From fc3785910a95a2cf79cd4f53fc3b77a842af07a5 Mon Sep 17 00:00:00 2001 From: tron Date: Tue, 8 Jun 2010 18:22:06 +0000 Subject: Pullup ticket #3143 - requested by minskim print/dvipsk: security patch Revisions pulled up: - print/dvipsk/Makefile 1.6 - print/dvipsk/distinfo 1.5 - print/dvipsk/patches/patch-ab 1.4 --- Module Name: pkgsrc Committed By: minskim Date: Tue Jun 8 15:17:05 UTC 2010 Modified Files: pkgsrc/print/dvipsk: Makefile distinfo pkgsrc/print/dvipsk/patches: patch-ab Log Message: Fix CVE-2010-1440. Patch from TeX Live repository. Multiple integer overflows in dvipsk/dospecial.c in dvips in TeX Live 2009 and earlier, and teTeX, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a special command in a DVI file, related to the (1) predospecial and (2) bbdospecial functions, a different vulnerability than CVE-2010-0739. --- print/dvipsk/Makefile | 4 ++-- print/dvipsk/distinfo | 4 ++-- print/dvipsk/patches/patch-ab | 28 ++++++++++++++++++++++------ 3 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/print/dvipsk/Makefile b/print/dvipsk/Makefile
index c926c0b8f48..9c0f9d6eae2 100644
--- a/print/dvipsk/Makefile
+++ b/print/dvipsk/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.4.2.1 2010/04/20 21:26:19 tron Exp $
+# $NetBSD: Makefile,v 1.4.2.2 2010/06/08 18:22:06 tron Exp $
 DISTNAME= texlive-20091011-source
 PKGNAME= dvipsk-5.98
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= print
 MASTER_SITES= ${MASTER_SITE_TEX_CTAN:=systems/texlive/Source/}
 EXTRACT_SUFX= .tar.xz
diff --git a/print/dvipsk/distinfo b/print/dvipsk/distinfo
index 36d4cc322da..0b456aa8fc4 100644
--- a/print/dvipsk/distinfo
+++ b/print/dvipsk/distinfo
@@ -1,7 +1,7 @@
-$NetBSD: distinfo,v 1.3.2.1 2010/04/20 21:26:19 tron Exp $
+$NetBSD: distinfo,v 1.3.2.2 2010/06/08 18:22:06 tron Exp $
 SHA1 (texlive-20091011-source.tar.xz) = 82fc9fcdb82c63a00f4b08a51733c761cbda897d
 RMD160 (texlive-20091011-source.tar.xz) = 81b86cd93e629d6b1b3d7918848dd76babc0d5a9
 Size (texlive-20091011-source.tar.xz) = 29683728 bytes
 SHA1 (patch-aa) = 825b091fecb17e8cc9135a0341b90e49ffd56baf
-SHA1 (patch-ab) = 4acf55b8027b9b2edc64c01568d3c22b50b7eafa
+SHA1 (patch-ab) = 0ecb16e2073813d23a8d13809de58a01bfe38e8a
diff --git a/print/dvipsk/patches/patch-ab b/print/dvipsk/patches/patch-ab
index 7d3bac81ccb..d5988885391 100644
--- a/print/dvipsk/patches/patch-ab
+++ b/print/dvipsk/patches/patch-ab
@@ -1,17 +1,33 @@
-$NetBSD: patch-ab,v 1.3.2.2 2010/04/20 21:26:19 tron Exp $
+$NetBSD: patch-ab,v 1.3.2.3 2010/06/08 18:22:06 tron Exp $
+
+- CVE-2010-0739
+- CVE-2010-1440
 --- dospecial.c.orig 2009-06-23 09:46:14.000000000 +0000
 +++ dospecial.c
-@@ -334,6 +334,12 @@ predospecial(integer numbytes, Boolean s
+@@ -333,7 +333,11 @@ predospecial(integer numbytes, Boolean s
+ int j ;
 static int omega_specials = 0;
- if (nextstring + numbytes > maxstring) {
-+ if (numbytes < 0
-+ || (numbytes > 0 && 2 > INT_MAX / numbytes)
-+ || 2 * numbytes > 1000 + 2 * numbytes) {
+- if (nextstring + numbytes > maxstring) {
++ if (numbytes < 0 || numbytes > maxstring - nextstring) {
++ if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 ) {
 + error("! Integer overflow in predospecial");
 + exit(1);
 + }
 p = nextstring = mymalloc(1000 + 2 * numbytes) ;
 maxstring = nextstring + 2 * numbytes + 700 ;
 }
+@@ -918,7 +922,11 @@ bbdospecial(int nbytes)
+ char seen[NKEYS] ;
+ float valseen[NKEYS] ;
+
+- if (nextstring + nbytes > maxstring) {
++ if (nbytes < 0 || nbytes > maxstring - nextstring) {
++ if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2 ) {
++ error("! Integer overflow in bbdospecial");
++ exit(1);
++ }
+ p = nextstring = mymalloc(1000 + 2 * nbytes) ;
+ maxstring = nextstring + 2 * nbytes + 700 ;
+ }
-- cgit v1.2.3
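Review bot: The bound `(INT_MAX - 1000) / 2` in the new predospecial and bbdospecial checks is a bare constant whose link to the allocation two lines below is left for the reader to work out, and the outer `numbytes < 0 ||` exists only to steer negative lengths into the inner error path. A short comment above each inner test would make that explicit, for example `/* reject lengths for which 1000 + 2 * numbytes would not fit in an int */`. The two guards are identical apart from the variable name and the message, so a small shared helper in dospecial.c would keep the limit in one place. The declarations of `integer` and of mymalloc's parameter are not in the hunk, so it is worth confirming that INT_MAX is the right ceiling for both. Both function bodies continue outside the lines shown.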