rpms/tetex/devel tetex-3.0-CVE-2005-3193.patch, 1.2, 1.3 tetex-3.0-texmfcnf.patch, 1.3, 1.4 tetex.spec, 1.78, 1.79

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Jan 11 14:41:36 UTC 2006


Author: jnovy

Update of /cvs/dist/rpms/tetex/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv3640

Modified Files:
	tetex-3.0-CVE-2005-3193.patch tetex-3.0-texmfcnf.patch 
	tetex.spec 
Log Message:
* Mon Jan 11 2006 Jindrich Novy <jnovy at redhat.com> 3.0-14
- apply additional patch to fix xpdf flaws from Ludwig Nussel
  (CVE-2005-3191, CVE-2005-3192 and CVE-2005-3193) (#177128)
- /usr/share/texmf/doc is now owned by tetex package (#177065)
- update searching order for kpathsea (local texmf tree is
  searched first)


tetex-3.0-CVE-2005-3193.patch:
 JBIG2Stream.cc |   45 +++++++++++++++++++++++++++++++++++++++++----
 JPXStream.cc   |   18 +++++++++++++++---
 Stream.cc      |   49 +++++++++++++++++++++++++++++++++++++++++++++++--
 Stream.h       |    3 +++
 4 files changed, 106 insertions(+), 9 deletions(-)

Index: tetex-3.0-CVE-2005-3193.patch
===================================================================
RCS file: /cvs/dist/rpms/tetex/devel/tetex-3.0-CVE-2005-3193.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- tetex-3.0-CVE-2005-3193.patch	20 Dec 2005 10:12:04 -0000	1.2
+++ tetex-3.0-CVE-2005-3193.patch	11 Jan 2006 14:41:32 -0000	1.3
@@ -1,5 +1,5 @@
---- tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc.CVE-2005-3193
-+++ tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc
+--- tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc.CVE-2005-3193	2004-01-22 02:26:45.000000000 +0100
++++ tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc	2006-01-09 15:15:27.000000000 +0100
 @@ -7,6 +7,7 @@
  //========================================================================
  
@@ -8,7 +8,7 @@
  
  #ifdef USE_GCC_PRAGMAS
  #pragma implementation
-@@ -666,7 +667,7 @@
+@@ -666,7 +667,7 @@ GBool JPXStream::readCodestream(Guint le
    int segType;
    GBool haveSIZ, haveCOD, haveQCD, haveSOT;
    Guint precinctSize, style;
@@ -17,7 +17,7 @@
  
    //----- main header
    haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
-@@ -701,8 +702,19 @@
+@@ -701,8 +702,19 @@ GBool JPXStream::readCodestream(Guint le
  	            / img.xTileSize;
        img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
  	            / img.yTileSize;
@@ -39,11 +39,9 @@
        for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
  	img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
  							sizeof(JPXTileComp));
-only in patch2:
-unchanged:
---- tetex-src-3.0/libs/xpdf/xpdf/Stream.h.CVE-2005-3193
-+++ tetex-src-3.0/libs/xpdf/xpdf/Stream.h
-@@ -233,6 +233,8 @@
+--- tetex-src-3.0/libs/xpdf/xpdf/Stream.h.CVE-2005-3193	2004-01-22 02:26:45.000000000 +0100
++++ tetex-src-3.0/libs/xpdf/xpdf/Stream.h	2006-01-09 15:15:27.000000000 +0100
+@@ -233,6 +233,8 @@ public:
  
    ~StreamPredictor();
  
@@ -52,7 +50,7 @@
    int lookChar();
    int getChar();
  
-@@ -250,6 +252,7 @@
+@@ -250,6 +252,7 @@ private:
    int rowBytes;			// bytes per line
    Guchar *predLine;		// line buffer
    int predIdx;			// current index in predLine
@@ -60,10 +58,8 @@
  };
  
  //------------------------------------------------------------------------
-only in patch2:
-unchanged:
---- tetex-src-3.0/libs/xpdf/xpdf/Stream.cc.CVE-2005-3193
-+++ tetex-src-3.0/libs/xpdf/xpdf/Stream.cc
+--- tetex-src-3.0/libs/xpdf/xpdf/Stream.cc.CVE-2005-3193	2004-01-22 02:26:45.000000000 +0100
++++ tetex-src-3.0/libs/xpdf/xpdf/Stream.cc	2006-01-09 15:15:27.000000000 +0100
 @@ -15,6 +15,7 @@
  #include <stdio.h>
  #include <stdlib.h>
@@ -72,7 +68,7 @@
  #ifndef WIN32
  #include <unistd.h>
  #endif
-@@ -412,13 +413,28 @@
+@@ -412,13 +413,28 @@ StreamPredictor::StreamPredictor(Stream 
    width = widthA;
    nComps = nCompsA;
    nBits = nBitsA;
@@ -101,7 +97,7 @@
  }
  
  StreamPredictor::~StreamPredictor() {
-@@ -1012,6 +1028,10 @@
+@@ -1012,6 +1028,10 @@ LZWStream::LZWStream(Stream *strA, int p
      FilterStream(strA) {
    if (predictor != 1) {
      pred = new StreamPredictor(this, predictor, columns, colors, bits);
@@ -112,40 +108,81 @@
    } else {
      pred = NULL;
    }
-@@ -2897,6 +2917,10 @@
+@@ -1260,6 +1280,10 @@ CCITTFaxStream::CCITTFaxStream(Stream *s
+   endOfLine = endOfLineA;
+   byteAlign = byteAlignA;
+   columns = columnsA;
++  if (columns < 1 || columns >= INT_MAX / sizeof(short)) {
++    error(-1, "invalid number of columns: %d", columns);
++    exit(1);
++  }
+   rows = rowsA;
+   endOfBlock = endOfBlockA;
+   black = blackA;
+@@ -2897,6 +2921,11 @@ GBool DCTStream::readBaselineSOF() {
    height = read16();
    width = read16();
    numComps = str->getChar();
 +  if (numComps <= 0 || numComps > 4) {
-+    error(getPos(), "Bad number of components in DCT stream", prec);
++    numComps = 0;
++    error(getPos(), "Bad number of components in DCT stream");
 +    return gFalse;
 +  }
    if (prec != 8) {
      error(getPos(), "Bad DCT precision %d", prec);
      return gFalse;
-@@ -2923,6 +2947,10 @@
+@@ -2923,6 +2952,11 @@ GBool DCTStream::readProgressiveSOF() {
    height = read16();
    width = read16();
    numComps = str->getChar();
 +  if (numComps <= 0 || numComps > 4) {
-+    error(getPos(), "Bad number of components in DCT stream", prec);
++    numComps = 0;
++    error(getPos(), "Bad number of components in DCT stream");
 +    return gFalse;
 +  }
    if (prec != 8) {
      error(getPos(), "Bad DCT precision %d", prec);
      return gFalse;
-@@ -2945,6 +2973,10 @@
+@@ -2945,6 +2979,11 @@ GBool DCTStream::readScanInfo() {
  
    length = read16() - 2;
    scanInfo.numComps = str->getChar();
 +  if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
++    scanInfo.numComps = 0;
 +    error(getPos(), "Bad number of components in DCT stream");
 +    return gFalse;
 +  }
    --length;
    if (length != 2 * scanInfo.numComps + 3) {
      error(getPos(), "Bad DCT scan info block");
-@@ -3255,6 +3287,10 @@
+@@ -3019,12 +3058,12 @@ GBool DCTStream::readHuffmanTables() {
+   while (length > 0) {
+     index = str->getChar();
+     --length;
+-    if ((index & 0x0f) >= 4) {
++    if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
+       error(getPos(), "Bad DCT Huffman table");
+       return gFalse;
+     }
+     if (index & 0x10) {
+-      index &= 0x0f;
++      index &= 0x03;
+       if (index >= numACHuffTables)
+ 	numACHuffTables = index+1;
+       tbl = &acHuffTables[index];
+@@ -3142,9 +3181,11 @@ int DCTStream::readMarker() {
+   do {
+     do {
+       c = str->getChar();
++      if(c == EOF) return EOF;
+     } while (c != 0xff);
+     do {
+       c = str->getChar();
++      if(c == EOF) return EOF;
+     } while (c == 0xff);
+   } while (c == 0x00);
+   return c;
+@@ -3255,6 +3296,10 @@ FlateStream::FlateStream(Stream *strA, i
      FilterStream(strA) {
    if (predictor != 1) {
      pred = new StreamPredictor(this, predictor, columns, colors, bits);
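Review bot: The new `columns` check in the CCITTFaxStream constructor calls `exit(1)`, so one malformed stream ends the whole process that embeds this code, whereas the DCT checks in the same hunk report the error and return gFalse. If aborting is intended because a constructor cannot return failure, a comment should say so, e.g. `// constructor cannot report failure; abort on an unusable column count`. The bound `INT_MAX / sizeof(short)` is evaluated as an unsigned size_t, so the comparison is only safe because `columns < 1` is tested first. It also leaves no headroom for constants added to `columns` before the multiplication; the check this replaces guarded `columns + 3` and `columns + 4`, and the allocations themselves are outside the hunk. Something like `columns >= INT_MAX / (int)sizeof(short) - 4` would cover both, to be confirmed against the allocation code.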
@@ -156,8 +193,8 @@
    } else {
      pred = NULL;
    }
---- tetex-src-3.0/libs/xpdf/xpdf/JBIG2Stream.cc.CVE-2005-3193
-+++ tetex-src-3.0/libs/xpdf/xpdf/JBIG2Stream.cc
+--- tetex-src-3.0/libs/xpdf/xpdf/JBIG2Stream.cc.CVE-2005-3193	2004-01-22 02:26:45.000000000 +0100
++++ tetex-src-3.0/libs/xpdf/xpdf/JBIG2Stream.cc	2006-01-09 15:15:27.000000000 +0100
 @@ -7,6 +7,7 @@
  //========================================================================
  
@@ -166,45 +203,61 @@
  
  #ifdef USE_GCC_PRAGMAS
  #pragma implementation
-@@ -681,7 +682,15 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, 
+@@ -681,7 +682,16 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, 
    w = wA;
    h = hA;
    line = (wA + 7) >> 3;
 -  data = (Guchar *)gmalloc(h * line);
 +
-+  if (h < 0 || line <= 0 || h >= INT_MAX / line) {
++  if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
++    error(-1, "invalid width/height");
 +    data = NULL;
++    return;
 +  }
-+  else {
-+    // need to allocate one extra guard byte for use in combine()
-+    data = (Guchar *)gmalloc(h * line + 1);
-+    data[h * line] = 0;
-+  }
++
++  // need to allocate one extra guard byte for use in combine()
++  data = (Guchar *)gmalloc(h * line + 1);
++  data[h * line] = 0;
  }
  
  JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
-@@ -692,5 +699,11 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, 
+@@ -690,8 +700,17 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, 
    w = bitmap->w;
    h = bitmap->h;
    line = bitmap->line;
+-  data = (Guchar *)gmalloc(h * line);
 +
-+  if (h < 0 || line <= 0 || h >= INT_MAX / line) {
++  if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
++    error(-1, "invalid width/height");
 +    data = NULL;
 +    return;
 +  }
-+ 
-   data = (Guchar *)gmalloc(h * line);
++
++  // need to allocate one extra guard byte for use in combine()
++  data = (Guchar *)gmalloc(h * line + 1);
    memcpy(data, bitmap->data, h * line);
-@@ -720,7 +733,7 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint
++  data[h * line] = 0;
+ }
+ 
+ JBIG2Bitmap::~JBIG2Bitmap() {
+@@ -716,10 +735,14 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint
  }
  
  void JBIG2Bitmap::expand(int newH, Guint pixel) {
 -  if (newH <= h) {
-+  if (newH <= h || line <= 0 || newH >= INT_MAX / line) {
++  if (newH <= h || line <= 0 || newH >= (INT_MAX - 1) / line) {
++    error(-1, "invalid width/height");
++    gfree(data);
++    data = NULL;
      return;
    }
-   // need to allocate one extra guard byte for use in combine()
-@@ -2305,6 +2318,15 @@ void JBIG2Stream::readHalftoneRegionSeg(
+-  data = (Guchar *)grealloc(data, newH * line);
++  // need to allocate one extra guard byte for use in combine()
++  data = (Guchar *)grealloc(data, newH * line + 1);
+   if (pixel) {
+     memset(data + h * line, 0xff, (newH - h) * line);
+   } else {
+@@ -2256,6 +2279,15 @@ void JBIG2Stream::readHalftoneRegionSeg(
      error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
      return;
    }
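Review bot: In JBIG2Bitmap::expand the harmless `newH <= h` case now shares a branch with the overflow case, so a call that needs no growth logs "invalid width/height", frees `data` and sets it to NULL while `h` and `line` keep their old, valid values. Any later code that trusts `h` and `line`, such as the `memcpy(data, bitmap->data, h * line)` in the copy constructor in this same hunk, would then read through a NULL pointer. Keep the no-op separate with `if (newH <= h) return;` ahead of the check, and reduce the error condition to `if (line <= 0 || newH >= (INT_MAX - 1) / line) {`. The body of expand() continues past the end of the hunk.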
@@ -220,38 +273,15 @@
    patternDict = (JBIG2PatternDict *)seg;
    bpp = 0;
    i = 1;
-@@ -2936,6 +2958,9 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef
+@@ -2887,6 +2919,11 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef
    JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
    int x, y, pix;
  
-+  if (w < 0 || h <= 0 || w >= INT_MAX / h)
++  if (w < 0 || h <= 0 || w >= INT_MAX / h) {
++    error(-1, "invalid width/height");
 +    return NULL;
++  }
 +
    bitmap = new JBIG2Bitmap(0, w, h);
    bitmap->clearToZero();
  
---- tetex-src-3.0/libs/xpdf/xpdf/Stream.cc.CVE-2005-3193
-+++ tetex-src-3.0/libs/xpdf/xpdf/Stream.cc
-@@ -1277,4 +1277,7 @@ CCITTFaxStream::CCITTFaxStream(Stream *s
-   endOfLine = endOfLineA;
-   byteAlign = byteAlignA;
-   columns = columnsA;
-+  if (columns + 3 < 1 || columns + 4 < 1 || columns < 1) {
-+    columns = 1;
-+  }
-   rows = rowsA;
-@@ -3066,12 +3066,12 @@ GBool DCTStream::readHuffmanTables() {
-   while (length > 0) {
-     index = str->getChar();
-     --length;
--    if ((index & 0x0f) >= 4) {
-+    if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
-       error(getPos(), "Bad DCT Huffman table");
-       return gFalse;
-     }
-     if (index & 0x10) {
--      index &= 0x0f;
-+      index &= 0x03;
-       if (index >= numACHuffTables)
- 	numACHuffTables = index+1;
-       tbl = &acHuffTables[index];
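Review bot: The guard added to readGenericRefinementRegion lets `w == 0` through (`w < 0`), but the JBIG2Bitmap constructor patched earlier in this file computes `line = (wA + 7) >> 3` and treats `line <= 0` as invalid, leaving `data` NULL; the next line here then calls `bitmap->clearToZero()` on that object. The same path is reachable for `w` within 7 of INT_MAX with `h == 1`, where `wA + 7` overflows (assuming the constructor takes `int`, which the truncated hunk header does not show). Tightening the guard to `if (w <= 0 || w > INT_MAX - 7 || h <= 0 || w >= INT_MAX / h) {` keeps the two checks in agreement; alternatively, test the constructed bitmap before using it. The function starts and ends outside the hunk.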

tetex-3.0-texmfcnf.patch:
 texmf.in-teTeX |   24 ++++++++++++++++++------
 1 files changed, 18 insertions(+), 6 deletions(-)

Index: tetex-3.0-texmfcnf.patch
===================================================================
RCS file: /cvs/dist/rpms/tetex/devel/tetex-3.0-texmfcnf.patch,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- tetex-3.0-texmfcnf.patch	22 Nov 2005 14:50:04 -0000	1.3
+++ tetex-3.0-texmfcnf.patch	11 Jan 2006 14:41:32 -0000	1.4
@@ -1,5 +1,5 @@
---- tetex-src-3.0/texk/kpathsea/texmf.in-teTeX.texmfcnf	2005-02-06 09:04:35.000000000 +0900
-+++ tetex-src-3.0/texk/kpathsea/texmf.in-teTeX	2005-02-08 18:27:28.232751576 +0900
+--- tetex-src-3.0/texk/kpathsea/texmf.in-teTeX.texmfcnf	2005-02-06 01:04:35.000000000 +0100
++++ tetex-src-3.0/texk/kpathsea/texmf.in-teTeX	2006-01-11 15:28:24.000000000 +0100
 @@ -64,7 +64,7 @@
  % A place for local additions to a "standard" texmf tree.
  % This tree is not used for local configuration maintained by
@@ -9,6 +9,15 @@
  
  % TEXMFSYSVAR, where texconfig-sys stores variable runtime data.
  % With teTeX-3.0 or later, this must be set.
+@@ -111,7 +111,7 @@
+ %
+ % For texconfig to work properly, TEXMFCONGIG and TEXMFVAR should be named
+ % explicitly and before all other trees.
+-TEXMF = {!!$TEXMFCONFIG,!!$TEXMFVAR,$TEXMFHOME,!!$TEXMFSYSCONFIG,!!$TEXMFSYSVAR,!!$TEXMFMAIN,!!$TEXMFLOCAL,!!$TEXMFDIST}
++TEXMF = {!!$TEXMFCONFIG,!!$TEXMFVAR,$TEXMFHOME,!!$TEXMFSYSCONFIG,!!$TEXMFSYSVAR,!!$TEXMFLOCAL,!!$TEXMFMAIN,!!$TEXMFDIST}
+ 
+ % The system trees.  These are the trees that are shared by all the users.
+ SYSTEXMF = $TEXMFLOCAL;$TEXMFMAIN;$TEXMFDIST
 @@ -208,6 +208,10 @@
  TEXINPUTS.pdftexinfo = .;$TEXMF/tex/{texinfo,plain,generic,}//
  TEXINPUTS.pdfamstex = .;$TEXMF/tex/{amstex,plain,generic,}//
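Review bot: Moving `!!$TEXMFLOCAL` ahead of `!!$TEXMFMAIN` means any file in the local tree now shadows the distribution's copy of the same name, yet the comment above the `TEXMF` line only explains the position of TEXMFCONFIG and TEXMFVAR. A line such as `% TEXMFLOCAL precedes TEXMFMAIN so that site-local files override the distribution; keep the local tree writable by root only.` would record both the intent and the permission expectation. The new order matches the `SYSTEXMF` definition a few lines below.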


Index: tetex.spec
===================================================================
RCS file: /cvs/dist/rpms/tetex/devel/tetex.spec,v
retrieving revision 1.78
retrieving revision 1.79
diff -u -r1.78 -r1.79
--- tetex.spec	29 Dec 2005 16:30:52 -0000	1.78
+++ tetex.spec	11 Jan 2006 14:41:32 -0000	1.79
@@ -11,7 +11,7 @@
 Summary: The TeX text formatting system.
 Name: tetex
 Version: 3.0
-Release: 13
+Release: 14
 License: distributable
 Group: Applications/Publishing
 Requires: tmpwatch, dialog, ed
@@ -640,13 +640,14 @@
 grep -v "/doc/" filelist.full | grep afm 	> filelist.afm
 
 grep "/doc/" filelist.full 			> filelist.doc
-echo "%attr(-,root,root) %dir %{_datadir}/texmf/doc" >> filelist.doc
 
 # now files listed only once are in the tex package
 cat filelist.full filelist.latex filelist.xdvi filelist.dvips \
    filelist.afm filelist.fonts filelist.doc | \
    sort | uniq -u > filelist.tex
 
+echo "%attr(-,root,root) %dir %{_datadir}/texmf/doc" >> filelist.tex
+
 # desktop entry things
 cat > xdvi.desktop <<EOF
 [Desktop Entry]
@@ -788,6 +789,13 @@
 %defattr(-,root,root)
 
 %changelog
+* Mon Jan 11 2006 Jindrich Novy <jnovy at redhat.com> 3.0-14
+- apply additional patch to fix xpdf flaws from Ludwig Nussel
+  (CVE-2005-3191, CVE-2005-3192 and CVE-2005-3193) (#177128)
+- /usr/share/texmf/doc is now owned by tetex package (#177065)
+- update searching order for kpathsea (local texmf tree is 
+  searched first)
+
 * Thu Dec 29 2005 Jindrich Novy <jnovy at redhat.com> 3.0-13
 - update package descriptions
 - don't use obsolete bindings in texdoc



