diff options
Diffstat (limited to 'app-text/tetex/files')
| -rw-r--r-- | app-text/tetex/files/digest-tetex-3.0_p1-r4 | 9 | ||||
| -rw-r--r-- | app-text/tetex/files/tetex-3.0_p1-CVE-2007-0650.patch | 80 | ||||
| -rw-r--r-- | app-text/tetex/files/tetex-3.0_p1-xpdf-CVE-2007-3387.patch | 16 |
3 files changed, 105 insertions, 0 deletions
diff --git a/app-text/tetex/files/digest-tetex-3.0_p1-r4 b/app-text/tetex/files/digest-tetex-3.0_p1-r4 new file mode 100644 index 000000000000..393f59b561f4 --- /dev/null +++ b/app-text/tetex/files/digest-tetex-3.0_p1-r4 @@ -0,0 +1,9 @@ +MD5 24568263880f911452936573211fa4e8 tetex-3.0_p1-gentoo.tar.gz 604 +RMD160 5da9d211792ab81d072f0fed65ac737aa3074a6b tetex-3.0_p1-gentoo.tar.gz 604 +SHA256 4e9236349a6d849db06fefcbbf5af7c333199312b461a06840cb8fd2eddd1ac6 tetex-3.0_p1-gentoo.tar.gz 604 +MD5 0f82ade673335256226d0321e6c5e2cf tetex-src-3.0_p1.tar.gz 13357541 +RMD160 24d5029619675ce597782562bc1b87052235d461 tetex-src-3.0_p1.tar.gz 13357541 +SHA256 e67fff941ba95222ac8f0e17395446723fd78045fc2ff548ca40cc72086a4cc1 tetex-src-3.0_p1.tar.gz 13357541 +MD5 ed9d30d9162d16ac8d5065cde6e0f6fa tetex-texmf-3.0.tar.gz 91402377 +RMD160 a1e87733fa3cbef04e39a690ed8549aeaaddb241 tetex-texmf-3.0.tar.gz 91402377 +SHA256 6c3b8fa619749cbb28ca0f8847e56773d13e0bb92f1ea34287420950373640c2 tetex-texmf-3.0.tar.gz 91402377 diff --git a/app-text/tetex/files/tetex-3.0_p1-CVE-2007-0650.patch b/app-text/tetex/files/tetex-3.0_p1-CVE-2007-0650.patch new file mode 100644 index 000000000000..4df77e5dd8f1 --- /dev/null +++ b/app-text/tetex/files/tetex-3.0_p1-CVE-2007-0650.patch @@ -0,0 +1,80 @@ +--- tetex-src-3.0/texk/makeindexk/mkind.c.CVE-2007-0650 2002-10-02 14:26:37.000000000 +0200 ++++ tetex-src-3.0/texk/makeindexk/mkind.c 2007-02-02 12:29:31.000000000 +0100 +@@ -179,7 +179,9 @@ + argc--; + if (argc <= 0) + FATAL("Expected -p <num>\n",""); +- strcpy(pageno, *++argv); ++ if (strlen(*++argv) >= sizeof(pageno)) ++ FATAL("Page number too high\n",""); ++ strcpy(pageno, *argv); + init_page = TRUE; + if (STREQ(pageno, EVEN)) { + log_given = TRUE; +@@ -230,7 +232,7 @@ + char tmp[STRING_MAX + 5]; + + /* base set by last call to check_idx */ +- sprintf (tmp, "%s%s", base, INDEX_STY); ++ snprintf (tmp, sizeof(tmp), "%s%s", base, INDEX_STY); + if (0 == access(tmp, R_OK)) { + open_sty (tmp); + sty_given = TRUE; +@@ -405,9 +407,9 @@ + STRING_MAX,totmem); + #endif /* DEBUG */ + +- if ((idx_fn = (char *) malloc(STRING_MAX)) == NULL) ++ if ((idx_fn = (char *) malloc(STRING_MAX+5)) == NULL) + FATAL("Not enough core...abort.\n", ""); +- sprintf(idx_fn, "%s%s", base, INDEX_IDX); ++ snprintf(idx_fn, STRING_MAX+5, "%s%s", base, INDEX_IDX); + if ((open_fn && + ((idx_fp = OPEN_IN(idx_fn)) == NULL) + ) || +@@ -434,7 +436,7 @@ + + /* index output file */ + if (!ind_given) { +- sprintf(ind, "%s%s", base, INDEX_IND); ++ snprintf(ind, sizeof(ind), "%s%s", base, INDEX_IND); + ind_fn = ind; + } + if ((ind_fp = OPEN_OUT(ind_fn)) == NULL) +@@ -442,14 +444,14 @@ + + /* index transcript file */ + if (!ilg_given) { +- sprintf(ilg, "%s%s", base, INDEX_ILG); ++ snprintf(ilg, sizeof(ilg), "%s%s", base, INDEX_ILG); + ilg_fn = ilg; + } + if ((ilg_fp = OPEN_OUT(ilg_fn)) == NULL) + FATAL("Can't create transcript file %s.\n", ilg_fn); + + if (log_given) { +- sprintf(log_fn, "%s%s", base, INDEX_LOG); ++ snprintf(log_fn, sizeof(log_fn), "%s%s", base, INDEX_LOG); + if ((log_fp = OPEN_IN(log_fn)) == NULL) { + FATAL("Source log file %s not found.\n", log_fn); + } else { +@@ -505,6 +507,9 @@ + if ((found = kpse_find_file (fn, kpse_ist_format, 1)) == NULL) { + FATAL("Index style file %s not found.\n", fn); + } else { ++ if (strlen(found) >= sizeof(sty_fn)) { ++ FATAL("Style file %s too long.\n", found); ++ } + strcpy(sty_fn,found); + if ((sty_fp = OPEN_IN(sty_fn)) == NULL) { + FATAL("Could not open style file %s.\n", sty_fn); +@@ -512,6 +517,9 @@ + } + #else + if ((path = getenv(STYLE_PATH)) == NULL) { ++ if (strlen(fn) >= sizeof(sty_fn)) { ++ FATAL("Style file %s too long.\n", fn); ++ } + /* style input path not defined */ + strcpy(sty_fn, fn); + sty_fp = OPEN_IN(sty_fn); diff --git a/app-text/tetex/files/tetex-3.0_p1-xpdf-CVE-2007-3387.patch b/app-text/tetex/files/tetex-3.0_p1-xpdf-CVE-2007-3387.patch new file mode 100644 index 000000000000..da3c7a6d19f7 --- /dev/null +++ b/app-text/tetex/files/tetex-3.0_p1-xpdf-CVE-2007-3387.patch @@ -0,0 +1,16 @@ +--- tetex-src-3.0/libs/xpdf/xpdf/Stream.cc Tue Feb 27 14:05:52 2007 ++++ tetex-src-3.0/libs/xpdf/xpdf/Stream.cc Thu Jul 12 15:55:49 2007 +@@ -421,7 +421,12 @@ + } + pixBytes = (nComps * nBits + 7) >> 3; + rowBytes = ((totalBits + 7) >> 3) + pixBytes; +- if (rowBytes < 0) { ++ if (width <= 0 || nComps <= 0 || nBits <= 0 || ++ nComps > gfxColorMaxComps || ++ nBits > 16 || ++ nVals <= 0 || ++ nVals * nBits + 7 <= 0 || ++ rowBytes <= 0) { + return; + } + predLine = (Guchar *)gmalloc(rowBytes); |