[arch-commits] Commit in unrtf/trunk (CVE-2016-10091.patch PKGBUILD unrtf.changelog)
Jaroslav Lichtblau
jlichtblau at archlinux.org
Thu Jan 5 20:38:21 UTC 2017
Date: Thursday, January 5, 2017 @ 20:38:21
Author: jlichtblau
Revision: 204937
upgpkg: unrtf 0.21.9-2 - FS#52362 fix
Added:
unrtf/trunk/CVE-2016-10091.patch
Modified:
unrtf/trunk/PKGBUILD
unrtf/trunk/unrtf.changelog
----------------------+
CVE-2016-10091.patch | 179 +++++++++++++++++++++++++++++++++++++++++++++++++
PKGBUILD | 13 ++-
unrtf.changelog | 3
3 files changed, 192 insertions(+), 3 deletions(-)
Added: CVE-2016-10091.patch
===================================================================
--- CVE-2016-10091.patch (rev 0)
+++ CVE-2016-10091.patch 2017-01-05 20:38:21 UTC (rev 204937)
@@ -0,0 +1,179 @@
+From: Jean-Francois Dockes <jf at dockes.org>
+Date: Sat, 31 Dec 2016 20:25:19 +0100
+Subject: Replace all instances of sprintf with snprintf and adjust size of
+ integer field in some cases
+
+This fixes CVE-2016-10091
+
+Bug-Debian: https://bugs.debian.org/849705
+---
+ src/attr.c | 4 ++--
+ src/convert.c | 28 ++++++++++++++--------------
+ src/output.c | 4 ++--
+ 3 files changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/src/attr.c b/src/attr.c
+index 02b5c81..e2951ea 100644
+--- a/src/attr.c
++++ b/src/attr.c
+@@ -746,7 +746,7 @@ char *
+ assemble_string(char *string, int nr)
+ {
+
+- char *s, tmp[12];/* Number of characters that can be in int type (including '\0') - AF */
++ char *s, tmp[20];
+ int i = 0, j = 0;
+
+ if (string == NULL)
+@@ -762,7 +762,7 @@ assemble_string(char *string, int nr)
+ }
+
+ if (string[i] != '\0') {
+- sprintf(tmp, "%d", nr);
++ snprintf(tmp, 20, "%d", nr);
+ strcpy(&s[j], tmp);
+ j = j + strlen(tmp);
+ }
+diff --git a/src/convert.c b/src/convert.c
+index c76d7d6..8eacdcb 100644
+--- a/src/convert.c
++++ b/src/convert.c
+@@ -472,7 +472,7 @@ static const int fcharsetparmtocp(int parm)
+ }
+
+ // Translate code page to encoding name hopefully suitable as iconv input
+-static char *cptoencoding(parm)
++static char *cptoencoding(int parm)
+ {
+ // Note that CP0 is supposed to mean current system default, which does
+ // not make any sense as a stored value, we don't handle it.
+@@ -964,7 +964,7 @@ cmd_cf (Word *w, int align, char has_param, int num)
+ }
+ else
+ {
+- sprintf(str,"#%02x%02x%02x",
++ snprintf(str, 40, "#%02x%02x%02x",
+ color_table[num].r,
+ color_table[num].g,
+ color_table[num].b);
+@@ -993,7 +993,7 @@ cmd_cb (Word *w, int align, char has_param, int num)
+ }
+ else
+ {
+- sprintf(str,"#%02x%02x%02x",
++ snprintf(str, 40, "#%02x%02x%02x",
+ color_table[num].r,
+ color_table[num].g,
+ color_table[num].b);
+@@ -1018,7 +1018,7 @@ cmd_fs (Word *w, int align, char has_param, int points) {
+ /* Note, fs20 means 10pt */
+ points /= 2;
+
+- sprintf(str,"%d",points);
++ snprintf(str, 20, "%d", points);
+ attr_push(ATTR_FONTSIZE,str);
+
+ return FALSE;
+@@ -1166,7 +1166,7 @@ cmd_f (Word *w, int align, char has_param, int num)
+ {
+ // TOBEDONE: WHAT'S THIS ???
