diff --git a/30_figparserstack.patch b/30_figparserstack.patch
new file mode 100644
index 0000000..70d3912
--- /dev/null
+++ b/30_figparserstack.patch
@@ -0,0 +1,56 @@
+From: Hans de Goede
+Subject: Fix Stack-based buffer overflow by loading malformed .FIG files
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=543905
+Bug-Debian: http://bugs.debian.org/559274
+
+--- a/f_readold.c
++++ b/f_readold.c
+@@ -471,7 +471,7 @@
+ F_text *t;
+ int n;
+ int dum;
+- char buf[128];
++ char buf[512];
+ PR_SIZE tx_dim;
+ 
+ if ((t = create_text()) == NULL)
+@@ -485,22 +485,34 @@
+ t->pen_style = -1;
+ t->angle = 0.0;
+ t->next = NULL;
++ if (!fgets(buf, sizeof(buf), fp)) {
++ file_msg("Incomplete text data");
++ free((char *) t);
++ return (NULL);
++ }
++
++ /* Note using strlen(buf) here will waste a few bytes, as the
++ various text attributes are counted into this length too. */
++ if ((t->cstring = new_string(strlen(buf))) == NULL)
++ return (NULL);
++
+ /* ascent and length will be recalculated later */
+- n = fscanf(fp, " %d %d %d %d %d %d %d %[^\n]",
++ n = sscanf(buf, " %d %d %d %d %d %d %d %[^\n]",
+ &t->font, &dum, &dum, &t->ascent, &t->length,
+- &t->base_x, &t->base_y, buf);
++ &t->base_x, &t->base_y, t->cstring);
+ if (n != 8) {
+ file_msg("Incomplete text data");
++ free(t->cstring);
+ free((char *) t);
+ return (NULL);
+ }
+- if ((t->cstring = new_string(strlen(buf))) == NULL) {
++
++ if (!strlen(t->cstring)) {
++ free(t->cstring);
+ free((char *) t);
+ file_msg("Empty text string at line %d.", line_no);
+ return (NULL);
+ }
+- /* put string in structure */
+- strcpy(t->cstring, buf);
+ 
+ /* get the font struct */
+ t->zoom = zoomscale;
diff --git a/xfig.spec b/xfig.spec
index c2fbfd6..691792c 100644
--- a/xfig.spec
+++ b/xfig.spec
@@ -3,7 +3,7 @@
 Summary: An X Window System tool for drawing basic vector graphics
 Name: xfig
 Version: 3.2.5
-Release: 31.b%{?dist}
+Release: 32.b%{?dist}
 License: MIT
 Group: Applications/Multimedia
 URL: http://www.xfig.org/
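Review bot: The `new_string` failure exit added in the second hunk of the embedded patch, `if ((t->cstring = new_string(strlen(buf))) == NULL) return (NULL);`, leaks `t`, while every other error exit in this function frees it; make it `if ((t->cstring = new_string(strlen(buf))) == NULL) { free((char *) t); return (NULL); }`. A text record longer than `sizeof(buf) - 1` bytes is now silently truncated by `fgets` and its unread tail is then parsed as the start of the next record, so the rest of the file is misread without any message; rejecting the record when `strchr(buf, '\n') == NULL && !feof(fp)` would route that case through the same `file_msg("Incomplete text data")` path. The bound itself looks sound assuming `new_string(n)` allocates `n + 1` bytes, as the removed `strcpy(t->cstring, buf)` already relied on, because `%[^\n]` can only copy a substring of `buf` into `t->cstring`. The enclosing function begins before the first hunk at line 471 and continues past the end of this one.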
@@ -22,6 +22,7 @@ Patch19: xfig-3.2.5-debian.patch Patch20: xfig-3.2.5b-fix-eps-reading.patch Patch21: xfig-3.2.5b-fix-fig-buffer-overflow.patch Patch22: 36_libpng15.dpatch +Patch23: 30_figparserstack.patch BuildRequires: libjpeg-devel BuildRequires: libpng-devel
@@ -96,6 +97,7 @@ Files common to both the plain Xaw and the Xaw3d version of xfig.
 %patch20 -p1
 %patch21
 %patch22 -p1 -b .libpng
+%patch23 -p1
 iconv -f ISO-8859-1 -t UTF8 CHANGES > tmp; touch -r CHANGES tmp; mv tmp CHANGES
 rm Doc/html/images/sav1a0.tmp
 chmod -x `find -type f`
@@ -121,8 +123,6 @@ make XFIGDOCDIR=%{_docdir}/%{name}-%{version} \ %install -rm -rf %{buildroot} - make DESTDIR=%{buildroot} XFIGDOCDIR=%{_docdir}/%{name}-%{version} \ INSTALL="install -p" install.all install -p -m 644 CHANGES README LATEX.AND.XFIG* FIGAPPS \
@@ -165,15 +165,12 @@ fi %files -%defattr(-,root,root,-) %{_bindir}/%{name}-Xaw3d %files plain -%defattr(-,root,root,-) %{_bindir}/%{name}-plain %files common -%defattr(-,root,root,-) %doc %{_docdir}/%{name}-%{version} %{_bindir}/%{name} %{_datadir}/%{name}
@@ -184,6 +181,9 @@ fi %changelog +* Sun Aug 12 2012 Hans de Goede - 3.2.5-32.b +- Fix a stack overflow when importing 1.3 files (CVE-2009-4227) (rhbz#543905) + * Sun Jul 22 2012 Fedora Release Engineering - 3.2.5-31.b - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild