[pkgsrc/pkgsrc-2008Q2]: pkgsrc/misc/openoffice2 Pullup ticket #2508 - request...

[tron <tron%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/24dfaae7ff28
branches:  pkgsrc-2008Q2
changeset: 544292:24dfaae7ff28
user:      tron <tron%pkgsrc.org@localhost>
date:      Sat Aug 30 18:46:33 2008 +0000

description:
Pullup ticket #2508 - requested by hira
openoffice2: security patch

Revisions pulled up:
- misc/openoffice2/Makefile             1.48
- misc/openoffice2/distinfo             1.41
- misc/openoffice2/patches/patch-de     1.1
---
Module Name:    pkgsrc
Committed By:   hira
Date:           Fri Aug 29 08:08:11 UTC 2008

Modified Files:
        pkgsrc/misc/openoffice2: Makefile distinfo
Added Files:
        pkgsrc/misc/openoffice2/patches: patch-de

Log Message:
Fix CVE-2008-3282 (OpenOffice.org "rtl_allocateMemory()" Truncation
Vulnerability).

Bump PKGREVISION.

diffstat:

 misc/openoffice2/Makefile         |   3 ++-
 misc/openoffice2/distinfo         |   3 ++-
 misc/openoffice2/patches/patch-de |  39 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 43 insertions(+), 2 deletions(-)

diffs (70 lines):

diff -r ee80a41b7939 -r 24dfaae7ff28 misc/openoffice2/Makefile
--- a/misc/openoffice2/Makefile Sat Aug 30 12:11:23 2008 +0000
+++ b/misc/openoffice2/Makefile Sat Aug 30 18:46:33 2008 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.47 2008/06/13 11:20:14 hira Exp $
+# $NetBSD: Makefile,v 1.47.4.1 2008/08/30 18:46:33 tron Exp $
 #
 
 OO_VER=                        2.4.1
+PKGREVISION=           1
 DISTNAME=              openoffice-${OO_VER}
 PKGNAME=               openoffice2-${OO_VER}
 CATEGORIES=            misc
diff -r ee80a41b7939 -r 24dfaae7ff28 misc/openoffice2/distinfo
--- a/misc/openoffice2/distinfo Sat Aug 30 12:11:23 2008 +0000
+++ b/misc/openoffice2/distinfo Sat Aug 30 18:46:33 2008 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.40 2008/06/13 11:20:14 hira Exp $
+$NetBSD: distinfo,v 1.40.4.1 2008/08/30 18:46:33 tron Exp $
 
 SHA1 (openoffice-2.4.1/OOo_2.4.1_src_binfilter.tar.bz2) = a50c7f317643b756c2b0e8937fa9d64b99f05ed9
 RMD160 (openoffice-2.4.1/OOo_2.4.1_src_binfilter.tar.bz2) = 04ffce167f94a250f94f05923a70af0b0744c417
@@ -66,3 +66,4 @@
 SHA1 (patch-da) = c2c9332dcf22d2d201215813ac9fc7e7ac401c6d
 SHA1 (patch-dc) = 125ae2e943946cb96c6f7513dccced0c9d8797af
 SHA1 (patch-dd) = 6f791b6be13e37a59b3115ab338587489079b89d
+SHA1 (patch-de) = 138fbea73fec80c744c3eede57dfe5f1cddef573
diff -r ee80a41b7939 -r 24dfaae7ff28 misc/openoffice2/patches/patch-de
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/misc/openoffice2/patches/patch-de Sat Aug 30 18:46:33 2008 +0000
@@ -0,0 +1,39 @@
+$NetBSD: patch-de,v 1.1.2.2 2008/08/30 18:46:33 tron Exp $
+
+Fix CVE-2008-3282.
+
+--- sal/rtl/source/alloc_global.c.orig 2008-05-21 21:53:26.000000000 +0900
++++ sal/rtl/source/alloc_global.c      2008-08-29 08:18:14.000000000 +0900
+@@ -214,9 +214,7 @@
+               char *     addr;
+               sal_Size   size = RTL_MEMORY_ALIGN(n + RTL_MEMALIGN, RTL_MEMALIGN);
+ 
+-              int index = (size - 1) >> RTL_MEMALIGN_SHIFT;
+               OSL_ASSERT(RTL_MEMALIGN >= sizeof(sal_Size));
+-
+               if (n >= SAL_MAX_SIZE - (RTL_MEMALIGN + RTL_MEMALIGN - 1))
+               {
+                       /* requested size too large for roundup alignment */
+@@ -224,8 +222,8 @@
+               }
+ 
+ try_alloc:
+-              if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT)
+-                      addr = (char*)rtl_cache_alloc (g_alloc_table[index]);
++              if (size <= RTL_MEMORY_CACHED_LIMIT)
++                      addr = (char*)rtl_cache_alloc(g_alloc_table[(size - 1) >> RTL_MEMALIGN_SHIFT]);
+               else
+                       addr = (char*)rtl_arena_alloc (gp_alloc_arena, &size);
+ 
+@@ -255,9 +253,8 @@
+               char *   addr = (char*)(p) - RTL_MEMALIGN;
+               sal_Size size = ((sal_Size*)(addr))[0];
+ 
+-              int index = (size - 1) >> RTL_MEMALIGN_SHIFT;
+-              if (index < RTL_MEMORY_CACHED_LIMIT >> RTL_MEMALIGN_SHIFT)
+-                      rtl_cache_free (g_alloc_table[index], addr);
++              if (size <= RTL_MEMORY_CACHED_LIMIT)
++                      rtl_cache_free(g_alloc_table[(size - 1) >> RTL_MEMALIGN_SHIFT], addr);
+               else
+                       rtl_arena_free (gp_alloc_arena, addr, size);
+       }