diff --git a/0001-wrestool-Fix-get_resource_id_quoted-to-return-heap-a.patch b/0001-wrestool-Fix-get_resource_id_quoted-to-return-heap-a.patch new file mode 100644 index 0000000..3879a1f --- /dev/null +++ b/0001-wrestool-Fix-get_resource_id_quoted-to-return-heap-a.patch @@ -0,0 +1,86 @@ +From d72956a6de228c91d1fc48fd15448fadea9ab6cf Mon Sep 17 00:00:00 2001 +From: Frank Richter +Date: Sat, 10 Mar 2018 14:08:37 +0100 +Subject: [PATCH] wrestool: Fix get_resource_id_quoted() to return + heap-allocated string + +--- + NEWS | 4 ++++ + wrestool/restable.c | 21 +++++++++++++-------- + 2 files changed, 17 insertions(+), 8 deletions(-) + +diff --git a/NEWS b/NEWS +index 414bec4..086f8dc 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,3 +1,7 @@ ++2018-??-??: ++ wrestool: Fix get_resource_id_quoted() to return heap-allocated string. ++ Found by Jonathan Liu. ++ + 2018-03-07: icoutils 0.32.3 released. + Fixed a segfault. (Martin Gieseking, Savannah bug 52319) + Updated Gnulib stuff. +diff --git a/wrestool/restable.c b/wrestool/restable.c +index 0d47d94..4d99687 100644 +--- a/wrestool/restable.c ++++ b/wrestool/restable.c +@@ -23,6 +23,7 @@ + #define N_(s) gettext_noop(s) + #include "common/intutil.h" + #include "xalloc.h" /* Gnulib */ ++#include "xvasprintf.h" /* Gnulib */ + #include "minmax.h" /* Gnulib */ + #include "common/error.h" + #include "wrestool.h" +@@ -125,6 +126,7 @@ print_resources_callback (WinLibrary *fi, WinResource *wr, + const char *type, *offset; + int32_t id; + size_t size; ++ char *type_quoted, *name_quoted, *lang_quoted; + + /* get named resource type if possible */ + type = NULL; +@@ -136,28 +138,31 @@ print_resources_callback (WinLibrary *fi, WinResource *wr, + if (offset == NULL) + return; + ++ type_quoted = get_resource_id_quoted(type_wr); ++ name_quoted = get_resource_id_quoted(name_wr); ++ lang_quoted = get_resource_id_quoted(lang_wr); + printf(_("--type=%s --name=%s%s%s [%s%s%soffset=0x%x size=%zu]\n"), +- get_resource_id_quoted(type_wr), +- get_resource_id_quoted(name_wr), ++ type_quoted, ++ name_quoted, + (lang_wr->id[0] != '\0' ? _(" --language=") : ""), +- get_resource_id_quoted(lang_wr), ++ lang_quoted, + (type != NULL ? "type=" : ""), + (type != NULL ? type : ""), + (type != NULL ? " " : ""), + (uint32_t) (offset - fi->memory), size); ++ free(type_quoted); ++ free(name_quoted); ++ free(lang_quoted); + } + + /* return the resource id quoted if it's a string, otherwise just return it */ + static char * + get_resource_id_quoted (WinResource *wr) + { +- static char tmp[WINRES_ID_MAXLEN+2]; +- + if (wr->numeric_id || wr->id[0] == '\0') +- return wr->id; ++ return xstrdup(wr->id); + +- sprintf(tmp, "'%s'", wr->id); +- return tmp; ++ return xasprintf("'%s'", wr->id); + } + + static bool +-- +2.13.2 + diff --git a/icoutils.spec b/icoutils.spec index 6cdd8da..d3997e6 100644 --- a/icoutils.spec +++ b/icoutils.spec @@ -7,6 +7,10 @@ License: GPLv3+ URL: http://www.nongnu.org/icoutils/ Source0: http://savannah.nongnu.org/download/%{name}/%{name}-%{version}.tar.bz2 +# Possible security fix, at minimum it's a DoS. +# Upstream commit d72956a6de228c91d1fc48fd15448fadea9ab6cf +Patch1: 0001-wrestool-Fix-get_resource_id_quoted-to-return-heap-a.patch + BuildRequires: autoconf BuildRequires: automake BuildRequires: gcc @@ -25,6 +29,8 @@ libraries. %prep %setup -q +%patch1 -p1 + autoreconf -i for f in AUTHORS NEWS; do @@ -53,6 +59,9 @@ make install DESTDIR=%{buildroot} %changelog +* Tue Mar 13 2018 Richard W.M. Jones - 0.32.3-2 +- Add upstream post-0.32.3 commit which appears to fix crash/DoS. + * Mon Mar 12 2018 Martin Gieseking - 0.32.3-1 - Updated to version 0.32.3. - Dropped patch to fix https://savannah.nongnu.org/bugs/?52319 (applied upstream)