Pullup ticket #3143 - requested by minskim

print/dvipsk: security patch

Revisions pulled up:
- print/dvipsk/Makefile				1.6
- print/dvipsk/distinfo				1.5
- print/dvipsk/patches/patch-ab			1.4
---
Module Name:	pkgsrc
Committed By:	minskim
Date:		Tue Jun  8 15:17:05 UTC 2010

Modified Files:
	pkgsrc/print/dvipsk: Makefile distinfo
	pkgsrc/print/dvipsk/patches: patch-ab

Log Message:
Fix CVE-2010-1440.  Patch from TeX Live repository.

  Multiple integer overflows in dvipsk/dospecial.c in dvips in TeX
  Live 2009 and earlier, and teTeX, allow remote attackers to cause a
  denial of service (application crash) or possibly execute arbitrary
  code via a special command in a DVI file, related to the (1)
  predospecial and (2) bbdospecial functions, a different
  vulnerability than CVE-2010-0739.

3 files changed, 26 insertions, 10 deletions

diff --git a/print/dvipsk/Makefile b/print/dvipsk/Makefile
index c926c0b8f48..9c0f9d6eae2 100644
--- a/print/dvipsk/Makefile
+++ b/print/dvipsk/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.4.2.1 2010/04/20 21:26:19 tron Exp $
+# $NetBSD: Makefile,v 1.4.2.2 2010/06/08 18:22:06 tron Exp $
 
 DISTNAME=	texlive-20091011-source
 PKGNAME=	dvipsk-5.98
-PKGREVISION=	1
+PKGREVISION=	2
 CATEGORIES=	print
 MASTER_SITES=	${MASTER_SITE_TEX_CTAN:=systems/texlive/Source/}
 EXTRACT_SUFX=	.tar.xz
diff --git a/print/dvipsk/distinfo b/print/dvipsk/distinfo
index 36d4cc322da..0b456aa8fc4 100644
--- a/print/dvipsk/distinfo
+++ b/print/dvipsk/distinfo
@@ -1,7 +1,7 @@
-$NetBSD: distinfo,v 1.3.2.1 2010/04/20 21:26:19 tron Exp $
+$NetBSD: distinfo,v 1.3.2.2 2010/06/08 18:22:06 tron Exp $
 
 SHA1 (texlive-20091011-source.tar.xz) = 82fc9fcdb82c63a00f4b08a51733c761cbda897d
 RMD160 (texlive-20091011-source.tar.xz) = 81b86cd93e629d6b1b3d7918848dd76babc0d5a9
 Size (texlive-20091011-source.tar.xz) = 29683728 bytes
 SHA1 (patch-aa) = 825b091fecb17e8cc9135a0341b90e49ffd56baf
-SHA1 (patch-ab) = 4acf55b8027b9b2edc64c01568d3c22b50b7eafa
+SHA1 (patch-ab) = 0ecb16e2073813d23a8d13809de58a01bfe38e8a
diff --git a/print/dvipsk/patches/patch-ab b/print/dvipsk/patches/patch-ab
index 7d3bac81ccb..d5988885391 100644
--- a/print/dvipsk/patches/patch-ab
+++ b/print/dvipsk/patches/patch-ab
@@ -1,17 +1,33 @@
-$NetBSD: patch-ab,v 1.3.2.2 2010/04/20 21:26:19 tron Exp $
+$NetBSD: patch-ab,v 1.3.2.3 2010/06/08 18:22:06 tron Exp $
+
+- CVE-2010-0739
+- CVE-2010-1440
 
 --- dospecial.c.orig	2009-06-23 09:46:14.000000000 +0000
 +++ dospecial.c
-@@ -334,6 +334,12 @@ predospecial(integer numbytes, Boolean s
+@@ -333,7 +333,11 @@ predospecial(integer numbytes, Boolean s
+    int j ;
     static int omega_specials = 0;
  
-    if (nextstring + numbytes > maxstring) {
-+      if (numbytes < 0
-+          || (numbytes > 0 && 2 > INT_MAX / numbytes)
-+          || 2 * numbytes > 1000 + 2 * numbytes) {
+-   if (nextstring + numbytes > maxstring) {
++   if (numbytes < 0 || numbytes > maxstring - nextstring) {
++      if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 ) {
 +         error("! Integer overflow in predospecial");
 +         exit(1);
 +      }
        p = nextstring = mymalloc(1000 + 2 * numbytes) ;
        maxstring = nextstring + 2 * numbytes + 700 ;
     }
+@@ -918,7 +922,11 @@ bbdospecial(int nbytes)
+    char seen[NKEYS] ;
+    float valseen[NKEYS] ;
+ 
+-   if (nextstring + nbytes > maxstring) {
++   if (nbytes < 0 || nbytes > maxstring - nextstring) {
++      if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2 ) {
++	 error("! Integer overflow in bbdospecial");
++	 exit(1);
++      }
+       p = nextstring = mymalloc(1000 + 2 * nbytes) ;
+       maxstring = nextstring + 2 * nbytes + 700 ;
+    }