[71968] trunk/dports/tex/pTeX
takanori at macports.org
takanori at macports.org
Tue Sep 28 15:38:52 PDT 2010
Revision: 71968
http://trac.macports.org/changeset/71968
Author: takanori at macports.org
Date: 2010-09-28 15:38:50 -0700 (Tue, 28 Sep 2010)
Log Message:
-----------
pTeX: fixes CVE-2010-0829 (array index error in dvipng/set.c), CVE-2010-1440 (integer overflow in dvipsk/dospecial.c)
Modified Paths:
--------------
trunk/dports/tex/pTeX/Portfile
trunk/dports/tex/pTeX/files/patch-2extract-src.sh.diff
trunk/dports/tex/pTeX/files/patch-md5sum_texsrc.traditional.diff
Added Paths:
-----------
trunk/dports/tex/pTeX/files/security/dvipng-CVE-2010-0829.diff
trunk/dports/tex/pTeX/files/security/dvipsk-CVE-2010-1440.diff
Removed Paths:
-------------
trunk/dports/tex/pTeX/files/security/dvipsk-CVE-2010-0739.diff
Modified: trunk/dports/tex/pTeX/Portfile
===================================================================
--- trunk/dports/tex/pTeX/Portfile 2010-09-28 19:31:36 UTC (rev 71967)
+++ trunk/dports/tex/pTeX/Portfile 2010-09-28 22:38:50 UTC (rev 71968)
@@ -3,7 +3,7 @@
PortSystem 1.0
name pTeX
-version 20100522
+version 20100929
epoch ${version}
set ver_ptetex3 20080616
set ver_dvipdfmx 20100328
Modified: trunk/dports/tex/pTeX/files/patch-2extract-src.sh.diff
===================================================================
--- trunk/dports/tex/pTeX/files/patch-2extract-src.sh.diff 2010-09-28 19:31:36 UTC (rev 71967)
+++ trunk/dports/tex/pTeX/files/patch-2extract-src.sh.diff 2010-09-28 22:38:50 UTC (rev 71968)
@@ -59,14 +59,16 @@
## disable installing 'config.ps'
$CP $SRC/texk/${P}dvipsk/Makefile.in $SRC/texk/${P}dvipsk/Makefile.in.jp
$CP $SRC/texk/${P}dvipsk/Makefile.in.tetex $SRC/texk/${P}dvipsk/Makefile.in
-@@ -255,6 +248,11 @@
+@@ -255,6 +248,13 @@
# Fix xpdf integer overflow CVE-2007-3387 (impoted from tetex-3.0-35.fc6)
cpatch security/tetex-3.0-CVE-2007-3387.patch 1 $SRC
+cpatch security/bibtex-CVE-2009-1284.diff 1 $SRC
+cpatch security/jbibtex-CVE-2009-1284.diff 1 $SRC
-+cpatch security/dvipsk-CVE-2010-0739.diff 1 $SRC
++#cpatch security/dvipsk-CVE-2010-0739.diff 1 $SRC
+cpatch security/dvipsk-CVE-2010-0827.diff 1 $SRC
++cpatch security/dvipsk-CVE-2010-1440.diff 1 $SRC
++cpatch security/dvipng-CVE-2010-0829.diff 1 $SRC
+
#exit # uncomment if 'mktemp' command doesn't exist
# Don't use PID for temporary file names in scripts. (impoted from FC4)
Modified: trunk/dports/tex/pTeX/files/patch-md5sum_texsrc.traditional.diff
===================================================================
--- trunk/dports/tex/pTeX/files/patch-md5sum_texsrc.traditional.diff 2010-09-28 19:31:36 UTC (rev 71967)
+++ trunk/dports/tex/pTeX/files/patch-md5sum_texsrc.traditional.diff 2010-09-28 22:38:50 UTC (rev 71968)
@@ -21,7 +21,7 @@
+185c9d7f7053cf318cd9c30b2b8b92b2 ./texk/dvipsk/config.ps
724c33d501d97c61a405429341757a2d ./texk/dvipsk/dopage.c
-28ea2b6d495b6fc506a8739a6a9b4671 ./texk/dvipsk/dospecial.c
-+93bd892425fa393963530bc6d2d92739 ./texk/dvipsk/dospecial.c
++8bd47e07032e65e8f2249be485a515a4 ./texk/dvipsk/dospecial.c
76cce1c3de62281469971a3e0304329b ./texk/dvipsk/download.c
