Add patches for CVE-2018-20539, CVE-2018-20537, CVE-2018-20536, CVE-2018-20540

2020-04-14 20:25:49 +02:00
5 changed files with 105 additions and 3 deletions
--- a/liblas.spec
+++ b/liblas.spec
@ -1,20 +1,36 @@
 Name:		liblas
 Version:	1.8.1
-Release:	4%{?dist}
+Release:	5%{?dist}
 Summary:	Library for reading and writing the very common LAS LiDAR format

 License:	BSD and Boost
 URL:		https://www.liblas.org
 Source0:	https://download.osgeo.org/%{name}/libLAS-%{version}.tar.bz2
 # https://github.com/libLAS/libLAS/issues/140 for both:
-Patch0001:      https://gitweb.gentoo.org/repo/gentoo.git/plain/sci-geosciences/liblas/files/liblas-1.8.1-fix-overload-call.patch
-Patch0002:      https://gitweb.gentoo.org/repo/gentoo.git/plain/sci-geosciences/liblas/files/liblas-1.8.0_remove-std-c++98.patch
+Patch0001:      liblas-1.8.1-fix-overload-call.patch
+Patch0002:      liblas-1.8.0_remove-std-c++98.patch
 # Fix build against recent gdal3+
 # https://github.com/libLAS/libLAS/issues/164
 # From https://github.com/OSGeo/gdal/blob/master/gdal/MIGRATION_GUIDE.TXT:
 #  removal of OSRFixup() and OSRFixupOrdering(): no longer needed since objects constructed are always valid
 Patch0003:      liblas_gdal3.patch

+# https://bugzilla.redhat.com/show_bug.cgi?id=1652609
+# https://github.com/libLAS/libLAS/issues/159
+Patch0004:      liblas_CVE-2018-20539.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1652611
+# https://github.com/libLAS/libLAS/issues/160
+Patch0005:      liblas_CVE-2018-20537.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1652610
+# https://github.com/libLAS/libLAS/issues/161
+Patch0006:      liblas_CVE-2018-20536.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1652612
+# https://github.com/libLAS/libLAS/issues/181
+Patch0007:      liblas_CVE-2018-20540.patch
+
 BuildRequires:  gcc-c++
 BuildRequires:	boost-devel >= 1.53
 BuildRequires:	cmake
@ -93,6 +109,9 @@ make %{?_smp_mflags}
 %{_bindir}/*

 %changelog
+* Tue Apr 14 2020 Sandro Mani <manisandro@gmail.com> - 1.8.1-5
+- Add patches for CVE-2018-20539, CVE-2018-20537, CVE-2018-20536, CVE-2018-20540
+
 * Tue Mar 03 2020 Sandro Mani <manisandro@gmail.com> - 1.8.1-4
 - Rebuild (gdal)

--- a/liblas_CVE-2018-20536.patch
+++ b/liblas_CVE-2018-20536.patch
@ -0,0 +1,15 @@
+diff -rupN --no-dereference libLAS-1.8.1/src/spatialreference.cpp libLAS-1.8.1-new/src/spatialreference.cpp
+--- libLAS-1.8.1/src/spatialreference.cpp	2020-04-14 20:19:49.253097047 +0200
+++ libLAS-1.8.1-new/src/spatialreference.cpp	2020-04-14 20:19:49.255097046 +0200
+@@ -519,8 +519,9 @@ const GTIF* SpatialReference::GetGTIF()
+                 // The '+ 1' accounts for the header itself.
+                 int count = (header->numKeys + 1) * 4;
+                 short *data_s = reinterpret_cast<short *>( &(data[0]));
+-
+-                ST_SetKey(m_tiff, record.GetRecordId(), count, STT_SHORT, data_s);
+                if(std::size_t(count) <= data.size() / sizeof(short)) {
+                    ST_SetKey(m_tiff, record.GetRecordId(), count, STT_SHORT, data_s);
+                }
+             }
+         }
+ 
--- a/liblas_CVE-2018-20537.patch
+++ b/liblas_CVE-2018-20537.patch
@ -0,0 +1,20 @@
+diff -rupN --no-dereference libLAS-1.8.1/src/spatialreference.cpp libLAS-1.8.1-new/src/spatialreference.cpp
+--- libLAS-1.8.1/src/spatialreference.cpp	2020-04-14 20:19:49.228097062 +0200
+++ libLAS-1.8.1-new/src/spatialreference.cpp	2020-04-14 20:19:49.230097061 +0200
+@@ -525,14 +525,14 @@ const GTIF* SpatialReference::GetGTIF()
+         }
+ 
+         if (uid == record.GetUserId(true).c_str() &&
+-            34736 == record.GetRecordId())
+            34736 == record.GetRecordId() && !data.empty())
+         {
+             int count = data.size() / sizeof(double);
+             ST_SetKey(m_tiff, record.GetRecordId(), count, STT_DOUBLE, &(data[0]));
+         }
+ 
+         if (uid == record.GetUserId(true).c_str() &&
+-            34737 == record.GetRecordId())
+            34737 == record.GetRecordId() && !data.empty())
+         {
+             int count = data.size()/sizeof(uint8_t);
+             ST_SetKey(m_tiff, record.GetRecordId(), count, STT_ASCII, &(data[0]));
--- a/liblas_CVE-2018-20539.patch
+++ b/liblas_CVE-2018-20539.patch
@ -0,0 +1,24 @@
+diff -rupN --no-dereference libLAS-1.8.1/src/spatialreference.cpp libLAS-1.8.1-new/src/spatialreference.cpp
+--- libLAS-1.8.1/src/spatialreference.cpp	2016-08-22 15:06:34.000000000 +0200
+++ libLAS-1.8.1-new/src/spatialreference.cpp	2020-04-14 20:19:49.206097075 +0200
+@@ -513,12 +513,15 @@ const GTIF* SpatialReference::GetGTIF()
+ #pragma pack(pop)
+ 
+             ShortKeyHeader *header = (ShortKeyHeader *)data.data();
+-            // Calculate the number of shorts in the VLR data.
+-            // The '+ 1' accounts for the header itself.
+-            int count = (header->numKeys + 1) * 4;
+-            short *data_s = reinterpret_cast<short *>( &(data[0]));
+            if (header)
+            {
+                // Calculate the number of shorts in the VLR data.
+                // The '+ 1' accounts for the header itself.
+                int count = (header->numKeys + 1) * 4;
+                short *data_s = reinterpret_cast<short *>( &(data[0]));
+ 
+-            ST_SetKey(m_tiff, record.GetRecordId(), count, STT_SHORT, data_s);
+                ST_SetKey(m_tiff, record.GetRecordId(), count, STT_SHORT, data_s);
+            }
+         }
+ 
+         if (uid == record.GetUserId(true).c_str() &&
--- a/liblas_CVE-2018-20540.patch
+++ b/liblas_CVE-2018-20540.patch
@ -0,0 +1,24 @@
+diff -rupN --no-dereference libLAS-1.8.1/include/liblas/liblas.hpp libLAS-1.8.1-new/include/liblas/liblas.hpp
+--- libLAS-1.8.1/include/liblas/liblas.hpp	2016-08-22 15:06:34.000000000 +0200
+++ libLAS-1.8.1-new/include/liblas/liblas.hpp	2020-04-14 20:19:49.281097031 +0200
+@@ -121,12 +121,18 @@ inline std::istream* Open(std::string co
+     namespace io = boost::iostreams;
+     io::stream<io::file_source>* ifs = new io::stream<io::file_source>();
+     ifs->open(filename.c_str(), mode);
+-    if (ifs->is_open() == false) return NULL;
+    if (ifs->is_open() == false) {
+        delete ifs;
+        return NULL;
+    }
+     return ifs;
+ #else
+     std::ifstream* ifs = new std::ifstream();
+     ifs->open(filename.c_str(), mode);
+-    if (ifs->is_open() == false) return NULL;
+    if (ifs->is_open() == false) {
+        delete ifs;
+        return NULL;
+    }
+     return ifs;
+ #endif
+ }