diff options
Diffstat (limited to 'gnu/packages/patches/unrtf-CVE-2016-10091.patch')
-rw-r--r-- | gnu/packages/patches/unrtf-CVE-2016-10091.patch | 189 |
1 files changed, 0 insertions, 189 deletions
diff --git a/gnu/packages/patches/unrtf-CVE-2016-10091.patch b/gnu/packages/patches/unrtf-CVE-2016-10091.patch deleted file mode 100644 index badd1b8ed6..0000000000 --- a/gnu/packages/patches/unrtf-CVE-2016-10091.patch +++ /dev/null @@ -1,189 +0,0 @@ -Fix CVE-2016-10091 (stack-based buffer overflows in cmd_* functions): - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10091 -https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849705 -http://seclists.org/oss-sec/2016/q4/787 - -Patch adapted from Debian: - -https://anonscm.debian.org/cgit/collab-maint/unrtf.git/commit/?h=jessie&id=7500a48fb0fbad3ab963fb17560b2f90a8a485c8 - -The Debian patch adapts this upstream commit so that it can be applied -to the 0.21.9 release tarball: - -http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406 - -From 7dd568ed8a6a5acb6c04f2b40f457d63a00435f3 Mon Sep 17 00:00:00 2001 -From: Willi Mann <willi@debian.org> -Date: Sat, 31 Dec 2016 20:31:38 +0100 -Subject: [PATCH] Add patch from upstream to fix CVE-2016-10091 (buffer - overflow in various cmd_ functions) - -diff --git a/src/attr.c b/src/attr.c -index 02b5c81..e2951ea 100644 ---- a/src/attr.c -+++ b/src/attr.c -@@ -746,7 +746,7 @@ char * - assemble_string(char *string, int nr) - { - -- char *s, tmp[12];/* Number of characters that can be in int type (including '\0') - AF */ -+ char *s, tmp[20]; - int i = 0, j = 0; - - if (string == NULL) -@@ -762,7 +762,7 @@ assemble_string(char *string, int nr) - } - - if (string[i] != '\0') { -- sprintf(tmp, "%d", nr); -+ snprintf(tmp, 20, "%d", nr); - strcpy(&s[j], tmp); - j = j + strlen(tmp); - } -diff --git a/src/convert.c b/src/convert.c -index c76d7d6..8eacdcb 100644 ---- a/src/convert.c -+++ b/src/convert.c -@@ -472,7 +472,7 @@ static const int fcharsetparmtocp(int parm) - } - - // Translate code page to encoding name hopefully suitable as iconv input --static char *cptoencoding(parm) -+static char *cptoencoding(int parm) - { - // Note that CP0 is supposed to mean current system default, which does - // not make any sense as a stored value, we don't handle it. -@@ -964,7 +964,7 @@ cmd_cf (Word *w, int align, char has_param, int num) - } - else - { -- sprintf(str,"#%02x%02x%02x", -+ snprintf(str, 40, "#%02x%02x%02x", - color_table[num].r, - color_table[num].g, - color_table[num].b); -@@ -993,7 +993,7 @@ cmd_cb (Word *w, int align, char has_param, int num) - } - else - { -- sprintf(str,"#%02x%02x%02x", -+ snprintf(str, 40, "#%02x%02x%02x", - color_table[num].r, - color_table[num].g, - color_table[num].b); -@@ -1018,7 +1018,7 @@ cmd_fs (Word *w, int align, char has_param, int points) { - /* Note, fs20 means 10pt */ - points /= 2; - -- sprintf(str,"%d",points); -+ snprintf(str, 20, "%d", points); - attr_push(ATTR_FONTSIZE,str); - - return FALSE; -@@ -1166,7 +1166,7 @@ cmd_f (Word *w, int align, char has_param, int num) - { - // TOBEDONE: WHAT'S THIS ??? - name = my_malloc(12); -- sprintf(name, "%d", num); -+ snprintf(name, 12, "%d", num); - } - - /* we are going to output entities, so should not output font */ -@@ -1218,7 +1218,7 @@ cmd_highlight (Word *w, int align, char has_param, int num) - } - else - { -- sprintf(str,"#%02x%02x%02x", -+ snprintf(str, 40, "#%02x%02x%02x", - color_table[num].r, - color_table[num].g, - color_table[num].b); -@@ -1373,9 +1373,9 @@ cmd_ftech (Word *w, int align, char has_param, int param) { - - static int - cmd_expand (Word *w, int align, char has_param, int param) { -- char str[10]; -+ char str[20]; - if (has_param) { -- sprintf(str, "%d", param/4); -+ snprintf(str, 20, "%d", param / 4); - if (!param) - attr_pop(ATTR_EXPAND); - else -@@ -1394,7 +1394,7 @@ cmd_expand (Word *w, int align, char has_param, int param) { - - static int - cmd_emboss (Word *w, int align, char has_param, int param) { -- char str[10]; -+ char str[20]; - if (has_param && !param) - #ifdef SUPPORT_UNNESTED - attr_find_pop(ATTR_EMBOSS); -@@ -1403,7 +1403,7 @@ cmd_emboss (Word *w, int align, char has_param, int param) { - #endif - else - { -- sprintf(str, "%d", param); -+ snprintf(str, 20, "%d", param); - attr_push(ATTR_EMBOSS, str); - } - return FALSE; -@@ -1419,12 +1419,12 @@ cmd_emboss (Word *w, int align, char has_param, int param) { - - static int - cmd_engrave (Word *w, int align, char has_param, int param) { -- char str[10]; -+ char str[20]; - if (has_param && !param) - attr_pop(ATTR_ENGRAVE); - else - { -- sprintf(str, "%d", param); -+ snprintf(str, 20, "%d", param); - attr_push(ATTR_ENGRAVE, str); - } - return FALSE; -@@ -1976,7 +1976,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) { - - short done=0; - long unicode_number = (long) param; /* On 16bit architectures int is too small to store unicode characters. - AF */ -- char tmp[12]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */ -+ char tmp[20]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */ - const char *alias; - #define DEBUG 0 - #if DEBUG -@@ -2006,7 +2006,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) { - /* RTF spec: Unicode values beyond 32767 are represented by negative numbers */ - unicode_number += 65536; - } -- sprintf(tmp, "%ld", unicode_number); -+ snprintf(tmp, 20, "%ld", unicode_number); - - if (safe_printf(1, op->unisymbol_print, tmp)) fprintf(stderr, TOO_MANY_ARGS, "unisymbol_print"); - done++; -diff --git a/src/output.c b/src/output.c -index 86d8b5c..4cdbfa6 100644 ---- a/src/output.c -+++ b/src/output.c -@@ -320,7 +320,7 @@ op_begin_std_fontsize (OutputPersonality *op, int size) - if (!found_std_expr) { - if (op->fontsize_begin) { - char expr[16]; -- sprintf (expr, "%d", size); -+ snprintf(expr, 16, "%d", size); - if (safe_printf (1, op->fontsize_begin, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_begin"); - } else { - /* If we cannot write out a change for the exact -@@ -440,7 +440,7 @@ op_end_std_fontsize (OutputPersonality *op, int size) - if (!found_std_expr) { - if (op->fontsize_end) { - char expr[16]; -- sprintf (expr, "%d", size); -+ snprintf(expr, 16, "%d", size); - if (safe_printf(1, op->fontsize_end, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_end"); - } else { - /* If we cannot write out a change for the exact -- -.11.0 - |