Fix another security issue with gv.

Zen Parse found a local buffer overflow in gv version 3.5.8 and earlier. Under this vulnerability, an attacker can create a carefully crafted, malformed PDF or PostScript file that, when viewed using gv, executes arbitrary commands on the system. http://marc.theaimsgroup.com/?l=bugtraq&m=103428425111983&w=2
2002-10-26 21:48:07 +00:00 · 2002-10-26 21:48:07 +00:00 · 78171009d1
commit 78171009d1
parent 47e89c180c
2 changed files with 129 additions and 4 deletions
--- a/print/gv/Makefile
+++ b/print/gv/Makefile
@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.18 2002/10/04 18:29:14 brad Exp $
+# $OpenBSD: Makefile,v 1.19 2002/10/26 21:48:07 brad Exp $

 COMMENT= 	"PostScript and PDF previewer"

 DISTNAME=	gv-3.5.8
-PKGNAME=	${DISTNAME}p1
+PKGNAME=	${DISTNAME}p2
 CATEGORIES=	print
 MASTER_SITES=	ftp://ftpthep.physik.uni-mainz.de/pub/gv/unix/

--- a/print/gv/patches/patch-source_ps_c
+++ b/print/gv/patches/patch-source_ps_c
@ -1,6 +1,6 @@
-$OpenBSD: patch-source_ps_c,v 1.1 2002/10/04 18:29:14 brad Exp $
+$OpenBSD: patch-source_ps_c,v 1.2 2002/10/26 21:48:07 brad Exp $
 --- source/ps.c.orig	Fri Jun  6 18:00:00 1997
-+++ source/ps.c	Fri Oct  4 14:20:31 2002
+++ source/ps.c	Wed Oct 23 19:17:59 2002
@@ -420,6 +420,16 @@ psscan(fileP,filename,filename_raw,filen
       char cmd[512];
       char s[512];
@ -18,6 +18,15 @@ $OpenBSD: patch-source_ps_c,v 1.1 2002/10/04 18:29:14 brad Exp $
       sprintf(cmd,cmd_uncompress,filename,filename_unc);
       INFMESSAGE(is compressed)
       INFSMESSAGE(uncompress command,cmd)
+@@ -478,7 +488,7 @@ unc_ok:
+       doc = (struct document *) PS_malloc(sizeof(struct document));
+       CHECK_MALLOCED(doc);
+       memset(doc, 0, sizeof(struct document));
+-      sscanf(line, "%*s %s", text);
+      sscanf(line, "%*s %256s", text);
+       /*###jp###*/
+       /*doc->epsf = iscomment(text, "EPSF-");*/
+       doc->epsf = iscomment(text, "EPSF");
@@ -491,6 +501,16 @@ unc_ok:
       char cmd[512];
       char s[512];
@ -35,3 +44,119 @@ $OpenBSD: patch-source_ps_c,v 1.1 2002/10/04 18:29:14 brad Exp $
       sprintf(cmd,cmd_scan_pdf,filename,filename_dsc);
       INFMESSAGE(is PDF)
       INFSMESSAGE(scan command,cmd)
+@@ -546,7 +566,7 @@ scan_ok:
+ 	} else if (doc->date == NULL && iscomment(line+2, "CreationDate:")) {
+ 	    doc->date = gettextline(line+length("%%CreationDate:"));
+ 	} else if (bb_set == NONE && iscomment(line+2, "BoundingBox:")) {
+-	    sscanf(line+length("%%BoundingBox:"), "%s", text);
+	    sscanf(line+length("%%BoundingBox:"), "%256s", text);
+ 	    if (strcmp(text, "(atend)") == 0) {
+ 		bb_set = ATEND;
+ 	    } else {
+@@ -578,7 +598,7 @@ scan_ok:
+ 	    }
+ 	} else if (orientation_set == NONE &&
+ 		   iscomment(line+2, "Orientation:")) {
+-	    sscanf(line+length("%%Orientation:"), "%s", text);
+	    sscanf(line+length("%%Orientation:"), "%256s", text);
+ 	    if (strcmp(text, "(atend)") == 0) {
+ 		orientation_set = ATEND;
+ 	    } else if (strcmp(text, "Portrait") == 0) {
+@@ -589,7 +609,7 @@ scan_ok:
+ 		orientation_set = 1;
+ 	    }
+ 	} else if (page_order_set == NONE && iscomment(line+2, "PageOrder:")) {
+-	    sscanf(line+length("%%PageOrder:"), "%s", text);
+	    sscanf(line+length("%%PageOrder:"), "%256s", text);
+ 	    if (strcmp(text, "(atend)") == 0) {
+ 		page_order_set = ATEND;
+ 	    } else if (strcmp(text, "Ascend") == 0) {
+@@ -603,7 +623,7 @@ scan_ok:
+ 		page_order_set = 1;
+ 	    }
+ 	} else if (pages_set == NONE && iscomment(line+2, "Pages:")) {
+-	    sscanf(line+length("%%Pages:"), "%s", text);
