import liblouis-2.6.2-21.el8

CentOS Sources 2020-04-28 04:49:53 -04:00 committed by Andrew Lukoshko
parent 440f9397c5
commit bd90e66d3d
6 changed files with 247 additions and 1 deletions


@ -0,0 +1,51 @@
From 7e135b9313ad06218dfcf9ed63070edede7745a1 Mon Sep 17 00:00:00 2001
From: Christian Egli <christian.egli@sbs.ch>
Date: Thu, 31 May 2018 12:08:56 +0200
Subject: [PATCH] Fix yet another buffer overflow in the braille table parser
Reported by Edward-L
Fixes #582
diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
index 777e1da..b6bd010 100644
--- a/liblouis/compileTranslationTable.c
+++ b/liblouis/compileTranslationTable.c
@@ -2855,6 +2855,10 @@ compilePassOpcode (FileInfo * nested, TranslationTableOpcode opcode)
passLinepos = 0;
while (passLinepos <= endTest)
{
+ if (passIC >= MAXSTRING) {
+ compileError(passNested, "Test part in multipass operand too long");
+ return 0;
+ }
switch ((passSubOp = passLine.chars[passLinepos]))
{
case pass_lookback:
@@ -3050,6 +3054,10 @@ compilePassOpcode (FileInfo * nested, TranslationTableOpcode opcode)
while (passLinepos < passLine.length &&
passLine.chars[passLinepos] > 32)
{
+ if (passIC >= MAXSTRING) {
+ compileError(passNested, "Action part in multipass operand too long");
+ return 0;
+ }
switch ((passSubOp = passLine.chars[passLinepos]))
{
case pass_string:
@@ -3077,8 +3085,15 @@ compilePassOpcode (FileInfo * nested, TranslationTableOpcode opcode)
if (passHoldString.length == 0)
return 0;
passInstructions[passIC++] = passHoldString.length;
- for (kk = 0; kk < passHoldString.length; kk++)
+ for (kk = 0; kk < passHoldString.length; kk++)
+ {
+ if (passIC >= MAXSTRING)
+ {
+ compileError(passNested, "@ operand in action part of multipass operand too long");
+ return 0;
+ }
passInstructions[passIC++] = passHoldString.chars[kk];
+ }
break;
case pass_variable:
passLinepos++;


@ -0,0 +1,34 @@
From fb2bfce4ed49ac4656a8f7e5b5526e4838da1dde Mon Sep 17 00:00:00 2001
From: Christian Egli <christian.egli@sbs.ch>
Date: Mon, 4 Jun 2018 14:11:50 +0200
Subject: [PATCH] Fix yet another buffer overflow in the braille table parser
Reported by Henri Salo
Fixes #592
diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
index 2dc4c46..81a2ea1 100644
--- a/liblouis/compileTranslationTable.c
+++ b/liblouis/compileTranslationTable.c
@@ -4789,6 +4789,10 @@ includeFile (FileInfo * nested, CharsString * includedFile)
int rv;
for (k = 0; k < includedFile->length && k < MAXSTRING; k++)
includeThis[k] = (char) includedFile->chars[k];
+ if (k >= MAXSTRING) {
+ compileError(nested, "Include statement too long: 'include %s'", includeThis);
+ return 0;
+ }
includeThis[k] = 0;
tableFiles = resolveTable (includeThis, nested->fileName);
if (tableFiles == NULL)
@@ -4798,9 +4802,8 @@ includeFile (FileInfo * nested, CharsString * includedFile)
}
if (tableFiles[1] != NULL)
{
- errorCount++;
free_tablefiles(tableFiles);
- logMessage (LOG_ERROR, "Table list not supported in include statement: 'include %s'", includeThis);
+ compileError(nested, "Table list not supported in include statement: 'include %s'", includeThis);
return 0;
}
rv = compileFile (*tableFiles);
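Review bot: In the first includeFile hunk, the new `k >= MAXSTRING` branch passes `includeThis` to `compileError` with `%s` before the buffer is terminated, because `includeThis[k] = 0;` only runs after the branch. When the branch is taken, the copy loop has filled MAXSTRING bytes without a NUL, so formatting the message reads beyond the copied data. The declaration of `includeThis` is outside the hunk, so its exact size is assumed here. Terminating first, e.g. `includeThis[MAXSTRING - 1] = 0;` as the first statement inside the branch, keeps the error message bounded.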


@ -0,0 +1,21 @@
From b5049cb17ae3d15b2b26890de0e24d0fecc080f5 Mon Sep 17 00:00:00 2001
From: Christian Egli <christian.egli@sbs.ch>
Date: Mon, 4 Jun 2018 15:47:28 +0200
Subject: [PATCH] Fix yet another buffer overflow in the braille table parser
Reported by Henri Salo
Fixes #593
diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
index 81a2ea1..ba50064 100644
--- a/liblouis/compileTranslationTable.c
+++ b/liblouis/compileTranslationTable.c
@@ -3596,7 +3596,7 @@ compileHyphenation (FileInfo * nested, CharsString * encoding)
HyphenationTrans *holdPointer;
HyphenHashTab *hashTab;
CharsString word;
- char pattern[MAXSTRING];
+ char pattern[MAXSTRING + 1];
unsigned int stateNum = 0, lastState = 0;
int i, j, k = encoding->length;
widechar ch;
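Review bot: Enlarging `pattern` to `MAXSTRING + 1` removes the overflow only as long as every writer stays within MAXSTRING characters plus one terminator, and the code that fills `pattern` lies outside this hunk. The declaration would benefit from a comment recording that assumption, for example `/* up to MAXSTRING pattern chars plus terminating NUL */`, provided this matches the writers further down in compileHyphenation. An explicit index check at the write site would be more robust than relying on the buffer size alone, since a later change to the loop bound would silently reintroduce the overflow.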


@ -0,0 +1,25 @@
From dbfa58bb128cae86729578ac596056b3385817ef Mon Sep 17 00:00:00 2001
From: Christian Egli <christian.egli@sbs.ch>
Date: Wed, 6 Jun 2018 16:41:53 +0200
Subject: [PATCH] Check index before writing to result->chars
Fixes #595
Index: liblouis-2.6.4/liblouis/compileTranslationTable.c
===================================================================
--- liblouis-2.6.4.orig/liblouis/compileTranslationTable.c
+++ liblouis-2.6.4/liblouis/compileTranslationTable.c
@@ -1517,12 +1517,12 @@ parseChars (FileInfo * nested, CharsStri
}
in++;
}
- result->chars[out++] = (widechar) ch;
if (out >= MAXSTRING)
{
result->length = out;
return 1;
}
+ result->chars[out++] = (widechar) ch;
continue;
}
lastOutSize = out;


@ -0,0 +1,82 @@
diff -urN liblouis-2.6.2.new/liblouis/compileTranslationTable.c liblouis-2.6.2/liblouis/compileTranslationTable.c
--- liblouis-2.6.2.new/liblouis/compileTranslationTable.c 2020-02-25 09:58:32.322000000 +0000
+++ liblouis-2.6.2/liblouis/compileTranslationTable.c 2020-03-02 09:20:23.017000000 +0000
@@ -1517,9 +1517,10 @@
}
in++;
}
- if (out >= MAXSTRING)
+ if (out >= MAXSTRING - 1)
{
- result->length = out;
+ compileError(nested, "Token too long");
+ result->length = MAXSTRING - 1;
return 1;
}
result->chars[out++] = (widechar) ch;
@@ -1533,15 +1534,16 @@
utf32 = ch & (0XFF - first0Bit[numBytes]);
for (k = 0; k < numBytes; k++)
{
- if (in >= MAXSTRING)
+ if (in >= MAXSTRING - 1)
break;
if (token->chars[in] < 128 || (token->chars[in] & 0x0040))
{
compileWarning (nested, "invalid UTF-8. Assuming Latin-1.");
result->chars[out++] = token->chars[lastIn];
- if (out >= MAXSTRING)
+ if (out >= MAXSTRING - 1)
{
- result->length = out;
+ compileError(nested, "Token too long");
+ result->length = lastOutSize;
return 1;
}
in = lastIn + 1;
@@ -1552,8 +1554,9 @@
if (CHARSIZE == 2 && utf32 > 0xffff)
utf32 = 0xffff;
result->chars[out++] = (widechar) utf32;
- if (out >= MAXSTRING)
+ if (out >= MAXSTRING - 1)
{
+ compileError(nested, "Token too long");
result->length = lastOutSize;
return 1;
}
@@ -1823,6 +1826,7 @@
if (!(ch->attributes & CTC_Letter))
{
compileError (nested, "a name may contain only letters");
+ free(nameRule);
return 0;
}
nameRule->name[k] = name->chars[k];
@@ -2856,7 +2860,7 @@
passLinepos = 0;
while (passLinepos <= endTest)
{
- if (passIC >= MAXSTRING) {
+ if (passIC >= MAXSTRING - 5) {
compileError(passNested, "Test part in multipass operand too long");
return 0;
}
@@ -3055,7 +3059,7 @@
while (passLinepos < passLine.length &&
passLine.chars[passLinepos] > 32)
{
- if (passIC >= MAXSTRING) {
+ if (passIC >= MAXSTRING - 2) {
compileError(passNested, "Action part in multipass operand too long");
return 0;
}
@@ -4229,7 +4233,7 @@
if (ruleDots.chars[0] == '#')
ruleDots.length = ruleDots.chars[0] = 0;
else if (ruleDots.chars[0] == '\\' && ruleDots.chars[1] == '#')
- memcpy (&ruleDots.chars[0], &ruleDots.chars[1],
+ memmove (&ruleDots.chars[0], &ruleDots.chars[1],
ruleDots.length-- * CHARSIZE);
}
}
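Review bot: The last hunk swaps memcpy for memmove but keeps the count `ruleDots.length-- * CHARSIZE`, which is evaluated with the pre-decrement length, so starting at `chars[1]` it reads through `chars[length]`, one element beyond the last valid character. If that trailing element is not meant to be carried along, the count would be `(ruleDots.length - 1) * CHARSIZE` with `ruleDots.length--;` as its own statement; whether `chars[length]` always lies inside the array cannot be confirmed from this hunk. Separately, the new `MAXSTRING - 5` and `MAXSTRING - 2` margins in the multipass guards are bare numbers. A comment stating the largest number of `passInstructions` slots a single loop iteration may append would let a maintainer re-check them when a sub-opcode is added.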


@ -12,7 +12,7 @@
Name: liblouis
Version: 2.6.2
Release: 16%{?dist}
Release: 21%{?dist}
Summary: Braille translation and back-translation library
Group: System Environment/Libraries
@ -25,6 +25,16 @@ Patch0: 0001-Update-configure.ac-to-reconize-texi2any.patch
# https://git.centos.org/raw/rpms/liblouis.git/9f94aa24d3308691c575e2659e42321f4aff1cf3/SOURCES!security-fixes.patch
# fixes CVE-2014-8184, CVE-2017-13738, CVE-2017-13740, CVE-2017-13741, CVE-2017-13742, CVE-2017-13743, CVE-2017-13744
Patch1: %{name}-security-fixes.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1585906
Patch2: liblouis-2.6.2-CVE-2018-11577.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1588632
Patch3: liblouis-2.6.2-CVE-2018-11684.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1588637
Patch4: liblouis-2.6.2-CVE-2018-11685.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1589942
Patch5: liblouis-2.6.2-CVE-2018-12085.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1602585
Patch6: liblouis-2.6.2-coverity-fixes.patch
BuildRequires: chrpath
BuildRequires: help2man
@ -124,6 +134,11 @@ This package provides the documentation for liblouis.
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
# For patch0
autoreconf -fi
@ -218,6 +233,24 @@ fi
%changelog
* Mon Mar 02 2020 David King <dking@redhat.com> - 2.6.2-21
- A further Coverity fix (#1602585)
* Thu Dec 19 2019 David King <dking@redhat.com> - 2.6.2-20
- Fix buffer overruns found by Coverity (#1602585)
* Thu Dec 05 2019 David King <dking@redhat.com> - 2.6.2-19
- Fix two issues found by Coverity (#1602585)
* Wed Dec 04 2019 David King <dking@redhat.com> - 2.6.2-18
- Apply patch for CVE-2018-12085 (#1589942)
* Wed Dec 04 2019 David King <dking@redhat.com> - 2.6.2-17
- Fix CVE-2018-11577 (#1585906)
- Fix CVE-2018-11684 (#1588632)
- Fix CVE-2018-11685 (#1588637)
- Fix CVE-2018-12085 (#1589942)
* Thu Jun 07 2018 Charalampos Stratakis <cstratak@redhat.com> - 2.6.2-16
- Conditionalize the python2 subpackage