ports/90067: Update port: print/teTeX-base xpdf security issue
Marcus Alves Grando
mnag at FreeBSD.org
Wed Dec 7 13:30:04 UTC 2005
>Number: 90067
>Category: ports
>Synopsis: Update port: print/teTeX-base xpdf security issue
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Wed Dec 07 13:30:02 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Marcus Alves Grando
>Release: FreeBSD 6.0-STABLE i386
>Organization:
Grupos Internet S/A
>Environment:
System: FreeBSD marcus.grupos.com.br 6.0-STABLE FreeBSD 6.0-STABLE #16: Tue Dec 6 00:43:44 BRST 2005 root at marcus.grupos.com.br:/usr/obj/usr/src/sys/MARCUS i386
>Description:
Backport xpdf vendor patch
Bump PORTREVISION
Add SHA256
Security: http://www.idefense.com/application/poi/display?id=342&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=343&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=344&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=345&type=vulnerabilities
http://secunia.com/advisories/17897/
CVE-2005-3191, CVE-2005-3192, CVE-2005-3193
>How-To-Repeat:
>Fix:
--- teTeX-base.patch begins here ---
Index: Makefile
===================================================================
RCS file: /home/pcvs/ports/print/teTeX-base/Makefile,v
retrieving revision 1.87
diff -u -r1.87 Makefile
--- Makefile 20 Nov 2005 17:57:05 -0000 1.87
+++ Makefile 7 Dec 2005 13:16:57 -0000
@@ -7,7 +7,7 @@
PORTNAME= teTeX-base
PORTVERSION= 3.0
-PORTREVISION= 5
+PORTREVISION= 6
CATEGORIES= print
MASTER_SITES= ${MASTER_SITE_TEX_CTAN} \
ftp://ftp.ascii.co.jp/pub/TeX/ascii-ptex/dvips/:1
Index: distinfo
===================================================================
RCS file: /home/pcvs/ports/print/teTeX-base/distinfo,v
retrieving revision 1.24
diff -u -r1.24 distinfo
--- distinfo 8 Feb 2005 06:43:30 -0000 1.24
+++ distinfo 7 Dec 2005 13:16:57 -0000
@@ -1,2 +1,3 @@
MD5 (teTeX/tetex-src-3.0.tar.gz) = 944a4641e79e61043fdaf8f38ecbb4b3
+SHA256 (teTeX/tetex-src-3.0.tar.gz) = 9c0f7eaeb5ba6dc6f66433404d264941bf95cded2fa798b1f7a9dd580c21649b
SIZE (teTeX/tetex-src-3.0.tar.gz) = 12749314
Index: files/patch-SA17897
===================================================================
RCS file: files/patch-SA17897
diff -N files/patch-SA17897
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/patch-SA17897 7 Dec 2005 13:16:57 -0000
@@ -0,0 +1,120 @@
+--- libs/xpdf/xpdf/JPXStream.cc.orig Mon May 17 15:11:49 2004
++++ libs/xpdf/xpdf/JPXStream.cc Tue Dec 6 18:07:18 2005
+@@ -666,7 +666,7 @@
+ int segType;
+ GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+ Guint precinctSize, style;
+- Guint segLen, capabilities, comp, i, j, r;
++ Guint segLen, capabilities, nTiles, comp, i, j, r;
+
+ //----- main header
+ haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
+@@ -701,8 +701,13 @@
+ / img.xTileSize;
+ img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
+ / img.yTileSize;
+- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
+- sizeof(JPXTile));
++ nTiles = img.nXTiles * img.nYTiles;
++ // check for overflow before allocating memory
++ if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
++ error(getPos(), "Bad tile count in JPX SIZ marker segment");
++ return gFalse;
++ }
++ img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
+ for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
+ img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
+ sizeof(JPXTileComp));
+--- libs/xpdf/xpdf/Stream.cc.orig Mon May 17 16:37:57 2004
++++ libs/xpdf/xpdf/Stream.cc Tue Dec 6 18:05:14 2005
+@@ -407,18 +407,33 @@
+
+ StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
+ int widthA, int nCompsA, int nBitsA) {
++ int totalBits;
++
+ str = strA;
+ predictor = predictorA;
+ width = widthA;
+ nComps = nCompsA;
+ nBits = nBitsA;
++ predLine = NULL;
++ ok = gFalse;
+
+ nVals = width * nComps;
++ totalBits = nVals * nBits;
++ if (totalBits == 0 ||
++ (totalBits / nBits) / nComps != width ||
++ totalBits + 7 < 0) {
++ return;
++ }
+ pixBytes = (nComps * nBits + 7) >> 3;
+- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
++ rowBytes = ((totalBits + 7) >> 3) + pixBytes;
++ if (rowBytes < 0) {
++ return;
++ }
+ predLine = (Guchar *)gmalloc(rowBytes);
+ memset(predLine, 0, rowBytes);
+ predIdx = rowBytes;
++
++ ok = gTrue;
+ }
+
+ StreamPredictor::~StreamPredictor() {
+@@ -1012,6 +1027,10 @@
+ FilterStream(strA) {
+ if (predictor != 1) {
+ pred = new StreamPredictor(this, predictor, columns, colors, bits);
++ if (!pred->isOk()) {
++ delete pred;
++ pred = NULL;
++ }
+ } else {
+ pred = NULL;
+ }
+@@ -2897,6 +2916,14 @@
+ height = read16();
+ width = read16();
+ numComps = str->getChar();
++ if (numComps <= 0 || numComps > 4) {
++ error(getPos(), "Bad number of components in DCT stream", prec);
++ return gFalse;
++ }
++ if (numComps <= 0 || numComps > 4) {
++ error(getPos(), "Bad number of components in DCT stream", prec);
++ return gFalse;
++ }
+ if (prec != 8) {
+ error(getPos(), "Bad DCT precision %d", prec);
+ return gFalse;
+@@ -3255,6 +3282,10 @@
+ FilterStream(strA) {
+ if (predictor != 1) {
+ pred = new StreamPredictor(this, predictor, columns, colors, bits);
++ if (!pred->isOk()) {
++ delete pred;
++ pred = NULL;
++ }
+ } else {
+ pred = NULL;
+ }
+--- libs/xpdf/xpdf/Stream.h.orig Mon May 17 16:37:57 2004
++++ libs/xpdf/xpdf/Stream.h Tue Dec 6 18:05:14 2005
+@@ -233,6 +233,8 @@
+
+ ~StreamPredictor();
+
++ GBool isOk() { return ok; }
++
+ int lookChar();
+ int getChar();
+
+@@ -250,6 +252,7 @@
+ int rowBytes; // bytes per line
+ Guchar *predLine; // line buffer
+ int predIdx; // current index in predLine
++ GBool ok;
+ };
+
+ //------------------------------------------------------------------------
--- teTeX-base.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list