[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
05/07: gnu: t1lib: Fix CVE-2010-2642, CVE-2011-{0764, 1552, 1553, 1554}.
From: |
Efraim Flashner |
Subject: |
05/07: gnu: t1lib: Fix CVE-2010-2642, CVE-2011-{0764, 1552, 1553, 1554}. |
Date: |
Mon, 30 May 2016 09:09:31 +0000 (UTC) |
efraim pushed a commit to branch master
in repository guix.
commit 4f3e02f198719c98a46aa3060fbd9bececa20f87
Author: Efraim Flashner <address@hidden>
Date: Mon May 30 11:46:12 2016 +0300
gnu: t1lib: Fix CVE-2010-2642, CVE-2011-{0764, 1552, 1553, 1554}.
* gnu/packages/fontutils.scm (t1lib)[source]: Add patches.
* gnu/packages/patches/t1lib-CVE-2010-2642.patch,
gnu/packages/patches/t1lib-CVE-2011-0764.patch,
gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch:
New variables.
* gnu/local.mk (dist_patch_DATA): Add them.
---
gnu/local.mk | 3 +
gnu/packages/fontutils.scm | 6 +-
gnu/packages/patches/t1lib-CVE-2010-2642.patch | 24 ++++
gnu/packages/patches/t1lib-CVE-2011-0764.patch | 32 +++++
...CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch | 133 ++++++++++++++++++++
5 files changed, 197 insertions(+), 1 deletion(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index 63ac668..1f2c2dd 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -741,6 +741,9 @@ dist_patch_DATA =
\
%D%/packages/patches/sudo-CVE-2015-5602.patch \
%D%/packages/patches/superlu-dist-scotchmetis.patch \
%D%/packages/patches/synfig-build-fix.patch \
+ %D%/packages/patches/t1lib-CVE-2010-2642.patch \
+ %D%/packages/patches/t1lib-CVE-2011-0764.patch \
+ %D%/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch
\
%D%/packages/patches/tar-d_ino_in_dirent-fix.patch \
%D%/packages/patches/tar-skip-unreliable-tests.patch \
%D%/packages/patches/tcl-mkindex-deterministic.patch \
diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm
index 3847cfb..73ce685 100644
--- a/gnu/packages/fontutils.scm
+++ b/gnu/packages/fontutils.scm
@@ -286,7 +286,11 @@ high quality, anti-aliased and subpixel rendered text on a
display.")
(string-append "https://fossies.org/linux/misc/old/"
name "-" version ".tar.gz")))
(sha256 (base32
- "0nbvjpnmcznib1nlgg8xckrmsw3haa154byds2h90y2g0nsjh4w2"))))
+ "0nbvjpnmcznib1nlgg8xckrmsw3haa154byds2h90y2g0nsjh4w2"))
+ (patches (search-patches
+ "t1lib-CVE-2010-2642.patch"
+ "t1lib-CVE-2011-0764.patch"
+
"t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch"))))
(build-system gnu-build-system)
(arguments
;; Making the documentation requires latex, but t1lib is also an input
diff --git a/gnu/packages/patches/t1lib-CVE-2010-2642.patch
b/gnu/packages/patches/t1lib-CVE-2010-2642.patch
new file mode 100644
index 0000000..cd54889
--- /dev/null
+++ b/gnu/packages/patches/t1lib-CVE-2010-2642.patch
@@ -0,0 +1,24 @@
+diff --git a/lib/t1lib/parseAFM.c b/lib/t1lib/parseAFM.c
+index 6a31d7f..ba64541 100644
+--- a/lib/t1lib/parseAFM.c
++++ b/lib/t1lib/parseAFM.c
+@@ -199,7 +199,9 @@ static char *token(stream)
+ idx = 0;
+
+ while (ch != EOF && ch != ' ' && ch != CR && ch != LF &&
+- ch != CTRL_Z && ch != '\t' && ch != ':' && ch != ';'){
++ ch != CTRL_Z && ch != '\t' && ch != ':' && ch != ';'
++ && idx < (MAX_NAME -1))
++ {
+ ident[idx++] = ch;
+ ch = fgetc(stream);
+ } /* while */
+@@ -235,7 +237,7 @@ static char *linetoken(stream)
+ while ((ch = fgetc(stream)) == ' ' || ch == '\t' );
+
+ idx = 0;
+- while (ch != EOF && ch != CR && ch != LF && ch != CTRL_Z)
++ while (ch != EOF && ch != CR && ch != LF && ch != CTRL_Z && idx <
(MAX_NAME - 1))
+ {
+ ident[idx++] = ch;
+ ch = fgetc(stream);
diff --git a/gnu/packages/patches/t1lib-CVE-2011-0764.patch
b/gnu/packages/patches/t1lib-CVE-2011-0764.patch
new file mode 100644
