Security fix for CVE-2006-3376:

"A vulnerability in libwmf can be potentially exploited by malicious people to compromise an application using the vulnerable library. The vulnerability is caused due to an integer overflow error when allocating memory based on a value taken directly from a WMF file without performing any checks. This can be exploited to cause a heap-based buffer overflow when a specially crafted WMF file is processed. Successful exploitation may allow execution of arbitrary code." http://secunia.com/advisories/20921/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3376 Patch from Red Hat. Bump PKGREVISION.
author: salo <salo@pkgsrc.org> 2006-08-20 21:38:45 +0000
committer: salo <salo@pkgsrc.org> 2006-08-20 21:38:45 +0000
commit: 8f7a834d4ece239e9049f025b5750d72af13a178 (patch)
tree: be275a1715c76f5f3a015ae8945d8a2db4eee7e2 /graphics/libwmf
parent: 61037551327a00c3ff14b5f0593a2a6b0a595da0 (diff)
download: pkgsrc-8f7a834d4ece239e9049f025b5750d72af13a178.tar.gz
3 files changed, 35 insertions, 3 deletions
diff --git a/graphics/libwmf/Makefile b/graphics/libwmf/Makefile
index 5ec053bff61..32c50512027 100644
--- a/graphics/libwmf/Makefile
+++ b/graphics/libwmf/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.59 2006/04/17 13:46:00 wiz Exp $
+# $NetBSD: Makefile,v 1.60 2006/08/20 21:38:45 salo Exp $
 
 DISTNAME=	libwmf-0.2.8.4
-PKGREVISION=	3
+PKGREVISION=	4
 CATEGORIES=	graphics devel
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=wvware/}
 
diff --git a/graphics/libwmf/distinfo b/graphics/libwmf/distinfo
index 4cec03d233f..6256186c176 100644
--- a/graphics/libwmf/distinfo
+++ b/graphics/libwmf/distinfo
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.13 2006/01/18 22:04:58 adam Exp $
+$NetBSD: distinfo,v 1.14 2006/08/20 21:38:45 salo Exp $
 
 SHA1 (libwmf-0.2.8.4.tar.gz) = 822ab3bd0f5e8f39ad732f2774a8e9f18fc91e89
 RMD160 (libwmf-0.2.8.4.tar.gz) = 98cd631adb5bb332d9224d04bc8a265c105435f2
 Size (libwmf-0.2.8.4.tar.gz) = 2169375 bytes
 SHA1 (patch-ad) = b74be16c5da490394b86403009f5f35d80ba4bfa
+SHA1 (patch-ae) = 644684733090c26250a1ce0e2c5a6c978bd54b74
diff --git a/graphics/libwmf/patches/patch-ae b/graphics/libwmf/patches/patch-ae
new file mode 100644
index 00000000000..11c39521681
--- /dev/null
+++ b/graphics/libwmf/patches/patch-ae
@@ -0,0 +1,31 @@
+$NetBSD: patch-ae,v 1.1 2006/08/20 21:38:45 salo Exp $
+
+Security fix for CVE-2006-3376, from Red Hat.
+
+--- src/player.c.orig	2002-12-10 20:30:26.000000000 +0100
++++ src/player.c	2006-08-20 23:29:44.000000000 +0200
+@@ -42,6 +42,7 @@
+ #include "player/defaults.h" /* Provides: default settings               */
+ #include "player/record.h"   /* Provides: parameter mechanism            */
+ #include "player/meta.h"     /* Provides: record interpreters            */
++#include <stdint.h>
+ 
+ /**
+  * @internal
+@@ -132,8 +133,14 @@
+ 		}
+ 	}
+ 
+-/*	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
++	if (MAX_REC_SIZE(API) > UINT32_MAX/ 2)
++	{
++		API->err = wmf_E_InsMem;
++		WMF_DEBUG (API,"bailing...");
++		return (API->err);
++	}
++	
++ 	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
+ 
+ 	if (ERR (API))
+ 	{	WMF_DEBUG (API,"bailing...");
author	salo <salo@pkgsrc.org>	2006-08-20 21:38:45 +0000
committer	salo <salo@pkgsrc.org>	2006-08-20 21:38:45 +0000
commit	8f7a834d4ece239e9049f025b5750d72af13a178 (patch)
tree	be275a1715c76f5f3a015ae8945d8a2db4eee7e2 /graphics/libwmf
parent	61037551327a00c3ff14b5f0593a2a6b0a595da0 (diff)
download	pkgsrc-8f7a834d4ece239e9049f025b5750d72af13a178.tar.gz