1 |
pacho 11/01/18 09:04:51 |
2 |
|
3 |
Added: evince-2.32.0-libdocument-segfault.patch |
4 |
evince-2.32.0-dvi-CVEs.patch |
5 |
evince-2.32.0-pk-fonts.patch |
6 |
Removed: evince-2.27.4-smclient-configure.patch |
7 |
Log: |
8 |
Revision bump including upstream patches for fixing security bugs in dvi backend, libdocument segfaults and problem with pk fonts after applying security patch. Remove old. |
9 |
|
10 |
(Portage version: 2.1.9.31/cvs/Linux x86_64) |
11 |
|
12 |
Revision Changes Path |
13 |
1.1 app-text/evince/files/evince-2.32.0-libdocument-segfault.patch |
14 |
|
15 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-text/evince/files/evince-2.32.0-libdocument-segfault.patch?rev=1.1&view=markup |
16 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-text/evince/files/evince-2.32.0-libdocument-segfault.patch?rev=1.1&content-type=text/plain |
17 |
|
18 |
Index: evince-2.32.0-libdocument-segfault.patch |
19 |
=================================================================== |
20 |
From a933a516e9b6a4199d22055f9041747e00498901 Mon Sep 17 00:00:00 2001 |
21 |
From: José Aliste <jaliste@×××××××××.org> |
22 |
Date: Wed, 29 Sep 2010 16:22:32 +0000 |
23 |
Subject: [libdocument] Check for NULL in synctex_backward_search. |
24 |
|
25 |
Fixes bug #630845 |
26 |
--- |
27 |
diff --git a/libdocument/ev-document.c b/libdocument/ev-document.c |
28 |
index 70349dc..742b51c 100644 |
29 |
--- a/libdocument/ev-document.c |
30 |
+++ b/libdocument/ev-document.c |
31 |
@@ -419,11 +419,16 @@ ev_document_synctex_backward_search (EvDocument *document, |
32 |
/* We assume that a backward search returns either zero or one result_node */ |
33 |
node = synctex_next_result (scanner); |
34 |
if (node != NULL) { |
35 |
- result = g_new (EvSourceLink, 1); |
36 |
- result->filename = synctex_scanner_get_name (scanner, |
37 |
- synctex_node_tag (node)); |
38 |
- result->line = synctex_node_line (node); |
39 |
- result->col = synctex_node_column (node); |
40 |
+ const gchar *filename; |
41 |
+ |
42 |
+ filename = synctex_scanner_get_name (scanner, synctex_node_tag (node)); |
43 |
+ |
44 |
+ if (filename) { |
45 |
+ result = g_new (EvSourceLink, 1); |
46 |
+ result->filename = filename; |
47 |
+ result->line = synctex_node_line (node); |
48 |
+ result->col = synctex_node_column (node); |
49 |
+ } |
50 |
} |
51 |
} |
52 |
|
53 |
-- |
54 |
cgit v0.8.3.1 |
55 |
|
56 |
|
57 |
|
58 |
1.1 app-text/evince/files/evince-2.32.0-dvi-CVEs.patch |
59 |
|
60 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-text/evince/files/evince-2.32.0-dvi-CVEs.patch?rev=1.1&view=markup |
61 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-text/evince/files/evince-2.32.0-dvi-CVEs.patch?rev=1.1&content-type=text/plain |
62 |
|
63 |
Index: evince-2.32.0-dvi-CVEs.patch |
64 |
=================================================================== |
65 |
From 8e473c9796b9a61b811213e7892fd36fd570303a Mon Sep 17 00:00:00 2001 |
66 |
From: José Aliste <jaliste@×××××××××.org> |
67 |
Date: Tue, 07 Dec 2010 18:56:47 +0000 |
68 |
Subject: backends: Fix several security issues in the dvi-backend. |
69 |
|
70 |
See CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643. |
71 |
--- |
72 |
diff --git a/backend/dvi/mdvi-lib/afmparse.c b/backend/dvi/mdvi-lib/afmparse.c |
73 |
index 164366b..361e23d 100644 |
74 |
--- a/backend/dvi/mdvi-lib/afmparse.c |
75 |
+++ b/backend/dvi/mdvi-lib/afmparse.c |
76 |
@@ -160,7 +160,7 @@ static char *token(FILE *stream) |
77 |
|
78 |
idx = 0; |
79 |
while (ch != EOF && ch != ' ' && ch != lineterm |
80 |
- && ch != '\t' && ch != ':' && ch != ';') |
81 |
+ && ch != '\t' && ch != ':' && ch != ';' && idx < MAX_NAME) |
82 |
{ |
83 |
ident[idx++] = ch; |
84 |
ch = fgetc(stream); |
85 |
diff --git a/backend/dvi/mdvi-lib/dviread.c b/backend/dvi/mdvi-lib/dviread.c |
86 |
index 97b7b84..ac98068 100644 |
87 |
--- a/backend/dvi/mdvi-lib/dviread.c |
88 |
+++ b/backend/dvi/mdvi-lib/dviread.c |
89 |
@@ -1537,6 +1537,10 @@ int special(DviContext *dvi, int opcode) |
90 |
Int32 arg; |
91 |
|
92 |
arg = dugetn(dvi, opcode - DVI_XXX1 + 1); |
93 |
+ if (arg <= 0) { |
94 |
+ dvierr(dvi, _("malformed special length\n")); |
95 |
+ return -1; |
96 |
+ } |
97 |
s = mdvi_malloc(arg + 1); |
98 |
dread(dvi, s, arg); |
99 |
s[arg] = 0; |
100 |
diff --git a/backend/dvi/mdvi-lib/pk.c b/backend/dvi/mdvi-lib/pk.c |
101 |
index a579186..08377e6 100644 |
102 |
--- a/backend/dvi/mdvi-lib/pk.c |
103 |
+++ b/backend/dvi/mdvi-lib/pk.c |
104 |
@@ -469,6 +469,15 @@ static int pk_load_font(DviParams *unused, DviFont *font) |
105 |
} |
106 |
if(feof(p)) |
107 |
break; |
108 |
+ |
109 |
+ /* Although the PK format support bigger char codes, |
110 |
+ * XeTeX and other extended TeX engines support charcodes up to |
111 |
+ * 65536, while normal TeX engine supports only charcode up to 255.*/ |
112 |
+ if (cc < 0 || cc > 65536) { |
113 |
+ mdvi_error (_("%s: unexpected charcode (%d)\n"), |
114 |
+ font->fontname,cc); |
115 |
+ goto error; |
116 |
+ } |
117 |
if(cc < loc) |
118 |
loc = cc; |
119 |
if(cc > hic) |
120 |
@@ -512,7 +521,7 @@ static int pk_load_font(DviParams *unused, DviFont *font) |
121 |
} |
122 |
|
123 |
/* resize font char data */ |
124 |
- if(loc > 0 || hic < maxch-1) { |
125 |
+ if(loc > 0 && hic < maxch-1) { |
126 |
memmove(font->chars, font->chars + loc, |
127 |
(hic - loc + 1) * sizeof(DviFontChar)); |
128 |
font->chars = xresize(font->chars, |
129 |
diff --git a/backend/dvi/mdvi-lib/tfmfile.c b/backend/dvi/mdvi-lib/tfmfile.c |
130 |
index 73ebf26..8c2a30b 100644 |
131 |
--- a/backend/dvi/mdvi-lib/tfmfile.c |
132 |
+++ b/backend/dvi/mdvi-lib/tfmfile.c |
133 |
@@ -172,7 +172,8 @@ int tfm_load_file(const char *filename, TFMInfo *info) |
