pacho       11/01/18 09:04:51

  Added:                evince-2.32.0-libdocument-segfault.patch
                        evince-2.32.0-dvi-CVEs.patch
                        evince-2.32.0-pk-fonts.patch
  Removed:              evince-2.27.4-smclient-configure.patch
  Log:
  Revision bump including upstream patches for fixing security bugs in dvi backend, libdocument segfaults and problem with pk fonts after applying security patch. Remove old.
  
  (Portage version: 2.1.9.31/cvs/Linux x86_64)

Revision  Changes    Path
1.1                  app-text/evince/files/evince-2.32.0-libdocument-segfault.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-text/evince/files/evince-2.32.0-libdocument-segfault.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-text/evince/files/evince-2.32.0-libdocument-segfault.patch?rev=1.1&content-type=text/plain

Index: evince-2.32.0-libdocument-segfault.patch
===================================================================
From a933a516e9b6a4199d22055f9041747e00498901 Mon Sep 17 00:00:00 2001
From: José Aliste <jaliste@...>
Date: Wed, 29 Sep 2010 16:22:32 +0000
Subject: [libdocument] Check for NULL in synctex_backward_search.

Fixes bug #630845
---
diff --git a/libdocument/ev-document.c b/libdocument/ev-document.c
index 70349dc..742b51c 100644
--- a/libdocument/ev-document.c
+++ b/libdocument/ev-document.c
@@ -419,11 +419,16 @@ ev_document_synctex_backward_search (EvDocument *document,
                 /* We assume that a backward search returns either zero or one result_node */
                 node = synctex_next_result (scanner);
                 if (node != NULL) {
-                        result = g_new (EvSourceLink, 1);
-                        result->filename = synctex_scanner_get_name (scanner,
-                                                                     synctex_node_tag (node));
-                        result->line = synctex_node_line (node);
-                        result->col = synctex_node_column (node);
+			const gchar *filename;
+
+			filename = synctex_scanner_get_name (scanner, synctex_node_tag (node));
+			
+			if (filename) {
+				result = g_new (EvSourceLink, 1);
+				result->filename = filename;
+				result->line = synctex_node_line (node);
+				result->col = synctex_node_column (node);
+			}
                 }
         }
 
--
cgit v0.8.3.1



1.1                  app-text/evince/files/evince-2.32.0-dvi-CVEs.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-text/evince/files/evince-2.32.0-dvi-CVEs.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-text/evince/files/evince-2.32.0-dvi-CVEs.patch?rev=1.1&content-type=text/plain

Index: evince-2.32.0-dvi-CVEs.patch
===================================================================
From 8e473c9796b9a61b811213e7892fd36fd570303a Mon Sep 17 00:00:00 2001
From: José Aliste <jaliste@...>
Date: Tue, 07 Dec 2010 18:56:47 +0000
Subject: backends: Fix several security issues in the dvi-backend.

See CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and  CVE-2010-2643.
---
diff --git a/backend/dvi/mdvi-lib/afmparse.c b/backend/dvi/mdvi-lib/afmparse.c
index 164366b..361e23d 100644
--- a/backend/dvi/mdvi-lib/afmparse.c
+++ b/backend/dvi/mdvi-lib/afmparse.c
@@ -160,7 +160,7 @@ static char *token(FILE *stream)
     
     idx = 0;
     while (ch != EOF && ch != ' ' && ch != lineterm 
-           && ch != '\t' && ch != ':' && ch != ';') 
+           && ch != '\t' && ch != ':' && ch != ';' && idx < MAX_NAME)
     {
         ident[idx++] = ch;
         ch = fgetc(stream);
diff --git a/backend/dvi/mdvi-lib/dviread.c b/backend/dvi/mdvi-lib/dviread.c
index 97b7b84..ac98068 100644
--- a/backend/dvi/mdvi-lib/dviread.c
+++ b/backend/dvi/mdvi-lib/dviread.c
@@ -1537,6 +1537,10 @@ int	special(DviContext *dvi, int opcode)
 	Int32	arg;
 	
 	arg = dugetn(dvi, opcode - DVI_XXX1 + 1);
+	if (arg <= 0) {
+		dvierr(dvi, _("malformed special length\n"));
+		return -1;
+	}
 	s = mdvi_malloc(arg + 1);
 	dread(dvi, s, arg);
 	s[arg] = 0;
diff --git a/backend/dvi/mdvi-lib/pk.c b/backend/dvi/mdvi-lib/pk.c
index a579186..08377e6 100644
--- a/backend/dvi/mdvi-lib/pk.c
+++ b/backend/dvi/mdvi-lib/pk.c
@@ -469,6 +469,15 @@ static int pk_load_font(DviParams *unused, DviFont *font)
 			}
 			if(feof(p))
 				break;
+
+			/* Although the PK format support bigger char codes,
+                         * XeTeX and other extended TeX engines support charcodes up to
+                         * 65536, while normal TeX engine supports only charcode up to 255.*/
+			if (cc < 0 || cc > 65536) {
+				mdvi_error (_("%s: unexpected charcode (%d)\n"),
+					    font->fontname,cc);
+				goto error;
+			} 
 			if(cc < loc)
 				loc = cc;
 			if(cc > hic)
@@ -512,7 +521,7 @@ static int pk_load_font(DviParams *unused, DviFont *font)
 	}
 
 	/* resize font char data */
-	if(loc > 0 || hic < maxch-1) {
+	if(loc > 0 && hic < maxch-1) {
 		memmove(font->chars, font->chars + loc, 
 			(hic - loc + 1) * sizeof(DviFontChar));
 		font->chars = xresize(font->chars,
diff --git a/backend/dvi/mdvi-lib/tfmfile.c b/backend/dvi/mdvi-lib/tfmfile.c
index 73ebf26..8c2a30b 100644
--- a/backend/dvi/mdvi-lib/tfmfile.c
+++ b/backend/dvi/mdvi-lib/tfmfile.c
@@ -172,7 +172,8 @@ int	tfm_load_file(const char *filename, TFMInfo *info)
 	/* We read the entire TFM file into core */
 	if(fstat(fileno(in), &st) < 0)
 		return -1;
-	if(st.st_size == 0)
+	/* according to the spec, TFM files are smaller than 16K */
+	if(st.st_size == 0 || st.st_size >= 16384)
 		goto bad_tfm;
 
 	/* allocate a word-aligned buffer to hold the file */
diff --git a/backend/dvi/mdvi-lib/vf.c b/backend/dvi/mdvi-lib/vf.c
index fb49847..a5ae3bb 100644
--- a/backend/dvi/mdvi-lib/vf.c
+++ b/backend/dvi/mdvi-lib/vf.c
@@ -165,6 +165,12 @@ static int vf_load_font(DviParams *params, DviFont *font)
 			cc = fuget1(p);
 			tfm = fuget3(p);
 		}
+		if (cc < 0 || cc > 65536) {
+			/* TeX engines do not support char codes bigger than 65535 */
+			mdvi_error(_("(vf) %s: unexpected character %d\n"),
+				   font->fontname, cc);
+			goto error;
+		}
 		if(loc < 0 || cc < loc)
 			loc = cc;
 		if(hic < 0 || cc > hic)
--
cgit v0.8.3.1



1.1                  app-text/evince/files/evince-2.32.0-pk-fonts.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-text/evince/files/evince-2.32.0-pk-fonts.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-text/evince/files/evince-2.32.0-pk-fonts.patch?rev=1.1&content-type=text/plain

Index: evince-2.32.0-pk-fonts.patch
===================================================================
From 0a6e8aabcc46d47b5d84e5414cd0e07d57ef171b Mon Sep 17 00:00:00 2001
From: José Aliste <jaliste@...>
Date: Mon, 17 Jan 2011 17:30:00 +0000
Subject: Fix problem with some pk fonts.

---
diff --git a/backend/dvi/mdvi-lib/pk.c b/backend/dvi/mdvi-lib/pk.c
index 08377e6..a911613 100644
--- a/backend/dvi/mdvi-lib/pk.c
+++ b/backend/dvi/mdvi-lib/pk.c
@@ -328,13 +328,14 @@ static int pk_load_font(DviParams *unused, DviFont *font)
 {
 	int	i;
 	int	flag_byte;
-	int	loc, hic, maxch;
+	int	hic, maxch;
 	Int32	checksum;
 	FILE	*p;
 #ifndef NODEBUG
 	char	s[256];
 #endif
 	long	alpha, beta, z;
+	unsigned int loc;
 
 	font->chars = xnalloc(DviFontChar, 256);
 	p = font->in;
@@ -521,7 +522,7 @@ static int pk_load_font(DviParams *unused, DviFont *font)
 	}
 
 	/* resize font char data */
-	if(loc > 0 && hic < maxch-1) {
+	if(loc > 0 || hic < maxch-1) {
 		memmove(font->chars, font->chars + loc, 
 			(hic - loc + 1) * sizeof(DviFontChar));
 		font->chars = xresize(font->chars,
--
cgit v0.8.3.1