727a5cb6d89cc7f3fb06e4b6377c011b ./texk/dvipsk/drawPS.c
-3c796d1ddaa2592d8a7a6ce10aa374fc ./texk/dvipsk/dvips.c
Added: trunk/dports/tex/pTeX/files/security/dvipng-CVE-2010-0829.diff
===================================================================
--- trunk/dports/tex/pTeX/files/security/dvipng-CVE-2010-0829.diff (rev 0)
+++ trunk/dports/tex/pTeX/files/security/dvipng-CVE-2010-0829.diff 2010-09-28 22:38:50 UTC (rev 71968)
@@ -0,0 +1,91 @@
+diff -Naur tetex-src-3.0/texk/dvipng.orig/draw.c tetex-src-3.0/texk/dvipng/draw.c
+--- tetex-src-3.0/texk/dvipng.orig/draw.c 2005-02-04 18:21:09.000000000 +0900
++++ tetex-src-3.0/texk/dvipng/draw.c 2010-09-29 06:54:20.000000000 +0900
+@@ -99,7 +99,15 @@
+
+ if (currentfont==NULL)
+ Fatal("faulty DVI, trying to set character from null font");
++ if (c<0 || c>LASTFNTCHAR) {
++ Warning("glyph index out of range (%d), skipping",c);
++ return(0);
++ }
+ ptr = currentfont->chr[c];
++ if (ptr==NULL) {
++ Warning("unable to draw glyph %d, skipping",c);
++ return(0);
++ }
+ #ifdef DEBUG
+ switch (currentfont->type) {
+ case FONT_TYPE_VF: DEBUG_PRINT(DEBUG_DVI,("\n VF CHAR:\t")); break;
+@@ -107,13 +115,13 @@
+ case FONT_TYPE_T1: DEBUG_PRINT(DEBUG_DVI,("\n T1 CHAR:\t")); break;
+ case FONT_TYPE_FT: DEBUG_PRINT(DEBUG_DVI,("\n FT CHAR:\t")); break;
+ }
+- if (isprint(c))
++ if (debug & DEBUG_DVI && c>=0 && c<=UCHAR_MAX && isprint(c))
+ DEBUG_PRINT(DEBUG_DVI,("'%c' ",c));
+ DEBUG_PRINT(DEBUG_DVI,("%d at (%d,%d) tfmw %d", c,hh,vv,ptr->tfmw));
+ #endif
+ if (currentfont->type==FONT_TYPE_VF) {
+- return(SetVF(c));
+- } else if (ptr) {
++ return(SetVF(ptr));
++ } else {
+ if (ptr->data == NULL)
+ switch(currentfont->type) {
+ case FONT_TYPE_PK: LoadPK(c, ptr); break;
+@@ -127,7 +135,7 @@
+ Fatal("undefined fonttype %d",currentfont->type);
+ }
+ if (page_imagep != NULL)
+- return(SetGlyph(c, hh, vv));
++ return(SetGlyph(ptr, hh, vv));
+ else {
+ /* Expand bounding box if necessary */
+ min(x_min,hh - ptr->xOffset/shrinkfactor);
+diff -Naur tetex-src-3.0/texk/dvipng.orig/dvipng.h tetex-src-3.0/texk/dvipng/dvipng.h
+--- tetex-src-3.0/texk/dvipng.orig/dvipng.h 2005-02-04 18:21:09.000000000 +0900
++++ tetex-src-3.0/texk/dvipng/dvipng.h 2010-09-29 06:44:58.000000000 +0900
+@@ -363,9 +363,9 @@
+ void WriteImage(char*, int);
+ void LoadPK(int32_t, register struct char_entry *);
+ int32_t SetChar(int32_t);
+-dviunits SetGlyph(int32_t c, int32_t hh,int32_t vv);
++dviunits SetGlyph(struct char_entry *ptr, int32_t hh,int32_t vv);
+ void Gamma(double gamma);
+-int32_t SetVF(int32_t);
++int32_t SetVF(struct char_entry *ptr);
+ int32_t SetRule(int32_t, int32_t, int32_t, int32_t);
+ void SetSpecial(char *, int32_t, int32_t, int32_t);
+ void BeginVFMacro(struct font_entry*);
+diff -Naur tetex-src-3.0/texk/dvipng.orig/set.c tetex-src-3.0/texk/dvipng/set.c
+--- tetex-src-3.0/texk/dvipng.orig/set.c 2005-02-04 18:21:11.000000000 +0900
++++ tetex-src-3.0/texk/dvipng/set.c 2010-09-29 06:58:08.000000000 +0900
+@@ -180,10 +180,8 @@
+
+
+ #define GREYS 255
+-dviunits SetGlyph(int32_t c, int32_t hh,int32_t vv)
++dviunits SetGlyph(struct char_entry *ptr, int32_t hh,int32_t vv)
