From e019b9c1144b7569ff35f258a8652172fba0a6b4 Mon Sep 17 00:00:00 2001
From: Than Ngo
Date: Wed, 5 Feb 2020 13:07:20 +0100
Subject: [PATCH] fix bz#1798119 - buffer overflow in TexOpen() function, CVE-2019-19601
---
 texlive-base-20190410-CVE-2019-19601.patch | 16 ++++++++++++++++
 texlive-base.spec | 9 +++++++--
 2 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 texlive-base-20190410-CVE-2019-19601.patch
diff --git a/texlive-base-20190410-CVE-2019-19601.patch b/texlive-base-20190410-CVE-2019-19601.patch
new file mode 100644
index 0000000..ac6c1f9
--- /dev/null
+++ b/texlive-base-20190410-CVE-2019-19601.patch
@@ -0,0 +1,16 @@
+diff -up texlive-base-20190410/source/texk/detex/detex-src/detex.l.me texlive-base-20190410/source/texk/detex/detex-src/detex.l
+--- texlive-base-20190410/source/texk/detex/detex-src/detex.l.me 2020-02-05 12:54:36.100840384 +0100
++++ texlive-base-20190410/source/texk/detex/detex-src/detex.l 2020-02-05 13:00:28.476320773 +0100
+@@ -898,10 +898,10 @@ TexOpen(char *sbFile)
+ #else
+ if (*sbFile == '/') { /* absolute path */
+ #endif
+- (void)sprintf(sbFullPath, "%s", sbFile);
++ (void)snprintf(sbFullPath, PATH_MAX-1, "%s", sbFile);
+ iPath = csbInputPaths; /* only check once */
+ } else
+- (void)sprintf(sbFullPath, "%s/%s", rgsbInputPaths[iPath], sbFile);
++ (void)snprintf(sbFullPath, PATH_MAX-1, "%s/%s", rgsbInputPaths[iPath], sbFile);
+ #ifdef OS2
+ pch = sbFullPath;
+ while (pch = strchr(pch, '\\'))
diff --git a/texlive-base.spec b/texlive-base.spec
index ed534d5..ec0f037 100644
--- a/texlive-base.spec
+++ b/texlive-base.spec
@@ -17,7 +17,7 @@ Name: %{shortname}-base
 Version: %{source_date}
-Release: 11%{?dist}
+Release: 12%{?dist}
 Epoch: 7
 Summary: TeX formatting system
 # The only files in the base package are directories, cache, and license texts
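Review bot: Both new snprintf() calls in the embedded detex.l hunk (inside TexOpen) still cast the result to void, so an over-long file name is now silently truncated and the code presumably goes on to try a path the caller never asked for. Keeping the return value in an int and rejecting the candidate when it did not fit, e.g. `n = snprintf(sbFullPath, PATH_MAX-1, "%s", sbFile);` followed by `if (n < 0 || n >= PATH_MAX-1) ...`, would turn truncation into an explicit failure instead of a wrong lookup. The bound is only safe if sbFullPath is declared with at least PATH_MAX-1 bytes; that declaration is outside the hunk, and if it is a true array then `sizeof sbFullPath` would tie the limit to the buffer rather than to the macro. TexOpen's body starts and ends outside the hunk, so whether the failure should skip the current search path or abort the lookup needs checking against the surrounding loop.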
@@ -440,7 +440,8 @@ Patch25: texlive-base-20190410-gcc10-mp-fix-global-var.patch
 Patch26: texlive-base-20190410-gcc10-luatex-fix-global-vars.patch
 # GCC10: Fix global vars in ttf2pk2
 Patch27: texlive-base-20190410-gcc10-ttf2pk2-fix-global-var.patch
-
+# bz#1798119, buffer overflow, CVE-2019-19601
+Patch28: texlive-base-20190410-CVE-2019-19601.patch
 # Can't do this because it causes everything else to be noarch
 # BuildArch: noarch
@@ -6562,6 +6563,7 @@ xz -dc %{SOURCE0} | tar x
 %patch25 -p1 -b .gcc10-mplib
 %patch26 -p1 -b .gcc10-luatex
 %patch27 -p1 -b .gcc10-ttf2pk2
+%patch28 -p1 -b .CVE-2019-19601
 # Setup copies of the licenses
 for l in `unxz -c %{SOURCE3} | tar t`; do
@@ -9047,6 +9049,9 @@ done <<< "$list"
 %doc %{_texdir}/texmf-dist/doc/latex/yplan/
 %changelog
+* Wed Feb 05 2020 Than Ngo - 7:20190410-12
+- fix bz#1798119 - buffer overflow in TexOpen() function, CVE-2019-19601
+
 * Fri Jan 31 2020 Fedora Release Engineering - 7:20190410-11
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild