diff --git a/antiword-bGetPPS-Prevent-buffer-overflow-of-atPPSlist-_szName.diff b/antiword-bGetPPS-Prevent-buffer-overflow-of-atPPSlist-_szName.diff
new file mode 100644
index 0000000..48a752b
--- /dev/null
+++ b/antiword-bGetPPS-Prevent-buffer-overflow-of-atPPSlist-_szName.diff
@@ -0,0 +1,28 @@
+From a17e48746d7203f91a2c3bb1cdcbe9023c8d37a0 Mon Sep 17 00:00:00 2001
+From: Fabian Keil
+Date: Tue, 25 Nov 2014 18:58:52 +0100
+Subject: [PATCH] bGetPPS(): Prevent overflow of atPPSlist[].szName[]
+
+---
+ wordole.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/wordole.c b/wordole.c
+index 8a95fb9..7797d1f 100644
+--- a/wordole.c
++++ b/wordole.c
+@@ -259,6 +259,11 @@ bGetPPS(FILE *pFile,
+ }
+ tNameSize = (size_t)usGetWord(0x40, aucBytes);
+ tNameSize = (tNameSize + 1) / 2;
++ if (tNameSize >= sizeof(atPPSlist[0].szName)) {
++ werr(0, "PPS %d appears to be invalid.", iIndex);
++ atPPSlist = xfree(atPPSlist);
++ return FALSE;
++ }
+ vName2String(atPPSlist[iIndex].szName, aucBytes, tNameSize);
+ atPPSlist[iIndex].ucType = ucGetByte(0x42, aucBytes);
+ if (atPPSlist[iIndex].ucType == 5) {
+-- 
+2.1.2
+
diff --git a/antiword.spec b/antiword.spec
index 13f6c13..3efd4c5 100644
--- a/antiword.spec
+++ b/antiword.spec
@@ -1,11 +1,12 @@
 Summary: MS Word to ASCII/Postscript converter
 Name: antiword
 Version: 0.37
-Release: 16%{?dist}
+Release: 17%{?dist}
 Source0: http://www.winfield.demon.nl/linux/%{name}-%{version}.tar.gz
 Source1: antiword.sh
 URL: http://www.winfield.demon.nl/
 Patch0: antiword-0.32-fix-flags.patch
+Patch1: http://seclists.org/oss-sec/2014/q4/att-870/antiword-bGetPPS-Prevent-buffer-overflow-of-atPPSlist-_szName.diff
 License: GPLv2+
 Group: Applications/Text
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) 
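Review bot: The new guard `if (tNameSize >= sizeof(atPPSlist[0].szName))` also rejects tNameSize == sizeof(szName), and whether that boundary is the intended one depends on vName2String, which is outside the hunk. The length word read at 0x40 is the name's byte length including its UTF-16 terminator, so after `(tNameSize + 1) / 2` tNameSize counts 16-bit units including the terminator; if vName2String writes tNameSize bytes and terminates at szName[tNameSize - 1] (I believe upstream's does), then `>` is the exact bound and `>=` turns a maximal-length name (31 characters plus NUL for a 32-byte szName) into a spurious "PPS %d appears to be invalid." failure — worth confirming before relaxing it, since the stricter check is the safe side. Either way I would document what the check bounds, e.g. `/* tNameSize comes from the file; bound it before vName2String() writes szName and reads aucBytes (CVE-2014-8123) */`, because the same length also drives the read from aucBytes, so the check closes an out-of-bounds read as well as the write. bGetPPS starts and ends outside the hunk, so I cannot see whether `atPPSlist = xfree(atPPSlist); return FALSE;` matches the function's other failure returns.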
@@ -13,12 +14,13 @@ BuildRequires: /usr/bin/iconv
 
 %description
 Antiword is a free MS-Word reader for Linux, BeOS and RISC OS. It converts
-the documets from Word 6, 7, 97 and 2000 to ASCII and Postscript. Antiword
+the documents from Word 6, 7, 97 and 2000 to ASCII and Postscript. Antiword
 tries to keep the layout of the document intact.
 
 %prep
 %setup -q
 %patch0 -p0
+%patch1 -p1
 %{__chmod} a+r * Resources/* Docs/*
 
 %build
@@ -52,6 +54,10 @@ iconv -f iso-8859-1 -t utf-8 Docs/Netscape > Docs/Netscape.utf8
 %{_datadir}/%{name}
 
 %changelog
+* Tue Dec 02 2014 Adrian Reber - 0.37-17
+- added patch for "CVE-2014-8123 antiword: buffer overflow of atPPSlist[].szName[]" (#1169665)
+- fixed dates in changelog
+
 * Fri Aug 15 2014 Fedora Release Engineering - 0.37-16
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
 
@@ -83,7 +89,7 @@ iconv -f iso-8859-1 -t utf-8 Docs/Netscape > Docs/Netscape.utf8
 - added wrapper script from Michal Jaegermann to better handle UTF input files (#191060)
 
-* Thu Feb 12 2008 Adrian Reber - 0.37-6
+* Tue Feb 12 2008 Adrian Reber - 0.37-6
 - rebuilt for gcc43
 
 * Wed Dec 12 2007 Adrian Reber - 0.37-5
@@ -106,7 +112,7 @@ iconv -f iso-8859-1 -t utf-8 Docs/Netscape > Docs/Netscape.utf8
 * Tue May 10 2005 Adrian Reber - 0.36.1-2
 - updated to 0.36.1
 
-* Fri Apr 7 2005 Michael Schwendt
+* Thu Apr 7 2005 Michael Schwendt
 - rebuilt
 
 * Thu Feb 03 2005 Adrian Reber - 0:0.36-1