aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2017-01-01 15:12:48 -0500
committerLeo Famulari <leo@famulari.name>2017-01-04 14:42:58 -0500
commit5f0fabec54812e9ebd9a54b7c24b29899c765548 (patch)
treeb558aaecc1801752a79286ed36a4b278e4074986
parent7a203059d3d0dcbf1f1a8792636b0b41f85b61cf (diff)
downloadpatches-5f0fabec54812e9ebd9a54b7c24b29899c765548.tar
patches-5f0fabec54812e9ebd9a54b7c24b29899c765548.tar.gz
gnu: unrtf: Fix CVE-2016-10091.
* gnu/packages/patches/unrtf-CVE-2016-10091.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/unrtf.scm (unrtf)[source]: Use it.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/patches/unrtf-CVE-2016-10091.patch189
-rw-r--r--gnu/packages/unrtf.scm2
3 files changed, 192 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 4d321d1a59..2e714ac28c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -881,6 +881,7 @@ dist_patch_DATA = \
%D%/packages/patches/tophat-build-with-later-seqan.patch \
%D%/packages/patches/totem-debug-format-fix.patch \
%D%/packages/patches/tuxpaint-stamps-path.patch \
+ %D%/packages/patches/unrtf-CVE-2016-10091.patch \
%D%/packages/patches/unzip-CVE-2014-8139.patch \
%D%/packages/patches/unzip-CVE-2014-8140.patch \
%D%/packages/patches/unzip-CVE-2014-8141.patch \
diff --git a/gnu/packages/patches/unrtf-CVE-2016-10091.patch b/gnu/packages/patches/unrtf-CVE-2016-10091.patch
new file mode 100644
index 0000000000..badd1b8ed6
--- /dev/null
+++ b/gnu/packages/patches/unrtf-CVE-2016-10091.patch
@@ -0,0 +1,189 @@
+Fix CVE-2016-10091 (stack-based buffer overflows in cmd_* functions):
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10091
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849705
+http://seclists.org/oss-sec/2016/q4/787
+
+Patch adapted from Debian:
+
+https://anonscm.debian.org/cgit/collab-maint/unrtf.git/commit/?h=jessie&id=7500a48fb0fbad3ab963fb17560b2f90a8a485c8
+
+The Debian patch adapts this upstream commit so that it can be applied
+to the 0.21.9 release tarball:
+
+http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406
+
+From 7dd568ed8a6a5acb6c04f2b40f457d63a00435f3 Mon Sep 17 00:00:00 2001
+From: Willi Mann <willi@debian.org>
+Date: Sat, 31 Dec 2016 20:31:38 +0100
+Subject: [PATCH] Add patch from upstream to fix CVE-2016-10091 (buffer
+ overflow in various cmd_ functions)
+
+diff --git a/src/attr.c b/src/attr.c
+index 02b5c81..e2951ea 100644
+--- a/src/attr.c
++++ b/src/attr.c
+@@ -746,7 +746,7 @@ char *
+ assemble_string(char *string, int nr)
+ {
+
+- char *s, tmp[12];/* Number of characters that can be in int type (including '\0') - AF */
++ char *s, tmp[20];
+ int i = 0, j = 0;
+
+ if (string == NULL)
+@@ -762,7 +762,7 @@ assemble_string(char *string, int nr)
+ }
+
+ if (string[i] != '\0') {
+- sprintf(tmp, "%d", nr);
++ snprintf(tmp, 20, "%d", nr);
+ strcpy(&s[j], tmp);
+ j = j + strlen(tmp);
+ }
+diff --git a/src/convert.c b/src/convert.c
+index c76d7d6..8eacdcb 100644
+--- a/src/convert.c
++++ b/src/convert.c
+@@ -472,7 +472,7 @@ static const int fcharsetparmtocp(int parm)
+ }
+
+ // Translate code page to encoding name hopefully suitable as iconv input
+-static char *cptoencoding(parm)
++static char *cptoencoding(int parm)
+ {
+ // Note that CP0 is supposed to mean current system default, which does
+ // not make any sense as a stored value, we don't handle it.
+@@ -964,7 +964,7 @@ cmd_cf (Word *w, int align, char has_param, int num)
+ }
+ else
+ {
+- sprintf(str,"#%02x%02x%02x",
++ snprintf(str, 40, "#%02x%02x%02x",
+ color_table[num].r,
+ color_table[num].g,
+ color_table[num].b);
+@@ -993,7 +993,7 @@ cmd_cb (Word *w, int align, char has_param, int num)
+ }
+ else
+ {
+- sprintf(str,"#%02x%02x%02x",
++ snprintf(str, 40, "#%02x%02x%02x",
+ color_table[num].r,
+ color_table[num].g,
+ color_table[num].b);
+@@ -1018,7 +1018,7 @@ cmd_fs (Word *w, int align, char has_param, int points) {
+ /* Note, fs20 means 10pt */
+ points /= 2;
+
+- sprintf(str,"%d",points);
++ snprintf(str, 20, "%d", points);
+ attr_push(ATTR_FONTSIZE,str);
+
+ return FALSE;
+@@ -1166,7 +1166,7 @@ cmd_f (Word *w, int align, char has_param, int num)
+ {
+ // TOBEDONE: WHAT'S THIS ???
