commit xfig for openSUSE:Factory
Hello community, here is the log from the commit of package xfig for openSUSE:Factory checked in at 2012-09-29 15:38:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xfig (Old) and /work/SRC/openSUSE:Factory/.xfig.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "xfig", Maintainer is "werner@suse.com" Changes: --------
--- /work/SRC/openSUSE:Factory/xfig/xfig.changes 2012-06-01 07:25:04.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.xfig.new/xfig.changes 2012-09-29 15:38:10.000000000 +0200
@@ -1,0 +2,5 @@
+Fri Sep 28 14:13:06 UTC 2012 - werner@suse.de
+
+- Fix bnc #777469 - CVE-2009-4227: xfig: stack based overflows
+
+-------------------------------------------------------------------
New: ---- xfig.3.2.5b-bnc777469.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xfig.spec ++++++
--- /var/tmp/diff_new_pack.BrVShx/_old 2012-09-29 15:38:12.000000000 +0200
+++ /var/tmp/diff_new_pack.BrVShx/_new 2012-09-29 15:38:12.000000000 +0200
@@ -63,6 +63,7 @@
 Patch9: xfig.3.2.5b-libpng14.dif
 Patch10: xfig.3.2.5b-preview.dif
 Patch11: xfig.3.2.5b-bnc657393.dif
+Patch12: xfig.3.2.5b-bnc777469.diff
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %{expand: %%global _exec_prefix %(type -p pkg-config &>/dev/null && pkg-config --variable prefix x11 || echo /usr/X11R6)}
 %if "%_exec_prefix" == "/usr/X11R6"
@@ -111,6 +112,7 @@
 %patch9 -p0 -b .libpng14
 %patch10 -p0 -b .preview
 %patch11 -p0 -b .vsprintf
+%patch12 -p1 -b .ovflow
 cp %{S:1} .
 test ! -e Libraries/Examples/aircraft.fig || { echo forbidden file found 1>&2; exit 1; }
++++++ xfig.3.2.5b-bnc777469.diff ++++++
--- xfig.3.2.5b/f_readold.c
+++ xfig.3.2.5b/f_readold.c 2009-12-04 10:20:36.000000000 +0000
@@ -471,7 +471,7 @@ read_1_3_textobject(FILE *fp)
 F_text *t;
 int n;
 int dum;
- char buf[128];
+ char buf[512];
 PR_SIZE tx_dim;
 if ((t = create_text()) == NULL)
@@ -485,22 +485,34 @@ read_1_3_textobject(FILE *fp)
 t->pen_style = -1;
 t->angle = 0.0;
 t->next = NULL;
+ if (!fgets(buf, sizeof(buf), fp)) {
+ file_msg("Incomplete text data");
+ free((char *) t);
+ return (NULL);
+ }
+
+ /* Note using strlen(buf) here will waste a few bytes, as the
+ various text attributes are counted into this length too. */
+ if ((t->cstring = new_string(strlen(buf))) == NULL)
+ return (NULL);
+
 /* ascent and length will be recalculated later */
- n = fscanf(fp, " %d %d %d %d %d %d %d %[^\n]",
+ n = sscanf(buf, " %d %d %d %d %d %d %d %[^\n]",
 &t->font, &dum, &dum, &t->ascent, &t->length,
- &t->base_x, &t->base_y, buf);
+ &t->base_x, &t->base_y, t->cstring);
 if (n != 8) {
 file_msg("Incomplete text data");
+ free(t->cstring);
 free((char *) t);
 return (NULL);
 }
- if ((t->cstring = new_string(strlen(buf))) == NULL) {
+
+ if (!strlen(t->cstring)) {
+ free(t->cstring);
 free((char *) t);
 file_msg("Empty text string at line %d.", line_no);
 return (NULL);
 }
- /* put string in structure */
- strcpy(t->cstring, buf);
 /* get the font struct */
 t->zoom = zoomscale;
-- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
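Review bot: In the second f_readold.c hunk the new allocation check `if ((t->cstring = new_string(strlen(buf))) == NULL) return (NULL);` returns without releasing `t`, unlike every other error path in the hunk; it should be `{ free((char *) t); return (NULL); }`. The `fgets(buf, sizeof(buf), fp)` read also silently truncates any line longer than 511 bytes, and the unread tail presumably gets parsed as the next object. Since this reader handles untrusted .fig files, a line with no trailing newline before EOF would be better rejected with a `file_msg` than accepted in part. The overflow itself looks closed, because the `%[^\n]` target is sized from `strlen(buf)` and can only receive a suffix of `buf`, assuming `new_string(n)` leaves room for the terminator as the removed `strcpy` code already relied on. The body of `read_1_3_textobject` starts and ends outside both hunks.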