pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/misc/openoffice2 - Fix CVE-2007-2834 (Manipulated TIFF...
details: https://anonhg.NetBSD.org/pkgsrc/rev/750157a664ae
branches: trunk
changeset: 533792:750157a664ae
user: hira <hira%pkgsrc.org@localhost>
date: Sun Sep 30 12:27:40 2007 +0000
description:
- Fix CVE-2007-2834 (Manipulated TIFF files can lead to heap
overflows and arbitrary code execution).
- Use internal libwpd (fix buildlink error of gnome-vfs).
Bump PKGREVISION.
diffstat:
misc/openoffice2/Makefile | 6 +-
misc/openoffice2/distinfo | 3 +-
misc/openoffice2/patches/patch-co | 104 ++++++++++++++++++++++++++++++++++++++
3 files changed, 108 insertions(+), 5 deletions(-)
diffs (154 lines):
diff -r 9967616b2059 -r 750157a664ae misc/openoffice2/Makefile
--- a/misc/openoffice2/Makefile Sun Sep 30 12:25:48 2007 +0000
+++ b/misc/openoffice2/Makefile Sun Sep 30 12:27:40 2007 +0000
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.23 2007/09/21 13:04:03 wiz Exp $
+# $NetBSD: Makefile,v 1.24 2007/09/30 12:27:40 hira Exp $
#
OO_VER= 2.2.1
DISTNAME= openoffice-${OO_VER}
PKGNAME= openoffice2-${OO_VER}
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= misc
MASTER_SITES= ${MASTER_SITE_OPENOFFICE:=stable/${OO_VER}/}
DIST_SUBDIR= ${DISTNAME}
@@ -55,7 +55,6 @@
CONFIGURE_ARGS+= --enable-cairo
CONFIGURE_ARGS+= --disable-ldap
CONFIGURE_ARGS+= --with-system-freetype
-CONFIGURE_ARGS+= --with-system-libwpd
# `portable' supports all platforms.
CONFIGURE_ARGS+= --enable-epm --with-package-format=portable
@@ -142,7 +141,6 @@
. include "Makefile.${OPSYS}.${ARCH}"
.endif
-.include "../../converters/libwpd/buildlink3.mk"
.include "../../fonts/fontconfig/buildlink3.mk"
.include "../../graphics/MesaLib/buildlink3.mk"
.include "../../graphics/cairo/buildlink3.mk"
diff -r 9967616b2059 -r 750157a664ae misc/openoffice2/distinfo
--- a/misc/openoffice2/distinfo Sun Sep 30 12:25:48 2007 +0000
+++ b/misc/openoffice2/distinfo Sun Sep 30 12:27:40 2007 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.20 2007/06/22 03:52:20 hira Exp $
+$NetBSD: distinfo,v 1.21 2007/09/30 12:27:40 hira Exp $
SHA1 (openoffice-2.2.1/OOo_2.2.1_src_binfilter.tar.bz2) = aa2c316e0fab13a25c07c2cfd0eafb7a50c96678
RMD160 (openoffice-2.2.1/OOo_2.2.1_src_binfilter.tar.bz2) = a6194849bb8e2130709a7ff769a8e751a43f86c6
@@ -61,3 +61,4 @@
SHA1 (patch-ci) = 2861e8a4b21977cbc8abeabe4581093e966cdfa7
SHA1 (patch-cj) = c54fd98e5302a86ec849b90c617ebfcf339c936d
SHA1 (patch-cn) = 67afccde1d7bfa42ec4082067189da23ada97190
+SHA1 (patch-co) = cb8f2a38185a66f20f891946de7b0fba22bde481
diff -r 9967616b2059 -r 750157a664ae misc/openoffice2/patches/patch-co
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/misc/openoffice2/patches/patch-co Sun Sep 30 12:27:40 2007 +0000
@@ -0,0 +1,104 @@
+$NetBSD: patch-co,v 1.1 2007/09/30 12:27:40 hira Exp $
+
+NOTE: This patch fixes CVE-2007-2834. It's already fixed in OOo 2.3.0.
+
+--- goodies/source/filter.vcl/itiff/itiff.cxx.orig 2006-11-15 01:17:15.000000000 +0900
++++ goodies/source/filter.vcl/itiff/itiff.cxx 2007-09-30 18:12:19.000000000 +0900
+@@ -4,9 +4,9 @@
+ *
+ * $RCSfile: patch-co,v $
+ *
+- * $Revision: 1.1 $
++ * $Revision: 1.1 $
+ *
+- * last change: $Author: hira $ $Date: 2007/09/30 12:27:40 $
++ * last change: $Author: hira $ $Date: 2007/09/30 12:27:40 $
+ *
+ * The Contents of this file are made available subject to
+ * the terms of GNU Lesser General Public License Version 2.1.
