diff options
| author | salo <salo@pkgsrc.org> | 2006-08-20 21:38:45 +0000 |
|---|---|---|
| committer | salo <salo@pkgsrc.org> | 2006-08-20 21:38:45 +0000 |
| commit | 8f7a834d4ece239e9049f025b5750d72af13a178 (patch) | |
| tree | be275a1715c76f5f3a015ae8945d8a2db4eee7e2 | |
| parent | 61037551327a00c3ff14b5f0593a2a6b0a595da0 (diff) | |
| download | pkgsrc-8f7a834d4ece239e9049f025b5750d72af13a178.tar.gz | |
Security fix for CVE-2006-3376:
"A vulnerability in libwmf can be potentially exploited by malicious
people to compromise an application using the vulnerable library.
The vulnerability is caused due to an integer overflow error when
allocating memory based on a value taken directly from a WMF file
without performing any checks. This can be exploited to cause a
heap-based buffer overflow when a specially crafted WMF file is
processed.
Successful exploitation may allow execution of arbitrary code."
http://secunia.com/advisories/20921/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3376
Patch from Red Hat. Bump PKGREVISION.
| -rw-r--r-- | graphics/libwmf/Makefile | 4 | ||||
| -rw-r--r-- | graphics/libwmf/distinfo | 3 | ||||
| -rw-r--r-- | graphics/libwmf/patches/patch-ae | 31 |
3 files changed, 35 insertions, 3 deletions
diff --git a/graphics/libwmf/Makefile b/graphics/libwmf/Makefile index 5ec053bff61..32c50512027 100644 --- a/graphics/libwmf/Makefile +++ b/graphics/libwmf/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.59 2006/04/17 13:46:00 wiz Exp $ +# $NetBSD: Makefile,v 1.60 2006/08/20 21:38:45 salo Exp $ DISTNAME= libwmf-0.2.8.4 -PKGREVISION= 3 +PKGREVISION= 4 CATEGORIES= graphics devel MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=wvware/} diff --git a/graphics/libwmf/distinfo b/graphics/libwmf/distinfo index 4cec03d233f..6256186c176 100644 --- a/graphics/libwmf/distinfo +++ b/graphics/libwmf/distinfo @@ -1,6 +1,7 @@ -$NetBSD: distinfo,v 1.13 2006/01/18 22:04:58 adam Exp $ +$NetBSD: distinfo,v 1.14 2006/08/20 21:38:45 salo Exp $ SHA1 (libwmf-0.2.8.4.tar.gz) = 822ab3bd0f5e8f39ad732f2774a8e9f18fc91e89 RMD160 (libwmf-0.2.8.4.tar.gz) = 98cd631adb5bb332d9224d04bc8a265c105435f2 Size (libwmf-0.2.8.4.tar.gz) = 2169375 bytes SHA1 (patch-ad) = b74be16c5da490394b86403009f5f35d80ba4bfa +SHA1 (patch-ae) = 644684733090c26250a1ce0e2c5a6c978bd54b74 diff --git a/graphics/libwmf/patches/patch-ae b/graphics/libwmf/patches/patch-ae new file mode 100644 index 00000000000..11c39521681 --- /dev/null +++ b/graphics/libwmf/patches/patch-ae @@ -0,0 +1,31 @@ +$NetBSD: patch-ae,v 1.1 2006/08/20 21:38:45 salo Exp $ + +Security fix for CVE-2006-3376, from Red Hat. + +--- src/player.c.orig 2002-12-10 20:30:26.000000000 +0100 ++++ src/player.c 2006-08-20 23:29:44.000000000 +0200 +@@ -42,6 +42,7 @@ + #include "player/defaults.h" /* Provides: default settings */ + #include "player/record.h" /* Provides: parameter mechanism */ + #include "player/meta.h" /* Provides: record interpreters */ ++#include <stdint.h> + + /** + * @internal +@@ -132,8 +133,14 @@ + } + } + +-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char)); +- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); ++ if (MAX_REC_SIZE(API) > UINT32_MAX/ 2) ++ { ++ API->err = wmf_E_InsMem; ++ WMF_DEBUG (API,"bailing..."); ++ return (API->err); ++ } ++ ++ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); + + if (ERR (API)) + { WMF_DEBUG (API,"bailing..."); |