134 |
/* We read the entire TFM file into core */ |
135 |
if(fstat(fileno(in), &st) < 0) |
136 |
return -1; |
137 |
- if(st.st_size == 0) |
138 |
+ /* according to the spec, TFM files are smaller than 16K */ |
139 |
+ if(st.st_size == 0 || st.st_size >= 16384) |
140 |
goto bad_tfm; |
141 |
|
142 |
/* allocate a word-aligned buffer to hold the file */ |
143 |
diff --git a/backend/dvi/mdvi-lib/vf.c b/backend/dvi/mdvi-lib/vf.c |
144 |
index fb49847..a5ae3bb 100644 |
145 |
--- a/backend/dvi/mdvi-lib/vf.c |
146 |
+++ b/backend/dvi/mdvi-lib/vf.c |
147 |
@@ -165,6 +165,12 @@ static int vf_load_font(DviParams *params, DviFont *font) |
148 |
cc = fuget1(p); |
149 |
tfm = fuget3(p); |
150 |
} |
151 |
+ if (cc < 0 || cc > 65536) { |
152 |
+ /* TeX engines do not support char codes bigger than 65535 */ |
153 |
+ mdvi_error(_("(vf) %s: unexpected character %d\n"), |
154 |
+ font->fontname, cc); |
155 |
+ goto error; |
156 |
+ } |
157 |
if(loc < 0 || cc < loc) |
158 |
loc = cc; |
159 |
if(hic < 0 || cc > hic) |
160 |
-- |
161 |
cgit v0.8.3.1 |
162 |
|
163 |
|
164 |
|
165 |
1.1 app-text/evince/files/evince-2.32.0-pk-fonts.patch |
166 |
|
167 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-text/evince/files/evince-2.32.0-pk-fonts.patch?rev=1.1&view=markup |
168 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-text/evince/files/evince-2.32.0-pk-fonts.patch?rev=1.1&content-type=text/plain |
169 |
|
170 |
Index: evince-2.32.0-pk-fonts.patch |
171 |
=================================================================== |
172 |
From 0a6e8aabcc46d47b5d84e5414cd0e07d57ef171b Mon Sep 17 00:00:00 2001 |
173 |
From: José Aliste <jaliste@×××××××××.org> |
174 |
Date: Mon, 17 Jan 2011 17:30:00 +0000 |
175 |
Subject: Fix problem with some pk fonts. |
176 |
|
177 |
--- |
178 |
diff --git a/backend/dvi/mdvi-lib/pk.c b/backend/dvi/mdvi-lib/pk.c |
179 |
index 08377e6..a911613 100644 |
180 |
--- a/backend/dvi/mdvi-lib/pk.c |
181 |
+++ b/backend/dvi/mdvi-lib/pk.c |
182 |
@@ -328,13 +328,14 @@ static int pk_load_font(DviParams *unused, DviFont *font) |
183 |
{ |
184 |
int i; |
185 |
int flag_byte; |
186 |
- int loc, hic, maxch; |
187 |
+ int hic, maxch; |
188 |
Int32 checksum; |
189 |
FILE *p; |
190 |
#ifndef NODEBUG |
191 |
char s[256]; |
192 |
#endif |
193 |
long alpha, beta, z; |
194 |
+ unsigned int loc; |
195 |
|
196 |
font->chars = xnalloc(DviFontChar, 256); |
197 |
p = font->in; |
198 |
@@ -521,7 +522,7 @@ static int pk_load_font(DviParams *unused, DviFont *font) |
199 |
} |
200 |
|
201 |
/* resize font char data */ |
202 |
- if(loc > 0 && hic < maxch-1) { |
203 |
+ if(loc > 0 || hic < maxch-1) { |
204 |
memmove(font->chars, font->chars + loc, |
205 |
(hic - loc + 1) * sizeof(DviFontChar)); |
206 |
font->chars = xresize(font->chars, |
207 |
-- |
208 |
cgit v0.8.3.1 |