Security bugfixes

Fixes CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643 Resolves: #667573
2011-01-06 11:57:46 +01:00 · 2011-01-06 11:57:46 +01:00 · 668e42bc3b
commit 668e42bc3b
parent d767cc6c55
2 changed files with 105 additions and 1 deletions
--- a/evince-CVE-2010-2640_CVE-2010-2641_CVE-2010-2642_CVE-2010-2643.patch
+++ b/evince-CVE-2010-2640_CVE-2010-2641_CVE-2010-2642_CVE-2010-2643.patch
@ -0,0 +1,96 @@
+commit d4139205b010ed06310d14284e63114e88ec6de2
+Author: José Aliste <jaliste@src.gnome.org>
+Date:   Tue Dec 7 15:56:47 2010 -0300
+
+    backends: Fix several security issues in the dvi-backend.
+    
+    See CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and  CVE-2010-2643.
+
+diff --git a/backend/dvi/mdvi-lib/afmparse.c b/backend/dvi/mdvi-lib/afmparse.c
+index 164366b..361e23d 100644
+--- a/backend/dvi/mdvi-lib/afmparse.c
+++ b/backend/dvi/mdvi-lib/afmparse.c
+@@ -160,7 +160,7 @@ static char *token(FILE *stream)
+     
+     idx = 0;
+     while (ch != EOF && ch != ' ' && ch != lineterm 
+-           && ch != '\t' && ch != ':' && ch != ';') 
+           && ch != '\t' && ch != ':' && ch != ';' && idx < MAX_NAME)
+     {
+         ident[idx++] = ch;
+         ch = fgetc(stream);
+diff --git a/backend/dvi/mdvi-lib/dviread.c b/backend/dvi/mdvi-lib/dviread.c
+index cd8cfa9..d014320 100644
+--- a/backend/dvi/mdvi-lib/dviread.c
+++ b/backend/dvi/mdvi-lib/dviread.c
+@@ -1507,6 +1507,10 @@ int	special(DviContext *dvi, int opcode)
+ 	Int32	arg;
+ 	
+ 	arg = dugetn(dvi, opcode - DVI_XXX1 + 1);
+	if (arg <= 0) {
+		dvierr(dvi, _("malformed special length\n"));
+		return -1;
+	}
+ 	s = mdvi_malloc(arg + 1);
+ 	dread(dvi, s, arg);
+ 	s[arg] = 0;
+diff --git a/backend/dvi/mdvi-lib/pk.c b/backend/dvi/mdvi-lib/pk.c
+index a579186..08377e6 100644
+--- a/backend/dvi/mdvi-lib/pk.c
+++ b/backend/dvi/mdvi-lib/pk.c
+@@ -469,6 +469,15 @@ static int pk_load_font(DviParams *unused, DviFont *font)
+ 			}
+ 			if(feof(p))
+ 				break;
+
+			/* Although the PK format support bigger char codes,
+                         * XeTeX and other extended TeX engines support charcodes up to
+                         * 65536, while normal TeX engine supports only charcode up to 255.*/
+			if (cc < 0 || cc > 65536) {
+				mdvi_error (_("%s: unexpected charcode (%d)\n"),
+					    font->fontname,cc);
+				goto error;
+			} 
+ 			if(cc < loc)
+ 				loc = cc;
+ 			if(cc > hic)
+@@ -512,7 +521,7 @@ static int pk_load_font(DviParams *unused, DviFont *font)
+ 	}
+ 
+ 	/* resize font char data */
+-	if(loc > 0 || hic < maxch-1) {
+	if(loc > 0 && hic < maxch-1) {
+ 		memmove(font->chars, font->chars + loc, 
+ 			(hic - loc + 1) * sizeof(DviFontChar));
+ 		font->chars = xresize(font->chars,
+diff --git a/backend/dvi/mdvi-lib/tfmfile.c b/backend/dvi/mdvi-lib/tfmfile.c
+index 73ebf26..8c2a30b 100644
+--- a/backend/dvi/mdvi-lib/tfmfile.c
+++ b/backend/dvi/mdvi-lib/tfmfile.c
+@@ -172,7 +172,8 @@ int	tfm_load_file(const char *filename, TFMInfo *info)
+ 	/* We read the entire TFM file into core */
+ 	if(fstat(fileno(in), &st) < 0)
+ 		return -1;
+-	if(st.st_size == 0)
+	/* according to the spec, TFM files are smaller than 16K */
+	if(st.st_size == 0 || st.st_size >= 16384)
+ 		goto bad_tfm;
+ 
+ 	/* allocate a word-aligned buffer to hold the file */
+diff --git a/backend/dvi/mdvi-lib/vf.c b/backend/dvi/mdvi-lib/vf.c
+index fb49847..a5ae3bb 100644
+--- a/backend/dvi/mdvi-lib/vf.c
+++ b/backend/dvi/mdvi-lib/vf.c
+@@ -165,6 +165,12 @@ static int vf_load_font(DviParams *params, DviFont *font)
+ 			cc = fuget1(p);
+ 			tfm = fuget3(p);
+ 		}
+		if (cc < 0 || cc > 65536) {
+			/* TeX engines do not support char codes bigger than 65535 */
+			mdvi_error(_("(vf) %s: unexpected character %d\n"),
+				   font->fontname, cc);
+			goto error;
+		}
+ 		if(loc < 0 || cc < loc)
+ 			loc = cc;
+ 		if(hic < 0 || cc > hic)
--- a/evince.spec
+++ b/evince.spec
@ -5,7 +5,7 @@

 Name:           evince
 Version:        2.91.3
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        Document viewer

 License:        GPLv2+ and GFDL
@ -15,6 +15,9 @@ Source0:        http://download.gnome.org/sources/%{name}/2.91/%{name}-%{version
 # https://bugzilla.redhat.com/show_bug.cgi?id=562648
 Patch2:         evince-t1font-mapping.patch

+# https://bugzilla.redhat.com/show_bug.cgi?id=667573
+Patch3:         evince-CVE-2010-2640_CVE-2010-2641_CVE-2010-2642_CVE-2010-2643.patch
+
 BuildRequires:  gtk3-devel
 BuildRequires:  glib2-devel >= %{glib2_version}
 BuildRequires:  poppler-glib-devel >= %{poppler_version}
@ -107,6 +110,7 @@ It adds an additional tab called "Document" to the file properties dialog.
 %prep
 %setup -q
 %patch2 -p1 -b .t1font-map
+%patch3 -p1 -b .CVE-2010-2640_CVE-2010-2641_CVE-2010-2642_CVE-2010-2643

 %build
 automake
@ -240,6 +244,10 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas ||:
 %{_libdir}/nautilus/extensions-2.0/libevince-properties-page.so

 %changelog
+* Thu Jan  6 2011 Marek Kasik <mkasik@redhat.com> - 2.91.3-6
+- Fixes CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643
+- Resolves: #667573
+
 * Sat Jan 01 2011 Rex Dieter <rdieter@fedoraproject.org> - 2.91.3-5
 - rebuild (poppler)