Hello community, here is the log from the commit of package tkimg checked in at Tue Jun 3 01:12:04 CEST 2008. -------- --- tkimg/tkimg.changes 2006-02-20 19:54:13.000000000 +0100 +++ /mounts/work_src_done/STABLE/tkimg/tkimg.changes 2008-05-21 20:36:34.000000000 +0200 @@ -1,0 +2,5 @@ +Wed May 21 20:35:12 CEST 2008 - max@suse.de + +- Fix a crash with malformed GIF images (bnc#386009, CVE-2008-0553) + +------------------------------------------------------------------- New: ---- tkimg-CVE-2008-0553.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tkimg.spec ++++++ --- /var/tmp/diff_new_pack.P21826/_old 2008-06-03 01:11:52.000000000 +0200 +++ /var/tmp/diff_new_pack.P21826/_new 2008-06-03 01:11:52.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package tkimg (Version 1.3) # -# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine # package are under the same license as the package itself. # @@ -10,19 +10,21 @@ # norootforbuild + Name: tkimg BuildRequires: libpng-devel libtiff-devel tk-devel xorg-x11-devel -URL: http://sourceforge.net/projects/tkimg +Url: http://sourceforge.net/projects/tkimg Summary: More Image Formats for Tk Version: 1.3 -Release: 36 -License: BSD +Release: 177 +License: BSD 3-Clause Group: Development/Libraries/Tcl Source0: %{name}%{version}.tar.bz2 Patch0: %name.patch Patch1: %name-syslibs.patch Patch2: %name-makedeps.patch Patch3: %name-warnings.patch +Patch4: tkimg-CVE-2008-0553.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -45,6 +47,7 @@ %patch1 %patch2 %patch3 +%patch4 %build for f in $(find -type d); do 
@@ -84,35 +87,36 @@ %doc ANNOUNCE ChangeLog README Reorganization.Notes.txt %doc changes license.terms doc/html demo %doc %_mandir/*/* - %tclscriptdir/* %_libdir/lib* %_libdir/tkimgConfig.sh %_includedir/* -%changelog -n tkimg -* Mon Feb 20 2006 - max@suse.de +%changelog +* Wed May 21 2008 max@suse.de +- Fix a crash with malformed GIF images (bnc#386009, CVE-2008-0553) +* Mon Feb 20 2006 max@suse.de - Fixed some serious warnings (#152208). -* Wed Jan 25 2006 - mls@suse.de +* Wed Jan 25 2006 mls@suse.de - converted neededforbuild to BuildRequires -* Mon Jan 16 2006 - max@suse.de +* Mon Jan 16 2006 max@suse.de - Disabled parallel make. -* Tue Dec 13 2005 - max@suse.de +* Tue Dec 13 2005 max@suse.de - Fixed a typo in tcl.m4 that broke configure with bash 3.1. -* Wed Jul 27 2005 - max@suse.de +* Wed Jul 27 2005 max@suse.de - Moved shared libs to libdir and script library to /usr/share/tcl. -* Wed Jul 06 2005 - max@suse.de +* Wed Jul 06 2005 max@suse.de - Added missing includes to allow lightweight buffer overflow checking. -* Thu Jun 02 2005 - ro@suse.de +* Thu Jun 02 2005 ro@suse.de - try to fix makefile deps -* Wed Apr 27 2005 - max@suse.de +* Wed Apr 27 2005 max@suse.de - Update to the final 1.3 version. -* Fri Nov 12 2004 - ro@suse.de +* Fri Nov 12 2004 ro@suse.de - fixed file list -* Wed Jul 28 2004 - max@suse.de +* Wed Jul 28 2004 max@suse.de - Added tkimg-syslibs.patch to use the system-supplied versions of libtiff, libjpeg, and libpng (Bug #43008). -* Mon Mar 01 2004 - max@suse.de +* Mon Mar 01 2004 max@suse.de - New package: tkimg-1.3rc2 - An image format extension for Tk. ++++++ tkimg-CVE-2008-0553.patch ++++++ --- gif/gif.c +++ gif/gif.c 
@@ -764,6 +764,12 @@ Tcl_PosixError(interp), (char *) NULL); return TCL_ERROR; } + + if (initialCodeSize > MAX_LWZ_BITS) { + Tcl_SetResult(interp, "malformed image", TCL_STATIC); + return TCL_ERROR; + } + if (transparent!=-1) { cmap[transparent][CM_RED] = 0; cmap[transparent][CM_GREEN] = 0; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun...
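Review bot: In the tkimg.spec hunk at @@ -10,19 +10,21 @@, the License tag changes from "BSD" to "BSD 3-Clause" and URL becomes Url, but the tkimg.changes entry records only the GIF fix. Either mention these tag changes in the changelog entry or keep them out of the security update, so the CVE-2008-0553 change can be reviewed and backported on its own. A minor style point in the same hunk: Patch0 through Patch3 are named with the %name macro while Patch4 spells out "tkimg-"; pick one convention.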
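Review bot: The new check in gif/gif.c (@@ -764,6 +764,12 @@) carries no comment saying why initialCodeSize is bounded, and it uses a strict ">", so a value equal to MAX_LWZ_BITS is still accepted. Please add a one-line comment tying the bound to the decoder state it protects (with the CVE-2008-0553 reference), and confirm that decoding is safe when initialCodeSize == MAX_LWZ_BITS, since that path is not visible in this hunk. The early "return TCL_ERROR;" should also be compared with the cleanup the other error returns in this function perform; only the preceding Tcl_PosixError return is visible here. The "New:" list shows only the patch file, so a malformed GIF regression sample would be worth adding alongside it.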