authorsalo <salo@pkgsrc.org>2006-04-04 14:52:15 +0000
committersalo <salo@pkgsrc.org>2006-04-04 14:52:15 +0000
commit2a654f617f58d9ad64dc488765c7f7c33237d354 (patch)
tree911a33b4186f07bcb403fca71fa78766018c28d9 /graphics/dia
parent13334f61cffd0b7ce045ec1186aa593653c6db21 (diff)
Security fix for CVE-2006-1550:
"Multiple buffer overflows in the xfig import code (xfig-import.c) in Dia 0.87 and later before 0.95-pre6 allow user-complicit attackers to have an unknown impact via a crafted xfig file, possibly involving an invalid (1) color index, (2) number of points, or (3) depth." http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1550 http://mail.gnome.org/archives/dia-list/2006-March/msg00149.html Fix from Dia CVS.
Diffstat (limited to 'graphics/dia')
-rw-r--r--graphics/dia/Makefile4
-rw-r--r--graphics/dia/distinfo4
-rw-r--r--graphics/dia/patches/patch-ac14
-rw-r--r--graphics/dia/patches/patch-ad196
4 files changed, 215 insertions, 3 deletions
diff --git a/graphics/dia/Makefile b/graphics/dia/Makefile
index 1d703ccb169..d8fe0bfbb1a 100644
--- a/graphics/dia/Makefile
+++ b/graphics/dia/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.41 2006/03/21 06:00:45 jlam Exp $
+# $NetBSD: Makefile,v 1.42 2006/04/04 14:52:15 salo Exp $
#
.include "Makefile.common"
-PKGREVISION= 5
+PKGREVISION= 6
USE_DIRS+= xdg-1.1
diff --git a/graphics/dia/distinfo b/graphics/dia/distinfo
index 3a234c1054a..a9d6a7429e2 100644
--- a/graphics/dia/distinfo
+++ b/graphics/dia/distinfo
@@ -1,8 +1,10 @@
-$NetBSD: distinfo,v 1.14 2006/02/24 02:52:22 minskim Exp $
+$NetBSD: distinfo,v 1.15 2006/04/04 14:52:15 salo Exp $
SHA1 (dia-0.94.tar.gz) = a55128bd56e76295c9bc8217f25b6ec079727e25
RMD160 (dia-0.94.tar.gz) = f7e20b294b7b739d5f408c34e0fbc533def5e3b9
Size (dia-0.94.tar.gz) = 5241128 bytes
SHA1 (patch-aa) = f556878638291a696894181c5a6907e688589530
SHA1 (patch-ab) = f419cc82faa524ac1f02e88ae3264fcb9b453e09
+SHA1 (patch-ac) = ecc4ed32089980cf5fa1697c278386fe5856f8bb
+SHA1 (patch-ad) = 7e3874ebcaa1781e5d2ad406258a3e7ab1285503
SHA1 (patch-be) = dab7626daefcd702b31f54d198311d9be921e1ff
diff --git a/graphics/dia/patches/patch-ac b/graphics/dia/patches/patch-ac
new file mode 100644
index 00000000000..9efb4dc2f97
--- /dev/null
+++ b/graphics/dia/patches/patch-ac
@@ -0,0 +1,14 @@
+$NetBSD: patch-ac,v 1.1 2006/04/04 14:52:15 salo Exp $
+
+Security fix for CVE-2006-1550, from Dia CVS.
+
+--- plug-ins/xfig/xfig.h.orig 2004-08-16 09:56:21.000000000 +0200
++++ plug-ins/xfig/xfig.h 2006-04-04 15:25:30.000000000 +0200
+@@ -6,6 +6,7 @@
+
+ #define FIG_MAX_DEFAULT_COLORS 32
+ #define FIG_MAX_USER_COLORS 512
++#define FIG_MAX_DEPTHS 1000
+ /* 1200 PPI */
+ #define FIG_UNIT 472.440944881889763779527559055118
+ /* 1/80 inch */
diff --git a/graphics/dia/patches/patch-ad b/graphics/dia/patches/patch-ad
new file mode 100644
index 00000000000..33c120ae66e
--- /dev/null
+++ b/graphics/dia/patches/patch-ad
@@ -0,0 +1,196 @@
+$NetBSD: patch-ad,v 1.1 2006/04/04 14:52:15 salo Exp $
+
+Security fix for CVE-2006-1550, from Dia CVS.
+
+--- plug-ins/xfig/xfig-import.c.orig 2004-08-16 09:56:21.000000000 +0200
++++ plug-ins/xfig/xfig-import.c 2006-04-04 15:25:30.000000000 +0200
+@@ -441,11 +441,17 @@
+ static Color
+ fig_color(int color_index)
+ {
+- if (color_index == -1)
++ if (color_index <= -1)
+ return color_black; /* Default color */
+- if (color_index < FIG_MAX_DEFAULT_COLORS)
++ else if (color_index < FIG_MAX_DEFAULT_COLORS)
+ return fig_default_colors[color_index];
+- else return fig_colors[color_index-FIG_MAX_DEFAULT_COLORS];
++ else if (color_index < FIG_MAX_USER_COLORS)
++ return fig_colors[color_index-FIG_MAX_DEFAULT_COLORS];
++ else {
++ message_error(_("Color index %d too high, only 512 colors allowed. Using black instead."),
++ color_index);
++ return color_black;
++ }
+ }
+
+ static Color
+@@ -563,23 +569,25 @@
+ static int
+ fig_read_n_points(FILE *file, int n, Point **points) {
+ int i;
+- Point *new_points;
+-
+- new_points = (Point*)g_malloc(sizeof(Point)*n);
++ GArray *points_list = g_array_sized_new(FALSE, FALSE, sizeof(Point), n);
+
+ for (i = 0; i < n; i++) {
+ int x,y;
++ Point p;
+ if (fscanf(file, " %d %d ", &x, &y) != 2) {
+ message_error(_("Error while reading %dth of %d points: %s\n"),
+ i, n, strerror(errno));
+- free(new_points);
++ g_array_free(points_list, TRUE);
+ return FALSE;
+ }
+- new_points[i].x = x/FIG_UNIT;
+- new_points[i].y = y/FIG_UNIT;
++ p.x = x/FIG_UNIT;
++ p.y = y/FIG_UNIT;
++ g_array_append_val(points_list, p);
+ }
+ fscanf(file, "\n");
+- *points = new_points;
++
++ *points = (Point *)points_list->data;
++ g_array_free(points_list, FALSE);
+ return TRUE;
+ }
+
+@@ -683,7 +691,7 @@
+ return text_buf;
+ }
+
+-static GList *depths[1000];
++static GList *depths[FIG_MAX_DEPTHS];
+
+ /* If there's something in the compound stack, we ignore the depth field,
+ as it will be determined by the group anyway */
+@@ -693,6 +701,26 @@
+ level. Best we can do now. */
+ static int compound_depth;
+
++/** Add an object at a given depth. This function checks for depth limits
++ * and updates the compound depth if needed.
++ *
++ * @param newobj An object to add. If we're inside a compound, this
++ * doesn't really add the object.
++ * @param depth A depth as in the Fig format, max 999
++ */
++static void
++add_at_depth(DiaObject *newobj, int depth) {
++ if (depth < 0 || depth >= FIG_MAX_DEPTHS) {
++ message_error(_("Depth %d of of range, only 0-%d allowed.\n"),
++ depth, FIG_MAX_DEPTHS-1);
++ depth = FIG_MAX_DEPTHS - 1;
++ }
++ if (compound_stack == NULL)
++ depths[depth] = g_list_append(depths[depth], newobj);
++ else
++ if (compound_depth > depth) compound_depth = depth;
++}
++
+ static DiaObject *
+ fig_read_ellipse(FILE *file, DiagramData *dia) {
+ int sub_type;
+@@ -749,10 +777,7 @@
+ /* Angle -- can't rotate yet */
+
+ /* Depth field */
+- if (compound_stack == NULL)
+- depths[depth] = g_list_append(depths[depth], newobj);
+- else
+- if (compound_depth > depth) compound_depth = depth;
++ add_at_depth(newobj, depth);
+
+ return newobj;
+ }
+@@ -885,10 +910,7 @@
+ /* Cap style */
+
+ /* Depth field */
+- if (compound_stack == NULL)
+- depths[depth] = g_list_append(depths[depth], newobj);
+- else
+- if (compound_depth > depth) compound_depth = depth;
++ add_at_depth(newobj, depth);
+ exit:
+ prop_list_free(props);
+ g_free(forward_arrow_info);
+@@ -1111,10 +1133,7 @@
+ /* Cap style */
+
+ /* Depth field */
+- if (compound_stack == NULL)
+- depths[depth] = g_list_append(depths[depth], newobj);
+- else
+- if (compound_depth > depth) compound_depth = depth;
++ add_at_depth(newobj, depth);
+ exit:
+ prop_list_free(props);
+ g_free(forward_arrow_info);
+@@ -1202,10 +1221,7 @@
+ /* Cap style */
+
+ /* Depth field */
+- if (compound_stack == NULL)
+- depths[depth] = g_list_append(depths[depth], newobj);
+- else
+- if (compound_depth > depth) compound_depth = depth;
++ add_at_depth(newobj, depth);
+
+ exit:
+ g_free(forward_arrow_info);
+@@ -1298,10 +1314,7 @@
+ newobj->ops->set_props(newobj, props);
+
+ /* Depth field */
+- if (compound_stack == NULL)
+- depths[depth] = g_list_append(depths[depth], newobj);
+- else
+- if (compound_depth > depth) compound_depth = depth;
++ add_at_depth(newobj, depth);
+
+ exit:
+ if (text_buf != NULL) free(text_buf);
+@@ -1347,6 +1360,12 @@
+ return FALSE;
+ }
+
++ if (colornumber < 32 || colornumber > FIG_MAX_USER_COLORS) {
++ message_error(_("Color number %d out of range 0..%d. Discarding color.\n"),
++ colornumber, FIG_MAX_USER_COLORS);
++ return FALSE;
++ }
++
+ color.red = ((colorvalues & 0x00ff0000)>>16) / 255.0;
+ color.green = ((colorvalues & 0x0000ff00)>>8) / 255.0;
+ color.blue = (colorvalues & 0x000000ff) / 255.0;
+@@ -1393,7 +1412,7 @@
+ }
+ /* Group extends don't really matter */
+ if (compound_stack == NULL)
+- compound_depth = 999;
++ compound_depth = FIG_MAX_DEPTHS - 1;
+ compound_stack = g_slist_append(compound_stack, NULL);
+ return TRUE;
+ break;
+@@ -1551,7 +1570,7 @@
+ for (i = 0; i < FIG_MAX_USER_COLORS; i++) {
+ fig_colors[i] = color_black;
+ }
+- for (i = 0; i < 1000; i++) {
++ for (i = 0; i < FIG_MAX_DEPTHS; i++) {
+ depths[i] = NULL;
+ }
+
+@@ -1606,7 +1625,7 @@
+ } while (TRUE);
+
+ /* Now we can reorder for the depth fields */
+- for (i = 0; i < 1000; i++) {
++ for (i = 0; i < FIG_MAX_DEPTHS; i++) {
+ if (depths[i] != NULL)
+ layer_add_objects_first(dia->active_layer, depths[i]);
+ }
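Review bot: In the embedded xfig-import.c patch, `fig_read_n_points` hands the file-supplied `int n` to `g_array_sized_new` as the reserved size without checking it; that parameter is unsigned, so a negative `n` becomes a very large reservation, and a large positive `n` is allocated before any point has been read. No caller-side bound is visible in this hunk, so I would reject it before the array is created, e.g. `if (n < 0) return FALSE;`, or reserve 0 elements and let `g_array_append_val` grow the array as points actually parse. The new colour-definition check accepts `colornumber == FIG_MAX_USER_COLORS` while `fig_color` refuses that index, and the store into `fig_colors` lies outside the hunk, so I cannot confirm it stays in bounds; `if (colornumber < FIG_MAX_DEFAULT_COLORS || colornumber >= FIG_MAX_USER_COLORS)` would make the two agree and replace the literal 32. Minor: that message prints the range as 0..%d although the lower bound is 32, and the `add_at_depth` message reads "of of range".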