From ee53d3aa008f195316f2bace82bed5bf86776f29 Mon Sep 17 00:00:00 2001 From: Jindrich Novy Date: May 10 2010 08:19:48 +0000 Subject: - fix CVE-2010-0739 and CVE-2010-1440 (#584795) - fix CVE-2010-0829 (#589607) - add missing defattr to filelists - fix directory ownership of /var/lib/texmf/web2c (#512459) - use official tarball for jpatch - fix post/postun scriptlets (#532466) --- diff --git a/.cvsignore b/.cvsignore index 53dd653..bcb6ac4 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1,4 +1,4 @@ -dvipsk-jpatch-p1.7a.tar.bz2 mendexk2.6e.tar.gz ptex-src-3.1.10.tar.gz source-free.tar.bz2 +dvipsk-jpatch-p1.7a.tar.gz diff --git a/sources b/sources index 979f4f5..4e69808 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ -de024c71383d35d2274f5ebc599057f7 dvipsk-jpatch-p1.7a.tar.bz2 fe07b8b7b83d1cb13f836dc1caf7bad8 mendexk2.6e.tar.gz 9738f48ec9d6b603b4b6550ba480876d ptex-src-3.1.10.tar.gz c67cdc1e1ecfeb87ccb9dfacc56a7a97 source-free.tar.bz2 +f8c7430ed070c127c6eefbc301525469 dvipsk-jpatch-p1.7a.tar.gz diff --git a/texlive-CVE-2010-0739,1440-integer-overflows.patch b/texlive-CVE-2010-0739,1440-integer-overflows.patch new file mode 100644 index 0000000..93b5e69 --- /dev/null +++ b/texlive-CVE-2010-0739,1440-integer-overflows.patch @@ -0,0 +1,29 @@ +diff -up texlive-2007/texk/dvipsk/dospecial.c.CVE-2010-0739,1440 texlive-2007/texk/dvipsk/dospecial.c +--- texlive-2007/texk/dvipsk/dospecial.c.CVE-2010-0739,1440 2006-12-07 23:39:19.000000000 +0100 ++++ texlive-2007/texk/dvipsk/dospecial.c 2010-05-09 10:35:33.724632292 +0200 +@@ -325,7 +325,11 @@ void predospecial P2C(integer, numbytes, + int j ; + static int omega_specials = 0; + +- if (nextstring + numbytes > maxstring) { ++ if (numbytes < 0 || numbytes > maxstring - nextstring) { ++ if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2) { ++ error("! Integer overflow in predospecial"); ++ exit(1); ++ } + p = nextstring = mymalloc(1000 + 2 * numbytes) ; + maxstring = nextstring + 2 * numbytes + 700 ; + } +@@ -903,7 +907,11 @@ float *bbdospecial P1C(int, nbytes) + char seen[NKEYS] ; + float valseen[NKEYS] ; + +- if (nextstring + nbytes > maxstring) { ++ if (nbytes < 0 || nbytes > maxstring - nextstring) { ++ if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2) { ++ error("! Integer overflow in bbdospecial"); ++ exit(1); ++ } + p = nextstring = mymalloc(1000 + 2 * nbytes) ; + maxstring = nextstring + 2 * nbytes + 700 ; + } diff --git a/texlive-CVE-2010-0829-dvipng-multiple-array-indexing-errors.patch b/texlive-CVE-2010-0829-dvipng-multiple-array-indexing-errors.patch new file mode 100644 index 0000000..9fa9e37 --- /dev/null +++ b/texlive-CVE-2010-0829-dvipng-multiple-array-indexing-errors.patch @@ -0,0 +1,92 @@ +diff -up texlive-2007/texk/dvipng/draw.c.CVE-2010-0829 texlive-2007/texk/dvipng/draw.c +--- texlive-2007/texk/dvipng/draw.c.CVE-2010-0829 2006-11-07 21:40:00.000000000 +0100 ++++ texlive-2007/texk/dvipng/draw.c 2010-05-07 10:54:31.532938790 +0200 +@@ -99,7 +99,15 @@ dviunits SetChar(int32_t c) + + if (currentfont==NULL) + Fatal("faulty DVI, trying to set character from null font"); +- ptr = currentfont->chr[c]; ++ if (c<0 || c>LASTFNTCHAR) { ++ Warning("glyph index out of range (%d), skipping",c); ++ return(0); ++ } ++ ptr=currentfont->chr[c]; ++ if (ptr==NULL) { ++ Warning("unable to draw glyph %d, skipping",c); ++ return(0); ++ } + #ifdef DEBUG + switch (currentfont->type) { + case FONT_TYPE_VF: DEBUG_PRINT(DEBUG_DVI,("\n VF CHAR:\t")); break; +@@ -108,13 +116,13 @@ dviunits SetChar(int32_t c) + case FONT_TYPE_FT: DEBUG_PRINT(DEBUG_DVI,("\n FT CHAR:\t")); break; + default: DEBUG_PRINT(DEBUG_DVI,("\n NO CHAR:\t")) + } +- if (isprint(c)) ++ if (debug & DEBUG_DVI && c>=0 && c<=UCHAR_MAX && isprint(c)) + DEBUG_PRINT(DEBUG_DVI,("'%c' ",c)); + DEBUG_PRINT(DEBUG_DVI,("%d at (%d,%d) tfmw %d", c,hh,vv,ptr?ptr->tfmw:0)); + #endif + if (currentfont->type==FONT_TYPE_VF) { +- return(SetVF(c)); +- } else if (ptr) { ++ return(SetVF(ptr)); ++ } else { + if (ptr->data == NULL) + switch(currentfont->type) { + case FONT_TYPE_PK: LoadPK(c, ptr); break; +@@ -128,7 +136,7 @@ dviunits SetChar(int32_t c) + Fatal("undefined fonttype %d",currentfont->type); + } + if (page_imagep != NULL) +- return(SetGlyph(c, hh, vv)); ++ return(SetGlyph(ptr, hh, vv)); + else { + /* Expand bounding box if necessary */ + min(x_min,hh - ptr->xOffset/shrinkfactor); +diff -up texlive-2007/texk/dvipng/dvipng.h.CVE-2010-0829 texlive-2007/texk/dvipng/dvipng.h +--- texlive-2007/texk/dvipng/dvipng.h.CVE-2010-0829 2006-12-24 01:02:30.000000000 +0100 ++++ texlive-2007/texk/dvipng/dvipng.h 2010-05-07 08:11:10.249916801 +0200 +@@ -387,9 +387,9 @@ void DrawPages(void); + void WriteImage(char*, int); + void LoadPK(int32_t, register struct char_entry *); + int32_t SetChar(int32_t); +-dviunits SetGlyph(int32_t c, int32_t hh,int32_t vv); ++dviunits SetGlyph(struct char_entry *ptr, int32_t hh,int32_t vv); + void Gamma(double gamma); +-int32_t SetVF(int32_t); ++int32_t SetVF(struct char_entry *ptr); + int32_t SetRule(int32_t, int32_t, int32_t, int32_t); + void SetSpecial(char *, int32_t, int32_t, int32_t); + void BeginVFMacro(struct font_entry*); +diff -up texlive-2007/texk/dvipng/set.c.CVE-2010-0829 texlive-2007/texk/dvipng/set.c +--- texlive-2007/texk/dvipng/set.c.CVE-2010-0829 2006-11-07 21:40:00.000000000 +0100 ++++ texlive-2007/texk/dvipng/set.c 2010-05-07 10:55:57.807931411 +0200 +@@ -202,10 +202,9 @@ void Gamma(double gamma) + } + } + +-dviunits SetGlyph(int32_t c, int32_t hh,int32_t vv) ++dviunits SetGlyph(struct char_entry *ptr, int32_t hh, int32_t vv) + /* gdImageChar can only do monochrome glyphs */ + { +- register struct char_entry *ptr = currentfont->chr[c]; + int dst_alpha,dst_weight,tot_weight,alpha; + int x,y,pos=0; + int bgColor,pixelgrey,pixelcolor; +diff -up texlive-2007/texk/dvipng/vf.c.CVE-2010-0829 texlive-2007/texk/dvipng/vf.c +--- texlive-2007/texk/dvipng/vf.c.CVE-2010-0829 2006-11-07 