diff options
author | Florian Franzmann | 2009-09-09 14:05:33 +0200 |
---|---|---|
committer | Eric Sandall | 2009-10-09 13:13:43 -0700 |
commit | 76b9380c02addf7a5cdd002c60079b89181ab849 (patch) | |
tree | 1d9b74f2bc106d182029e10a29865cc5cccef452 | |
parent | 21b52dd6123a7b25deb1469350d244dbc5fe5140 (diff) |
x11-toolkits/wxgtk: fixed security issue (CVE-2009-2369)
(Cherry-picked from 9a102e4e30da7c6ba8031f5bf26db3f9b043b1bf)
-rwxr-xr-x | x11-toolkits/wxgtk/DETAILS | 1 | ||||
-rw-r--r-- | x11-toolkits/wxgtk/HISTORY | 6 | ||||
-rwxr-xr-x | x11-toolkits/wxgtk/PRE_BUILD | 3 | ||||
-rw-r--r-- | x11-toolkits/wxgtk/wxGTK-2.8.10.1-CVE-2009-2369.patch | 59 |
4 files changed, 69 insertions, 0 deletions
diff --git a/x11-toolkits/wxgtk/DETAILS b/x11-toolkits/wxgtk/DETAILS index 5479a48829..ddd6cf8706 100755 --- a/x11-toolkits/wxgtk/DETAILS +++ b/x11-toolkits/wxgtk/DETAILS @@ -3,6 +3,7 @@ if [[ "$WX_DEV" == "y" ]];then VERSION=2.8.10 SOURCE_HASH=sha512:3a007846beff1ccc736d267d66793967350d1eaccc1d4707d7a9133cd5215d53158247a5f1882479a30e156ebcd86affe74633da392b295ad890f3819ca6bea5 + SECURITY_PATCH=1 else VERSION=2.6.4 SOURCE_HASH=sha512:53b3a1a111288910b18e3743d8e389398bf7e60cddbf0ad609cd72fa4fbd5da2bb9b3b94427ba7ec9d695fb1cbca5fa79a1836a15c652aebf2ae605b1f93f4c5 diff --git a/x11-toolkits/wxgtk/HISTORY b/x11-toolkits/wxgtk/HISTORY index acb10014d0..6d46db42b1 100644 --- a/x11-toolkits/wxgtk/HISTORY +++ b/x11-toolkits/wxgtk/HISTORY @@ -1,3 +1,9 @@ +2009-09-09 Florian Franzmann <siflfran@hawo.stw.uni-erlangen.de> + * PRE_BUILD, wxgtk-2.8.10-gsocket.patch: added patch to make + the spell compile with our version of glib + * PRE_BUILD, wxGTK-2.8.10.1-CVE-2009-2369.patch, DETAILS: + added patch that fixes CVE-2009-2369, set SECURITY_PATCH=1 + 2009-06-08 Treeve Jelbert <treeve@sourcemage.org> * PROVIDES: added * CONFLICTS: add wxgtk-new diff --git a/x11-toolkits/wxgtk/PRE_BUILD b/x11-toolkits/wxgtk/PRE_BUILD index 3b1d034755..91b0154c3b 100755 --- a/x11-toolkits/wxgtk/PRE_BUILD +++ b/x11-toolkits/wxgtk/PRE_BUILD @@ -3,4 +3,7 @@ cd $SOURCE_DIRECTORY && if [[ $WX_DEV != y ]]; then patch -p1 < $SPELL_DIRECTORY/debdiff.patch +else + patch -p1 < ${SPELL_DIRECTORY}/wxGTK-2.8.10.1-CVE-2009-2369.patch && + patch -p1 < ${SPELL_DIRECTORY}/wxgtk-2.8.10-gsocket.patch fi diff --git a/x11-toolkits/wxgtk/wxGTK-2.8.10.1-CVE-2009-2369.patch b/x11-toolkits/wxgtk/wxGTK-2.8.10.1-CVE-2009-2369.patch new file mode 100644 index 0000000000..42392c8bb3 --- /dev/null +++ b/x11-toolkits/wxgtk/wxGTK-2.8.10.1-CVE-2009-2369.patch @@ -0,0 +1,59 @@ +diff -Naurp wxPython-src-2.8.10.1-orig/src/common/imagpng.cpp wxPython-src-2.8.10.1/src/common/imagpng.cpp +--- wxPython-src-2.8.10.1-orig/src/common/imagpng.cpp 2008-05-11 22:26:45.000000000 -0600 ++++ wxPython-src-2.8.10.1/src/common/imagpng.cpp 2009-07-18 19:54:13.128547627 -0600 +@@ -568,18 +568,16 @@ wxPNGHandler::LoadFile(wxImage *image, + if (!image->Ok()) + goto error; + +- lines = (unsigned char **)malloc( (size_t)(height * sizeof(unsigned char *)) ); ++ // initialize all line pointers to NULL to ensure that they can be safely ++ // free()d if an error occurs before all of them could be allocated ++ lines = (unsigned char **)calloc(height, sizeof(unsigned char *)); + if ( !lines ) + goto error; + + for (i = 0; i < height; i++) + { + if ((lines[i] = (unsigned char *)malloc( (size_t)(width * (sizeof(unsigned char) * 4)))) == NULL) +- { +- for ( unsigned int n = 0; n < i; n++ ) +- free( lines[n] ); + goto error; +- } + } + + png_read_image( png_ptr, lines ); +diff -Naurp wxPython-src-2.8.10.1-orig/src/common/imagtiff.cpp wxPython-src-2.8.10.1/src/common/imagtiff.cpp +--- wxPython-src-2.8.10.1-orig/src/common/imagtiff.cpp 2007-09-21 14:27:05.000000000 -0600 ++++ wxPython-src-2.8.10.1/src/common/imagtiff.cpp 2009-07-18 19:54:35.801832862 -0600 +@@ -261,7 +261,6 @@ bool wxTIFFHandler::LoadFile( wxImage *i + } + + uint32 w, h; +- uint32 npixels; + uint32 *raster; + + TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w ); +@@ -275,9 +274,20 @@ bool wxTIFFHandler::LoadFile( wxImage *i + (samplesInfo[0] == EXTRASAMPLE_ASSOCALPHA || + samplesInfo[0] == EXTRASAMPLE_UNASSALPHA)); + +- npixels = w * h; ++ // guard against integer overflow during multiplication which could result ++ // in allocating a too small buffer and then overflowing it ++ const double bytesNeeded = (double)w * (double)h * sizeof(uint32); ++ if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ ) ++ { ++ if ( verbose ) ++ wxLogError( _("TIFF: Image size is abnormally big.") ); ++ ++ TIFFClose(tif); ++ ++ return false; ++ } + +- raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) ); ++ raster = (uint32*) _TIFFmalloc( bytesNeeded ); + + if (!raster) + { |