Hello community, here is the log from the commit of package libwmf checked in at Wed Jul 12 20:39:25 CEST 2006.
--------
--- libwmf/libwmf.changes 2006-06-27 18:34:02.000000000 +0200
+++ libwmf/libwmf.changes 2006-07-12 17:33:32.000000000 +0200
@@ -1,0 +2,5 @@
+Wed Jul 12 17:31:29 CEST 2006 - nadvornik@suse.cz
+
+- fixed integer overflow [CVE-2006-3376. #189924]
+
+-------------------------------------------------------------------
New:
----
libwmf-0.2.8.4-overflow-CVE-2006-3376.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libwmf.spec ++++++
--- /var/tmp/diff_new_pack.BnMYLn/_old 2006-07-12 20:36:26.000000000 +0200
+++ /var/tmp/diff_new_pack.BnMYLn/_new 2006-07-12 20:36:26.000000000 +0200
@@ -18,13 +18,14 @@
 Group: System/Libraries
 Autoreqprov: on
 Version: 0.2.8.4
-Release: 1
+Release: 2
 Summary: Library and Utilities for Displaying and Converting Metafile Images
 URL: http://wvWare.sourceforge.net/
 Source: libwmf-%{version}.tar.bz2
 Patch: libwmf-%{version}-ia64.patch
 Patch1: libwmf-%{version}-fix.patch
 Patch2: libwmf-%{version}-config.patch
+Patch3: libwmf-%{version}-overflow-CVE-2006-3376.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %description
@@ -64,6 +65,7 @@
 %patch
 %patch1
 %patch2
+%patch3
 %build
 %{?suse_update_config:%{suse_update_config -f }}
@@ -135,6 +137,8 @@
 %doc %{_defaultdocdir}/libwmf/html
 %changelog -n libwmf
+* Wed Jul 12 2006 - nadvornik@suse.cz
+- fixed integer overflow [CVE-2006-3376. #189924]
 * Tue Jun 27 2006 - nadvornik@suse.cz
 - updated to bugfix release 0.2.8.4
 * fixes various compiler warnings [#185398]
++++++ libwmf-0.2.8.4-overflow-CVE-2006-3376.patch ++++++
--- src/player.c
+++ src/player.c
@@ -132,6 +132,13 @@
 }
 }
+ if (MAX_REC_SIZE(API) * 2 / 2 != MAX_REC_SIZE(API))
+ {
+ WMF_ERROR (API,"wmf_scan: max_rec_size too big!");
+ API->err = wmf_E_BadFormat;
+ return (API->err);
+ }
+
 /* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
 */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
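Review bot: The overflow guard added before the `wmf_malloc` call is only reliable if `MAX_REC_SIZE(API)` yields an unsigned type of the same width as the arithmetic in the allocation argument; its type is not visible in this hunk, and for a signed type the `* 2` would be undefined behaviour that a compiler may fold away together with the check. A direct bound states the intent without depending on wraparound, e.g. `if (MAX_REC_SIZE(API) > MAX_REC_LIMIT / 2)`, where `MAX_REC_LIMIT` is a placeholder for the maximum of the macro's actual type. The guard still admits sizes just below the limit, so the result of `wmf_malloc` has to be tested before `P->Parameters` is used; that code and the rest of the enclosing function (presumably `wmf_scan`, going by the error string) lie outside the hunk. A short comment such as `/* max_rec_size is read from the metafile; reject values whose doubled size would wrap */` would record why the check exists, assuming the field does come from the file header.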