21:40:00.000000000 +0100 ++++ texlive-2007/texk/dvipng/vf.c 2010-05-07 08:11:10.252917007 +0200 +@@ -28,11 +28,10 @@ + #define VF_ID 202 + #define LONG_CHAR 242 + +-int32_t SetVF(int32_t c) ++int32_t SetVF(struct char_entry* ptr) + { + struct font_entry* currentvf; + unsigned char *command,*end; +- struct char_entry* ptr=currentfont->chr[c]; + + currentvf=currentfont; + BeginVFMacro(currentvf); diff --git a/texlive.spec b/texlive.spec index 4d18b1f..0b552a6 100644 --- a/texlive.spec +++ b/texlive.spec @@ -21,7 +21,7 @@ Name: texlive Version: %{texlive_ver} -Release: 46%{?dist} +Release: 47%{?dist} Summary: Binaries for the TeX formatting system Group: Applications/Publishing @@ -41,7 +41,7 @@ Source100: texlive-generate-tarball.sh %define __perl_requires %{SOURCE99} # 1000-: Japanese pTeX Source1000: ftp://ftp.ascii.co.jp/pub/TeX/ascii-ptex/tetex/ptex-src-%{ptex_src_ver}.tar.gz -Source1001: ftp://ftp.ascii.co.jp/pub/TeX/ascii-ptex/dvips/dvipsk-jpatch-%{pdvipsk_ver}.tar.bz2 +Source1001: ftp://ftp.ascii.co.jp/pub/TeX/ascii-ptex/dvips/dvipsk-jpatch-%{pdvipsk_ver}.tar.gz Source1002: ftp://ftp.ascii.co.jp/pub/TeX/ascii-ptex/mendex/mendexk%{mendexk_ver}.tar.gz # Don't run brp-python-bytecompile @@ -78,6 +78,8 @@ Patch31: texlive-elif.patch Patch32: texlive-getline.patch Patch33: texlive-poolfix.patch Patch34: texlive-dvipsconfig.patch +Patch35: texlive-CVE-2010-0829-dvipng-multiple-array-indexing-errors.patch +Patch36: texlive-CVE-2010-0739,1440-integer-overflows.patch ###### # mpeters contributed patches @@ -400,6 +402,8 @@ chmod -x texk/dvipdfm/encodings.c %patch32 -p1 -b .getline %patch33 -p1 -b .poolfix %patch34 -p1 -b .dvipsconfig +%patch35 -p1 -b .CVE-2010-0829 +%patch36 -p1 -b .CVE-2010-0739,1440 # fix non utf man pages %patch42 -p1 -b .notutf8-2 @@ -454,7 +458,7 @@ cd - # Prepare Japanese dvips mkdir pdvipsk -tar xfj %{SOURCE1001} -C pdvipsk +tar xfz %{SOURCE1001} -C pdvipsk cp -lR texk/dvipsk texk/pdvipsk cd pdvipsk %patch1005 -p0 @@ -678,24 +682,24 @@ rm -rf %{buildroot}%{_texmf_main}/texconfig/tcfmgr* rm -rf %{buildroot} %post -%{_bindir}/texconfig-sys rehash 2> /dev/null +[ -x %{_bindir}/texconfig-sys ] && %{_bindir}/texconfig-sys rehash 2> /dev/null [ -x /sbin/install-info ] && /sbin/install-info %{_infodir}/web2c.info.gz %{_infodir}/dir -%{_bindir}/fmtutil-sys --all &> /dev/null -%{_bindir}/updmap-sys --syncwithtrees &> /dev/null +[ -x %{_bindir}/fmtutil-sys ] && %{_bindir}/fmtutil-sys --all &> /dev/null +[ -x %{_bindir}/updmap-sys ] && %{_bindir}/updmap-sys --syncwithtrees &> /dev/null if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then [ -x /sbin/restorecon ] && /sbin/restorecon -R %{_texmf_var}/ fi : %post afm -%{_bindir}/texconfig-sys rehash 2> /dev/null +[ -x %{_bindir}/texconfig-sys ] && %{_bindir}/texconfig-sys rehash 2> /dev/null if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then [ -x /sbin/restorecon ] && /sbin/restorecon -R %{_texmf_var}/ fi : %post context -%{_bindir}/texconfig-sys rehash 2> /dev/null +[ -x %{_bindir}/texconfig-sys ] && %{_bindir}/texconfig-sys rehash 2> /dev/null if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then [ -x /sbin/restorecon ] && /sbin/restorecon -R %{_texmf_var}/ fi @@ -703,21 +707,21 @@ fi %post dvips [ -x /sbin/install-info ] && /sbin/install-info %{_infodir}/dvips.info.gz %{_infodir}/dir -%{_bindir}/texconfig-sys rehash 2> /dev/null +[ -x %{_bindir}/texconfig-sys ] && %{_bindir}/texconfig-sys rehash 2> /dev/null if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then [ -x /sbin/restorecon ] && /sbin/restorecon -R %{_texmf_var}/ fi : %post dviutils -%{_bindir}/texconfig-sys rehash 2> /dev/null +[ -x %{_bindir}/texconfig-sys ] && %{_bindir}/texconfig-sys rehash 2> /dev/null if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then [ -x /sbin/restorecon ] && /sbin/restorecon -R %{_texmf_var}/ fi : %post east-asian -%{_bindir}/texconfig-sys rehash 2> /dev/null +[ -x %{_bindir}/texconfig-sys ] && %{_bindir}/texconfig-sys rehash 2> /dev/null if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then [ -x /sbin/restorecon ] && /sbin/restorecon -R %{_texmf_var}/ fi @@ -725,23 +729,23 @@ fi %post latex [ -x /sbin/install-info ] && /sbin/install-info %{_infodir}/latex.info.gz %{_infodir}/dir -%{_bindir}/texconfig-sys init &> /dev/null -%{_bindir}/texconfig-sys rehash 2> /dev/null -%{_bindir}/fmtutil-sys --all &> /dev/null +[ -x %{_bindir}/texconfig-sys ] && %{_bindir}/texconfig-sys init &> /dev/null +[ -x %{_bindir}/texconfig-sys ] && %{_bindir}/texconfig-sys rehash 2> /dev/null +[ -x %{_bindir}/fmtutil-sys ] && %{_bindir}/fmtutil-sys --all &> /dev/null if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then [ -x /sbin/restorecon ] && /sbin/restorecon -R %{_texmf_var}/ fi : %post xetex -%{_bindir}/texconfig-sys rehash 2> /dev/null +[ -x %{_bindir}/texconfig-sys ] && %{_bindir}/texconfig-sys rehash 2> /dev/null if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then [ -x /sbin/restorecon ] && /sbin/restorecon -R %{_texmf_var}/ fi : %post -n kpathsea -/sbin/ldconfig +[ -x /sbin/ldconfig ] && /sbin/ldconfig [ -x /sbin/install-info ] && /sbin/install-info %{_infodir}/kpathsea.info.gz %{_infodir}/dir if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then [ -x /sbin/restorecon ] && /sbin/restorecon -R %{_texmf_var}/ @@ -774,7 +778,7 @@ fi : %preun -n kpathsea -/sbin/ldconfig +[ -x /sbin/ldconfig ] && /sbin/ldconfig if [ "$1" = 0 ]; then [ -x /sbin/install-info ] && /sbin/install-info --delete %{_infodir}/kpathsea.info.gz %{_infodir}/dir fi @@ -784,63 +788,63 @@ fi : %postun -%{_bindir}/texconfig-sys rehash 2> /dev/null +[ -x %{_bindir}/texconfig-sys ] && %{_bindir}/texconfig-sys rehash 2> /dev/null if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then [ -x /sbin/restorecon ] && /sbin/restorecon -R %{_texmf_var}/ fi : %postun afm -%{_bindir}/texconfig-sys rehash 2> /dev/null +[ -x %{_bindir}/texconfig-sys ] && %{_bindir}/texconfig-sys rehash 2> /dev/null if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then [ -x /sbin/restorecon ] && /sbin/restorecon -R %{_texmf_var}/ fi : %postun context -%{_bindir}/texconfig-sys rehash 2> /dev/null +[ -x %{_bindir}/texconfig-sys ] && %{_bindir}/texconfig-sys rehash 2> /dev/null if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then [ -x /sbin/restorecon ] && /sbin/restorecon -R %{_texmf_var}/ fi : %postun east-asian -%{_bindir}/texconfig-sys rehash 2> /dev/null +[ -x %{_bindir}/texconfig-sys ] && %{_bindir}/texconfig-sys rehash 2> /dev/null if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then [ -x /sbin/restorecon ] && /sbin/restorecon -R %{_texmf_var}/ fi : %postun dviutils -%{_bindir}/texconfig-sys rehash 2> /dev/null +[ -x %{_bindir}/texconfig-sys ] && %{_bindir}/texconfig-sys rehash 2> /dev/null if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then [ -x /sbin/restorecon ] && /sbin/restorecon -R %{_texmf_var}/ fi : %postun dvips -%{_bindir}/texconfig-sys rehash 2> /dev/null +[ -x %{_bindir}/texconfig-sys ] && %{_bindir}/texconfig-sys rehash 2> /dev/null if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then [ -x /sbin/restorecon ] && /sbin/restorecon -R %{_texmf_var}/ fi : %postun latex -%{_bindir}/texconfig-sys rehash 2> /dev/null +[ -x %{_bindir}/texconfig-sys ] && %{_bindir}/texconfig-sys rehash 2> /dev/null if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then [ -x /sbin/restorecon ] && /sbin/restorecon -R %{_texmf_var}/ fi : %postun xetex -%{_bindir}/texconfig-sys rehash 2> /dev/null +[ -x %{_bindir}/texconfig-sys ] && %{_bindir}/texconfig-sys rehash 2> /dev/null if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then [ -x /sbin/restorecon ] && /sbin/restorecon -R %{_texmf_var}/ fi : %postun -n kpathsea -/sbin/ldconfig +[ -x /sbin/ldconfig ] && /sbin/ldconfig if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then [ -x /sbin/restorecon ] && /sbin/restorecon -R %{_texmf_var}/ fi @@ -851,7 +855,6 @@ fi # config files %dir %{_texmf_conf} %dir %{_texmf_conf}/web2c/ -%dir %{_texmf_var}/web2c/ %dir %{_texmf_main}/web2c/ %dir %{_texmf_main}/doc/ %doc %{_texmf_main}/doc/bibtex8/ @@ -1169,6 +1172,7 @@ fi %{_mandir}/ja/man1/mendex.1* %files east-asian +%defattr(-,root,root,-) %doc %{_texmf_main}/doc/pdvipsk/ %doc %{_texmf_main}/doc/ptex/ %{_texmf_main}/fonts/map/pdvips/ @@ -1208,6 +1212,7 @@ fi %{_mandir}/man1/opdvips.1* %files context +%defattr(-,root,root,-) %{_bindir}/ctxtools %{_bindir}/exatools %{_bindir}/luatools @@ -1238,6 +1243,14 @@ fi %{_mandir}/man1/texutil.1* %changelog +* Mon May 10 2010 Jindrich Novy 2007-47 +- fix CVE-2010-0739 and CVE-2010-1440 (#584795) +- fix CVE-2010-0829 (#589607) +- add missing defattr to filelists +- fix directory ownership of /var/lib/texmf/web2c (#512459) +- use official tarball for jpatch +- fix post/postun scriptlets (#532466) + * Fri Oct 23 2009 Jindrich Novy 2007-46 - add missing dependency on kpathsea