Wed Dec 23 14:21:48 2009 UTC ()

add a patch from
https://bugzilla.redhat.com/show_bug.cgi?id=543905
to fix CVE-2009-4227
(Stack-based buffer overflow by loading malformed .FIG files)


(drochner)

diff -r1.59 -r1.60 pkgsrc/graphics/xfig/Makefile
diff -r1.21 -r1.22 pkgsrc/graphics/xfig/distinfo
diff -r0 -r1.1 pkgsrc/graphics/xfig/patches/patch-an

--- pkgsrc/graphics/xfig/Makefile 2009/11/30 13:50:38 1.59
+++ pkgsrc/graphics/xfig/Makefile 2009/12/23 14:21:48 1.60

 @@ -1,18 +1,18 @@
-# $NetBSD: Makefile,v 1.59 2009/11/30 13:50:38 itohy Exp $
+# $NetBSD: Makefile,v 1.60 2009/12/23 14:21:48 drochner Exp $
 DISTNAME=	xfig.3.2.5b.full
 PKGNAME=	xfig-3.2.5b
-PKGREVISION=	4
+PKGREVISION=	5
 CATEGORIES=	graphics
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=mcj/}
 MAINTAINER=	pkgsrc-users@NetBSD.org
 HOMEPAGE=	http://www.xfig.org/
 COMMENT=	CAD-like 2D drawing tool, good for colorful scale drawings & ISOs
 PKG_DESTDIR_SUPPORT=	user-destdir
 DEPENDS+=	transfig>=3.2.4:../../print/transfig
 # if we're using Xaw3d, then we need 1.5E or newer since using that
 # version means we need a patch, which is currently used unconditionally
 BUILDLINK_API_DEPENDS.Xaw3d+=	Xaw3d>=1.5E

--- pkgsrc/graphics/xfig/distinfo 2009/11/04 15:34:08 1.21
+++ pkgsrc/graphics/xfig/distinfo 2009/12/23 14:21:48 1.22

 @@ -1,15 +1,16 @@
-$NetBSD: distinfo,v 1.21 2009/11/04 15:34:08 gdt Exp $
+$NetBSD: distinfo,v 1.22 2009/12/23 14:21:48 drochner Exp $
 SHA1 (xfig.3.2.5b.full.tar.gz) = 0730d7e6bc217c0de02682efb0078821512bb542
 RMD160 (xfig.3.2.5b.full.tar.gz) = aad4cfd808c116d34218e9890a898652e4f52ab6
 Size (xfig.3.2.5b.full.tar.gz) = 5821049 bytes
 SHA1 (patch-aa) = c931f4735f7502cc9d7c116378dcd3b420a40c6f
 SHA1 (patch-ab) = c68a3ce1c1efbeab6e0f2dac9f91bf87c1515ce4
 SHA1 (patch-ac) = b43b811dce9aa3cdb5d18dc7c403a4a2e503fd44
 SHA1 (patch-ad) = b75238284164fe1e8365c21fab1a5e9102c467d0
 SHA1 (patch-ae) = 8bb5d1c01faae34a6ad2cd1eaddf794cbf39a02e
 SHA1 (patch-ag) = 021f15be1fd36adc80c638bbb485e2f3753ac11b
 SHA1 (patch-ai) = bd3f0c40e542aae1cfd739dbe0c0f096ddfdefcf
 SHA1 (patch-ak) = fcc358a595590ea3136d71bd9f61449d54914c46
 SHA1 (patch-al) = ca20d3ec7bcf2ac24fd0a415495f805add23142d
 SHA1 (patch-am) = 72adbda34425fda49f2072a3d40a3d942e07e1ba
 SHA1 (patch-an) = 4bfce8dbd420bc4b4d8efa5b01a39e3a9ce03ca6

$NetBSD: patch-an,v 1.1 2009/12/23 14:21:48 drochner Exp $

--- f_readold.c.orig	2007-03-29 00:23:14.000000000 +0000
+++ f_readold.c
@@ -471,7 +471,7 @@ read_1_3_textobject(FILE *fp)
     F_text	   *t;
     int		    n;
     int		    dum;
-    char	    buf[128];
+    char	    buf[512];
     PR_SIZE	    tx_dim;
 
     if ((t = create_text()) == NULL)
@@ -485,22 +485,34 @@ read_1_3_textobject(FILE *fp)
     t->pen_style = -1;
     t->angle = 0.0;
     t->next = NULL;
+    if (!fgets(buf, sizeof(buf), fp)) {
+	file_msg("Incomplete text data");
+	free((char *) t);
+	return (NULL);
+    }
+
+    /* Note using strlen(buf) here will waste a few bytes, as the
+       various text attributes are counted into this length too. */
+    if ((t->cstring = new_string(strlen(buf))) == NULL)
+        return (NULL);
+
     /* ascent and length will be recalculated later */
-    n = fscanf(fp, " %d %d %d %d %d %d %d %[^\n]",
+    n = sscanf(buf, " %d %d %d %d %d %d %d %[^\n]",
 		&t->font, &dum, &dum, &t->ascent, &t->length,
-		&t->base_x, &t->base_y, buf);
+		&t->base_x, &t->base_y, t->cstring);
     if (n != 8) {
 	file_msg("Incomplete text data");
+	free(t->cstring);
 	free((char *) t);
 	return (NULL);
     }
-    if ((t->cstring = new_string(strlen(buf))) == NULL) {
+
+    if (!strlen(t->cstring)) {
+	free(t->cstring);
 	free((char *) t);
 	file_msg("Empty text string at line %d.", line_no);
 	return (NULL);
     }
-    /* put string in structure */
-    strcpy(t->cstring, buf);
 
     /* get the font struct */
     t->zoom = zoomscale;