From 23f22f86e0f169333f53bd49c9985437e7257649 Mon Sep 17 00:00:00 2001 From: Petr Písař Date: Jan 04 2013 12:57:43 +0000 Subject: Fix CVE-2012-6090 --- diff --git a/pl-5.10.2-CVE-2012-6090.patch b/pl-5.10.2-CVE-2012-6090.patch new file mode 100644 index 0000000..1fc0210 --- /dev/null +++ b/pl-5.10.2-CVE-2012-6090.patch 
@@ -0,0 +1,119 @@ +From 212e2fcac834dec25a4fa0f4fd4652bfd19cdeea Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= +Date: Fri, 4 Jan 2013 13:35:27 +0100 +Subject: [PATCH 2/2] Fix CVE-2012-6090 + +Upstream fix ported to 5.10.2: + +From b2c88972e7515ada025e97e7d3ce3e34f81cf33e Mon Sep 17 00:00:00 2001 +From: Jan Wielemaker +Date: Sun, 16 Dec 2012 17:29:37 +0100 +Subject: [PATCH] SECURITY: Possible buffer overflows when expanding + file-names with long paths. Affects expand_file_name/2. + +Can lead to crashes (DoS attacks) and possibly execution of arbitrary +code if an attacker can control the names of the files searched for, +e.g., if expand_file_name/2 is used in a directory to which an attacker +can upload files for which he can control the name. +--- + src/pl-glob.c | 46 ++++++++++++++++++++++++++++------------------ + 1 file changed, 28 insertions(+), 18 deletions(-) + +diff --git a/src/pl-glob.c b/src/pl-glob.c +index 417a69c..1fad6ca 100644 +--- a/src/pl-glob.c ++++ b/src/pl-glob.c +@@ -423,6 +423,7 @@ expand(const char *pattern, GlobInfo info) + compiled_pattern cbuf; + char prefix[MAXPATHLEN]; /* before first pattern */ + char patbuf[MAXPATHLEN]; /* pattern buffer */ ++ size_t prefix_len; + int end, dot; + + initBuffer(&info->files); +@@ -441,20 +442,25 @@ expand(const char *pattern, GlobInfo info) + switch( (c=*s++) ) + { case EOS: + if ( s > pat ) /* something left and expanded */ +- { un_escape(prefix, pat, s); ++ { size_t prefix_len; ++ ++ un_escape(prefix, pat, s); ++ prefix_len = strlen(prefix); + + end = info->end; + for( ; info->start < end; info->start++ ) + { char path[MAXPATHLEN]; +- size_t plen; +- +- strcpy(path, expand_entry(info, info->start)); +- plen = strlen(path); +- if ( prefix[0] && plen > 0 && path[plen-1] != '/' ) +- path[plen++] = '/'; +- strcpy(&path[plen], prefix); +- if ( end == 1 || AccessFile(path, ACCESS_EXIST) ) +- add_path(path, info); ++ const char *entry = expand_entry(info, info->start); ++ size_t plen = 
strlen(entry); ++ ++ if ( plen+prefix_len+2 <= MAXPATHLEN ) ++ { strcpy(path, entry); ++ if ( prefix[0] && plen > 0 && path[plen-1] != '/' ) ++ path[plen++] = '/'; ++ strcpy(&path[plen], prefix); ++ if ( end == 1 || AccessFile(path, ACCESS_EXIST) ) ++ add_path(path, info); ++ } + } + } + succeed; +@@ -489,8 +495,9 @@ expand(const char *pattern, GlobInfo info) + */ + un_escape(prefix, pat, head); + un_escape(patbuf, head, tail); ++ prefix_len = strlen(prefix); + +- if ( !compilePattern(patbuf, &cbuf) ) /* syntax error */ ++ if ( !compilePattern(patbuf, &cbuf) ) /* syntax error */ + fail; + dot = (patbuf[0] == '.'); /* do dots as well */ + +@@ -502,12 +509,16 @@ expand(const char *pattern, GlobInfo info) + char path[MAXPATHLEN]; + char tmp[MAXPATHLEN]; + const char *current = expand_entry(info, info->start); ++ size_t clen = strlen(current); ++ ++ if ( clen+prefix_len+1 > sizeof(path) ) ++ continue; + + strcpy(path, current); +- strcat(path, prefix); ++ strcpy(&path[clen], prefix); + + if ( (d=opendir(path[0] ? OsPath(path, tmp) : ".")) ) +- { size_t plen = strlen(path); ++ { size_t plen = clen+prefix_len; + + if ( plen > 0 && path[plen-1] != '/' ) + path[plen++] = '/'; +@@ -521,12 +532,11 @@ expand(const char *pattern, GlobInfo info) + matchPattern(e->d_name, &cbuf) ) + { char newp[MAXPATHLEN]; + +- strcpy(newp, path); +- strcpy(&newp[plen], e->d_name); +-/* if ( !tail[0] || ExistsDirectory(newp) ) +- Saves memory, but involves one more file-access +-*/ ++ if ( plen+strlen(e->d_name)+1 < sizeof(newp) ) ++ { strcpy(newp, path); ++ strcpy(&newp[plen], e->d_name); + add_path(newp, info); ++ } + } + } + closedir(d); +-- +1.7.11.7 + diff --git a/pl.spec b/pl.spec index bf8e962..ae7c3fa 100644 --- a/pl.spec +++ b/pl.spec 
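Review bot: After `path[plen++] = '/';` at the end of the second hunk, `path` is no longer NUL-terminated at `plen` (the slash overwrote the terminator written by `strcpy(&path[clen], prefix)`), yet the third hunk's `strcpy(newp, path)` still copies `path` as a C string, so it reads whatever stack bytes follow index `plen` and can run past the end of `newp` before the second `strcpy` overwrites the tail; the new `plen+strlen(e->d_name)+1 < sizeof(newp)` check does not bound that first copy. Unless the lines omitted between the second and third hunks re-terminate `path`, I would copy only the known-good prefix: `memcpy(newp, path, plen); strcpy(&newp[plen], e->d_name);`. The pre-patch code had the same dependency, so this is a latent issue the commit leaves in place rather than a regression. As a point of style, the block-local `size_t prefix_len;` added inside the EOS case shadows the function-scope `prefix_len` the same patch adds at the top of `expand()`; dropping the inner declaration and assigning to the outer variable avoids a -Wshadow warning and two variables with one meaning. `expand()` begins and ends outside the hunks shown.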
@@ -40,6 +40,8 @@ Patch9: xpce-5.10.5-SECURITY-Bug-9-Loading-incomplete-GIF-files-causes-a.pat Patch10: xpce-5.10.5-SECURITY-Make-sure-all-pixels-are-within-the-allocat.patch # Fix CVE-2012-6089, in upstream 6.2.5, rhbz#891666 Patch11: %{name}-5.10.2-CVE-2012-6089.patch +# Fix CVE-2012-6090, in upstream 6.2.5, bug #891666 +Patch12: %{name}-5.10.2-CVE-2012-6090.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) # Base @@ -159,6 +161,7 @@ cd packages/xpce %patch10 -p1 -b .validate_pixel_color ) %patch11 -p1 -b .CVE-2012-6089 +%patch12 -p1 -b .CVE-2012-6090 ( cd src autoconf @@ -344,6 +347,8 @@ rm -rf $RPM_BUILD_ROOT %changelog * Fri Jan 04 2013 Petr Pisar - 5.10.2-9 - Fix CVE-2012-6089 (buffer overflows in path canonisation code) (bug #891666) +- Fix CVE-2012-6090 (buffer overflows when expanding file-names with long + paths) (bug #891666) * Thu Mar 08 2012 Petr Pisar - 5.10.2-8 - Fix JPL interface (bug #590499)