rpms/enscript
5
0
Fork 0
Code Issues Pull Requests Releases Activity

fix gnulib CVE

Browse Source
This commit is contained in:
Zdenek Dohnal 2019-01-30 13:28:45 +01:00
parent 7781998280
commit 62eb1df2a7
2 changed files with 30 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
enscript-CVE-vasnprintf.patch Normal file
View File

@ -0,0 +1,15 @@
diff --git a/intl/vasnprintf.c b/intl/vasnprintf.c
index 4a8e7f0..65ade71 100644
--- a/intl/vasnprintf.c
+++ b/intl/vasnprintf.c
@@ -758,7 +758,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes)
size_t a_len = a.nlimbs;
/* 0.03345 is slightly larger than log(2)/(9*log(10)). */
size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1);
- char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes));
+ /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the
+ digits of a, followed by 1 byte for the terminating NUL. */
+ char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1));
if (c_ptr != NULL)
{
char *d_ptr = c_ptr;

15
enscript.spec
View File

@ -29,12 +29,24 @@ Patch15: enscript-bufpos-crash.patch
# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1664367 # rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1664367
# upstream patch: http://lists.gnu.org/archive/html/bug-enscript/2018-04/msg00008.html # upstream patch: http://lists.gnu.org/archive/html/bug-enscript/2018-04/msg00008.html
Patch16: 0001-enscript-newencodings.patch Patch16: 0001-enscript-newencodings.patch
# enscript bundles some gnulib source files, so some issues or CVEs in gnulib can be
# present in enscript
# gnulib CVE: https://bugzilla.redhat.com/show_bug.cgi?id=1635896
Patch17: enscript-CVE-vasnprintf.patch
# gcc is no longer in buildroot by default # gcc is no longer in buildroot by default
BuildRequires: gcc BuildRequires: gcc
BuildRequires: autoconf, automake, gettext BuildRequires: autoconf, automake, gettext
BuildRequires: gettext-devel BuildRequires: gettext-devel
# our downstreamed gnulib bundles some gnulib files, so we need to provide
# this one. I'm not sure why we have gnulib files there, because upstream
# does not have these files. The correct way would be to extract these files,
# fix Makefiles to link correct gnulib and requires gnulib-'something' in spec
# file, but enscript is lowly used+low maintenance+mostly dead upstream package,
# so there is a little merit of doing it...
Provides: bundled(gnulib)
%description %description
GNU enscript is a free replacement for Adobe's Enscript GNU enscript is a free replacement for Adobe's Enscript
program. Enscript converts ASCII files to PostScript(TM) and spools program. Enscript converts ASCII files to PostScript(TM) and spools
@ -53,6 +65,8 @@ includes many options for customizing printouts
%patch15 -p1 -b .bufpos-crash %patch15 -p1 -b .bufpos-crash
# 1664367 - [RFE] Add support for 885915 encoding in enscript # 1664367 - [RFE] Add support for 885915 encoding in enscript
%patch16 -p1 -b .newencodings %patch16 -p1 -b .newencodings
# CVE in gnulib
%patch17 -p1 -b .vasnprintf
%{__tar} -C states/hl -zxf %{SOURCE1} ruby.st %{__tar} -C states/hl -zxf %{SOURCE1} ruby.st
install -pm 644 %{SOURCE2} states/hl/php.st install -pm 644 %{SOURCE2} states/hl/php.st
@ -101,6 +115,7 @@ done
* Tue Jan 29 2019 Zdenek Dohnal <zdohnal@redhat.com> - 1.6.6-19 * Tue Jan 29 2019 Zdenek Dohnal <zdohnal@redhat.com> - 1.6.6-19
- 1664367 - [RFE] Add support for 885915 encoding in enscript - 1664367 - [RFE] Add support for 885915 encoding in enscript
- remove old Obsoletes/Provides - remove old Obsoletes/Provides
- fix gnulib CVE
* Tue Jul 24 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1.6.6-18 * Tue Jul 24 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1.6.6-18
- correcting license - correcting license