index 0000000..c2d9e17
--- /dev/null
+++ b/gnu/packages/patches/t1lib-CVE-2011-0764.patch
@@ -0,0 +1,32 @@
+Description: Don't lookup previous point if there isn't any
+Author: Marc Deslauriers <address@hidden>
+Forwarded: no
+
+Index: t1lib-5.1.2/lib/type1/type1.c
+===================================================================
+--- t1lib-5.1.2.orig/lib/type1/type1.c 2011-12-13 14:24:14.280965637 -0600
++++ t1lib-5.1.2/lib/type1/type1.c 2011-12-13 14:25:25.893320747 -0600
+@@ -1700,6 +1700,7 @@
+ long pindex = 0;
+
+ /* compute hinting for previous segment! */
++ if (ppoints == NULL) Error0i("RLineTo: No previous point!\n");
+ FindStems( currx, curry, currx-ppoints[numppoints-2].x,
curry-ppoints[numppoints-2].y, dx, dy);
+
+ /* Allocate a new path point and pre-setup data */
+@@ -1728,6 +1729,7 @@
+ long pindex = 0;
+
+ /* compute hinting for previous point! */
++ if (ppoints == NULL) Error0i("RRCurveTo: No previous point!\n");
+ FindStems( currx, curry, currx-ppoints[numppoints-2].x,
curry-ppoints[numppoints-2].y, dx1, dy1);
+
+ /* Allocate three new path points and pre-setup data */
+@@ -1903,6 +1905,7 @@
+ FindStems( currx, curry, 0, 0, dx, dy);
+ }
+ else {
++ if (ppoints == NULL) Error0i("RMoveTo: No previous point!\n");
+ FindStems( currx, curry, ppoints[numppoints-2].x,
ppoints[numppoints-2].y, dx, dy);
+ }
+
diff --git
a/gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch
b/gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch
new file mode 100644
index 0000000..aaa31f7
--- /dev/null
+++ b/gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch
@@ -0,0 +1,133 @@
+Author: Jaroslav Škarvada <address@hidden>
+Description: Fix more crashes on oversized fonts
+Bug-Redhat: http://bugzilla.redhat.com/show_bug.cgi?id=692909
+Index: t1lib-5.1.2/lib/type1/lines.c
+===================================================================
+--- t1lib-5.1.2.orig/lib/type1/lines.c 2007-12-23 09:49:42.000000000 -0600
++++ t1lib-5.1.2/lib/type1/lines.c 2012-01-17 14:15:08.000000000 -0600
+@@ -67,6 +67,10 @@
+ None.
+ */
+
++#define BITS (sizeof(LONG)*8)
++#define HIGHTEST(p) (((p)>>(BITS-2)) != 0) /* includes sign bit */
++#define TOOBIG(xy) ((xy < 0) ? HIGHTEST(-xy) : HIGHTEST(xy))
++
+ /*
+ :h2.StepLine() - Produces Run Ends for a Line After Checks
+
+@@ -84,6 +88,9 @@
+ IfTrace4((LineDebug > 0), ".....StepLine: (%d,%d) to (%d,%d)\n",
+ x1, y1, x2, y2);
+
++ if ( TOOBIG(x1) || TOOBIG(x2) || TOOBIG(y1) || TOOBIG(y2))
++ abort("Lines this big not supported", 49);
++
+ dy = y2 - y1;
+
+ /*
+Index: t1lib-5.1.2/lib/type1/objects.c
+===================================================================
+--- t1lib-5.1.2.orig/lib/type1/objects.c 2007-12-23 09:49:42.000000000
-0600
++++ t1lib-5.1.2/lib/type1/objects.c 2012-01-17 14:15:08.000000000 -0600
+@@ -1137,12 +1137,13 @@
+ "Context: out of them", /* 46 */
+ "MatrixInvert: can't", /* 47 */
+ "xiStub called", /* 48 */
+- "Illegal access type1 abort() message" /* 49 */
++ "Lines this big not supported", /* 49 */
++ "Illegal access type1 abort() message" /* 50 */
+ };
+
+- /* no is valid from 1 to 48 */
+- if ( (number<1)||(number>48))
+- number=49;
++ /* no is valid from 1 to 49 */
++ if ( (number<1)||(number>49))
++ number=50;
+ return( err_msgs[number-1]);
+
+ }
+Index: t1lib-5.1.2/lib/type1/type1.c
+===================================================================
+--- t1lib-5.1.2.orig/lib/type1/type1.c 2012-01-17 14:13:28.000000000 -0600
++++ t1lib-5.1.2/lib/type1/type1.c 2012-01-17 14:19:54.000000000 -0600
+@@ -1012,6 +1012,7 @@
+ double nextdtana = 0.0; /* tangent of post-delta against horizontal line
*/
