rpms/autotrace
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Enabled pstoedit backend

Browse Source 
Fixed out of bounds write when using pstoedit backend
  Resolves: CVE-2016-7392
Fixed hardcoded version on source URL
Fixed bogus date in changelog (best effort)
This commit is contained in:
Jaroslav Škarvada 2017-01-20 18:18:18 +01:00
parent 72a936af8c
commit eb3e392089
3 changed files with 64 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
autotrace-0.31.1-CVE-2016-7392.patch Normal file
View File

@ -0,0 +1,16 @@
Subject: Fix heap-based buffer overflow in pstoedit_suffix_table_init
ID: CVE-2016-7392
Author: unknown (taken from DLA-621-1)
Bug-Debian: https://bugs.debian.org/837599
--- a/output-pstoedit.c
+++ b/output-pstoedit.c
@@ -84,7 +84,7 @@
dd_tmp = dd_start;
while (dd_tmp->symbolicname)
dd_tmp++;
- XMALLOC(pstoedit_suffix_table, sizeof(char *) * 2 * (dd_tmp - dd_start) + 1);
+ XMALLOC(pstoedit_suffix_table, sizeof(char *) * (2 * (dd_tmp - dd_start) + 1));
#if defined (OUTPUT_PSTOEDIT_DEBUG) && defined(__GNUC__)
fprintf(stderr, "OUTPUT PSTOEDIT BACKEND DEBUG(%s)\n", __FUNCTION__);

33
autotrace-0.31.1-pstoedit-detection-fix.patch Normal file
View File

@ -0,0 +1,33 @@
--- autotrace-0.31.1.orig/configure.in
+++ autotrace-0.31.1/configure.in
@@ -282,8 +300,12 @@ AC_CHECK_LIB(dl,main,[LIBLD_LDFLAGS=-ldl
if test "x${LIBLD_LDFLAGS}" != x; then
LIBPSTOEDIT_EXTRA_LIBS="${LIBPSTOEDIT_EXTRA_LIBS} ${LIBLD_LDFLAGS}"
fi
-
-echo '*** Checking pstoedit existence TWICE(if needed) ***'
+
+echo '*** Checking pstoedit existence THRICE(if needed)***'
+echo '*** This is the 0th check ***'
+PKG_CHECK_MODULES(LIBPSTOEDIT,[pstoedit >= 3.32.1],HAVE_LIBPSTOEDIT_321=yes)
+if test ${HAVE_LIBPSTOEDIT_321} != yes; then
+ echo '*** The 0th check failed ***'
echo '*** This is the 1st check ***'
AM_PATH_PSTOEDIT(3.32.1,HAVE_LIBPSTOEDIT_321=yes)
if test ${HAVE_LIBPSTOEDIT_321} != yes; then
@@ -310,6 +332,15 @@ else
LIBPSTOEDIT_LIBS="${PSTOEDIT_LIBS} ${LIBPSTOEDIT_EXTRA_LIBS}"
LIBPSTOEDIT_CFLAGS="${PSTOEDIT_CFLAGS}"
fi
+else
+ echo '*** The 0th check is passed. ***'
+ HAVE_LIBPSTOEDIT=yes
+
+ # Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1415258
+ LIBPSTOEDIT_LIBS="${LIBPSTOEDIT_LIBS/@LIBPNG_LDFLAGS@/-lpng}"
+
+ AC_DEFINE(HAVE_LIBPSTOEDIT)
+fi
if test ${HAVE_LIBPSTOEDIT} = yes; then
AC_CHECK_FUNCS([mkstemp])

18
autotrace.spec
View File

@ -1,17 +1,19 @@
Name: autotrace Name: autotrace
Version: 0.31.1 Version: 0.31.1
Release: 42%{?dist} Release: 43%{?dist}
Summary: Utility for converting bitmaps to vector graphics Summary: Utility for converting bitmaps to vector graphics
Group: Applications/Multimedia Group: Applications/Multimedia
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
URL: http://autotrace.sourceforge.net/ URL: http://autotrace.sourceforge.net/
Source0: http://download.sf.net/autotrace/autotrace-0.31.1.tar.gz Source0: http://download.sf.net/autotrace/%{name}-%{version}.tar.gz
Patch1: autotrace-0001-Modify-GetOnePixel-usage-to-build-against-current-Im.patch Patch1: autotrace-0001-Modify-GetOnePixel-usage-to-build-against-current-Im.patch
Patch2: autotrace-0002-Fixed-underquoted-AM_PATH_AUTOTRACE-definition.patch Patch2: autotrace-0002-Fixed-underquoted-AM_PATH_AUTOTRACE-definition.patch
Patch3: autotrace-0003-libpng-fix.patch Patch3: autotrace-0003-libpng-fix.patch
# Sent upstream # Sent upstream
Patch4: autotrace-0.31.1-CVE-2013-1953.patch Patch4: autotrace-0.31.1-CVE-2013-1953.patch
Patch5: autotrace-0.31.1-multilib-fix.patch Patch5: autotrace-0.31.1-multilib-fix.patch
Patch6: autotrace-0.31.1-pstoedit-detection-fix.patch
Patch7: autotrace-0.31.1-CVE-2016-7392.patch
BuildRequires: ImageMagick-devel BuildRequires: ImageMagick-devel
BuildRequires: libpng-devel > 2:1.2 BuildRequires: libpng-devel > 2:1.2
BuildRequires: libexif-devel BuildRequires: libexif-devel
@ -25,6 +27,7 @@ BuildRequires: pstoedit-devel
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: libtool BuildRequires: libtool
BuildRequires: pstoedit-devel
%description %description
@ -54,6 +57,8 @@ This package contains header files and development libraries for autotrace.
%patch3 -p1 -b .libpng15 %patch3 -p1 -b .libpng15
%patch4 -p1 -b .CVE-2013-1953 %patch4 -p1 -b .CVE-2013-1953
%patch5 -p1 -b .multilib-fix %patch5 -p1 -b .multilib-fix
%patch6 -p1 -b .pstoedit-detection-fix
%patch7 -p1 -b .CVE-2016-7392
autoreconf -ivf autoreconf -ivf
%build %build
@ -94,6 +99,13 @@ find $RPM_BUILD_ROOT -type f -name "*.a" -exec rm -f {} ';'
%changelog %changelog
* Fri Jan 20 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 0.31.1-43
- Enabled pstoedit backend
- Fixed out of bounds write when using pstoedit backend
Resolves: CVE-2016-7392
- Fixed hardcoded version on source URL
- Fixed bogus date in changelog (best effort)
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.31.1-42 * Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.31.1-42
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
@ -218,7 +230,7 @@ find $RPM_BUILD_ROOT -type f -name "*.a" -exec rm -f {} ';'
* Wed May 25 2005 Jeremy Katz <katzj@redhat.com> - 0.31.1-5 * Wed May 25 2005 Jeremy Katz <katzj@redhat.com> - 0.31.1-5
- rebuild - rebuild
* Fri Apr 7 2005 Michael Schwendt <mschwendt[AT]users.sf.net> * Thu Apr 7 2005 Michael Schwendt <mschwendt[AT]users.sf.net>
- rebuilt - rebuilt
* Sat Aug 21 2004 Marius L. Jøhndal <mariuslj at ifi.uio.no> - 0:0.31.1-3 * Sat Aug 21 2004 Marius L. Jøhndal <mariuslj at ifi.uio.no> - 0:0.31.1-3