[71968] trunk/dports/tex/pTeX

takanori at macports.org takanori at macports.org
Tue Sep 28 15:38:52 PDT 2010


Revision: 71968
          http://trac.macports.org/changeset/71968
Author:   takanori at macports.org
Date:     2010-09-28 15:38:50 -0700 (Tue, 28 Sep 2010)
Log Message:
-----------
pTeX: fixes CVE-2010-0829 (array index error in dvipng/set.c), CVE-2010-1440 (integer overflow in dvipsk/dospecial.c)

Modified Paths:
--------------
    trunk/dports/tex/pTeX/Portfile
    trunk/dports/tex/pTeX/files/patch-2extract-src.sh.diff
    trunk/dports/tex/pTeX/files/patch-md5sum_texsrc.traditional.diff

Added Paths:
-----------
    trunk/dports/tex/pTeX/files/security/dvipng-CVE-2010-0829.diff
    trunk/dports/tex/pTeX/files/security/dvipsk-CVE-2010-1440.diff

Removed Paths:
-------------
    trunk/dports/tex/pTeX/files/security/dvipsk-CVE-2010-0739.diff

Modified: trunk/dports/tex/pTeX/Portfile
===================================================================
--- trunk/dports/tex/pTeX/Portfile	2010-09-28 19:31:36 UTC (rev 71967)
+++ trunk/dports/tex/pTeX/Portfile	2010-09-28 22:38:50 UTC (rev 71968)
@@ -3,7 +3,7 @@
 PortSystem      1.0
 
 name            pTeX
-version         20100522
+version         20100929
 epoch           ${version}
 set ver_ptetex3     20080616
 set ver_dvipdfmx    20100328

Modified: trunk/dports/tex/pTeX/files/patch-2extract-src.sh.diff
===================================================================
--- trunk/dports/tex/pTeX/files/patch-2extract-src.sh.diff	2010-09-28 19:31:36 UTC (rev 71967)
+++ trunk/dports/tex/pTeX/files/patch-2extract-src.sh.diff	2010-09-28 22:38:50 UTC (rev 71968)
@@ -59,14 +59,16 @@
  ## disable installing 'config.ps'
  $CP $SRC/texk/${P}dvipsk/Makefile.in       $SRC/texk/${P}dvipsk/Makefile.in.jp
  $CP $SRC/texk/${P}dvipsk/Makefile.in.tetex $SRC/texk/${P}dvipsk/Makefile.in
-@@ -255,6 +248,11 @@
+@@ -255,6 +248,13 @@
  # Fix xpdf integer overflow CVE-2007-3387 (impoted from tetex-3.0-35.fc6)
  cpatch security/tetex-3.0-CVE-2007-3387.patch      1 $SRC
  
 +cpatch security/bibtex-CVE-2009-1284.diff          1 $SRC
 +cpatch security/jbibtex-CVE-2009-1284.diff         1 $SRC
-+cpatch security/dvipsk-CVE-2010-0739.diff          1 $SRC
++#cpatch security/dvipsk-CVE-2010-0739.diff         1 $SRC
 +cpatch security/dvipsk-CVE-2010-0827.diff          1 $SRC
++cpatch security/dvipsk-CVE-2010-1440.diff          1 $SRC
++cpatch security/dvipng-CVE-2010-0829.diff          1 $SRC
 +
  #exit # uncomment if 'mktemp' command doesn't exist
  # Don't use PID for temporary file names in scripts. (impoted from FC4)
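Review bot: The added line `#cpatch security/dvipsk-CVE-2010-0739.diff 1 $SRC` leaves a commented-out call to a patch file that this same revision removes, with no explanation, so someone auditing CVE coverage from this script could read CVE-2010-0739 as unpatched. Judging from the two patch files in this commit, the new dvipsk-CVE-2010-1440.diff rewrites the same `predospecial` bounds check that the 0739 patch guarded, so the intent appears to be supersession. I would replace the dead line with a comment that says so, e.g. `# CVE-2010-0739: covered by dvipsk-CVE-2010-1440.diff (same check in predospecial)`.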

Modified: trunk/dports/tex/pTeX/files/patch-md5sum_texsrc.traditional.diff
===================================================================
--- trunk/dports/tex/pTeX/files/patch-md5sum_texsrc.traditional.diff	2010-09-28 19:31:36 UTC (rev 71967)
+++ trunk/dports/tex/pTeX/files/patch-md5sum_texsrc.traditional.diff	2010-09-28 22:38:50 UTC (rev 71968)
@@ -21,7 +21,7 @@
 +185c9d7f7053cf318cd9c30b2b8b92b2  ./texk/dvipsk/config.ps
  724c33d501d97c61a405429341757a2d  ./texk/dvipsk/dopage.c
 -28ea2b6d495b6fc506a8739a6a9b4671  ./texk/dvipsk/dospecial.c
-+93bd892425fa393963530bc6d2d92739  ./texk/dvipsk/dospecial.c
++8bd47e07032e65e8f2249be485a515a4  ./texk/dvipsk/dospecial.c
  76cce1c3de62281469971a3e0304329b  ./texk/dvipsk/download.c
  727a5cb6d89cc7f3fb06e4b6377c011b  ./texk/dvipsk/drawPS.c
 -3c796d1ddaa2592d8a7a6ce10aa374fc  ./texk/dvipsk/dvips.c

Added: trunk/dports/tex/pTeX/files/security/dvipng-CVE-2010-0829.diff
===================================================================
--- trunk/dports/tex/pTeX/files/security/dvipng-CVE-2010-0829.diff	                        (rev 0)
+++ trunk/dports/tex/pTeX/files/security/dvipng-CVE-2010-0829.diff	2010-09-28 22:38:50 UTC (rev 71968)
@@ -0,0 +1,91 @@
+diff -Naur tetex-src-3.0/texk/dvipng.orig/draw.c tetex-src-3.0/texk/dvipng/draw.c
+--- tetex-src-3.0/texk/dvipng.orig/draw.c	2005-02-04 18:21:09.000000000 +0900
++++ tetex-src-3.0/texk/dvipng/draw.c	2010-09-29 06:54:20.000000000 +0900
+@@ -99,7 +99,15 @@
+ 
+   if (currentfont==NULL) 
+     Fatal("faulty DVI, trying to set character from null font");
++  if (c<0 || c>LASTFNTCHAR) {
++    Warning("glyph index out of range (%d), skipping",c);
++    return(0);
++  }
+   ptr = currentfont->chr[c];
++  if (ptr==NULL) {
++    Warning("unable to draw glyph %d, skipping",c);
++    return(0);
++  }
+ #ifdef DEBUG
+   switch (currentfont->type) {
+   case FONT_TYPE_VF: DEBUG_PRINT(DEBUG_DVI,("\n  VF CHAR:\t")); break;
+@@ -107,13 +115,13 @@
+   case FONT_TYPE_T1: DEBUG_PRINT(DEBUG_DVI,("\n  T1 CHAR:\t")); break;
+   case FONT_TYPE_FT: DEBUG_PRINT(DEBUG_DVI,("\n  FT CHAR:\t")); break;
+   }
+-  if (isprint(c))
++  if (debug & DEBUG_DVI && c>=0 && c<=UCHAR_MAX && isprint(c))
+     DEBUG_PRINT(DEBUG_DVI,("'%c' ",c));
+   DEBUG_PRINT(DEBUG_DVI,("%d at (%d,%d) tfmw %d", c,hh,vv,ptr->tfmw));
+ #endif
+   if (currentfont->type==FONT_TYPE_VF) {
+-    return(SetVF(c));
+-  } else if (ptr) {
++    return(SetVF(ptr));
++  } else {
+     if (ptr->data == NULL) 
+       switch(currentfont->type) {
+       case FONT_TYPE_PK:	LoadPK(c, ptr); break;
+@@ -127,7 +135,7 @@
+ 	Fatal("undefined fonttype %d",currentfont->type);
+       }
+     if (page_imagep != NULL)
+-      return(SetGlyph(c, hh, vv));
++      return(SetGlyph(ptr, hh, vv));
+     else {
+       /* Expand bounding box if necessary */
+       min(x_min,hh - ptr->xOffset/shrinkfactor);
+diff -Naur tetex-src-3.0/texk/dvipng.orig/dvipng.h tetex-src-3.0/texk/dvipng/dvipng.h
+--- tetex-src-3.0/texk/dvipng.orig/dvipng.h	2005-02-04 18:21:09.000000000 +0900
++++ tetex-src-3.0/texk/dvipng/dvipng.h	2010-09-29 06:44:58.000000000 +0900
+@@ -363,9 +363,9 @@
+ void      WriteImage(char*, int);
+ void      LoadPK(int32_t, register struct char_entry *);
+ int32_t   SetChar(int32_t);
+-dviunits  SetGlyph(int32_t c, int32_t hh,int32_t vv);
++dviunits  SetGlyph(struct char_entry *ptr, int32_t hh,int32_t vv);
+ void      Gamma(double gamma);
+-int32_t   SetVF(int32_t);
++int32_t   SetVF(struct char_entry *ptr);
+ int32_t   SetRule(int32_t, int32_t, int32_t, int32_t);
+ void      SetSpecial(char *, int32_t, int32_t, int32_t);
+ void      BeginVFMacro(struct font_entry*);
+diff -Naur tetex-src-3.0/texk/dvipng.orig/set.c tetex-src-3.0/texk/dvipng/set.c
+--- tetex-src-3.0/texk/dvipng.orig/set.c	2005-02-04 18:21:11.000000000 +0900
++++ tetex-src-3.0/texk/dvipng/set.c	2010-09-29 06:58:08.000000000 +0900
+@@ -180,10 +180,8 @@
+ 
+ 
+ #define GREYS 255
+-dviunits SetGlyph(int32_t c, int32_t hh,int32_t vv)
++dviunits SetGlyph(struct char_entry *ptr, int32_t hh,int32_t vv)
+ {
+-  register struct char_entry *ptr = currentfont->chr[c];
+-                                      /* temporary char_entry pointer */
+   int red,green,blue;
+   int *Color=alloca(sizeof(int)*(GREYS+1));
+   int x,y;
+diff -Naur tetex-src-3.0/texk/dvipng.orig/vf.c tetex-src-3.0/texk/dvipng/vf.c
+--- tetex-src-3.0/texk/dvipng.orig/vf.c	2005-02-04 18:21:11.000000000 +0900
++++ tetex-src-3.0/texk/dvipng/vf.c	2010-09-29 06:55:24.000000000 +0900
+@@ -28,11 +28,10 @@
+ #define VF_ID 202
+ #define LONG_CHAR 242
+ 
+-int32_t SetVF(int32_t c) 
++int32_t SetVF(struct char_entry* ptr)
+ {
+   struct font_entry* currentvf;
+   unsigned char *command,*end;
+-  struct char_entry* ptr=currentfont->chr[c];
+ 
+   currentvf=currentfont;
+   BeginVFMacro(currentvf);
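Review bot: The new guard in draw.c, `if (c<0 || c>LASTFNTCHAR)`, protects `currentfont->chr[c]` only if `chr[]` is declared with at least `LASTFNTCHAR+1` entries, and neither that declaration nor the macro is visible in this patch; a comment at the check such as `/* chr[] holds LASTFNTCHAR+1 entries; c is presumably taken from the DVI input */`, or a compile-time assertion next to the struct, would pin the invariant the fix depends on. Separately, the DEBUG-only condition uses `UCHAR_MAX` without the patch adding `#include <limits.h>`, so a DEBUG build may fail unless dvipng.h already provides it, and `debug & DEBUG_DVI && ...` would read more safely as `(debug & DEBUG_DVI) && ...`. The signature changes to `SetGlyph` and `SetVF` cover the calls shown in draw.c; any caller outside the files patched here would need the same update. The enclosing function in draw.c starts and ends outside the hunks.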

Deleted: trunk/dports/tex/pTeX/files/security/dvipsk-CVE-2010-0739.diff
===================================================================
--- trunk/dports/tex/pTeX/files/security/dvipsk-CVE-2010-0739.diff	2010-09-28 19:31:36 UTC (rev 71967)
+++ trunk/dports/tex/pTeX/files/security/dvipsk-CVE-2010-0739.diff	2010-09-28 22:38:50 UTC (rev 71968)
@@ -1,15 +0,0 @@
---- tetex-src-3.0/texk/dvipsk/dospecial.c.orig	2010-03-28 09:07:31.000000000 +0900
-+++ tetex-src-3.0/texk/dvipsk/dospecial.c	2010-03-28 09:27:27.000000000 +0900
-@@ -412,6 +412,12 @@
-    static int omega_specials = 0;
- 
-    if (nextstring + numbytes > maxstring) {
-+      if (numbytes < 0
-+	  || (numbytes > 0 && 2 > INT_MAX / numbytes)
-+	  || 2 * numbytes > 1000 + 2 * numbytes) {
-+         error("! Integer overflow in predospecial");
-+         exit(1);
-+      }
-       p = nextstring = mymalloc(1000 + 2 * numbytes) ;
-       maxstring = nextstring + 2 * numbytes + 700 ;
-    }

Added: trunk/dports/tex/pTeX/files/security/dvipsk-CVE-2010-1440.diff
===================================================================
--- trunk/dports/tex/pTeX/files/security/dvipsk-CVE-2010-1440.diff	                        (rev 0)
+++ trunk/dports/tex/pTeX/files/security/dvipsk-CVE-2010-1440.diff	2010-09-28 22:38:50 UTC (rev 71968)
@@ -0,0 +1,28 @@
+--- tetex-src-3.0/texk/dvipsk/dospecial.c.orig	2010-09-29 06:37:28.000000000 +0900
++++ tetex-src-3.0/texk/dvipsk/dospecial.c	2010-09-29 06:37:52.000000000 +0900
+@@ -411,7 +411,11 @@
+    int j ;
+    static int omega_specials = 0;
+ 
+-   if (nextstring + numbytes > maxstring) {
++   if (numbytes < 0 || numbytes > maxstring - nextstring) {
++      if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 ) {
++         error("! Integer overflow in predospecial");
++         exit(1);
++      }
+       p = nextstring = mymalloc(1000 + 2 * numbytes) ;
+       maxstring = nextstring + 2 * numbytes + 700 ;
+    }
+@@ -1061,7 +1065,11 @@
+    char seen[NKEYS] ;
+    float valseen[NKEYS] ;
+ 
+-   if (nextstring + nbytes > maxstring) {
++   if (nbytes < 0 || nbytes > maxstring - nextstring) {
++      if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2 ) {
++         error("! Integer overflow in bbdospecial");
++         exit(1);
++      }
+       p = nextstring = mymalloc(1000 + 2 * nbytes) ;
+       maxstring = nextstring + 2 * nbytes + 700 ;
+    }
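Review bot: Both new guards compare against `INT_MAX`, but the patch adds no `#include <limits.h>` to dospecial.c, so it builds only if a header already included there defines it; worth confirming or adding the include in the same patch. The rewritten outer test `numbytes > maxstring - nextstring` also assumes both pointers refer to the same buffer (or are both null before the first allocation), which is not visible here; a short comment such as `/* compare lengths, not pointers: nextstring + numbytes could wrap */` would record why the form was changed. The identical block at `@@ -1061` for `nbytes` could share a small static helper so the two limits cannot drift apart. Both enclosing functions extend beyond the hunks.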