelist.xdvi filelist.dvips \
    filelist.afm filelist.fonts filelist.doc | \
    sort | uniq -u > filelist.tex
 
+echo "%attr(-,root,root) %dir %{_datadir}/texmf/doc" >> filelist.tex
+
 # desktop entry things
 cat > xdvi.desktop <<EOF
 [Desktop Entry]
@@ -788,6 +789,13 @@
 %defattr(-,root,root)
 
 %changelog
+* Mon Jan 11 2006 Jindrich Novy <jnovy redhat com> 3.0-14
+- apply additional patch to fix xpdf flaws from Ludwig Nussel
+  (CVE-2005-3191, CVE-2005-3192 and CVE-2005-3193) (#177128)
+- /usr/share/texmf/doc is now owned by tetex package (#177065)
+- update searching order for kpathsea (local texmf tree is 
+  searched first)
+
 * Thu Dec 29 2005 Jindrich Novy <jnovy redhat com> 3.0-13
 - update package descriptions
 - don't use obsolete bindings in texdoc


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]