- resolves: #1984067

fix CVE-2019-25051
2021-07-20 17:03:17 +02:00 · 2021-07-20 17:03:17 +02:00 · 59eac5fa63
commit 59eac5fa63
parent 13e9fc63eb
2 changed files with 106 additions and 1 deletions
--- a/aspell-0.60.8-CVE-2019-25051.patch
+++ b/aspell-0.60.8-CVE-2019-25051.patch
@ -0,0 +1,99 @@
+From d60fc73a370c64209bd0ae6fc6d002f55be6eac9 Mon Sep 17 00:00:00 2001
+From: Kevin Atkinson <kevina@gnu.org>
+Date: Sat, 21 Dec 2019 20:32:47 +0000
+Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk
+ to prevent a buffer overflow
+
+Bug found using OSS-Fuze.
+---
+ common/objstack.hpp | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/common/objstack.hpp b/common/objstack.hpp
+index 3997bf7..bd97ccd 100644
+--- a/common/objstack.hpp
+++ b/common/objstack.hpp
+@@ -5,6 +5,7 @@
+ #include "parm_string.hpp"
+ #include <stdlib.h>
+ #include <assert.h>
+#include <stddef.h>
+ 
+ namespace acommon {
+ 
+@@ -26,6 +27,12 @@ class ObjStack
+   byte * temp_end;
+   void setup_chunk();
+   void new_chunk();
+  bool will_overflow(size_t sz) const {
+    return offsetof(Node,data) + sz > chunk_size;
+  }
+  void check_size(size_t sz) {
+    assert(!will_overflow(sz));
+  }
+ 
+   ObjStack(const ObjStack &);
+   void operator=(const ObjStack &);
+@@ -56,7 +63,7 @@ public:
+   void * alloc_bottom(size_t size)  {
+     byte * tmp = bottom;
+     bottom += size;
+-    if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;}
+    if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;}
+     return tmp;
+   }
+   // This alloc_bottom will insure that the object is aligned based on the
+@@ -66,7 +73,7 @@ public:
+     align_bottom(align);
+     byte * tmp = bottom;
+     bottom += size;
+-    if (bottom > top) {new_chunk(); goto loop;}
+    if (bottom > top) {check_size(size); new_chunk(); goto loop;}
+     return tmp;
+   }
+   char * dup_bottom(ParmString str) {
+@@ -79,7 +86,7 @@ public:
+   // always be aligned as such.
+   void * alloc_top(size_t size) {
+     top -= size;
+-    if (top < bottom) {new_chunk(); top -= size;}
+    if (top < bottom) {check_size(size); new_chunk(); top -= size;}
+     return top;
+   }
+   // This alloc_top will insure that the object is aligned based on
+@@ -88,7 +95,7 @@ public:
+   {loop:
+     top -= size;
+     align_top(align);
+-    if (top < bottom) {new_chunk(); goto loop;}
+    if (top < bottom) {check_size(size); new_chunk(); goto loop;}
+     return top;
+   }
+   char * dup_top(ParmString str) {
+@@ -117,6 +124,7 @@ public:
+   void * alloc_temp(size_t size) {
+     temp_end = bottom + size;
+     if (temp_end > top) {
+      check_size(size);
+       new_chunk();
+       temp_end = bottom + size;
+     }
+@@ -131,6 +139,7 @@ public:
+     } else {
+       size_t s = temp_end - bottom;
+       byte * p = bottom;
+      check_size(size);
+       new_chunk();
+       memcpy(bottom, p, s);
+       temp_end = bottom + size;
+@@ -150,6 +159,7 @@ public:
+     } else {
+       size_t s = temp_end - bottom;
+       byte * p = bottom;
+      check_size(size);
+       new_chunk();
+       memcpy(bottom, p, s);
+       temp_end = bottom + size;
+-- 
+2.31.1
+
--- a/aspell.spec
+++ b/aspell.spec
@ -1,7 +1,7 @@
 Summary: Spell checker
 Name: aspell
 Version: 0.60.8
-Release: 6%{?dist}
+Release: 7%{?dist}
 Epoch: 12
 # LGPLv2+ .. common/gettext.h
 # LGPLv2  .. modules/speller/default/phonet.hpp,
@ -16,6 +16,7 @@ Source: ftp://ftp.gnu.org/gnu/aspell/aspell-%{version}.tar.gz
 Patch0: aspell-0.60.7-fileconflict.patch
 Patch1: aspell-0.60.7-pspell_conf.patch
 Patch2: aspell-0.60.7-mp.patch
+Patch3: aspell-0.60.8-CVE-2019-25051.patch

 BuildRequires: gcc-c++
 BuildRequires: chrpath, gettext, ncurses-devel, pkgconfig, perl-interpreter
@ -45,6 +46,7 @@ and header files needed for Aspell development.
 %patch0 -p1 -b .fc
 %patch1 -p1 -b .mlib
 %patch2 -p1 -b .ai
+%patch3 -p1 -b .CVE-2019-25051
 iconv -f iso-8859-2 -t utf-8 < manual/aspell.info > manual/aspell.info.aux
 mv manual/aspell.info.aux manual/aspell.info

@ -111,6 +113,10 @@ rm -f ${RPM_BUILD_ROOT}%{_infodir}/dir
 %{_mandir}/man1/pspell-config.1*

 %changelog
+* Tue Jul 20 2021 Nikola Forró <nforro@redhat.com> - 12:0.60.8-7
+- resolves: #1984067
+  fix CVE-2019-25051
+
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 12:0.60.8-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild