Security fix for CAN-2005-2097.

"A vulnerability has been reported in Xpdf, which can be exploited by malicious people to cause a DoS (Denial of Service) on a vulnerable system." http://secunia.com/advisories/16374/ Patches from Ubuntu and RedHat.
2005-08-12 12:27:30 +00:00 · 2005-08-12 12:27:30 +00:00 · ec0630dd50
commit ec0630dd50
parent 512941eabf
4 changed files with 69 additions and 2 deletions
--- a/print/xpdf/Makefile
+++ b/print/xpdf/Makefile
@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.37 2005/06/01 18:03:20 jlam Exp $
+# $NetBSD: Makefile,v 1.38 2005/08/12 12:27:30 salo Exp $

 DISTNAME=	xpdf-3.00
 PKGNAME=	${DISTNAME}pl3
+PKGREVISION=	1
 CATEGORIES=	print
 MASTER_SITES=	ftp://ftp.foolabs.com/pub/xpdf/ \
 		${MASTER_SITE_SUNSITE:=apps/graphics/viewers/X/} \
--- a/print/xpdf/distinfo
+++ b/print/xpdf/distinfo
@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.19 2005/02/24 12:51:45 agc Exp $
+$NetBSD: distinfo,v 1.20 2005/08/12 12:27:30 salo Exp $

 SHA1 (xpdf-3.00.tar.gz) = 080317afce0851274fec2865131f59590b54eb99
 RMD160 (xpdf-3.00.tar.gz) = d98668ac8cd059461107c4dfbd9b3fd3beff6176
@ -28,3 +28,5 @@ SHA1 (patch-am) = 794ff952c749c8dab6f575d55602cdc7e7157fef
 SHA1 (patch-an) = bf579a07e9b9868ed8d6a6450484c47ce9acaef0
 SHA1 (patch-ao) = fd25cab0255d24c4b55907b031f5f4ec68411576
 SHA1 (patch-ap) = 51d05bb8978003308e14274fc1ada4f1ace6d766
+SHA1 (patch-ar) = bd66ea42d4ba11bdcefcfef2988d37559f21e629
+SHA1 (patch-as) = e76bc488bc533ef3784ed863c2c5d4b0967afc29
--- a/print/xpdf/patches/patch-ar
+++ b/print/xpdf/patches/patch-ar
@ -0,0 +1,34 @@
+$NetBSD: patch-ar,v 1.1 2005/08/12 12:27:30 salo Exp $
+
+Fix for CAN-2005-2097, from Ubuntu and RedHat.
+
+--- fofi/FoFiTrueType.cc.orig	2004-01-22 02:26:44.000000000 +0100
+++ fofi/FoFiTrueType.cc	2005-08-12 13:49:51.000000000 +0200
+@@ -1343,6 +1343,27 @@
+     return;
+   }
+ 
+  // make sure the loca table is sane (correct length and entries are
+  // in bounds)
+  i = seekTable("loca");
+  if (tables[i].len < (nGlyphs + 1) * (locaFmt ? 4 : 2)) {
+    parsedOk = gFalse;
+    return;
+  }
+  for (j = 0; j <= nGlyphs; ++j) {
+    if (locaFmt) {
+      pos = (int)getU32BE(tables[i].offset + j*4, &parsedOk);
+    } else {
+      pos = getU16BE(tables[i].offset + j*2, &parsedOk);
+    }
+    if (pos < 0 || pos > len) {
+      parsedOk = gFalse;
+    }
+  }
+  if (!parsedOk) {
+    return;
+  }
+
+   // read the post table
+   readPostTable();
+   if (!parsedOk) {
--- a/print/xpdf/patches/patch-as
+++ b/print/xpdf/patches/patch-as
@ -0,0 +1,30 @@
+$NetBSD: patch-as,v 1.1 2005/08/12 12:27:30 salo Exp $
+
+Fix for CAN-2005-2097, from Ubuntu and RedHat.
+
+--- xpdf/SplashOutputDev.cc.orig	2004-01-22 02:26:45.000000000 +0100
+++ xpdf/SplashOutputDev.cc	2005-08-12 13:54:26.000000000 +0200
+@@ -621,16 +621,19 @@
+       }
+       break;
+     case fontTrueType:
+-      if (!(ff = FoFiTrueType::load(fileName->getCString()))) {
+-	goto err2;
+-      }
+      if ((ff = FoFiTrueType::load(fileName->getCString()))) {
+       codeToGID = ((Gfx8BitFont *)gfxFont)->getCodeToGIDMap(ff);
+	n = 256;
+       delete ff;
+      } else {
+	codeToGID = NULL;
+	n = 0;
+      }
+       if (!(fontFile = fontEngine->loadTrueTypeFont(
+ 			   id,
+ 			   fileName->getCString(),
+ 			   fileName == tmpFileName,
+-			   codeToGID, 256))) {
+			   codeToGID, n))) {
+ 	error(-1, "Couldn't create a font for '%s'",
+ 	      gfxFont->getName() ? gfxFont->getName()->getCString()
+ 	                         : "(unnamed)");