+ double nextdtanb = 0.0; /* tangent of post-delta against vertical line */
+
++ if (ppoints == NULL || numppoints < 1) Error0v("FindStems: No previous
point!\n");
+
+ /* setup default hinted position */
+ ppoints[numppoints-1].ax = ppoints[numppoints-1].x;
+@@ -1289,7 +1290,7 @@
+ static int DoRead(CodeP)
+ int *CodeP;
+ {
+- if (strindex >= CharStringP->len) return(FALSE); /* end of string */
++ if (!CharStringP || strindex >= CharStringP->len) return(FALSE); /* end of
string */
+ /* We handle the non-documented Adobe convention to use lenIV=-1 to
+ suppress charstring encryption. */
+ if (blues->lenIV==-1) {
+@@ -1700,7 +1701,7 @@
+ long pindex = 0;
+
+ /* compute hinting for previous segment! */
+- if (ppoints == NULL) Error0i("RLineTo: No previous point!\n");
++ if (ppoints == NULL || numppoints < 2) Error0i("RLineTo: No previous
point!\n");
+ FindStems( currx, curry, currx-ppoints[numppoints-2].x,
curry-ppoints[numppoints-2].y, dx, dy);
+
+ /* Allocate a new path point and pre-setup data */
+@@ -1729,7 +1730,7 @@
+ long pindex = 0;
+
+ /* compute hinting for previous point! */
+- if (ppoints == NULL) Error0i("RRCurveTo: No previous point!\n");
++ if (ppoints == NULL || numppoints < 2) Error0i("RRCurveTo: No previous
point!\n");
+ FindStems( currx, curry, currx-ppoints[numppoints-2].x,
curry-ppoints[numppoints-2].y, dx1, dy1);
+
+ /* Allocate three new path points and pre-setup data */
+@@ -1788,7 +1789,9 @@
+ long tmpind;
+ double deltax = 0.0;
+ double deltay = 0.0;
+-
++
++ if (ppoints == NULL || numppoints < 1) Error0i("DoClosePath: No previous
point!");
++
+ /* If this ClosePath command together with the starting point of this
+ path completes to a segment aligned to a stem, we would miss
+ hinting for this point. --> Check and explicitly care for this! */
+@@ -1803,6 +1806,7 @@
+ deltax = ppoints[i].x - ppoints[numppoints-1].x;
+ deltay = ppoints[i].y - ppoints[numppoints-1].y;
+
++ if (ppoints == NULL || numppoints <= i + 1) Error0i("DoClosePath: No
previous point!");
+ /* save nummppoints and reset to move point */
+ tmpind = numppoints;
+ numppoints = i + 1;
+@@ -1905,7 +1909,7 @@
+ FindStems( currx, curry, 0, 0, dx, dy);
+ }
+ else {
+- if (ppoints == NULL) Error0i("RMoveTo: No previous point!\n");
++ if (ppoints == NULL || numppoints < 2) Error0i("RMoveTo: No previous
point!\n");
+ FindStems( currx, curry, ppoints[numppoints-2].x,
ppoints[numppoints-2].y, dx, dy);
+ }
+
+@@ -2155,6 +2159,7 @@
+ DOUBLE cx, cy;
+ DOUBLE ex, ey;
+
++ if (ppoints == NULL || numppoints < 8) Error0v("FlxProc: No previous
point!");
+
+ /* Our PPOINT list now contains 7 moveto commands which
+ are about to be consumed by the Flex mechanism. --> Remove these
+@@ -2324,6 +2329,7 @@
+ /* Returns currentpoint on stack */
+ static void FlxProc2()
+ {
++ if (ppoints == NULL || numppoints < 1) Error0v("FlxProc2: No previous
point!");
+ /* Push CurrentPoint on fake PostScript stack */
+ PSFakePush( ppoints[numppoints-1].x);
+ PSFakePush( ppoints[numppoints-1].y);
- branch master updated (538884c -> 5f1ba08), Efraim Flashner, 2016/05/30
- 01/07: gnu: tinyproxy: Update to 1.8.4 [Fixes CVE-2012-3505]., Efraim Flashner, 2016/05/30
- 02/07: gnu: dtach: Update to 0.9 [Fixes CVE-2012-3368]., Efraim Flashner, 2016/05/30
- 03/07: gnu: dtach: Use 'modify-phases'., Efraim Flashner, 2016/05/30
- 04/07: download: Update Sourceforge mirrors., Efraim Flashner, 2016/05/30
- 06/07: gnu: vte-0.28: Fix CVE-2012-2738., Efraim Flashner, 2016/05/30
- 05/07: gnu: t1lib: Fix CVE-2010-2642, CVE-2011-{0764, 1552, 1553, 1554}.,
Efraim Flashner <=
- 07/07: gnu: gegl: Fix CVE-2012-4433., Efraim Flashner, 2016/05/30