Hello community, here is the log from the commit of package evince for openSUSE:Factory checked in at Mon Jan 10 11:06:47 CET 2011. -------- --- GNOME/evince/evince.changes 2010-09-27 22:31:38.000000000 +0200 +++ /mounts/work_src_done/STABLE/evince/evince.changes 2011-01-05 09:23:42.000000000 +0100 @@ -1,0 +2,6 @@ +Wed Jan 5 09:23:41 CET 2011 - vuntz@opensuse.org + +- Add evince-dvi-vulnerabilities.patch to fix CVE-2010-2640, + CVE-2010-2641, CVE-2010-2642, CVE-2010-2643. (bnc#660555). + +------------------------------------------------------------------- calling whatdependson for head-i586 New: ---- evince-dvi-vulnerabilities.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ evince.spec ++++++ --- /var/tmp/diff_new_pack.iYb60y/_old 2011-01-10 11:04:50.000000000 +0100 +++ /var/tmp/diff_new_pack.iYb60y/_new 2011-01-10 11:04:50.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package evince (Version 2.32.0) # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,13 +20,15 @@ Name: evince Version: 2.32.0 -Release: 1 +Release: 2 %define _major_version 2.32 License: GPLv2+ Summary: GNOME Document Viewer Url: http://www.gnome.org/projects/evince/ Group: Productivity/Office/Other Source: ftp://ftp.gnome.org/pub/GNOME/sources/%{name}/0.4/%{name}-%{version}.tar.bz2 +# PATCH-FIX-UPSTREAM evince-dvi-vulnerabilities.patch vuntz@opensuse.org -- CVE-2010-2640, CVE-2010-2641, CVE-2010-2642, CVE-2010-2643 +Patch0: evince-dvi-vulnerabilities.patch BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: gconf2-devel @@ -91,6 +93,7 @@ %prep %setup -q translation-update-upstream +%patch0 -p1 %build %configure --disable-static --with-pic\ ++++++ evince-dvi-vulnerabilities.patch ++++++
From f731c8ba30df809c6c568cfff97c7d946e55e921 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Aliste?=
Date: Tue, 7 Dec 2010 15:56:47 -0300 Subject: [PATCH] backends: Fix several security issues in the dvi-backend.
See CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643. --- backend/dvi/mdvi-lib/afmparse.c | 2 +- backend/dvi/mdvi-lib/dviread.c | 4 ++++ backend/dvi/mdvi-lib/pk.c | 11 ++++++++++- backend/dvi/mdvi-lib/tfmfile.c | 3 ++- backend/dvi/mdvi-lib/vf.c | 6 ++++++ 5 files changed, 23 insertions(+), 3 deletions(-) diff --git a/backend/dvi/mdvi-lib/afmparse.c b/backend/dvi/mdvi-lib/afmparse.c index 164366b..361e23d 100644 --- a/backend/dvi/mdvi-lib/afmparse.c +++ b/backend/dvi/mdvi-lib/afmparse.c @@ -160,7 +160,7 @@ static char *token(FILE *stream) idx = 0; while (ch != EOF && ch != ' ' && ch != lineterm - && ch != '\t' && ch != ':' && ch != ';') + && ch != '\t' && ch != ':' && ch != ';' && idx < MAX_NAME) { ident[idx++] = ch; ch = fgetc(stream); diff --git a/backend/dvi/mdvi-lib/dviread.c b/backend/dvi/mdvi-lib/dviread.c index cd8cfa9..d014320 100644 --- a/backend/dvi/mdvi-lib/dviread.c +++ b/backend/dvi/mdvi-lib/dviread.c @@ -1507,6 +1507,10 @@ int special(DviContext *dvi, int opcode) Int32 arg; arg = dugetn(dvi, opcode - DVI_XXX1 + 1); + if (arg <= 0) { + dvierr(dvi, _("malformed special length\n")); + return -1; + } s = mdvi_malloc(arg + 1); dread(dvi, s, arg); s[arg] = 0; diff --git a/backend/dvi/mdvi-lib/pk.c b/backend/dvi/mdvi-lib/pk.c index a579186..08377e6 100644 --- a/backend/dvi/mdvi-lib/pk.c +++ b/backend/dvi/mdvi-lib/pk.c @@ -469,6 +469,15 @@ static int pk_load_font(DviParams *unused, DviFont *font) } if(feof(p)) break; + + /* Although the PK format support bigger char codes, + * XeTeX and other extended TeX engines support charcodes up to + * 65536, while normal TeX engine supports only charcode up to 255.*/ + if (cc < 0 || cc > 65536) { + mdvi_error (_("%s: unexpected charcode (%d)\n"), + font->fontname,cc); + goto error; + } if(cc < loc) loc = cc; if(cc > hic) @@ -512,7 +521,7 @@ static int pk_load_font(DviParams *unused, DviFont *font) } /* resize font char data */ - if(loc > 0 || hic < maxch-1) { + if(loc > 0 && hic < maxch-1) { memmove(font->chars, font->chars + loc, (hic - loc + 1) * sizeof(DviFontChar)); font->chars = xresize(font->chars, diff --git a/backend/dvi/mdvi-lib/tfmfile.c b/backend/dvi/mdvi-lib/tfmfile.c index 73ebf26..8c2a30b 100644 --- a/backend/dvi/mdvi-lib/tfmfile.c +++ b/backend/dvi/mdvi-lib/tfmfile.c @@ -172,7 +172,8 @@ int tfm_load_file(const char *filename, TFMInfo *info) /* We read the entire TFM file into core */ if(fstat(fileno(in), &st) < 0) return -1; - if(st.st_size == 0) + /* according to the spec, TFM files are smaller than 16K */ + if(st.st_size == 0 || st.st_size >= 16384) goto bad_tfm; /* allocate a word-aligned buffer to hold the file */ diff --git a/backend/dvi/mdvi-lib/vf.c b/backend/dvi/mdvi-lib/vf.c index fb49847..a5ae3bb 100644 --- a/backend/dvi/mdvi-lib/vf.c +++ b/backend/dvi/mdvi-lib/vf.c @@ -165,6 +165,12 @@ static int vf_load_font(DviParams *params, DviFont *font) cc = fuget1(p); tfm = fuget3(p); } + if (cc < 0 || cc > 65536) { + /* TeX engines do not support char codes bigger than 65535 */ + mdvi_error(_("(vf) %s: unexpected character %d\n"), + font->fontname, cc); + goto error; + } if(loc < 0 || cc < loc) loc = cc; if(hic < 0 || cc > hic) -- 1.7.3.2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org