pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/misc/openoffice2 - Fix CVE-2007-2834 (Manipulated TIFF...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/750157a664ae
branches:  trunk
changeset: 533792:750157a664ae
user:      hira <hira%pkgsrc.org@localhost>
date:      Sun Sep 30 12:27:40 2007 +0000

description:
- Fix CVE-2007-2834 (Manipulated TIFF files can lead to heap
   overflows and arbitrary code execution).
 - Use internal libwpd (fix buildlink error of gnome-vfs).

Bump PKGREVISION.

diffstat:

 misc/openoffice2/Makefile         |    6 +-
 misc/openoffice2/distinfo         |    3 +-
 misc/openoffice2/patches/patch-co |  104 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 108 insertions(+), 5 deletions(-)

diffs (154 lines):

diff -r 9967616b2059 -r 750157a664ae misc/openoffice2/Makefile
--- a/misc/openoffice2/Makefile Sun Sep 30 12:25:48 2007 +0000
+++ b/misc/openoffice2/Makefile Sun Sep 30 12:27:40 2007 +0000
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.23 2007/09/21 13:04:03 wiz Exp $
+# $NetBSD: Makefile,v 1.24 2007/09/30 12:27:40 hira Exp $
 #
 
 OO_VER=                        2.2.1
 DISTNAME=              openoffice-${OO_VER}
 PKGNAME=               openoffice2-${OO_VER}
-PKGREVISION=           2
+PKGREVISION=           3
 CATEGORIES=            misc
 MASTER_SITES=          ${MASTER_SITE_OPENOFFICE:=stable/${OO_VER}/}
 DIST_SUBDIR=           ${DISTNAME}
@@ -55,7 +55,6 @@
 CONFIGURE_ARGS+=       --enable-cairo
 CONFIGURE_ARGS+=       --disable-ldap
 CONFIGURE_ARGS+=       --with-system-freetype
-CONFIGURE_ARGS+=       --with-system-libwpd
 
 # `portable' supports all platforms.
 CONFIGURE_ARGS+=       --enable-epm --with-package-format=portable
@@ -142,7 +141,6 @@
 .  include "Makefile.${OPSYS}.${ARCH}"
 .endif
 
-.include "../../converters/libwpd/buildlink3.mk"
 .include "../../fonts/fontconfig/buildlink3.mk"
 .include "../../graphics/MesaLib/buildlink3.mk"
 .include "../../graphics/cairo/buildlink3.mk"
diff -r 9967616b2059 -r 750157a664ae misc/openoffice2/distinfo
--- a/misc/openoffice2/distinfo Sun Sep 30 12:25:48 2007 +0000
+++ b/misc/openoffice2/distinfo Sun Sep 30 12:27:40 2007 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.20 2007/06/22 03:52:20 hira Exp $
+$NetBSD: distinfo,v 1.21 2007/09/30 12:27:40 hira Exp $
 
