From 488d4eb786675bb13a370f4dee4481f0c08c8185 Mon Sep 17 00:00:00 2001 From: salo Date: Sun, 20 Aug 2006 21:38:45 +0000 Subject: Security fix for CVE-2006-3376: "A vulnerability in libwmf can be potentially exploited by malicious people to compromise an application using the vulnerable library. The vulnerability is caused due to an integer overflow error when allocating memory based on a value taken directly from a WMF file without performing any checks. This can be exploited to cause a heap-based buffer overflow when a specially crafted WMF file is processed. Successful exploitation may allow execution of arbitrary code." http://secunia.com/advisories/20921/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3376 Patch from Red Hat. Bump PKGREVISION. --- graphics/libwmf/Makefile | 4 ++-- graphics/libwmf/distinfo | 3 ++- graphics/libwmf/patches/patch-ae | 31 +++++++++++++++++++++++++++++++ 3 files changed, 35 insertions(+), 3 deletions(-) create mode 100644 graphics/libwmf/patches/patch-ae (limited to 'graphics/libwmf') diff --git a/graphics/libwmf/Makefile b/graphics/libwmf/Makefile index 5ec053bff61..32c50512027 100644 --- a/graphics/libwmf/Makefile +++ b/graphics/libwmf/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.59 2006/04/17 13:46:00 wiz Exp $ +# $NetBSD: Makefile,v 1.60 2006/08/20 21:38:45 salo Exp $ DISTNAME= libwmf-0.2.8.4 -PKGREVISION= 3 +PKGREVISION= 4 CATEGORIES= graphics devel MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=wvware/} diff --git a/graphics/libwmf/distinfo b/graphics/libwmf/distinfo index 4cec03d233f..6256186c176 100644 --- a/graphics/libwmf/distinfo +++ b/graphics/libwmf/distinfo @@ -1,6 +1,7 @@ -$NetBSD: distinfo,v 1.13 2006/01/18 22:04:58 adam Exp $ +$NetBSD: distinfo,v 1.14 2006/08/20 21:38:45 salo Exp $ SHA1 (libwmf-0.2.8.4.tar.gz) = 822ab3bd0f5e8f39ad732f2774a8e9f18fc91e89 RMD160 (libwmf-0.2.8.4.tar.gz) = 98cd631adb5bb332d9224d04bc8a265c105435f2 Size (libwmf-0.2.8.4.tar.gz) = 2169375 bytes SHA1 (patch-ad) = b74be16c5da490394b86403009f5f35d80ba4bfa +SHA1 (patch-ae) = 644684733090c26250a1ce0e2c5a6c978bd54b74 diff --git a/graphics/libwmf/patches/patch-ae b/graphics/libwmf/patches/patch-ae new file mode 100644 index 00000000000..11c39521681 --- /dev/null +++ b/graphics/libwmf/patches/patch-ae @@ -0,0 +1,31 @@ +$NetBSD: patch-ae,v 1.1 2006/08/20 21:38:45 salo Exp $ + +Security fix for CVE-2006-3376, from Red Hat. + +--- src/player.c.orig 2002-12-10 20:30:26.000000000 +0100 ++++ src/player.c 2006-08-20 23:29:44.000000000 +0200 +@@ -42,6 +42,7 @@ + #include "player/defaults.h" /* Provides: default settings */ + #include "player/record.h" /* Provides: parameter mechanism */ + #include "player/meta.h" /* Provides: record interpreters */ ++#include + + /** + * @internal +@@ -132,8 +133,14 @@ + } + } + +-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char)); +- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); ++ if (MAX_REC_SIZE(API) > UINT32_MAX/ 2) ++ { ++ API->err = wmf_E_InsMem; ++ WMF_DEBUG (API,"bailing..."); ++ return (API->err); ++ } ++ ++ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); + + if (ERR (API)) + { WMF_DEBUG (API,"bailing..."); -- cgit v1.2.3