+@@ -132,7 +132,7 @@
+ double ReadDoubleData();
+
+ void ReadHeader();
+- void ReadTagData( USHORT nTagType, ULONG nDataLen );
++ void ReadTagData( USHORT nTagType, sal_uInt32 nDataLen );
+
+ BOOL ReadMap( ULONG nMinPercent, ULONG nMaxPercent );
+ // Liesst/dekomprimert die Bitmap-Daten, und fuellt pMap
+@@ -290,7 +290,7 @@
+
+ // ---------------------------------------------------------------------------------
+
+-void TIFFReader::ReadTagData( USHORT nTagType, ULONG nDataLen)
++void TIFFReader::ReadTagData( USHORT nTagType, sal_uInt32 nDataLen)
+ {
+ if ( bStatus == FALSE )
+ return;
+@@ -353,16 +353,25 @@
+ case 0x0111: { // Strip Offset(s)
+ ULONG nOldNumSO, i, * pOldSO;
+ pOldSO = pStripOffsets;
+- if ( pOldSO == NULL ) nNumStripOffsets = 0; // Sicherheitshalber
++ if ( pOldSO == NULL )
++ nNumStripOffsets = 0;
+ nOldNumSO = nNumStripOffsets;
+- nNumStripOffsets += nDataLen;
+- pStripOffsets = new ULONG[ nNumStripOffsets ];
+- for ( i = 0; i < nOldNumSO; i++ )
+- pStripOffsets[ i ] = pOldSO[ i ] + nOrigPos;
+- for ( i = nOldNumSO; i < nNumStripOffsets; i++ )
+- pStripOffsets[ i ] = ReadIntData() + nOrigPos;
+- if ( pOldSO != NULL )
++ nDataLen += nOldNumSO;
++ if ( ( nDataLen > nOldNumSO ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) )
++ {
++ nNumStripOffsets = nDataLen;
++ pStripOffsets = new ULONG[ nNumStripOffsets ];
++ if ( !pStripOffsets )
++ nNumStripOffsets = 0;
++ else
++ {
++ for ( i = 0; i < nOldNumSO; i++ )
++ pStripOffsets[ i ] = pOldSO[ i ] + nOrigPos;
++ for ( i = nOldNumSO; i < nNumStripOffsets; i++ )
++ pStripOffsets[ i ] = ReadIntData() + nOrigPos;
++ }
+ delete[] pOldSO;
++ }
+ OOODEBUG("StripOffsets (Anzahl:)",nDataLen);
+ break;
+ }
+@@ -384,16 +393,25 @@
+ case 0x0117: { // Strip Byte Counts
+ ULONG nOldNumSBC, i, * pOldSBC;
+ pOldSBC = pStripByteCounts;
+- if ( pOldSBC == NULL ) nNumStripByteCounts = 0; // Sicherheitshalber
++ if ( pOldSBC == NULL )
++ nNumStripByteCounts = 0; // Sicherheitshalber
+ nOldNumSBC = nNumStripByteCounts;
+- nNumStripByteCounts += nDataLen;
+- pStripByteCounts = new ULONG[ nNumStripByteCounts ];
+- for ( i = 0; i < nOldNumSBC; i++ )
+- pStripByteCounts[ i ] = pOldSBC[ i ];
+- for ( i = nOldNumSBC; i < nNumStripByteCounts; i++)
+- pStripByteCounts[ i ] = ReadIntData();
+- if ( pOldSBC != NULL )
++ nDataLen += nOldNumSBC;
++ if ( ( nDataLen > nOldNumSBC ) && ( nDataLen < SAL_MAX_UINT32 / sizeof( sal_uInt32 ) ) )
++ {
++ nNumStripByteCounts = nDataLen;
++ pStripByteCounts = new ULONG[ nNumStripByteCounts ];
++ if ( !nNumStripByteCounts )
++ nNumStripByteCounts = 0;
++ else
++ {
++ for ( i = 0; i < nOldNumSBC; i++ )
++ pStripByteCounts[ i ] = pOldSBC[ i ];
++ for ( i = nOldNumSBC; i < nNumStripByteCounts; i++)
++ pStripByteCounts[ i ] = ReadIntData();
++ }
+ delete[] pOldSBC;
++ }
+ OOODEBUG("StripByteCounts (Anzahl:)",nDataLen);
+ break;
+ }
Home |
Main Index |
Thread Index |
Old Index