rpms/enscript/F-8 enscript-CVE-2008-3863+CVE-2008-4306.patch, NONE, 1.1 enscript.spec, 1.37, 1.38

Adam Tkac atkac at fedoraproject.org
Mon Nov 3 13:44:28 UTC 2008


Author: atkac

Update of /cvs/pkgs/rpms/enscript/F-8
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv20054

Modified Files:
	enscript.spec 
Added Files:
	enscript-CVE-2008-3863+CVE-2008-4306.patch 
Log Message:
- fixed various buffer overflows (CVE-2008-3863, CVE-2008-4306)


enscript-CVE-2008-3863+CVE-2008-4306.patch:

--- NEW FILE enscript-CVE-2008-3863+CVE-2008-4306.patch ---
--- src/psgen.c
+++ src/psgen.c	2008-10-29 10:43:08.512598143 +0100
@@ -24,6 +24,7 @@
  * Boston, MA 02111-1307, USA.
  */
 
+#include <limits.h>
 #include "gsint.h"
 
 /*
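Review bot: `PATH_MAX` is not guaranteed to be defined by `<limits.h>` on every platform (POSIX allows it to be omitted when the limit is indeterminate), so the array declarations this patch changes in `struct gs_token_st` and `user_font_name` can fail to compile there. Unless `gsint.h` already supplies a fallback (not visible in this hunk), add one directly after the include: `#ifndef PATH_MAX`, `#define PATH_MAX 4096`, `#endif`. A one-line comment should also say that the constant is used here only as a generous buffer size, since a font name is not a filesystem path.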
@@ -124,7 +125,7 @@ struct gs_token_st
 	  double xscale;
 	  double yscale;
 	  int llx, lly, urx, ury; /* Bounding box. */
-	  char filename[512];
+	  char filename[PATH_MAX];
 	  char *skipbuf;
 	  unsigned int skipbuf_len;
 	  unsigned int skipbuf_pos;
@@ -135,11 +136,11 @@ struct gs_token_st
       Color bgcolor;
       struct
 	{
-	  char name[512];
+	  char name[PATH_MAX];
 	  FontPoint size;
 	  InputEncoding encoding;
 	} font;
-      char filename[512];
+      char filename[PATH_MAX];
     } u;
 };
 
@@ -248,7 +249,7 @@ static int do_print = 1;
 static int user_fontp = 0;
 
 /* The user ^@font{}-defined font. */
-static char user_font_name[256];
+static char user_font_name[PATH_MAX];
 static FontPoint user_font_pt;
 static InputEncoding user_font_encoding;
 
@@ -978,7 +979,8 @@ large for page\n"),
 			FATAL ((stderr,
 				_("user font encoding can be only the system's default or `ps'")));
 
-		      strcpy (user_font_name, token.u.font.name);
+		      memset  (user_font_name, 0, sizeof(user_font_name));
+		      strncpy (user_font_name, token.u.font.name, sizeof(user_font_name) - 1);
 		      user_font_pt.w = token.u.font.size.w;
 		      user_font_pt.h = token.u.font.size.h;
 		      user_font_encoding = token.u.font.encoding;
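Review bot: The `memset` over the whole `user_font_name` array is redundant, because `strncpy` already zero-pads the destination up to the count it is given and only the last byte needs an explicit terminator. The pair can become `strncpy (user_font_name, token.u.font.name, sizeof (user_font_name) - 1);` followed by `user_font_name[sizeof (user_font_name) - 1] = '\0';`, which avoids clearing `PATH_MAX` bytes on every font token. The same memset/strncpy pair appears in the three read_special_escape hunks below (ESC_FONT twice, ESC_SETFILENAME). The copy would also truncate silently if the two arrays ever differ in size, whereas the over-long escape argument in this file ends in `FATAL`; a comment noting that both buffers are `PATH_MAX` would record why truncation cannot happen today. The enclosing function starts and ends outside this hunk.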
@@ -1444,7 +1446,7 @@ read_special_escape (InputStream *is, To
 	  buf[i] = ch;
 	  if (i + 1 >= sizeof (buf))
 	    FATAL ((stderr, _("too long argument for %s escape:\n%.*s"),
-		    escapes[i].name, i, buf));
+		    escapes[e].name, i, buf));
 	}
       buf[i] = '\0';
 
@@ -1452,7 +1454,8 @@ read_special_escape (InputStream *is, To
       switch (escapes[e].escape)
 	{
 	case ESC_FONT:
-	  strcpy (token->u.font.name, buf);
+	  memset  (token->u.font.name, 0, sizeof(token->u.font.name));
+	  strncpy (token->u.font.name, buf, sizeof(token->u.font.name) - 1);
 
 	  /* Check for the default font. */
 	  if (strcmp (token->u.font.name, "default") == 0)
@@ -1465,7 +1468,8 @@ read_special_escape (InputStream *is, To
 		FATAL ((stderr, _("malformed font spec for ^@font escape: %s"),
 			token->u.font.name));
 
-	      strcpy (token->u.font.name, cp);
+	      memset  (token->u.font.name, 0, sizeof(token->u.font.name));
+	      strncpy (token->u.font.name, cp, sizeof(token->u.font.name) - 1);
 	      xfree (cp);
 	    }
 	  token->type = tFONT;
@@ -1544,7 +1548,8 @@ read_special_escape (InputStream *is, To
 	  break;
 
 	case ESC_SETFILENAME:
-	  strcpy (token->u.filename, buf);
+	  memset  (token->u.filename, 0, sizeof(token->u.font.name));
+	  strncpy (token->u.filename, buf, sizeof(token->u.filename) - 1);
 	  token->type = tSETFILENAME;
 	  break;
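Review bot: The added `memset` in the ESC_SETFILENAME case clears `token->u.filename` but takes its length from `sizeof(token->u.font.name)`, which is a different member. Both arrays are declared with `PATH_MAX` elsewhere in this patch, so the sizes agree today, but if either declaration changes later this line would write past `filename` or leave part of it uncleared. It should read `memset (token->u.filename, 0, sizeof(token->u.filename));`, matching the `strncpy` bound on the next line. read_special_escape's body continues outside the hunk.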


Index: enscript.spec
===================================================================
RCS file: /cvs/pkgs/rpms/enscript/F-8/enscript.spec,v
retrieving revision 1.37
retrieving revision 1.38
diff -u -r1.37 -r1.38
--- enscript.spec	22 Aug 2007 11:27:42 -0000	1.37
+++ enscript.spec	3 Nov 2008 13:43:58 -0000	1.38
@@ -1,7 +1,7 @@
 Summary: A plain ASCII to PostScript converter.
 Name: enscript
 Version: 1.6.4
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2
 Group: Applications/Publishing
 Source0: http://www.iki.fi/mtr/genscript/enscript-%{version}.tar.gz
@@ -16,6 +16,7 @@
 Patch6: enscript-1.6.1-CAN-2004-1185.patch
 Patch7: enscript-1.6.1-CAN-2004-1186.patch
 Patch8: enscript-wrap_header.patch
+Patch9: enscript-CVE-2008-3863+CVE-2008-4306.patch
 URL: http://www.codento.com/people/mtr/genscript/
 Prereq: /sbin/install-info
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
@@ -37,6 +38,7 @@
 %patch6 -p1 -b .CAN-2004-1185
 %patch7 -p1 -b .CAN-2004-1186
 %patch8 -p1 -b .wrap_header
+%patch9 -p0 -b .CVE-2008-3863+CVE-2008-4306
 %{__tar} -C states/hl -zxf %{SOURCE1} ruby.st
 install -pm 644 %{SOURCE2} states/hl/php.st
 
@@ -90,6 +92,9 @@
 
 
 %changelog
+* Mon Nov 03 2008 Adam Tkac <atkac redhat com> 1.6.4-9
+- fixed various buffer overflows (CVE-2008-3863, CVE-2008-4306)
+
 * Wed Aug 22 2007 Adam Tkac <atkac redhat com> 1.6.4-8
 - rebuild (BuildID feature)
 - change license to GPLv2