+ name = my_malloc(12);
+- sprintf(name, "%d", num);
++ snprintf(name, 12, "%d", num);
+ }
+
+ /* we are going to output entities, so should not output font */
+@@ -1218,7 +1218,7 @@ cmd_highlight (Word *w, int align, char has_param, int num)
+ }
+ else
+ {
+- sprintf(str,"#%02x%02x%02x",
++ snprintf(str, 40, "#%02x%02x%02x",
+ color_table[num].r,
+ color_table[num].g,
+ color_table[num].b);
+@@ -1373,9 +1373,9 @@ cmd_ftech (Word *w, int align, char has_param, int param) {
+
+ static int
+ cmd_expand (Word *w, int align, char has_param, int param) {
+- char str[10];
++ char str[20];
+ if (has_param) {
+- sprintf(str, "%d", param/4);
++ snprintf(str, 20, "%d", param / 4);
+ if (!param)
+ attr_pop(ATTR_EXPAND);
+ else
+@@ -1394,7 +1394,7 @@ cmd_expand (Word *w, int align, char has_param, int param) {
+
+ static int
+ cmd_emboss (Word *w, int align, char has_param, int param) {
+- char str[10];
++ char str[20];
+ if (has_param && !param)
+ #ifdef SUPPORT_UNNESTED
+ attr_find_pop(ATTR_EMBOSS);
+@@ -1403,7 +1403,7 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
+ #endif
+ else
+ {
+- sprintf(str, "%d", param);
++ snprintf(str, 20, "%d", param);
+ attr_push(ATTR_EMBOSS, str);
+ }
+ return FALSE;
+@@ -1419,12 +1419,12 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
+
+ static int
+ cmd_engrave (Word *w, int align, char has_param, int param) {
+- char str[10];
++ char str[20];
+ if (has_param && !param)
+ attr_pop(ATTR_ENGRAVE);
+ else
+ {
+- sprintf(str, "%d", param);
++ snprintf(str, 20, "%d", param);
+ attr_push(ATTR_ENGRAVE, str);
+ }
+ return FALSE;
+@@ -1976,7 +1976,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) {
+
+ short done=0;
+ long unicode_number = (long) param; /* On 16bit architectures int is too small to store unicode characters. - AF */
+- char tmp[12]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */
++ char tmp[20]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */
+ const char *alias;
+ #define DEBUG 0
+ #if DEBUG
+@@ -2006,7 +2006,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) {
+ /* RTF spec: Unicode values beyond 32767 are represented by negative numbers */
+ unicode_number += 65536;
+ }
+- sprintf(tmp, "%ld", unicode_number);
++ snprintf(tmp, 20, "%ld", unicode_number);
+
+ if (safe_printf(1, op->unisymbol_print, tmp)) fprintf(stderr, TOO_MANY_ARGS, "unisymbol_print");
+ done++;
+diff --git a/src/output.c b/src/output.c
+index 86d8b5c..4cdbfa6 100644
+--- a/src/output.c
++++ b/src/output.c
+@@ -320,7 +320,7 @@ op_begin_std_fontsize (OutputPersonality *op, int size)
+ if (!found_std_expr) {
+ if (op->fontsize_begin) {
+ char expr[16];
+- sprintf (expr, "%d", size);
++ snprintf(expr, 16, "%d", size);
+ if (safe_printf (1, op->fontsize_begin, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_begin");
+ } else {
+ /* If we cannot write out a change for the exact
+@@ -440,7 +440,7 @@ op_end_std_fontsize (OutputPersonality *op, int size)
+ if (!found_std_expr) {
+ if (op->fontsize_end) {
+ char expr[16];
+- sprintf (expr, "%d", size);
++ snprintf(expr, 16, "%d", size);
+ if (safe_printf(1, op->fontsize_end, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_end");
+ } else {
+ /* If we cannot write out a change for the exact
+-
+.11.0
+
diff --git a/gnu/packages/unrtf.scm b/gnu/packages/unrtf.scm
index 162dec7525..e11c9445ca 100644
--- a/gnu/packages/unrtf.scm
+++ b/gnu/packages/unrtf.scm
@@ -23,6 +23,7 @@
#:use-module (guix download)
#:use-module (guix build-system gnu)
#:use-module (guix gexp)
+ #:use-module (gnu packages)
#:use-module (gnu packages autotools)
#:use-module (gnu packages m4)
#:use-module (gnu packages base))
@@ -35,6 +36,7 @@
(method url-fetch)
(uri (string-append "mirror://gnu/unrtf/unrtf-"
version ".tar.gz"))
+ (patches (search-patches "unrtf-CVE-2016-10091.patch"))
(sha256
(base32
"1pcdzf2h1prn393dkvg93v80vh38q0v817xnbwrlwxbdz4k7i8r2"))