diff options
| author | salo <salo@pkgsrc.org> | 2005-10-30 17:58:58 +0000 |
|---|---|---|
| committer | salo <salo@pkgsrc.org> | 2005-10-30 17:58:58 +0000 |
| commit | 222b9936797c9ff980b509d20b086cbc532b5a3f (patch) | |
| tree | e44f1e581af8f37e53b6c58fdb79cea155ff7d93 /graphics/xli/patches | |
| parent | 92854abe0546d41cd0dcc31cedcc68e8ae8e8077 (diff) | |
| download | pkgsrc-222b9936797c9ff980b509d20b086cbc532b5a3f.tar.gz | |
Security fix for CVE-2005-3178:
"Buffer overflow in xli might allow user-complicit attackers to execute
arbitrary code via a long title name in a NIFF file, which triggers the
overflow during zoom, reduce, or rotate operations."
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3178
Patch from Debian.
Diffstat (limited to 'graphics/xli/patches')
| -rw-r--r-- | graphics/xli/patches/patch-ae | 16 | ||||
| -rw-r--r-- | graphics/xli/patches/patch-af | 40 |
2 files changed, 56 insertions, 0 deletions
diff --git a/graphics/xli/patches/patch-ae b/graphics/xli/patches/patch-ae new file mode 100644 index 00000000000..78be8b31155 --- /dev/null +++ b/graphics/xli/patches/patch-ae @@ -0,0 +1,16 @@ +$NetBSD: patch-ae,v 1.1 2005/10/30 17:58:58 salo Exp $ + +Security fix for CVE-2005-3178, from Debian. + +--- reduce.c.orig 1999-10-25 04:15:02.000000000 +0200 ++++ reduce.c 2005-10-30 18:49:53.000000000 +0100 +@@ -178,7 +178,8 @@ + /* get destination image */ + depth = colorsToDepth(OutColors); + new_image = newRGBImage(image->width, image->height, depth); +- sprintf(buf, "%s (%d colors)", image->title, OutColors); ++ snprintf(buf, BUFSIZ, "%s (%d colors)", image->title, OutColors); ++ buf[BUFSIZ-1] = '\0'; + new_image->title = dupString(buf); + new_image->gamma = image->gamma; + diff --git a/graphics/xli/patches/patch-af b/graphics/xli/patches/patch-af new file mode 100644 index 00000000000..7e4565ee9b7 --- /dev/null +++ b/graphics/xli/patches/patch-af @@ -0,0 +1,40 @@ +$NetBSD: patch-af,v 1.1 2005/10/30 17:58:58 salo Exp $ + +Security fix for CVE-2005-3178, from Debian. + +--- zoom.c.orig 2005-02-28 01:42:39.000000000 +0100 ++++ zoom.c 2005-10-30 18:50:04.000000000 +0100 +@@ -52,28 +52,29 @@ + if (verbose) + printf(" Zooming image Y axis by %d%%...", yzoom); + if (changetitle) +- sprintf(buf, "%s (Y zoom %d%%)", oimage->title, yzoom); ++ snprintf(buf, BUFSIZ, "%s (Y zoom %d%%)", oimage->title, yzoom); + } + else if (!yzoom) { + if (verbose) + printf(" Zooming image X axis by %d%%...", xzoom); + if (changetitle) +- sprintf(buf, "%s (X zoom %d%%)", oimage->title, xzoom); ++ snprintf(buf, BUFSIZ, "%s (X zoom %d%%)", oimage->title, xzoom); + } + else if (xzoom == yzoom) { + if (verbose) + printf(" Zooming image by %d%%...", xzoom); + if (changetitle) +- sprintf(buf, "%s (%d%% zoom)", oimage->title, xzoom); ++ snprintf(buf, BUFSIZ, "%s (%d%% zoom)", oimage->title, xzoom); + } + else { + if (verbose) + printf(" Zooming image X axis by %d%% and Y axis by %d%%...", + xzoom, yzoom); + if (changetitle) +- sprintf(buf, "%s (X zoom %d%% Y zoom %d%%)", oimage->title, ++ snprintf(buf, BUFSIZ, "%s (X zoom %d%% Y zoom %d%%)", oimage->title, + xzoom, yzoom); + } ++ buf[BUFSIZ-1] = '\0'; + if (!changetitle) + strcpy(buf,oimage->title); + |