+ name = my_malloc(12);
+- sprintf(name, "%d", num);
++ snprintf(name, 12, "%d", num);
+ }
+
+ /* we are going to output entities, so should not output font */
+@@ -1218,7 +1218,7 @@ cmd_highlight (Word *w, int align, char has_param, int num)
+ }
+ else
+ {
+- sprintf(str,"#%02x%02x%02x",
++ snprintf(str, 40, "#%02x%02x%02x",
+ color_table[num].r,
+ color_table[num].g,
+ color_table[num].b);
+@@ -1373,9 +1373,9 @@ cmd_ftech (Word *w, int align, char has_param, int param) {
+
+ static int
+ cmd_expand (Word *w, int align, char has_param, int param) {
+- char str[10];
++ char str[20];
+ if (has_param) {
+- sprintf(str, "%d", param/4);
++ snprintf(str, 20, "%d", param / 4);
+ if (!param)
+ attr_pop(ATTR_EXPAND);
+ else
+@@ -1394,7 +1394,7 @@ cmd_expand (Word *w, int align, char has_param, int param) {
+
+ static int
+ cmd_emboss (Word *w, int align, char has_param, int param) {
+- char str[10];
++ char str[20];
+ if (has_param && !param)
+ #ifdef SUPPORT_UNNESTED
+ attr_find_pop(ATTR_EMBOSS);
+@@ -1403,7 +1403,7 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
+ #endif
+ else
+ {
+- sprintf(str, "%d", param);
++ snprintf(str, 20, "%d", param);
+ attr_push(ATTR_EMBOSS, str);
+ }
+ return FALSE;
+@@ -1419,12 +1419,12 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
+
+ static int
+ cmd_engrave (Word *w, int align, char has_param, int param) {
+- char str[10];
++ char str[20];
+ if (has_param && !param)
+ attr_pop(ATTR_ENGRAVE);
+ else
+ {
+- sprintf(str, "%d", param);
++ snprintf(str, 20, "%d", param);
+ attr_push(ATTR_ENGRAVE, str);
+ }
+ return FALSE;
+@@ -1976,7 +1976,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) {
+
+ short done=0;
+ long unicode_number = (long) param; /* On 16bit architectures int is too small to store unicode characters. - AF */
+- char tmp[12]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */
++ char tmp[20]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */
+ const char *alias;
+ #define DEBUG 0
+ #if DEBUG
+@@ -2006,7 +2006,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) {
+ /* RTF spec: Unicode values beyond 32767 are represented by negative numbers */
+ unicode_number += 65536;
+ }
+- sprintf(tmp, "%ld", unicode_number);
++ snprintf(tmp, 20, "%ld", unicode_number);
+
+ if (safe_printf(1, op->unisymbol_print, tmp)) fprintf(stderr, TOO_MANY_ARGS, "unisymbol_print");
+ done++;
+diff --git a/src/output.c b/src/output.c
+index 86d8b5c..4cdbfa6 100644
+--- a/src/output.c
++++ b/src/output.c
+@@ -320,7 +320,7 @@ op_begin_std_fontsize (OutputPersonality *op, int size)
+ if (!found_std_expr) {
+ if (op->fontsize_begin) {
+ char expr[16];
+- sprintf (expr, "%d", size);
++ snprintf(expr, 16, "%d", size);
+ if (safe_printf (1, op->fontsize_begin, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_begin");
+ } else {
+ /* If we cannot write out a change for the exact
+@@ -440,7 +440,7 @@ op_end_std_fontsize (OutputPersonality *op, int size)
+ if (!found_std_expr) {
+ if (op->fontsize_end) {
+ char expr[16];
+- sprintf (expr, "%d", size);
++ snprintf(expr, 16, "%d", size);
+ if (safe_printf(1, op->fontsize_end, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_end");
+ } else {
+ /* If we cannot write out a change for the exact
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2017-01-05 20:10:53 UTC (rev 204936)
+++ PKGBUILD 2017-01-05 20:38:21 UTC (rev 204937)
@@ -5,7 +5,7 @@
pkgname=unrtf
pkgver=0.21.9
-pkgrel=1
+pkgrel=2
pkgdesc="Command-line program which converts RTF documents to other formats"
arch=('i686' 'x86_64')
url="http://www.gnu.org/software/unrtf/unrtf.html"
@@ -12,9 +12,16 @@
license=('GPL3')
depends=('glibc')
changelog=$pkgname.changelog
-source=(http://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz)
-sha256sums=('22a37826f96d754e335fb69f8036c068c00dd01ee9edd9461a36df0085fb8ddd')
+source=(http://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.gz
+ CVE-2016-10091.patch)
+sha256sums=('22a37826f96d754e335fb69f8036c068c00dd01ee9edd9461a36df0085fb8ddd'
+ '7a535e96764c7d5291060b4e0548b155e1f44357bf78463ad2ed3678c14f749d')
+prepare() {
+ cd "${srcdir}"/$pkgname-$pkgver
+ patch -Np1 -i "${srcdir}"/CVE-2016-10091.patch
+}
+
build() {
cd "${srcdir}"/$pkgname-$pkgver
Modified: unrtf.changelog
===================================================================
--- unrtf.changelog 2017-01-05 20:10:53 UTC (rev 204936)
+++ unrtf.changelog 2017-01-05 20:38:21 UTC (rev 204937)
@@ -1,3 +1,6 @@
+2017-01-05 Jaroslav Lichtblau <svetlemodry at archlinux.org>
+ * unrtf 0.21.9-2 FS#52362 fix
+
2015-03-17 Jaroslav Lichtblau <svetlemodry at archlinux.org>
* unrtf 0.21.9-1
More information about the arch-commits
mailing list