- fixed various buffer overflows (CVE-2008-3863, CVE-2008-4306)
parent
9068b0453c
commit
0f3e894eaf
90
enscript-CVE-2008-3863+CVE-2008-4306.patch
Normal file
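--- a/enscript-CVE-2008-3863+CVE-2008-4306.patch
+++ b/enscript-CVE-2008-3863+CVE-2008-4306.patch
@@ -0,0 +1,90 @@
+--- src/psgen.c
++++ src/psgen.c 2008-10-29 10:43:08.512598143 +0100
+@@ -24,6 +24,7 @@
+* Boston, MA 02111-1307, USA.
+*/
+
++#include <limits.h>
+#include "gsint.h"
+
+/*
+@@ -124,7 +125,7 @@ struct gs_token_st
+double xscale;
+double yscale;
+int llx, lly, urx, ury; /* Bounding box. */
+- char filename[512];
++ char filename[PATH_MAX];
+char *skipbuf;
+unsigned int skipbuf_len;
+unsigned int skipbuf_pos;
+@@ -135,11 +136,11 @@ struct gs_token_st
+Color bgcolor;
+struct
+{
+- char name[512];
++ char name[PATH_MAX];
+FontPoint size;
+InputEncoding encoding;
+} font;
+- char filename[512];
++ char filename[PATH_MAX];
+} u;
+};
+
+@@ -248,7 +249,7 @@ static int do_print = 1;
+static int user_fontp = 0;
+
+/* The user ^@font{}-defined font. */
+-static char user_font_name[256];
++static char user_font_name[PATH_MAX];
+static FontPoint user_font_pt;
+static InputEncoding user_font_encoding;
+
+@@ -978,7 +979,8 @@ large for page\n"),
+FATAL ((stderr,
+_("user font encoding can be only the system's default or `ps'")));
+
+- strcpy (user_font_name, token.u.font.name);
++ memset (user_font_name, 0, sizeof(user_font_name));
++ strncpy (user_font_name, token.u.font.name, sizeof(user_font_name) - 1);
+user_font_pt.w = token.u.font.size.w;
+user_font_pt.h = token.u.font.size.h;
+user_font_encoding = token.u.font.encoding;
+@@ -1444,7 +1446,7 @@ read_special_escape (InputStream *is, To
+buf[i] = ch;
+if (i + 1 >= sizeof (buf))
+FATAL ((stderr, _("too long argument for %s escape:\n%.*s"),
+- escapes[i].name, i, buf));
++ escapes[e].name, i, buf));
+}
+buf[i] = '\0';
+
+@@ -1452,7 +1454,8 @@ read_special_escape (InputStream *is, To
+switch (escapes[e].escape)
+{
+case ESC_FONT:
+- strcpy (token->u.font.name, buf);
++ memset (token->u.font.name, 0, sizeof(token->u.font.name));
++ strncpy (token->u.font.name, buf, sizeof(token->u.font.name) - 1);
+
+/* Check for the default font. */
+if (strcmp (token->u.font.name, "default") == 0)
+@@ -1465,7 +1468,8 @@ read_special_escape (InputStream *is, To
+FATAL ((stderr, _("malformed font spec for ^@font escape: %s"),
+token->u.font.name));
+
+- strcpy (token->u.font.name, cp);
++ memset (token->u.font.name, 0, sizeof(token->u.font.name));
++ strncpy (token->u.font.name, cp, sizeof(token->u.font.name) - 1);
+xfree (cp);
+}
+token->type = tFONT;
+@@ -1544,7 +1548,8 @@ read_special_escape (InputStream *is, To
+break;
+
+case ESC_SETFILENAME:
+- strcpy (token->u.filename, buf);
++ memset (token->u.filename, 0, sizeof(token->u.font.name));
++ strncpy (token->u.filename, buf, sizeof(token->u.filename) - 1);
+token->type = tSETFILENAME;
+break;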
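Review bot: In the ESC_SETFILENAME hunk of the added patch, the memset clears `token->u.filename` but takes its length from a different member, `sizeof(token->u.font.name)`. Both arrays are declared `[PATH_MAX]` by this same patch, so the lengths match today, but a later resize of either field would turn this into an over- or under-sized write; the bound should follow the destination: `memset (token->u.filename, 0, sizeof(token->u.filename));`. The new strncpy calls also truncate silently, and whether an over-long font or file name can reach them depends on the size of `buf`, which is declared outside these hunks along with the rest of read_special_escape; a comment such as `/* buf is bounded above, so truncation here is not expected */` or an explicit length check would make the intent auditable. Separately, `PATH_MAX` is not guaranteed to be defined by `<limits.h>` on every platform, so a fallback `#ifndef PATH_MAX` definition next to the new include would keep the build portable.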
@ -1,7 +1,7 @@
|
|||||||
Summary: A plain ASCII to PostScript converter.
|
Summary: A plain ASCII to PostScript converter.
|
||||||
Name: enscript
|
Name: enscript
|
||||||
Version: 1.6.4
|
Version: 1.6.4
|
||||||
Release: 10%{?dist}
|
Release: 11%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Group: Applications/Publishing
|
Group: Applications/Publishing
|
||||||
Source0: http://www.iki.fi/mtr/genscript/enscript-%{version}.tar.gz
|
Source0: http://www.iki.fi/mtr/genscript/enscript-%{version}.tar.gz
|
||||||
@ -18,6 +18,7 @@ Patch7: enscript-1.6.1-CAN-2004-1186.patch
|
|||||||
Patch8: enscript-wrap_header.patch
|
Patch8: enscript-wrap_header.patch
|
||||||
Patch9: enscript-1.6.4-rh457719.patch
|
Patch9: enscript-1.6.4-rh457719.patch
|
||||||
Patch10:enscript-1.6.4-rh457720.patch
|
Patch10:enscript-1.6.4-rh457720.patch
|
||||||
|
Patch11:enscript-CVE-2008-3863+CVE-2008-4306.patch
|
||||||
URL: http://www.codento.com/people/mtr/genscript/
|
URL: http://www.codento.com/people/mtr/genscript/
|
||||||
Prereq: /sbin/install-info
|
Prereq: /sbin/install-info
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-root
|
BuildRoot: %{_tmppath}/%{name}-%{version}-root
|
||||||
@ -41,6 +42,7 @@ includes many options for customizing printouts.
|
|||||||
%patch8 -p1 -b .wrap_header
|
%patch8 -p1 -b .wrap_header
|
||||||
%patch9 -p1 -b .rh457719
|
%patch9 -p1 -b .rh457719
|
||||||
%patch10 -p1 -b .rh457720
|
%patch10 -p1 -b .rh457720
|
||||||
|
%patch11 -p0 -b .CVE-2008-3863+CVE-2008-4306
|
||||||
%{__tar} -C states/hl -zxf %{SOURCE1} ruby.st
|
%{__tar} -C states/hl -zxf %{SOURCE1} ruby.st
|
||||||
install -pm 644 %{SOURCE2} states/hl/php.st
|
install -pm 644 %{SOURCE2} states/hl/php.st
|
||||||
|
|
||||||
@ -94,6 +96,9 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Nov 03 2008 Adam Tkac <atkac redhat com> 1.6.4-11
|
||||||
|
- fixed various buffer overflows (CVE-2008-3863, CVE-2008-4306)
|
||||||
|
|
||||||
* Fri Aug 08 2008 Adam Tkac <atkac redhat com> 1.6.4-10
|
* Fri Aug 08 2008 Adam Tkac <atkac redhat com> 1.6.4-10
|
||||||
- updated patches due rpm 4.6
|
- updated patches due rpm 4.6
|
||||||
- enscript -w is handled well (#457719)
|
- enscript -w is handled well (#457719)
|
||||||
|