rpms/tetex/FC-6 tetex-3.0-CVE-2007-3387.patch, NONE, 1.1 tetex.spec, 1.104, 1.105 tetex-3.0-mktexlsrfix.patch, 1.1, NONE

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Fri Aug 10 12:59:19 UTC 2007


Author: jnovy

Update of /cvs/dist/rpms/tetex/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv15739

Modified Files:
	tetex.spec 
Added Files:
	tetex-3.0-CVE-2007-3387.patch 
Removed Files:
	tetex-3.0-mktexlsrfix.patch 
Log Message:
- backport upstream fix for xpdf integer overflow CVE-2007-3387 (#251515)
- don't mess up file contexts while running texhash (#235032)


tetex-3.0-CVE-2007-3387.patch:
 Stream.cc |    9 +++++++++
 1 files changed, 9 insertions(+)

--- NEW FILE tetex-3.0-CVE-2007-3387.patch ---
--- tetex-src-3.0/libs/xpdf/xpdf/Stream.cc.CVE-2007-3387	2007-07-26 17:13:02.000000000 +0200
+++ tetex-src-3.0/libs/xpdf/xpdf/Stream.cc	2007-07-26 17:21:58.000000000 +0200
@@ -15,6 +15,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <stddef.h>
+#include <limits.h>
 #ifndef WIN32
 #include <unistd.h>
 #endif
@@ -32,6 +33,7 @@
 #include "JBIG2Stream.h"
 #include "JPXStream.h"
 #include "Stream-CCITT.h"
+#include "GfxState.h"
 
 #ifdef __DJGPP__
 static GBool setDJSYSFLAGS = gFalse;
@@ -429,6 +431,13 @@ StreamPredictor::StreamPredictor(Stream 
   if (rowBytes < 0) {
     return;
   }
+  if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+      nComps > gfxColorMaxComps ||
+      nBits > 16 ||
+      width >= INT_MAX / nComps ||      // check for overflow in nVals 
+      nVals >= (INT_MAX - 7) / nBits) { // check for overflow in rowBytes
+    return;
+  }
   predLine = (Guchar *)gmalloc(rowBytes);
   memset(predLine, 0, rowBytes);
   predIdx = rowBytes;
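Review bot: The added guard in StreamPredictor::StreamPredictor reads `nVals` and sits after the existing `rowBytes < 0` test, so the signed products it protects appear to have been computed before any validation (the assignments are above the hunk, so this is inferred). Signed overflow in those products is undefined behaviour, and the guard only limits what reaches `gmalloc(rowBytes)` and `memset` afterwards. Consider testing `width`, `nComps`, `nBits` and `width >= INT_MAX / nComps` before the multiplication, and keeping only `nVals >= (INT_MAX - 7) / nBits` after `nVals` is assigned. The early `return` also leaves `predLine` unallocated with no failure signal visible in these lines; a comment such as `// predLine not allocated: the predictor must not be read from on this path` would record that contract. The constructor body starts and ends outside the hunk.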


Index: tetex.spec
===================================================================
RCS file: /cvs/dist/rpms/tetex/FC-6/tetex.spec,v
retrieving revision 1.104
retrieving revision 1.105
diff -u -r1.104 -r1.105
--- tetex.spec	11 Apr 2007 10:33:05 -0000	1.104
+++ tetex.spec	10 Aug 2007 12:59:16 -0000	1.105
@@ -11,7 +11,7 @@
 Summary: The TeX text formatting system.
 Name: tetex
 Version: 3.0
-Release: 34%{?dist}
+Release: 35%{?dist}
 License: distributable
 Group: Applications/Publishing
 Requires: tmpwatch, dialog, ed
@@ -88,8 +88,8 @@
 Patch21: tetex-3.0-dvipdfm.patch
 Patch22: tetex-3.0-selinux.patch
 Patch23: tetex-3.0-footfix.patch
-Patch24: tetex-3.0-mktexlsrfix.patch
-Patch25: tetex-3.0-CVE-2007-0650.patch
+Patch24: tetex-3.0-CVE-2007-0650.patch
+Patch25: tetex-3.0-CVE-2007-3387.patch
 
 ######
 # Japanization patches
@@ -309,10 +309,10 @@
 %patch22 -p1 -b .selinux
 # fix para option in footmisc package (#188701)
 %patch23 -p1 -b .footfix
-# don't inherit incorrect permissions for ls-R from parent directory (#220239)
-%patch24 -p1 -b .mktexlsrfix
 # fix a couple of string overflows in makeindex - CVE-2007-0650 (#225491)
-%patch25 -p1 -b .CVE-2007-0650
+%patch24 -p1 -b .CVE-2007-0650
+# fix xpdf integer overflow CVE-2007-3387 (#248194)
+%patch25 -p1 -b .CVE-2007-3387
 
 %if %{enable_japanese}
 mkdir texmf/ptex-texmf
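Review bot: The comment added above `%patch25` cites bug #248194, while the changelog entry and the commit log cite #251515 for the same CVE-2007-3387 fix. If both bugs apply, list both; otherwise make the comment match, e.g. `# fix xpdf integer overflow CVE-2007-3387 (#251515)`. The hunk also drops `%patch24 -p1 -b .mktexlsrfix` along with its #220239 comment, and only the changelog hints that the removal is for #235032. A one-line comment at this position saying the ls-R permission patch was removed and why would keep that reasoning next to the patch list.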
@@ -865,6 +865,10 @@
 %defattr(-,root,root)
 
 %changelog
+* Fri Aug 10 2007 Jindrich Novy <jnovy at redhat.com> 3.0-35
+- backport upstream fix for xpdf integer overflow CVE-2007-3387 (#251515)
+- don't mess up file contexts while running texhash (#235032)
+
 * Wed Apr 14 2007 Jindrich Novy <jnovy at redhat.com> 3.0-34
 - update nomencl package from CTAN (#234466)
 - texdoc now searches in $TEXDOCS instead of $TEXMF/doc (#232769)


--- tetex-3.0-mktexlsrfix.patch DELETED ---



