pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/graphics/libwmf Security fix for CVE-2006-3376:
details: https://anonhg.NetBSD.org/pkgsrc/rev/912d204cf14a
branches: trunk
changeset: 517718:912d204cf14a
user: salo <salo%pkgsrc.org@localhost>
date: Sun Aug 20 21:38:45 2006 +0000
description:
Security fix for CVE-2006-3376:
"A vulnerability in libwmf can be potentially exploited by malicious
people to compromise an application using the vulnerable library.
The vulnerability is caused due to an integer overflow error when
allocating memory based on a value taken directly from a WMF file
without performing any checks. This can be exploited to cause a
heap-based buffer overflow when a specially crafted WMF file is
processed.
Successful exploitation may allow execution of arbitrary code."
http://secunia.com/advisories/20921/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3376
Patch from Red Hat. Bump PKGREVISION.
diffstat:
graphics/libwmf/Makefile | 4 ++--
graphics/libwmf/distinfo | 3 ++-
graphics/libwmf/patches/patch-ae | 31 +++++++++++++++++++++++++++++++
3 files changed, 35 insertions(+), 3 deletions(-)
diffs (60 lines):
diff -r a34c84e7de65 -r 912d204cf14a graphics/libwmf/Makefile
--- a/graphics/libwmf/Makefile Sun Aug 20 20:06:26 2006 +0000
+++ b/graphics/libwmf/Makefile Sun Aug 20 21:38:45 2006 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.59 2006/04/17 13:46:00 wiz Exp $
+# $NetBSD: Makefile,v 1.60 2006/08/20 21:38:45 salo Exp $
DISTNAME= libwmf-0.2.8.4
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= graphics devel
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=wvware/}
diff -r a34c84e7de65 -r 912d204cf14a graphics/libwmf/distinfo
--- a/graphics/libwmf/distinfo Sun Aug 20 20:06:26 2006 +0000
+++ b/graphics/libwmf/distinfo Sun Aug 20 21:38:45 2006 +0000
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.13 2006/01/18 22:04:58 adam Exp $
+$NetBSD: distinfo,v 1.14 2006/08/20 21:38:45 salo Exp $
SHA1 (libwmf-0.2.8.4.tar.gz) = 822ab3bd0f5e8f39ad732f2774a8e9f18fc91e89
RMD160 (libwmf-0.2.8.4.tar.gz) = 98cd631adb5bb332d9224d04bc8a265c105435f2
Size (libwmf-0.2.8.4.tar.gz) = 2169375 bytes
SHA1 (patch-ad) = b74be16c5da490394b86403009f5f35d80ba4bfa
+SHA1 (patch-ae) = 644684733090c26250a1ce0e2c5a6c978bd54b74
diff -r a34c84e7de65 -r 912d204cf14a graphics/libwmf/patches/patch-ae
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/libwmf/patches/patch-ae Sun Aug 20 21:38:45 2006 +0000
@@ -0,0 +1,31 @@
+$NetBSD: patch-ae,v 1.1 2006/08/20 21:38:45 salo Exp $
+
+Security fix for CVE-2006-3376, from Red Hat.
+
+--- src/player.c.orig 2002-12-10 20:30:26.000000000 +0100
++++ src/player.c 2006-08-20 23:29:44.000000000 +0200
+@@ -42,6 +42,7 @@
+ #include "player/defaults.h" /* Provides: default settings */
+ #include "player/record.h" /* Provides: parameter mechanism */
+ #include "player/meta.h" /* Provides: record interpreters */
++#include <stdint.h>
+
+ /**
+ * @internal
+@@ -132,8 +133,14 @@
+ }
+ }
+
+-/* P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++ if (MAX_REC_SIZE(API) > UINT32_MAX/ 2)
++ {
++ API->err = wmf_E_InsMem;
++ WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++
++ P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
+
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
Home |
Main Index |
Thread Index |
Old Index