r26184 - in /desktop/unstable/evince/debian: changelog patches/01_dvi_security.patch patches/series
joss at users.alioth.debian.org
joss at users.alioth.debian.org
Mon Jan 10 13:24:32 UTC 2011
Author: joss
Date: Mon Jan 10 13:24:30 2011
New Revision: 26184
URL: http://svn.debian.org/wsvn/pkg-gnome/?sc=1&rev=26184
Log:
01_dvi_security.patch: security fix from upstream git.
CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643.
Closes: #609534.
Added:
desktop/unstable/evince/debian/patches/01_dvi_security.patch
Modified:
desktop/unstable/evince/debian/changelog
desktop/unstable/evince/debian/patches/series
Modified: desktop/unstable/evince/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/evince/debian/changelog?rev=26184&op=diff
==============================================================================
--- desktop/unstable/evince/debian/changelog [utf-8] (original)
+++ desktop/unstable/evince/debian/changelog [utf-8] Mon Jan 10 13:24:30 2011
@@ -1,6 +1,9 @@
-evince (2.30.3-2) UNRELEASED; urgency=low
+evince (2.30.3-2) UNRELEASED; urgency=medium
* Fix PostScript capitalization. Closes: #591872.
+ * 01_dvi_security.patch: security fix from upstream git.
+ CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643.
+ Closes: #609534.
-- Josselin Mouette <joss at debian.org> Mon, 16 Aug 2010 15:43:52 +0200
Added: desktop/unstable/evince/debian/patches/01_dvi_security.patch
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/evince/debian/patches/01_dvi_security.patch?rev=26184&op=file
==============================================================================
--- desktop/unstable/evince/debian/patches/01_dvi_security.patch (added)
+++ desktop/unstable/evince/debian/patches/01_dvi_security.patch [utf-8] Mon Jan 10 13:24:30 2011
@@ -1,0 +1,97 @@
+From 8e473c9796b9a61b811213e7892fd36fd570303a Mon Sep 17 00:00:00 2001
+From: José Aliste <jaliste at src.gnome.org>
+Date: Tue, 07 Dec 2010 18:56:47 +0000
+Subject: backends: Fix several security issues in the dvi-backend.
+
+See CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643.
+---
+diff --git a/backend/dvi/mdvi-lib/afmparse.c b/backend/dvi/mdvi-lib/afmparse.c
+index 164366b..361e23d 100644
+--- a/backend/dvi/mdvi-lib/afmparse.c
++++ b/backend/dvi/mdvi-lib/afmparse.c
+@@ -160,7 +160,7 @@ static char *token(FILE *stream)
+
+ idx = 0;
+ while (ch != EOF && ch != ' ' && ch != lineterm
+- && ch != '\t' && ch != ':' && ch != ';')
++ && ch != '\t' && ch != ':' && ch != ';' && idx < MAX_NAME)
+ {
+ ident[idx++] = ch;
+ ch = fgetc(stream);
+diff --git a/backend/dvi/mdvi-lib/dviread.c b/backend/dvi/mdvi-lib/dviread.c
+index 97b7b84..ac98068 100644
+--- a/backend/dvi/mdvi-lib/dviread.c
++++ b/backend/dvi/mdvi-lib/dviread.c
+@@ -1537,6 +1537,10 @@ int special(DviContext *dvi, int opcode)
+ Int32 arg;
+
+ arg = dugetn(dvi, opcode - DVI_XXX1 + 1);
++ if (arg <= 0) {
++ dvierr(dvi, _("malformed special length\n"));
++ return -1;
++ }
+ s = mdvi_malloc(arg + 1);
+ dread(dvi, s, arg);
+ s[arg] = 0;
+diff --git a/backend/dvi/mdvi-lib/pk.c b/backend/dvi/mdvi-lib/pk.c
+index a579186..08377e6 100644
+--- a/backend/dvi/mdvi-lib/pk.c
++++ b/backend/dvi/mdvi-lib/pk.c
+@@ -469,6 +469,15 @@ static int pk_load_font(DviParams *unused, DviFont *font)
+ }
+ if(feof(p))
+ break;
++
++ /* Although the PK format support bigger char codes,
++ * XeTeX and other extended TeX engines support charcodes up to
++ * 65536, while normal TeX engine supports only charcode up to 255.*/
++ if (cc < 0 || cc > 65536) {
++ mdvi_error (_("%s: unexpected charcode (%d)\n"),
++ font->fontname,cc);
++ goto error;
++ }
+ if(cc < loc)
+ loc = cc;
+ if(cc > hic)
+@@ -512,7 +521,7 @@ static int pk_load_font(DviParams *unused, DviFont *font)
+ }
+
+ /* resize font char data */
+- if(loc > 0 || hic < maxch-1) {
++ if(loc > 0 && hic < maxch-1) {
+ memmove(font->chars, font->chars + loc,
+ (hic - loc + 1) * sizeof(DviFontChar));
+ font->chars = xresize(font->chars,
+diff --git a/backend/dvi/mdvi-lib/tfmfile.c b/backend/dvi/mdvi-lib/tfmfile.c
+index 73ebf26..8c2a30b 100644
+--- a/backend/dvi/mdvi-lib/tfmfile.c
++++ b/backend/dvi/mdvi-lib/tfmfile.c
+@@ -172,7 +172,8 @@ int tfm_load_file(const char *filename, TFMInfo *info)
+ /* We read the entire TFM file into core */
+ if(fstat(fileno(in), &st) < 0)
+ return -1;
+- if(st.st_size == 0)
++ /* according to the spec, TFM files are smaller than 16K */
++ if(st.st_size == 0 || st.st_size >= 16384)
+ goto bad_tfm;
+
+ /* allocate a word-aligned buffer to hold the file */
+diff --git a/backend/dvi/mdvi-lib/vf.c b/backend/dvi/mdvi-lib/vf.c
+index fb49847..a5ae3bb 100644
+--- a/backend/dvi/mdvi-lib/vf.c
++++ b/backend/dvi/mdvi-lib/vf.c
+@@ -165,6 +165,12 @@ static int vf_load_font(DviParams *params, DviFont *font)
+ cc = fuget1(p);
+ tfm = fuget3(p);
+ }
++ if (cc < 0 || cc > 65536) {
++ /* TeX engines do not support char codes bigger than 65535 */
++ mdvi_error(_("(vf) %s: unexpected character %d\n"),
++ font->fontname, cc);
++ goto error;
++ }
+ if(loc < 0 || cc < loc)
+ loc = cc;
+ if(hic < 0 || cc > hic)
+--
+cgit v0.8.3.1
Modified: desktop/unstable/evince/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/evince/debian/patches/series?rev=26184&op=diff
==============================================================================
--- desktop/unstable/evince/debian/patches/series [utf-8] (original)
+++ desktop/unstable/evince/debian/patches/series [utf-8] Mon Jan 10 13:24:30 2011
@@ -1,0 +1,1 @@
+01_dvi_security.patch
More information about the pkg-gnome-commits
mailing list