Pullup ticket 3027 - requested by taca
security patch
Revisions pulled up:
- pkgsrc/x11/wxGTK24/Makefile 1.11
- pkgsrc/x11/wxGTK24/distinfo 1.10
Files added:
pkgsrc/x11/wxGTK24/patches/patch-am
pkgsrc/x11/wxGTK24/patches/patch-an
pkgsrc/x11/wxGTK24/patches/patch-ao
pkgsrc/x11/wxGTK24/patches/patch-ap
--------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Tue Feb 16 17:33:39 UTC 2010
Modified Files:
pkgsrc/x11/wxGTK24: Makefile distinfo
Added Files:
pkgsrc/x11/wxGTK24/patches: patch-am patch-an patch-ao patch-ap
Log Message:
Add patches for CVE-2009-2625 and CVE-2009-2369.
Bump PKGREVISION.
To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 pkgsrc/x11/wxGTK24/Makefile
cvs rdiff -u -r1.9 -r1.10 pkgsrc/x11/wxGTK24/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/x11/wxGTK24/patches/patch-am \
pkgsrc/x11/wxGTK24/patches/patch-an pkgsrc/x11/wxGTK24/patches/patch-ao \
pkgsrc/x11/wxGTK24/patches/patch-ap
(spz)
diff -r1.9 -r1.9.2.1 pkgsrc/x11/wxGTK24/Makefile| @@ -1,18 +1,18 @@ | @@ -1,18 +1,18 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.9 2009/11/29 20:16:20 joerg Exp $ | 1 | # $NetBSD: Makefile,v 1.9.2.1 2010/02/28 13:15:01 spz Exp $ | |
| 2 | # | 2 | # | |
| 3 | 3 | |||
| 4 | PKG_DESTDIR_SUPPORT= user-destdir | 4 | PKG_DESTDIR_SUPPORT= user-destdir | |
| 5 | 5 | |||
| 6 | .include "Makefile.common" | 6 | .include "Makefile.common" | |
| 7 | 7 | |||
| 8 | PKGREVISION= 14 | 8 | PKGREVISION= 16 | |
| 9 | COMMENT= GTK-based implementation of the wxWidgets GUI library | 9 | COMMENT= GTK-based implementation of the wxWidgets GUI library | |
| 10 | CONFLICTS+= wxGTK<=2.4.2nb5 | 10 | CONFLICTS+= wxGTK<=2.4.2nb5 | |
| 11 | 11 | |||
| 12 | INSTALLATION_DIRS= ${DOCDIR} | 12 | INSTALLATION_DIRS= ${DOCDIR} | |
| 13 | 13 | |||
| 14 | post-install: | 14 | post-install: | |
| 15 | ${INSTALL_DATA} ${WRKSRC}/LICENCE.txt ${DESTDIR}${DOCDIR}/LICENSE | 15 | ${INSTALL_DATA} ${WRKSRC}/LICENCE.txt ${DESTDIR}${DOCDIR}/LICENSE | |
| 16 | 16 | |||
| 17 | .include "../../graphics/glu/buildlink3.mk" | 17 | .include "../../graphics/glu/buildlink3.mk" | |
| 18 | .include "../../mk/bsd.pkg.mk" | 18 | .include "../../mk/bsd.pkg.mk" |
| @@ -1,17 +1,21 @@ | @@ -1,17 +1,21 @@ | |||
| 1 | $NetBSD: distinfo,v 1.9 2009/11/29 20:16:20 joerg Exp $ | 1 | $NetBSD: distinfo,v 1.9.2.1 2010/02/28 13:15:02 spz Exp $ | |
| 2 | 2 | |||
| 3 | SHA1 (wxGTK-2.4.2.tar.bz2) = 3f1ebacaaf8eb5510c14ee10bafbc5f225be842c | 3 | SHA1 (wxGTK-2.4.2.tar.bz2) = 3f1ebacaaf8eb5510c14ee10bafbc5f225be842c | |
| 4 | RMD160 (wxGTK-2.4.2.tar.bz2) = 8076d1ba31c9b23becb241cbad5a83763fee776e | 4 | RMD160 (wxGTK-2.4.2.tar.bz2) = 8076d1ba31c9b23becb241cbad5a83763fee776e | |
| 5 | Size (wxGTK-2.4.2.tar.bz2) = 5381935 bytes | 5 | Size (wxGTK-2.4.2.tar.bz2) = 5381935 bytes | |
| 6 | SHA1 (patch-aa) = 1d6b86da5e7a1fd3a13805465e9059d21dbbfc7a | 6 | SHA1 (patch-aa) = 1d6b86da5e7a1fd3a13805465e9059d21dbbfc7a | |
| 7 | SHA1 (patch-ab) = bab52051778a93439cfd3144f052bdbcc7024e30 | 7 | SHA1 (patch-ab) = bab52051778a93439cfd3144f052bdbcc7024e30 | |
| 8 | SHA1 (patch-ac) = 06a047a28260d30516b87d85a4dd4d5a6c18cfc4 | 8 | SHA1 (patch-ac) = 06a047a28260d30516b87d85a4dd4d5a6c18cfc4 | |
| 9 | SHA1 (patch-ad) = 809a12f89b018373910b31442dfd315276cafbdf | 9 | SHA1 (patch-ad) = 809a12f89b018373910b31442dfd315276cafbdf | |
| 10 | SHA1 (patch-ae) = 81c2e33fbdd4a715da5a14ef3ae0a377d0d9aec2 | 10 | SHA1 (patch-ae) = 81c2e33fbdd4a715da5a14ef3ae0a377d0d9aec2 | |
| 11 | SHA1 (patch-af) = 81cddc6dcdf986317f7d62f027515cae6ef2c855 | 11 | SHA1 (patch-af) = 81cddc6dcdf986317f7d62f027515cae6ef2c855 | |
| 12 | SHA1 (patch-ag) = ccdaca4030c08aefa922367019e0c9249b810456 | 12 | SHA1 (patch-ag) = ccdaca4030c08aefa922367019e0c9249b810456 | |
