From cee9ba70871f7952bb6cb3f28e43beddbe97f775 Mon Sep 17 00:00:00 2001
From: joerg
Date: Wed, 13 Sep 2006 12:27:26 +0000
Subject: Fixes for CVE-2006-2006-3739 and CVE-2006-3740. Bump revision.
---
 x11/xorg-libs/Makefile | 4 ++--
 x11/xorg-libs/distinfo | 5 +++-
 x11/xorg-libs/patches/patch-cg | 27 ++++++++++++++++++++++
 x11/xorg-libs/patches/patch-ch | 52 ++++++++++++++++++++++++++++++++++++++++++
 x11/xorg-libs/patches/patch-ci | 15 ++++++++++++
 5 files changed, 100 insertions(+), 3 deletions(-)
 create mode 100644 x11/xorg-libs/patches/patch-cg
 create mode 100644 x11/xorg-libs/patches/patch-ch
 create mode 100644 x11/xorg-libs/patches/patch-ci
(limited to 'x11')
diff --git a/x11/xorg-libs/Makefile b/x11/xorg-libs/Makefile
index 882c4d133d6..633ec3dc3be 100644
--- a/x11/xorg-libs/Makefile
+++ b/x11/xorg-libs/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.42 2006/08/26 15:20:44 joerg Exp $
+# $NetBSD: Makefile,v 1.43 2006/09/13 12:27:26 joerg Exp $
 
 DISTNAME= ${DISTFILES}
 PKGNAME= xorg-libs-${XORG_VER}
-PKGREVISION= 8
+PKGREVISION= 9
 CATEGORIES= x11
 MASTER_SITES= ${MASTER_SITE_XORG}
 DISTFILES= X11R${XORG_VER}-src1.tar.gz X11R${XORG_VER}-src2.tar.gz \
diff --git a/x11/xorg-libs/distinfo b/x11/xorg-libs/distinfo
index 6e198784790..993a9fd26b6 100644
--- a/x11/xorg-libs/distinfo
+++ b/x11/xorg-libs/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.52 2006/08/22 18:12:14 joerg Exp $
+$NetBSD: distinfo,v 1.53 2006/09/13 12:27:26 joerg Exp $
 
 SHA1 (X11R6.9.0-src1.tar.gz) = a6c077ed8fdeee5fe1956a427c4cb0bc266e1bef
 RMD160 (X11R6.9.0-src1.tar.gz) = d12270a4f41a3ceee4bfd5da22d387a3aa707df8
@@ -59,3 +59,6 @@ SHA1 (patch-cc) = d5d72e525f9564eda7f2ea21ddb179800fb153b5
 SHA1 (patch-cd) = e4bb522f4f3e896627aab68e39b0c643e4a6a5be
 SHA1 (patch-ce) = ce68c16dde6a924dbb43b44653bd4bc7c26c34ef
 SHA1 (patch-cf) = ec178ce36dbcd9b65d49584aa80e080b6f11132a
+SHA1 (patch-cg) = 82b40c8e39305bd320a88498c7202dc6e1e11743
+SHA1 (patch-ch) = e09e3fe3dd14caa70d2bcee1b58a72db0851632c
+SHA1 (patch-ci) = eaba43892d9968cf268ce1c0efe31a14c1a56ed5
diff --git a/x11/xorg-libs/patches/patch-cg b/x11/xorg-libs/patches/patch-cg
new file mode 100644
index 00000000000..b811dc030b6
--- /dev/null
+++ b/x11/xorg-libs/patches/patch-cg
@@ -0,0 +1,27 @@
+$NetBSD: patch-cg,v 1.1 2006/09/13 12:27:26 joerg Exp $
+
+Fixes for CVE-2006-2006-3739 and CVE-2006-3740.
+
+--- lib/font/Type1/afm.c.orig 2006-09-13 14:17:16.000000000 +0200
++++ lib/font/Type1/afm.c
+@@ -29,6 +29,7 @@
+ #include
+ #include
+ #include
++#include
+ #else
+ #include "Xmd.h" /* For INT32 declaration */
+ #include "Xdefs.h" /* For Bool */
+@@ -118,6 +119,12 @@ int CIDAFM(FILE *fd, FontInfo **pfi) {
+ 
+ fi->nChars = atoi(p);
+ 
++ if (fi->nChars < 0 || fi->nChars > INT_MAX / sizeof(Metrics)) {
++ xfree(afmbuf);
++ xfree(fi);
++ return(1);
++ }
++
+ fi->metrics = (Metrics *)xalloc(fi->nChars *
+ sizeof(Metrics));
+ if (fi->metrics == NULL) {
diff --git a/x11/xorg-libs/patches/patch-ch b/x11/xorg-libs/patches/patch-ch
new file mode 100644
index 00000000000..562487dedcb
--- /dev/null
+++ b/x11/xorg-libs/patches/patch-ch
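Review bot: In patch-cg's CIDAFM hunk the new bound is applied to the result of `atoi(p)` on the context line above it, and atoi reports no parse error and has undefined behaviour when the text is out of range for int, so the check only sees whatever atoi happened to return. Parsing with strtol and rejecting bad input before narrowing would make the guard dependable, assuming p is a char pointer into afmbuf: `errno = 0; n = strtol(p, &end, 10);` followed by `if (end == p || errno == ERANGE || n < 0 || n > (long)(INT_MAX / sizeof(Metrics)))` with the same cleanup. A zero count still passes the check, and how the `fi->metrics == NULL` branch treats an empty allocation is outside the hunk. The patch header line writes the first identifier as `CVE-2006-2006-3739`, with the year doubled, and the same line is repeated in patch-ch and patch-ci.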
@@ -0,0 +1,52 @@
+$NetBSD: patch-ch,v 1.1 2006/09/13 12:27:26 joerg Exp $
+
+Fixes for CVE-2006-2006-3739 and CVE-2006-3740.
+
+--- lib/font/Type1/scanfont.c.orig 2006-09-13 14:18:59.000000000 +0200
++++ lib/font/Type1/scanfont.c
+@@ -57,6 +57,7 @@
+ 
+ #ifndef FONTMODULE
+ #include
++#include
+ #else
+ #include "Xdefs.h" /* Bool declaration */
+ #include "Xmd.h" /* INT32 declaration */
+@@ -654,6 +655,7 @@ getFDArray(psobj *arrayP)
+ arrayP->data.valueP = tokenStartP;
+ 
+ /* allocate FDArray */
++ /* No integer overflow since arrayP->len is unsigned short */
+ FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
+ if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
+ 
+@@ -850,7 +852,8 @@ BuildSubrs(psfont *FontP)
+ }
+ return(SCAN_OK);
+ }
+-
++ if (N > INT_MAX / sizeof(psobj))
++ return (SCAN_ERROR);
+ arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
+ if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
+ FontP->Subrs.len = N;
+@@ -911,7 +914,7 @@ BuildCharStrings(psfont *FontP)
+ }
+ else return(rc); /* if next token was not an Int */
+ }
+- if (N<=0) return(SCAN_ERROR);
++ if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
+ /* save number of entries in the dictionary */
+ 
+ dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
+@@ -1719,6 +1722,10 @@ scan_cidfont(cidfont *CIDFontP, cmapres
+ if (tokenType == TOKEN_INTEGER)
+ rangecnt = tokenValue.integer;
+ 
++ if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
++ rc = SCAN_ERROR;
++ break;
++ }
+ /* ==> tokenLength, tokenTooLong, tokenType, and */
+ /* tokenValue are now set */
+ 
diff --git a/x11/xorg-libs/patches/patch-ci b/x11/xorg-libs/patches/patch-ci
new file mode 100644
index 00000000000..c598bb4319e
--- /dev/null
+++ b/x11/xorg-libs/patches/patch-ci
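Review bot: In patch-ch's BuildCharStrings hunk the new bound is off by one against the allocation below it: the test admits `N == INT_MAX / sizeof(psdict)`, but the call is `vm_alloc((N+1)*sizeof(psdict))`, so the largest accepted N gives a byte count above INT_MAX that is then narrowed to vm_alloc's `int bytes` parameter. Writing the test as `if (N<=0 || N >= INT_MAX / sizeof(psdict)) return(SCAN_ERROR);` closes the gap. The `bytes > 0` guard that patch-ci adds to vm_alloc will probably catch the narrowed value on common platforms, but that depends on how the out-of-range conversion behaves and should not be the only barrier. In the BuildSubrs hunk a negative N is rejected only through the implicit conversion to size_t, unless code before the hunk already excludes it; an explicit `N < 0 ||` would match the checks in the other hunks. Both functions start and end outside the lines shown.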
@@ -0,0 +1,15 @@
+$NetBSD: patch-ci,v 1.1 2006/09/13 12:27:26 joerg Exp $
+
+Fixes for CVE-2006-2006-3739 and CVE-2006-3740.
+
+--- lib/font/Type1/util.c.orig 2006-09-13 14:22:13.000000000 +0200
++++ lib/font/Type1/util.c
+@@ -104,7 +104,7 @@ vm_alloc(int bytes)
+ bytes = (bytes + 7) & ~7;
+ 
+ /* Allocate the space, if it is available */
+- if (bytes <= vm_free) {
++ if (bytes > 0 && bytes <= vm_free) {
+ answer = vm_next;
+ vm_free -= bytes;
+ vm_next += bytes;
-- cgit v1.2.3
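Review bot: In patch-ci's vm_alloc hunk the new `bytes > 0` test runs after the rounding on the context line `bytes = (bytes + 7) & ~7;`, so a request within 7 of INT_MAX overflows a signed int, which is undefined behaviour, before the guard sees it. Validating first avoids that: `if (bytes <= 0 || bytes > INT_MAX - 7)` ahead of the rounding, taking the function's existing failure path, which lies outside the hunk. The guard also turns a zero-byte request into a failure; getFDArray in patch-ch passes `arrayP->len*(sizeof(psfont))` and returns SCAN_OUT_OF_MEMORY when the result is null, so an empty array would now be reported as out of memory if the unseen failure path returns NULL. A comment on the guard such as `/* zero and negative sizes are rejected; callers must not request empty blocks */` would record that contract.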