fix gnulib CVE
This commit is contained in:
Zdenek Dohnal
parent
7781998280
commit
62eb1df2a7
15
enscript-CVE-vasnprintf.patch
Normal file
15
enscript-CVE-vasnprintf.patch
Normal file
@ -0,0 +1,15 @@
|
||||
diff --git a/intl/vasnprintf.c b/intl/vasnprintf.c
|
||||
index 4a8e7f0..65ade71 100644
|
||||
--- a/intl/vasnprintf.c
|
||||
+++ b/intl/vasnprintf.c
|
||||
@@ -758,7 +758,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes)
|
||||
size_t a_len = a.nlimbs;
|
||||
/* 0.03345 is slightly larger than log(2)/(9*log(10)). */
|
||||
size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1);
|
||||
- char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes));
|
||||
+ /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the
|
||||
+ digits of a, followed by 1 byte for the terminating NUL. */
|
||||
+ char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1));
|
||||
if (c_ptr != NULL)
|
||||
{
|
||||
char *d_ptr = c_ptr;
|
||||
@ -29,12 +29,24 @@ Patch15: enscript-bufpos-crash.patch
|
||||
# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1664367
|
||||
# upstream patch: http://lists.gnu.org/archive/html/bug-enscript/2018-04/msg00008.html
|
||||
Patch16: 0001-enscript-newencodings.patch
|
||||
# enscript bundles some gnulib source files, so some issues or CVEs in gnulib can be
|
||||
# present in enscript
|
||||
# gnulib CVE: https://bugzilla.redhat.com/show_bug.cgi?id=1635896
|
||||
Patch17: enscript-CVE-vasnprintf.patch
|
||||
|
||||
# gcc is no longer in buildroot by default
|
||||
BuildRequires: gcc
|
||||
BuildRequires: autoconf, automake, gettext
|
||||
BuildRequires: gettext-devel
|
||||
|
||||
# our downstreamed gnulib bundles some gnulib files, so we need to provide
|
||||
# this one. I'm not sure why we have gnulib files there, because upstream
|
||||
# does not have these files. The correct way would be to extract these files,
|
||||
# fix Makefiles to link correct gnulib and requires gnulib-'something' in spec
|
||||
# file, but enscript is lowly used+low maintenance+mostly dead upstream package,
|
||||
# so there is a little merit of doing it...
|
||||
Provides: bundled(gnulib)
|
||||
|
||||
%description
|
||||
GNU enscript is a free replacement for Adobe's Enscript
|
||||
program. Enscript converts ASCII files to PostScript(TM) and spools
|
||||
@ -53,6 +65,8 @@ includes many options for customizing printouts
|
||||
%patch15 -p1 -b .bufpos-crash
|
||||
# 1664367 - [RFE] Add support for 885915 encoding in enscript
|
||||
%patch16 -p1 -b .newencodings
|
||||
# CVE in gnulib
|
||||
%patch17 -p1 -b .vasnprintf
|
||||
|
||||
%{__tar} -C states/hl -zxf %{SOURCE1} ruby.st
|
||||
install -pm 644 %{SOURCE2} states/hl/php.st
|
||||
@ -101,6 +115,7 @@ done
|
||||
* Tue Jan 29 2019 Zdenek Dohnal <zdohnal@redhat.com> - 1.6.6-19
|
||||
- 1664367 - [RFE] Add support for 885915 encoding in enscript
|
||||
- remove old Obsoletes/Provides
|
||||
- fix gnulib CVE
|
||||
|
||||
* Tue Jul 24 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1.6.6-18
|
||||
- correcting license
|
||||
|
||||
Loading…
Reference in New Issue
Block a user