| 13 | SHA1 (patch-ah) = 24cc32f7eda53f4704422363902f72239eda2253 | 13 | SHA1 (patch-ah) = 24cc32f7eda53f4704422363902f72239eda2253 | |
| 14 | SHA1 (patch-ai) = c5d301c2cb45397329d9a817d9278707a2d3b97f | 14 | SHA1 (patch-ai) = c5d301c2cb45397329d9a817d9278707a2d3b97f | |
| 15 | SHA1 (patch-aj) = 9f74442617e6a869c5ff253591bba3f9da3a9e0c | 15 | SHA1 (patch-aj) = 9f74442617e6a869c5ff253591bba3f9da3a9e0c | |
| 16 | SHA1 (patch-ak) = 3f26086c8f16ac972db89c21f665c187570937cc | 16 | SHA1 (patch-ak) = 3f26086c8f16ac972db89c21f665c187570937cc | |
| 17 | SHA1 (patch-al) = bceed88db708c83afca0fe3adb5c923f9bc661b0 | 17 | SHA1 (patch-al) = bceed88db708c83afca0fe3adb5c923f9bc661b0 | |
| 18 | SHA1 (patch-am) = 445ae223a6fd88b86efafa7c13dbcf3f359f364f | |||
| 19 | SHA1 (patch-an) = a9d276244cac87fa00a3c3338179e68084b72b1d | |||
| 20 | SHA1 (patch-ao) = 7fb559c8662b20a61d39b308d3b6723b0dde6673 | |||
| 21 | SHA1 (patch-ap) = b1217506bfffe9ed7a282c960a99921c61d76dbd |
$NetBSD: patch-am,v 1.1.2.2 2010/02/28 13:15:02 spz Exp $
deal with CVE-2009-2625.
--- contrib/src/xrc/expat/xmltok/xmltok_impl.c.orig 2003-09-21 11:32:55.000000000 +0000
+++ contrib/src/xrc/expat/xmltok/xmltok_impl.c
@@ -1753,7 +1753,7 @@ void PREFIX(updatePosition)(const ENCODI
const char *end,
POSITION *pos)
{
- while (ptr != end) {
+ while (ptr < end) {
switch (BYTE_TYPE(enc, ptr)) {
#define LEAD_CASE(n) \
case BT_LEAD ## n: \
$NetBSD: patch-an,v 1.1.2.2 2010/02/28 13:15:02 spz Exp $
deal with CVE-2009-2369.
--- src/common/image.cpp.orig 2003-09-21 11:31:39.000000000 +0000
+++ src/common/image.cpp
@@ -147,6 +147,10 @@ void wxImage::Create( int width, int hei
m_refData = new wxImageRefData();
+ if (width <= 0 || height <= 0 || width > INT_MAX / 3 / height) {
+ UnRef();
+ return;
+ }
M_IMGDATA->m_data = (unsigned char *) malloc( width*height*3 );
if (M_IMGDATA->m_data)
{
$NetBSD: patch-ao,v 1.1.2.2 2010/02/28 13:15:02 spz Exp $
deal with CVE-2009-2369.
--- src/common/imagpng.cpp.orig 2003-09-21 11:31:39.000000000 +0000
+++ src/common/imagpng.cpp
@@ -213,18 +213,16 @@ bool wxPNGHandler::LoadFile( wxImage *im
if (!image->Ok())
goto error_nolines;
- lines = (unsigned char **)malloc( (size_t)(height * sizeof(unsigned char *)) );
+ // initialize all line pointers to NULL to ensure that they can be safely
+ // free()d if an error occurs before all of them could be allocated
+ lines = (unsigned char **)calloc(height, sizeof(unsigned char *));
if (lines == NULL)
goto error_nolines;
for (i = 0; i < height; i++)
{
if ((lines[i] = (unsigned char *)malloc( (size_t)(width * (sizeof(unsigned char) * 4)))) == NULL)
- {
- for ( unsigned int n = 0; n < i; n++ )
- free( lines[n] );
goto error;
- }
}
// loaded successfully!
$NetBSD: patch-ap,v 1.1.2.2 2010/02/28 13:15:02 spz Exp $
deal with CVE-2009-2369.
--- src/common/imagtiff.cpp.orig 2003-09-21 11:31:39.000000000 +0000
+++ src/common/imagtiff.cpp
@@ -188,15 +188,25 @@ bool wxTIFFHandler::LoadFile( wxImage *i
}
uint32 w, h;
- uint32 npixels;
uint32 *raster;
TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
TIFFGetField( tif, TIFFTAG_IMAGELENGTH, &h );
- npixels = w * h;
+ // guard against integer overflow during multiplication which could result
+ // in allocating a too small buffer and then overflowing it
+ const double bytesNeeded = (double)w * (double)h * sizeof(uint32);
+ if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
+ {
+ if ( verbose )
+ wxLogError( _("TIFF: Image size is abnormally big.") );
+
+ TIFFClose(tif);
+
+ return false;
+ }
- raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
+ raster = (uint32*) _TIFFmalloc( bytesNeeded );
if (!raster)
{