rpms/compat-wxGTK26/F-11 wxGTK-2.6.4-CVE-2009-2369.patch, NONE, 1.1 wxGTK-2.6.4-gsocket-conflict.patch, NONE, 1.1 compat-wxGTK26.spec, 1.25, 1.26

Michael Schwendt mschwendt at fedoraproject.org
Wed Jul 15 19:14:38 UTC 2009


Author: mschwendt

Update of /cvs/extras/rpms/compat-wxGTK26/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31361

Modified Files:
	compat-wxGTK26.spec 
Added Files:
	wxGTK-2.6.4-CVE-2009-2369.patch 
	wxGTK-2.6.4-gsocket-conflict.patch 
Log Message:
* Wed Jul 15 2009 Michael Schwendt <mschwendt at fedoraproject.org> - 2.6.4-10
- apply rediffed fix for CVE-2009-2369 (#511279)


wxGTK-2.6.4-CVE-2009-2369.patch:

--- NEW FILE wxGTK-2.6.4-CVE-2009-2369.patch ---
diff -Nur wxGTK-2.6.4-orig/src/common/imagpng.cpp wxGTK-2.6.4/src/common/imagpng.cpp
--- wxGTK-2.6.4-orig/src/common/imagpng.cpp	2007-03-20 16:50:01.000000000 +0100
+++ wxGTK-2.6.4/src/common/imagpng.cpp	2009-07-15 21:07:50.000000000 +0200
@@ -570,18 +570,16 @@
     if (!image->Ok())
         goto error;
 
-    lines = (unsigned char **)malloc( (size_t)(height * sizeof(unsigned char *)) );
+    // initialize all line pointers to NULL to ensure that they can be safely
+    // free()d if an error occurs before all of them could be allocated
+    lines = (unsigned char **)calloc(height, sizeof(unsigned char *));
     if ( !lines )
         goto error;
 
     for (i = 0; i < height; i++)
     {
         if ((lines[i] = (unsigned char *)malloc( (size_t)(width * (sizeof(unsigned char) * 4)))) == NULL)
-        {
-            for ( unsigned int n = 0; n < i; n++ )
-                free( lines[n] );
             goto error;
-        }
     }
 
     png_read_image( png_ptr, lines );
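Review bot: The per-row allocation `malloc( (size_t)(width * (sizeof(unsigned char) * 4)))` still multiplies without an overflow check, whereas the new `calloc(height, ...)` call gets that check from the allocator. The type of `width` is not visible in this hunk, but where `size_t` is 32 bits a large enough width would wrap the product, and `png_read_image` would then write rows longer than the buffers. A guard before the loop such as `if ( width > ((size_t)-1) / 4 ) goto error;` would close that. Dropping the local cleanup loop also means the `error:` path, which lies outside this hunk, must free every non-NULL `lines[i]` and then `lines` itself, so that is worth confirming against the full function.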
diff -Nur wxGTK-2.6.4-orig/src/common/imagtiff.cpp wxGTK-2.6.4/src/common/imagtiff.cpp
--- wxGTK-2.6.4-orig/src/common/imagtiff.cpp	2007-03-20 16:50:01.000000000 +0100
+++ wxGTK-2.6.4/src/common/imagtiff.cpp	2009-07-15 21:08:08.000000000 +0200
@@ -232,15 +232,25 @@
     }
 
     uint32 w, h;
-    uint32 npixels;
     uint32 *raster;
 
     TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
     TIFFGetField( tif, TIFFTAG_IMAGELENGTH, &h );
 
-    npixels = w * h;
+    // guard against integer overflow during multiplication which could result
+    // in allocating a too small buffer and then overflowing it
+    const double bytesNeeded = (double)w * (double)h * sizeof(uint32);
+    if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
+    {
+        if ( verbose )
+            wxLogError( _("TIFF: Image size is abnormally big.") );
+
+        TIFFClose(tif);
+
+        return false;
+    }
 
-    raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
+    raster = (uint32*) _TIFFmalloc( bytesNeeded );
 
     if (!raster)
     {
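Review bot: The guard compares against UINT32_MAX, but the value is then passed as a `double` straight into `_TIFFmalloc( bytesNeeded )`, whose size parameter type is not visible here. If that parameter is a signed 32-bit type in the libtiff this package builds against, sizes between 2^31 and 2^32 pass the check and then convert out of range. Bounding by the maximum of the allocator's parameter type and making the conversion explicit, e.g. `raster = (uint32*) _TIFFmalloc( (tsize_t)bytesNeeded );`, would make the intent checkable. Separately, the return values of the two `TIFFGetField` calls are not checked, so `w` and `h` may be read uninitialized when a tag is missing. The function continues outside this hunk, and any later use of `w * h` there would need the same bound.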

wxGTK-2.6.4-gsocket-conflict.patch:

--- NEW FILE wxGTK-2.6.4-gsocket-conflict.patch ---
diff -Nur wxGTK-2.6.4-orig/src/gtk/gsockgtk.cpp wxGTK-2.6.4/src/gtk/gsockgtk.cpp
--- wxGTK-2.6.4-orig/src/gtk/gsockgtk.cpp	2007-03-20 16:50:07.000000000 +0100
+++ wxGTK-2.6.4/src/gtk/gsockgtk.cpp	2009-06-11 13:28:59.000000000 +0200
@@ -14,8 +14,16 @@
 #include <stdlib.h>
 #include <stdio.h>
 
-#include <gdk/gdk.h>
-#include <glib.h>
+// Cannot include full gdk.h as it pulls in giotypes.h with
+// new GSocket conflicts since 2.21/2.22
+#include <gdk/gdkinput.h>
+// deprecated, copy from gdk.h
+gint gdk_input_add        (gint              source,
+                           GdkInputCondition condition,
+                           GdkInputFunction  function,
+                           gpointer          data);
+void gdk_input_remove     (gint              tag);
+#include <glib/gtypes.h>
 
 #include "wx/gsocket.h"
 #include "wx/unix/gsockunx.h"
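Review bot: The two prototypes copied from gdk.h (`gdk_input_add`, `gdk_input_remove`) are declared in a .cpp file with no visible `extern "C"` wrapper. Unless an enclosing linkage block exists outside this hunk, they get C++ linkage and would not match the C symbols exported by GDK, which in a shared library may only surface as an unresolved symbol at load time. Wrapping them in `G_BEGIN_DECLS` / `G_END_DECLS` makes the linkage explicit. Hand-copied declarations also drift silently if the library signature changes, so the comment should record where they came from, e.g. `// copied from gdk.h, GTK+ version VERSION_PLACEHOLDER; keep in sync`.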


Index: compat-wxGTK26.spec
===================================================================
RCS file: /cvs/extras/rpms/compat-wxGTK26/F-11/compat-wxGTK26.spec,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -p -r1.25 -r1.26
--- compat-wxGTK26.spec	7 Jun 2009 16:03:16 -0000	1.25
+++ compat-wxGTK26.spec	15 Jul 2009 19:14:37 -0000	1.26
@@ -1,6 +1,6 @@
 Name:           compat-wxGTK26
 Version:        2.6.4
-Release:        8%{?dist}
+Release:        10%{?dist}
 Summary:        GTK2 port of the wxWidgets GUI library
 # The wxWindows licence is the LGPL with a specific exemption allowing
 # distribution of derived binaries under any terms. (This will eventually
@@ -17,6 +17,8 @@ Patch3:         wxGTK-2.6.3-g_thread_ini
 Patch5:         wxGTK-2.6.3-expat2.patch
 Patch6:         wxGTK-2.6.3-strconv.patch
 Patch7:         wxGTK-2.6.4-config-script.patch
+Patch8:         wxGTK-2.6.4-gsocket-conflict.patch
+Patch9:         wxGTK-2.6.4-CVE-2009-2369.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires:  gtk2-devel, zlib-devel >= 1.1.4
@@ -55,6 +57,9 @@ This package include files needed to lin
 %patch5 -p1 -b .expat2
 %patch6 -p1 -b .strconv
 %patch7 -p1 -b .config-script
+%patch8 -p1 -b .gsocket-conflict
+# http://trac.wxwidgets.org/ticket/10993
+%patch9 -p1 -b .CVE-2009-2369
 
 sed -i -e 's|/usr/lib\b|%{_libdir}|' configure
 
@@ -203,6 +208,14 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Wed Jul 15 2009 Michael Schwendt <mschwendt at fedoraproject.org> - 2.6.4-10
+- apply rediffed fix for CVE-2009-2369 (#511279)
+
+* Thu Jun 11 2009 Michael Schwendt <mschwendt at fedoraproject.org> - 2.6.4-9
+- glib2 2.21.1's gio in Rawhide F-12 introduces a GSocket that
+  conflicts with wxGTK's GSocket class (gsocket.h): reduce the glib/gdk
+  headers that are included during build to avoid conflicting redefinitions
+
 * Sun Jun  7 2009 Michael Schwendt <mschwendt at fedoraproject.org> - 2.6.4-8
 - target sparcv9 => setup-sparc.h
 



