rpms/xemacs/devel xemacs-21.5.29-image-overflow.patch, NONE, 1.1 xemacs-21.5.29-no-xft.patch, NONE, 1.1 xemacs-21.5.25-mk-nochk-features.patch, 1.1, 1.2 xemacs-21.5.25-x-paths.patch, 1.1, 1.2 xemacs-21.5.28-courier-default.patch, 1.2, 1.3 xemacs.spec, 1.50, 1.51
Jerry James
jjames at fedoraproject.org
Mon Aug 24 21:11:52 UTC 2009
Author: jjames
Update of /cvs/pkgs/rpms/xemacs/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5098
Modified Files:
xemacs-21.5.25-mk-nochk-features.patch
xemacs-21.5.25-x-paths.patch
xemacs-21.5.28-courier-default.patch xemacs.spec
Added Files:
xemacs-21.5.29-image-overflow.patch
xemacs-21.5.29-no-xft.patch
Log Message:
* Mon Aug 24 2009 Jerry James <loganjerry at gmail.com> - 21.5.29-3
- Fix image overflow bug (CVE-2009-2688).
- Fix calling xft-font-create-object in non-Xft builds (#512623).
- Rebase patches to eliminate fuzz/offsets.
xemacs-21.5.29-image-overflow.patch:
glyphs-eimage.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
--- NEW FILE xemacs-21.5.29-image-overflow.patch ---
--- xemacs-21.5.29/src/glyphs-eimage.c 2009-05-18 08:51:08.000000000 -0600
+++ xemacs-21.5.29/src/glyphs-eimage.c 2009-08-24 10:21:21.274947236 -0600
@@ -409,6 +409,7 @@
*/
{
+ UINT_64_BIT pixels_sq;
int jpeg_gray = 0; /* if we're dealing with a grayscale */
/* Step 4: set parameters for decompression. */
@@ -431,7 +432,10 @@
jpeg_start_decompress (&cinfo);
/* Step 6: Read in the data and put into EImage format (8bit RGB triples)*/
-
+ pixels_sq =
+ (UINT_64_BIT) cinfo.output_width * (UINT_64_BIT) cinfo.output_height;
+ if (pixels_sq > ((size_t) -1) / 3)
+ signal_image_error ("JPEG image too large to instantiate", instantiator);
unwind.eimage =
xnew_binbytes (cinfo.output_width * cinfo.output_height * 3);
if (!unwind.eimage)
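Review bot: The size passed to `xnew_binbytes` right after the new check is still `cinfo.output_width * cinfo.output_height * 3`, so the product is computed in the operands' own type, not in 64 bits. If those fields are 32-bit unsigned (as libjpeg's JDIMENSION normally is), then with a 64-bit size_t the `((size_t) -1) / 3` guard accepts dimensions whose product times 3 wraps at 32 bits, and the allocation can still be smaller than the image. Allocate from the checked value, as the PNG and TIFF hunks do: `xnew_binbytes ((size_t) (pixels_sq * 3));`. The GIF hunk has the same gap, since its `width * height * 3 * unwind.giffile->ImageCount` argument is left unchanged. The enclosing block continues past this hunk.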
@@ -677,6 +681,7 @@
{
ColorMapObject *cmo = unwind.giffile->SColorMap;
int i, j, row, pass, interlace, slice;
+ UINT_64_BIT pixels_sq;
Binbyte *eip;
/* interlaced gifs have rows in this order:
0, 8, 16, ..., 4, 12, 20, ..., 2, 6, 10, ..., 1, 3, 5, ... */
@@ -685,6 +690,9 @@
height = unwind.giffile->SHeight;
width = unwind.giffile->SWidth;
+ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
+ if (pixels_sq > ((size_t) -1) / (3 * unwind.giffile->ImageCount))
+ signal_image_error ("GIF image too large to instantiate", instantiator);
unwind.eimage =
xnew_binbytes (width * height * 3 * unwind.giffile->ImageCount);
if (!unwind.eimage)
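Review bot: The divisor `3 * unwind.giffile->ImageCount` in the new guard is evaluated without any check on ImageCount, so a count of zero divides by zero and a very large count can overflow the `3 *` multiplication before the division happens. Nothing visible in this hunk rules either case out; if an earlier check exists outside the hunk, a comment here should say so. Otherwise reject a non-positive count before the test and divide in size_t, e.g. `if (pixels_sq > ((size_t) -1) / 3 / (size_t) unwind.giffile->ImageCount)`. The enclosing block starts and ends outside the hunk.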
@@ -948,11 +956,15 @@
{
int y;
Binbyte **row_pointers;
+ UINT_64_BIT pixels_sq;
height = info_ptr->height;
width = info_ptr->width;
+ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
+ if (pixels_sq > ((size_t) -1) / 3)
+ signal_image_error ("PNG image too large to instantiate", instantiator);
/* Wow, allocate all the memory. Truly, exciting. */
- unwind.eimage = xnew_array_and_zero (Binbyte, width * height * 3);
+ unwind.eimage = xnew_array_and_zero (Binbyte, (size_t) (pixels_sq * 3));
/* libpng expects that the image buffer passed in contains a
picture to draw on top of if the png has any transparencies.
This could be a good place to pass that in... */
@@ -1299,6 +1311,7 @@
uint32 *raster;
Binbyte *ep;
+ UINT_64_BIT pixels_sq;
assert (!NILP (data));
@@ -1321,12 +1334,15 @@
TIFFGetField (unwind.tiff, TIFFTAG_IMAGEWIDTH, &width);
TIFFGetField (unwind.tiff, TIFFTAG_IMAGELENGTH, &height);
- unwind.eimage = xnew_binbytes (width * height * 3);
+ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
+ if (pixels_sq >= 1 << 29)
+ signal_image_error ("TIFF image too large to instantiate", instantiator);
+ unwind.eimage = xnew_binbytes ((size_t) pixels_sq * 3);
/* #### This is little more than proof-of-concept/function testing.
It needs to be reimplemented via scanline reads for both memory
compactness. */
- raster = (uint32*) _TIFFmalloc (width * height * sizeof (uint32));
+ raster = (uint32*) _TIFFmalloc ((tsize_t) (pixels_sq * sizeof (uint32)));
if (raster != NULL)
{
int i, j;
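Review bot: The limit `1 << 29` in the TIFF check is a bare constant with no stated reason, unlike the `((size_t) -1) / 3` bound used for JPEG and PNG. It appears to be chosen so that `pixels_sq * sizeof (uint32)` in the `_TIFFmalloc` call still fits a signed 32-bit `tsize_t`. If that is the intent, add a comment above the test such as `/* Below 2^29 pixels, pixels_sq * 3 and pixels_sq * sizeof (uint32) both fit in a signed 32-bit tsize_t. */`. The `if (raster != NULL)` block continues outside the hunk.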
xemacs-21.5.29-no-xft.patch:
font.el | 1 +
1 file changed, 1 insertion(+)
--- NEW FILE xemacs-21.5.29-no-xft.patch ---
--- xemacs-21.5.29/lisp/font.el 2009-05-18 08:51:06.000000000 -0600
+++ xemacs-21.5.29/lisp/font.el 2009-08-24 13:24:14.634385245 -0600
@@ -582,6 +582,7 @@
(if (or (not (stringp fontname))
(not (string-match font-x-font-regexp fontname)))
(if (and (stringp fontname)
+ (featurep 'xft-fonts)
(string-match font-xft-font-regexp fontname))
;; Return an XFT font.
(xft-font-create-object fontname)
xemacs-21.5.25-mk-nochk-features.patch:
Makefile.in.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: xemacs-21.5.25-mk-nochk-features.patch
===================================================================
RCS file: /cvs/pkgs/rpms/xemacs/devel/xemacs-21.5.25-mk-nochk-features.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- xemacs-21.5.25-mk-nochk-features.patch 6 Apr 2006 16:27:53 -0000 1.1
+++ xemacs-21.5.25-mk-nochk-features.patch 24 Aug 2009 21:11:51 -0000 1.2
@@ -1,6 +1,6 @@
--- xemacs-21.5.25/Makefile.in.in.orig 2005-12-31 14:41:23.000000000 +0200
+++ xemacs-21.5.25/Makefile.in.in 2006-03-30 23:53:48.000000000 +0300
-@@ -375,7 +375,7 @@
+@@ -387,7 +387,7 @@
install-only: ${MAKE_SUBDIR} check-features install-arch-dep install-arch-indep
xemacs-21.5.25-x-paths.patch:
Emacs.ad | 2 +-
xemacs.1 | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
Index: xemacs-21.5.25-x-paths.patch
===================================================================
RCS file: /cvs/pkgs/rpms/xemacs/devel/xemacs-21.5.25-x-paths.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- xemacs-21.5.25-x-paths.patch 6 Apr 2006 16:27:53 -0000 1.1
+++ xemacs-21.5.25-x-paths.patch 24 Aug 2009 21:11:51 -0000 1.2
@@ -11,7 +11,7 @@
! personal customizations should be put into ~/.Xresources instead.)
--- xemacs-21.5.25/etc/xemacs.1.orig 2001-04-12 21:20:52.000000000 +0300
+++ xemacs-21.5.25/etc/xemacs.1 2006-03-30 23:36:47.000000000 +0300
-@@ -293,7 +293,7 @@
+@@ -288,7 +288,7 @@
Sets the color of the text.
See the file
xemacs-21.5.28-courier-default.patch:
faces.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: xemacs-21.5.28-courier-default.patch
===================================================================
RCS file: /cvs/pkgs/rpms/xemacs/devel/xemacs-21.5.28-courier-default.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- xemacs-21.5.28-courier-default.patch 12 Mar 2009 17:01:29 -0000 1.2
+++ xemacs-21.5.28-courier-default.patch 24 Aug 2009 21:11:51 -0000 1.3
@@ -1,7 +1,11 @@
---- src/faces.c 22 Apr 2007 19:58:59 -0000 1.55
-+++ src/faces.c 21 May 2007 14:51:50 -0000
-@@ -2399,3 +2399,3 @@
- (list1 (device_symbol),
+--- xemacs-21.5.28/src/faces.c 2009-05-18 14:51:08.000000000 -0000
++++ xemacs-21.5.28/src/faces.c 2009-08-24 17:07:03.000000000 -0000
+@@ -2411,7 +2411,7 @@
+ Fcons
+ (Fcons
+ (list1 (device_symbol),
- build_string ("-*-lucidatypewriter-medium-r-*-*-*-120-*-*-*-*-*-*")),
+ build_string ("-*-courier-medium-r-*-*-*-120-*-*-*-*-*-*")),
inst_list);
+
+ #endif /* !USE_XFT */
Index: xemacs.spec
===================================================================
RCS file: /cvs/pkgs/rpms/xemacs/devel/xemacs.spec,v
retrieving revision 1.50
retrieving revision 1.51
diff -u -p -r1.50 -r1.51
--- xemacs.spec 13 Aug 2009 11:46:46 -0000 1.50
+++ xemacs.spec 24 Aug 2009 21:11:52 -0000 1.51
@@ -21,7 +21,7 @@
Name: xemacs
Version: 21.5.29
-Release: 2%{?snap:.%{snap}}%{?dist}
+Release: 3%{?snap:.%{snap}}%{?dist}
Summary: Different version of Emacs
Group: Applications/Editors
@@ -40,9 +40,13 @@ Source5: xemacs-sitestart.el
Patch0: %{name}-21.5.26-utf8-fonts.patch
Patch1: %{name}-21.5.25-x-paths.patch
+# Applied upstream 2009-07-01
+Patch2: %{name}-21.5.29-image-overflow.patch
Patch3: %{name}-21.5.25-mk-nochk-features.patch
Patch4: %{name}-21.5.27-no-expdyn-ia64-106744.patch
Patch5: %{name}-21.5.25-wnnfix-128362.patch
+# Sent upstream 2009-08-24
+Patch6: %{name}-21.5.29-no-xft.patch
Patch8: %{name}-21.5.28-courier-default.patch
Patch9: %{name}-21.5.29-destdir.patch
# Sent upstream 2009-03-12
@@ -200,6 +204,7 @@ rm -f configure.in
sed -i -e /tetris/d lisp/menubar-items.el
%patch0 -p1
%patch1 -p1
+%patch2 -p1
%patch3 -p1
%ifarch ia64
touch -r aclocal.m4 aclocal.m4-stamp
@@ -207,7 +212,8 @@ touch -r aclocal.m4 aclocal.m4-stamp
touch -r aclocal.m4-stamp aclocal.m4
%endif
%patch5 -p1
-%patch8 -p0 -F 1
+%patch6 -p1
+%patch8 -p1
%patch9 -p1
%patch14 -p1
@@ -552,6 +558,11 @@ fi
%changelog
+* Mon Aug 24 2009 Jerry James <loganjerry at gmail.com> - 21.5.29-3
+- Fix image overflow bug (CVE-2009-2688).
+- Fix calling xft-font-create-object in non-Xft builds (#512623).
+- Rebase patches to eliminate fuzz/offsets.
+
* Mon Jul 27 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 21.5.29-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild