From 89ac5bdadb6ce9d412a87cd3fd4ef466e2d5480f Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 21 Jan 2020 18:32:10 -0500
Subject: [PATCH] import liblouis-2.6.2-19.el8
---
SOURCES/liblouis-2.6.2-CVE-2018-11577.patch | 51 +++++++++++++++++++++
SOURCES/liblouis-2.6.2-CVE-2018-11684.patch | 34 ++++++++++++++
SOURCES/liblouis-2.6.2-CVE-2018-11685.patch | 21 +++++++++
SOURCES/liblouis-2.6.2-CVE-2018-12085.patch | 25 ++++++++++
SOURCES/liblouis-2.6.2-coverity-fixes.patch | 20 ++++++++
SPECS/liblouis.spec | 29 +++++++++++-
6 files changed, 179 insertions(+), 1 deletion(-)
create mode 100644 SOURCES/liblouis-2.6.2-CVE-2018-11577.patch
create mode 100644 SOURCES/liblouis-2.6.2-CVE-2018-11684.patch
create mode 100644 SOURCES/liblouis-2.6.2-CVE-2018-11685.patch
create mode 100644 SOURCES/liblouis-2.6.2-CVE-2018-12085.patch
create mode 100644 SOURCES/liblouis-2.6.2-coverity-fixes.patch
diff --git a/SOURCES/liblouis-2.6.2-CVE-2018-11577.patch b/SOURCES/liblouis-2.6.2-CVE-2018-11577.patch
new file mode 100644
index 0000000..3d5cf56
--- /dev/null
+++ b/SOURCES/liblouis-2.6.2-CVE-2018-11577.patch
@@ -0,0 +1,51 @@
+From 7e135b9313ad06218dfcf9ed63070edede7745a1 Mon Sep 17 00:00:00 2001
+From: Christian Egli
+Date: Thu, 31 May 2018 12:08:56 +0200
+Subject: [PATCH] Fix yet another buffer overflow in the braille table parser
+
+Reported by Edward-L
+
+Fixes #582
+diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
+index 777e1da..b6bd010 100644
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -2855,6 +2855,10 @@ compilePassOpcode (FileInfo * nested, TranslationTableOpcode opcode)
+ passLinepos = 0;
+ while (passLinepos <= endTest)
+ {
++ if (passIC >= MAXSTRING) {
++ compileError(passNested, "Test part in multipass operand too long");
++ return 0;
++ }
+ switch ((passSubOp = passLine.chars[passLinepos]))
+ {
+ case pass_lookback:
+@@ -3050,6 +3054,10 @@ compilePassOpcode (FileInfo * nested, TranslationTableOpcode opcode)
+ while (passLinepos < passLine.length &&
+ passLine.chars[passLinepos] > 32)
+ {
++ if (passIC >= MAXSTRING) {
++ compileError(passNested, "Action part in multipass operand too long");
++ return 0;
++ }
+ switch ((passSubOp = passLine.chars[passLinepos]))
+ {
+ case pass_string:
+@@ -3077,8 +3085,15 @@ compilePassOpcode (FileInfo * nested, TranslationTableOpcode opcode)
+ if (passHoldString.length == 0)
+ return 0;
+ passInstructions[passIC++] = passHoldString.length;
+- for (kk = 0; kk < passHoldString.length; kk++)
++ for (kk = 0; kk < passHoldString.length; kk++)
++ {
++ if (passIC >= MAXSTRING)
++ {
++ compileError(passNested, "@ operand in action part of multipass operand too long");
++ return 0;
++ }
+ passInstructions[passIC++] = passHoldString.chars[kk];
++ }
+ break;
+ case pass_variable:
+ passLinepos++;
diff --git a/SOURCES/liblouis-2.6.2-CVE-2018-11684.patch b/SOURCES/liblouis-2.6.2-CVE-2018-11684.patch
new file mode 100644
index 0000000..6a67f90
--- /dev/null
+++ b/SOURCES/liblouis-2.6.2-CVE-2018-11684.patch
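Review bot: In SOURCES/liblouis-2.6.2-CVE-2018-11577.patch, the two loop-top guards `if (passIC >= MAXSTRING)` in compilePassOpcode bound only the first store of an iteration, so a switch case that writes more than one `passInstructions[passIC++]` before the loop comes round again can still pass the limit. The patch shows this itself: the `@` operand case needed its own per-element check inside the `for (kk ...)` loop, and the store of `passHoldString.length` just above that loop relies on nothing else in the case having advanced passIC first. The remaining cases (`pass_lookback`, `pass_variable` and the rest) are outside the visible hunks and should be audited for multi-store paths; routing every write through one checked-store helper would make the bound hold by construction. A comment at the first guard such as `/* every passInstructions[passIC++] store must be preceded by a passIC < MAXSTRING check */` would record the invariant, assuming the array is declared with MAXSTRING entries, which is not visible here. compilePassOpcode starts and ends outside the hunks.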
@@ -0,0 +1,34 @@
+From fb2bfce4ed49ac4656a8f7e5b5526e4838da1dde Mon Sep 17 00:00:00 2001
+From: Christian Egli
+Date: Mon, 4 Jun 2018 14:11:50 +0200
+Subject: [PATCH] Fix yet another buffer overflow in the braille table parser
+
+Reported by Henri Salo
+
+Fixes #592
+diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
+index 2dc4c46..81a2ea1 100644
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -4789,6 +4789,10 @@ includeFile (FileInfo * nested, CharsString * includedFile)
+ int rv;
+ for (k = 0; k < includedFile->length && k < MAXSTRING; k++)
+ includeThis[k] = (char) includedFile->chars[k];
++ if (k >= MAXSTRING) {
++ compileError(nested, "Include statement too long: 'include %s'", includeThis);
++ return 0;
++ }
+ includeThis[k] = 0;
+ tableFiles = resolveTable (includeThis, nested->fileName);
+ if (tableFiles == NULL)
+@@ -4798,9 +4802,8 @@ includeFile (FileInfo * nested, CharsString * includedFile)
+ }
+ if (tableFiles[1] != NULL)
+ {
+- errorCount++;
+ free_tablefiles(tableFiles);
+- logMessage (LOG_ERROR, "Table list not supported in include statement: 'include %s'", includeThis);
++ compileError(nested, "Table list not supported in include statement: 'include %s'", includeThis);
+ return 0;
+ }
+ rv = compileFile (*tableFiles);
diff --git a/SOURCES/liblouis-2.6.2-CVE-2018-11685.patch b/SOURCES/liblouis-2.6.2-CVE-2018-11685.patch
new file mode 100644
index 0000000..3ee8787
--- /dev/null
+++ b/SOURCES/liblouis-2.6.2-CVE-2018-11685.patch
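Review bot: In SOURCES/liblouis-2.6.2-CVE-2018-11684.patch, the new overflow branch in includeFile hands `includeThis` to a `%s` conversion before the buffer has been terminated: when `k >= MAXSTRING` the copy loop has written its bytes without a NUL, and `includeThis[k] = 0;` sits after the early return. If compileError formats its arguments printf-style, as the call suggests, the error path reads past the copied data, so the overflow fix trades a write for an over-read. Terminate before reporting, for example `includeThis[MAXSTRING - 1] = 0;` immediately ahead of the compileError call, or drop the `%s` argument from this one message. That proposal assumes `includeThis` is declared with MAXSTRING elements; the declaration is outside the hunk.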
@@ -0,0 +1,21 @@
+From b5049cb17ae3d15b2b26890de0e24d0fecc080f5 Mon Sep 17 00:00:00 2001
+From: Christian Egli
+Date: Mon, 4 Jun 2018 15:47:28 +0200
+Subject: [PATCH] Fix yet another buffer overflow in the braille table parser
+
+Reported by Henri Salo
+
+Fixes #593
+diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
+index 81a2ea1..ba50064 100644
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -3596,7 +3596,7 @@ compileHyphenation (FileInfo * nested, CharsString * encoding)
+ HyphenationTrans *holdPointer;
+ HyphenHashTab *hashTab;
+ CharsString word;
+- char pattern[MAXSTRING];
++ char pattern[MAXSTRING + 1];
+ unsigned int stateNum = 0, lastState = 0;
+ int i, j, k = encoding->length;
+ widechar ch;
diff --git a/SOURCES/liblouis-2.6.2-CVE-2018-12085.patch b/SOURCES/liblouis-2.6.2-CVE-2018-12085.patch
new file mode 100644
index 0000000..24b9fd0
--- /dev/null
+++ b/SOURCES/liblouis-2.6.2-CVE-2018-12085.patch
@@ -0,0 +1,25 @@
+From dbfa58bb128cae86729578ac596056b3385817ef Mon Sep 17 00:00:00 2001
+From: Christian Egli
+Date: Wed, 6 Jun 2018 16:41:53 +0200
+Subject: [PATCH] Check index before writing to result->chars
+
+Fixes #595
+
+Index: liblouis-2.6.4/liblouis/compileTranslationTable.c
+===================================================================
+--- liblouis-2.6.4.orig/liblouis/compileTranslationTable.c
++++ liblouis-2.6.4/liblouis/compileTranslationTable.c
+@@ -1517,12 +1517,12 @@ parseChars (FileInfo * nested, CharsStri
+ }
+ in++;
+ }
+- result->chars[out++] = (widechar) ch;
+ if (out >= MAXSTRING)
+ {
+ result->length = out;
+ return 1;
+ }
++ result->chars[out++] = (widechar) ch;
+ continue;
+ }
+ lastOutSize = out;
diff --git a/SOURCES/liblouis-2.6.2-coverity-fixes.patch b/SOURCES/liblouis-2.6.2-coverity-fixes.patch
new file mode 100644
index 0000000..4956f57
--- /dev/null
+++ b/SOURCES/liblouis-2.6.2-coverity-fixes.patch
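Review bot: In SOURCES/liblouis-2.6.2-CVE-2018-11685.patch, `char pattern[MAXSTRING + 1];` in compileHyphenation enlarges the buffer without adding any bound where it is written, and that write site is outside the hunk. The fix therefore holds only as long as every writer stops at MAXSTRING characters and the extra element is used for the terminator, which the declaration does not say. I would document it on the declaration, `/* +1: room for the terminating NUL after MAXSTRING characters */`, after confirming that this is what the extra element is for, and verify that the loop filling `pattern` checks its index against that limit.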
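Review bot: In SOURCES/liblouis-2.6.2-CVE-2018-12085.patch, once the store is moved below the `out >= MAXSTRING` check in parseChars, an over-long operand is cut off and the function still returns 1, so the caller cannot tell a truncated string from a complete one. In a table parser, silently accepting a truncated operand can produce a rule other than the one written; if failing the table is acceptable here, report it before the early return, for example `compileError (nested, "string too long");`. The hunk also covers only this one branch: any other store into `result->chars` later in parseChars, after `lastOutSize = out;`, is outside the hunk and needs the same check-before-write order.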
@@ -0,0 +1,20 @@
+diff -urN liblouis-2.6.2.old/liblouis/compileTranslationTable.c liblouis-2.6.2/liblouis/compileTranslationTable.c
+--- liblouis-2.6.2.old/liblouis/compileTranslationTable.c 2014-09-02 13:19:23.000000000 +0100
++++ liblouis-2.6.2/liblouis/compileTranslationTable.c 2019-12-05 11:57:39.794000000 +0000
+@@ -1836,6 +1823,7 @@
+ if (!(ch->attributes & CTC_Letter))
+ {
+ compileError (nested, "a name may contain only letters");
++ free(nameRule);
+ return 0;
+ }
+ nameRule->name[k] = name->chars[k];
+@@ -4193,7 +4230,7 @@
+ if (ruleDots.chars[0] == '#')
+ ruleDots.length = ruleDots.chars[0] = 0;
+ else if (ruleDots.chars[0] == '\\' && ruleDots.chars[1] == '#')
+- memcpy (&ruleDots.chars[0], &ruleDots.chars[1],
++ memmove (&ruleDots.chars[0], &ruleDots.chars[1],
+ ruleDots.length-- * CHARSIZE);
+ }
+ }
diff --git a/SPECS/liblouis.spec b/SPECS/liblouis.spec
index 574b238..d38dc1b 100644
--- a/SPECS/liblouis.spec
+++ b/SPECS/liblouis.spec
@@ -12,7 +12,7 @@ Name: liblouis Version: 2.6.2 -Release: 16%{?dist} +Release: 19%{?dist} Summary: Braille translation and back-translation library Group: System Environment/Libraries
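Review bot: In the second hunk of SOURCES/liblouis-2.6.2-coverity-fixes.patch, switching to memmove fixes the overlapping copy, but the size is still `ruleDots.length-- * CHARSIZE`, which uses the value before the decrement. That moves `length` elements starting at `chars[1]` and so reads `chars[length]`, one element beyond the string; if `ruleDots.chars` holds MAXSTRING elements (the declaration is not visible) and the rule is at full length, that is a read one element past the array. Moving only the elements that remain avoids it: `memmove (&ruleDots.chars[0], &ruleDots.chars[1], --ruleDots.length * CHARSIZE);`, which is safe as long as length is at least 1 on this branch, as the test of `chars[1]` implies. The enclosing function is outside the hunk and the inner hunk header does not name it.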
@@ -25,6 +25,16 @@ Patch0: 0001-Update-configure.ac-to-reconize-texi2any.patch # https://git.centos.org/raw/rpms/liblouis.git/9f94aa24d3308691c575e2659e42321f4aff1cf3/SOURCES!security-fixes.patch # fixes CVE-2014-8184, CVE-2017-13738, CVE-2017-13740, CVE-2017-13741, CVE-2017-13742, CVE-2017-13743, CVE-2017-13744 Patch1: %{name}-security-fixes.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1585906 +Patch2: liblouis-2.6.2-CVE-2018-11577.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1588632 +Patch3: liblouis-2.6.2-CVE-2018-11684.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1588637 +Patch4: liblouis-2.6.2-CVE-2018-11685.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1589942 +Patch5: liblouis-2.6.2-CVE-2018-12085.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1602585 +Patch6: liblouis-2.6.2-coverity-fixes.patch BuildRequires: chrpath BuildRequires: help2man @@ -124,6 +134,11 @@ This package provides the documentation for liblouis. %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 # For patch0 autoreconf -fi @@ -218,6 +233,18 @@ fi %changelog +* Thu Dec 05 2019 David King - 2.6.2-19 +- Fix two issues found by Coverity (#1602585) + +* Wed Dec 04 2019 David King - 2.6.2-18 +- Apply patch for CVE-2018-12085 (#1589942) + +* Wed Dec 04 2019 David King - 2.6.2-17 +- Fix CVE-2018-11577 (#1585906) +- Fix CVE-2018-11684 (#1588632) +- Fix CVE-2018-11685 (#1588637) +- Fix CVE-2018-12085 (#1589942) + * Thu Jun 07 2018 Charalampos Stratakis - 2.6.2-16 - Conditionalize the python2 subpackage