+ {
+- register struct char_entry *ptr = currentfont->chr[c];
+- /* temporary char_entry pointer */
+ int red,green,blue;
+ int *Color=alloca(sizeof(int)*(GREYS+1));
+ int x,y;
+diff -Naur tetex-src-3.0/texk/dvipng.orig/vf.c tetex-src-3.0/texk/dvipng/vf.c
+--- tetex-src-3.0/texk/dvipng.orig/vf.c 2005-02-04 18:21:11.000000000 +0900
++++ tetex-src-3.0/texk/dvipng/vf.c 2010-09-29 06:55:24.000000000 +0900
+@@ -28,11 +28,10 @@
+ #define VF_ID 202
+ #define LONG_CHAR 242
+
+-int32_t SetVF(int32_t c)
++int32_t SetVF(struct char_entry* ptr)
+ {
+ struct font_entry* currentvf;
+ unsigned char *command,*end;
+- struct char_entry* ptr=currentfont->chr[c];
+
+ currentvf=currentfont;
+ BeginVFMacro(currentvf);
Deleted: trunk/dports/tex/pTeX/files/security/dvipsk-CVE-2010-0739.diff
===================================================================
--- trunk/dports/tex/pTeX/files/security/dvipsk-CVE-2010-0739.diff 2010-09-28 19:31:36 UTC (rev 71967)
+++ trunk/dports/tex/pTeX/files/security/dvipsk-CVE-2010-0739.diff 2010-09-28 22:38:50 UTC (rev 71968)
@@ -1,15 +0,0 @@
---- tetex-src-3.0/texk/dvipsk/dospecial.c.orig 2010-03-28 09:07:31.000000000 +0900
-+++ tetex-src-3.0/texk/dvipsk/dospecial.c 2010-03-28 09:27:27.000000000 +0900
-@@ -412,6 +412,12 @@
- static int omega_specials = 0;
-
- if (nextstring + numbytes > maxstring) {
-+ if (numbytes < 0
-+ || (numbytes > 0 && 2 > INT_MAX / numbytes)
-+ || 2 * numbytes > 1000 + 2 * numbytes) {
-+ error("! Integer overflow in predospecial");
-+ exit(1);
-+ }
- p = nextstring = mymalloc(1000 + 2 * numbytes) ;
- maxstring = nextstring + 2 * numbytes + 700 ;
- }
Added: trunk/dports/tex/pTeX/files/security/dvipsk-CVE-2010-1440.diff
===================================================================
--- trunk/dports/tex/pTeX/files/security/dvipsk-CVE-2010-1440.diff (rev 0)
+++ trunk/dports/tex/pTeX/files/security/dvipsk-CVE-2010-1440.diff 2010-09-28 22:38:50 UTC (rev 71968)
@@ -0,0 +1,28 @@
+--- tetex-src-3.0/texk/dvipsk/dospecial.c.orig 2010-09-29 06:37:28.000000000 +0900
++++ tetex-src-3.0/texk/dvipsk/dospecial.c 2010-09-29 06:37:52.000000000 +0900
+@@ -411,7 +411,11 @@
+ int j ;
+ static int omega_specials = 0;
+
+- if (nextstring + numbytes > maxstring) {
++ if (numbytes < 0 || numbytes > maxstring - nextstring) {
++ if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 ) {
++ error("! Integer overflow in predospecial");
++ exit(1);
++ }
+ p = nextstring = mymalloc(1000 + 2 * numbytes) ;
+ maxstring = nextstring + 2 * numbytes + 700 ;
+ }
+@@ -1061,7 +1065,11 @@
+ char seen[NKEYS] ;
+ float valseen[NKEYS] ;
+
+- if (nextstring + nbytes > maxstring) {
++ if (nbytes < 0 || nbytes > maxstring - nextstring) {
++ if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2 ) {
++ error("! Integer overflow in bbdospecial");
++ exit(1);
++ }
+ p = nextstring = mymalloc(1000 + 2 * nbytes) ;
+ maxstring = nextstring + 2 * nbytes + 700 ;
+ }
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macosforge.org/pipermail/macports-changes/attachments/20100928/d950a10c/attachment.html>
More information about the macports-changes
mailing list