 SHA1 (openoffice-2.2.1/OOo_2.2.1_src_binfilter.tar.bz2) = aa2c316e0fab13a25c07c2cfd0eafb7a50c96678
 RMD160 (openoffice-2.2.1/OOo_2.2.1_src_binfilter.tar.bz2) = a6194849bb8e2130709a7ff769a8e751a43f86c6
@@ -61,3 +61,4 @@
 SHA1 (patch-ci) = 2861e8a4b21977cbc8abeabe4581093e966cdfa7
 SHA1 (patch-cj) = c54fd98e5302a86ec849b90c617ebfcf339c936d
 SHA1 (patch-cn) = 67afccde1d7bfa42ec4082067189da23ada97190
+SHA1 (patch-co) = cb8f2a38185a66f20f891946de7b0fba22bde481
diff -r 9967616b2059 -r 750157a664ae misc/openoffice2/patches/patch-co
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/misc/openoffice2/patches/patch-co Sun Sep 30 12:27:40 2007 +0000
@@ -0,0 +1,104 @@
+$NetBSD: patch-co,v 1.1 2007/09/30 12:27:40 hira Exp $
+
+NOTE: This patch fixes CVE-2007-2834.  It's already fixed in OOo 2.3.0.
+
+--- goodies/source/filter.vcl/itiff/itiff.cxx.orig     2006-11-15 01:17:15.000000000 +0900
++++ goodies/source/filter.vcl/itiff/itiff.cxx  2007-09-30 18:12:19.000000000 +0900
+@@ -4,9 +4,9 @@
+  *
+  *  $RCSfile: patch-co,v $
+  *
+- *  $Revision: 1.1 $
++ *  $Revision: 1.1 $
+  *
+- *  last change: $Author: hira $ $Date: 2007/09/30 12:27:40 $
++ *  last change: $Author: hira $ $Date: 2007/09/30 12:27:40 $
+  *
+  *  The Contents of this file are made available subject to
+  *  the terms of GNU Lesser General Public License Version 2.1.
+@@ -132,7 +132,7 @@
+       double  ReadDoubleData();
+ 
+       void    ReadHeader();
+-      void    ReadTagData( USHORT nTagType, ULONG nDataLen );
++      void    ReadTagData( USHORT nTagType, sal_uInt32 nDataLen );
+ 
+       BOOL    ReadMap( ULONG nMinPercent, ULONG nMaxPercent );
+               // Liesst/dekomprimert die Bitmap-Daten, und fuellt pMap
+@@ -290,7 +290,7 @@
+ 
+ // ---------------------------------------------------------------------------------
+ 
+-void TIFFReader::ReadTagData( USHORT nTagType, ULONG nDataLen)
++void TIFFReader::ReadTagData( USHORT nTagType, sal_uInt32 nDataLen)
+ {
+       if ( bStatus == FALSE )
+               return;
+@@ -353,16 +353,25 @@
+               case 0x0111: { // Strip Offset(s)
+                       ULONG nOldNumSO, i, * pOldSO;
+                       pOldSO = pStripOffsets;
+-                      if ( pOldSO == NULL ) nNumStripOffsets = 0;     // Sicherheitshalber
++                      if ( pOldSO == NULL )
++                              nNumStripOffsets = 0;
+                       nOldNumSO = nNumStripOffsets;
+-                      nNumStripOffsets += nDataLen;
+-                      pStripOffsets = new ULONG[ nNumStripOffsets ];
+-                      for ( i = 0; i < nOldNumSO; i++ )
+-                              pStripOffsets[ i ] = pOldSO[ i ] + nOrigPos;
+-                      for ( i = nOldNumSO; i < nNumStripOffsets; i++ )
+-                              pStripOffsets[ i ] = ReadIntData() + nOrigPos;
+-                      if ( pOldSO != NULL )
++                      nDataLen += nOldNumSO;
++                      if ( ( nDataLen > nOldNumSO ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) )
++                      {
++                              nNumStripOffsets = nDataLen;
++                              pStripOffsets = new ULONG[ nNumStripOffsets ];
++                              if ( !pStripOffsets )
++                                      nNumStripOffsets = 0;
++                              else
++                              {
++                                      for ( i = 0; i < nOldNumSO; i++ )
++                                              pStripOffsets[ i ] = pOldSO[ i ] + nOrigPos;
++                                      for ( i = nOldNumSO; i < nNumStripOffsets; i++ )
++                                              pStripOffsets[ i ] = ReadIntData() + nOrigPos;
++                              }
+                               delete[] pOldSO;
++                      }
+                       OOODEBUG("StripOffsets (Anzahl:)",nDataLen);
+                       break;
+               }
+@@ -384,16 +393,25 @@
+               case 0x0117: { // Strip Byte Counts
+                       ULONG nOldNumSBC, i, * pOldSBC;
+                       pOldSBC = pStripByteCounts;
+-                      if ( pOldSBC == NULL ) nNumStripByteCounts = 0; // Sicherheitshalber
++                      if ( pOldSBC == NULL )
++                              nNumStripByteCounts = 0; // Sicherheitshalber
+                       nOldNumSBC = nNumStripByteCounts;
+-                      nNumStripByteCounts += nDataLen;
+-                      pStripByteCounts = new ULONG[ nNumStripByteCounts ];
+-                      for ( i = 0; i < nOldNumSBC; i++ )
+-                              pStripByteCounts[ i ] = pOldSBC[ i ];
+-                      for ( i = nOldNumSBC; i < nNumStripByteCounts; i++)
+-                              pStripByteCounts[ i ] = ReadIntData();
+-                      if ( pOldSBC != NULL )
++                      nDataLen += nOldNumSBC;
++                      if ( ( nDataLen > nOldNumSBC ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) )
++                      {               
++                              nNumStripByteCounts = nDataLen;
++                              pStripByteCounts = new ULONG[ nNumStripByteCounts ];
++                              if ( !nNumStripByteCounts )
++                                      nNumStripByteCounts = 0;
++                              else
++                              {
++                                      for ( i = 0; i < nOldNumSBC; i++ )
++                                              pStripByteCounts[ i ] = pOldSBC[ i ];
++                                      for ( i = nOldNumSBC; i < nNumStripByteCounts; i++)
++                                              pStripByteCounts[ i ] = ReadIntData();
++                              }
+                               delete[] pOldSBC;
++                      }
+                       OOODEBUG("StripByteCounts (Anzahl:)",nDataLen);
+                       break;
+               }



Home | Main Index | Thread Index | Old Index