+	    sscanf(line+length("%%Pages:"), "%256s", text);
+ 	    if (strcmp(text, "(atend)") == 0) {
+ 		pages_set = ATEND;
+ 	    } else {
+@@ -823,7 +843,7 @@ scan_ok:
+ 		/* Do nothing */
+ 	    } else if (doc->default_page_orientation == NONE &&
+ 		iscomment(line+2, "PageOrientation:")) {
+-		sscanf(line+length("%%PageOrientation:"), "%s", text);
+		sscanf(line+length("%%PageOrientation:"), "%256s", text);
+ 		if (strcmp(text, "Portrait") == 0) {
+ 		    doc->default_page_orientation = PORTRAIT;
+ 		} else if (strcmp(text, "Landscape") == 0) {
+@@ -945,7 +965,7 @@ scan_ok:
+ 		/* Do nothing */
+ 	    } else if (doc->default_page_orientation == NONE &&
+ 		iscomment(line+2, "PageOrientation:")) {
+-		sscanf(line+length("%%PageOrientation:"), "%s", text);
+		sscanf(line+length("%%PageOrientation:"), "%256s", text);
+ 		if (strcmp(text, "Portrait") == 0) {
+ 		    doc->default_page_orientation = PORTRAIT;
+ 		} else if (strcmp(text, "Landscape") == 0) {
+@@ -1082,7 +1102,7 @@ continuepage:
+ 		/* Do nothing */
+ 	    } else if (doc->pages[doc->numpages].orientation == NONE &&
+ 		iscomment(line+2, "PageOrientation:")) {
+-		sscanf(line+length("%%PageOrientation:"), "%s", text);
+		sscanf(line+length("%%PageOrientation:"), "%256s", text);
+ 		if (strcmp(text, "Portrait") == 0) {
+ 		    doc->pages[doc->numpages].orientation = PORTRAIT;
+ 		} else if (strcmp(text, "Landscape") == 0) {
+@@ -1114,7 +1134,7 @@ continuepage:
+ 		PS_free(cp);
+ 	    } else if ((page_bb_set == NONE || page_bb_set == ATEND) &&
+ 		       iscomment(line+2, "PageBoundingBox:")) {
+-		sscanf(line+length("%%PageBoundingBox:"), "%s", text);
+		sscanf(line+length("%%PageBoundingBox:"), "%256s", text);
+ 		if (strcmp(text, "(atend)") == 0) {
+ 		    page_bb_set = ATEND;
+ 		} else {
+@@ -1228,14 +1248,14 @@ continuepage:
+ 	    }
+ 	} else if (orientation_set == ATEND &&
+ 		   iscomment(line+2, "Orientation:")) {
+-	    sscanf(line+length("%%Orientation:"), "%s", text);
+	    sscanf(line+length("%%Orientation:"), "%256s", text);
+ 	    if (strcmp(text, "Portrait") == 0) {
+ 		doc->orientation = PORTRAIT;
+ 	    } else if (strcmp(text, "Landscape") == 0) {
+ 		doc->orientation = LANDSCAPE;
+ 	    }
+ 	} else if (page_order_set == ATEND && iscomment(line+2, "PageOrder:")) {
+-	    sscanf(line+length("%%PageOrder:"), "%s", text);
+	    sscanf(line+length("%%PageOrder:"), "%256s", text);
+ 	    if (strcmp(text, "Ascend") == 0) {
+ 		doc->pageorder = ASCEND;
+ 	    } else if (strcmp(text, "Descend") == 0) {
+@@ -1789,7 +1809,7 @@ static char * readline (fd, lineP, posit
+       INFMESSAGE(encountered "BeginData:")
+       if (FD_LINE_LEN > 100) FD_BUF[100] = '\0';
+       text[0] = '\0';
+-      if (sscanf(line+length("%%BeginData:"), "%d %*s %s", &num, text) >= 1) {
+      if (sscanf(line+length("%%BeginData:"), "%d %*s %100s", &num, text) >= 1) {
+          if (strcmp(text, "Lines") == 0) {
+             INFIMESSAGE(number of lines to skip:,num)
+             while (num) {
+@@ -1888,7 +1908,7 @@ pscopyuntil(fd, to, begin, end, comment)
+          INFMESSAGE(encountered "BeginData:")
+          if (FD_LINE_LEN > 100) FD_BUF[100] = '\0';
+          text[0] = '\0';
+-         if (sscanf(line+length("%%BeginData:"), "%d %*s %s", &num, text) >= 1) {
+         if (sscanf(line+length("%%BeginData:"), "%d %*s %100s", &num, text) >= 1) {
+             if (strcmp(text, "Lines") == 0) {
+                INFIMESSAGE(number of lines:,num)
+                while (num) {
+@@ -1985,7 +2005,7 @@ pscopydoc(dest_file,src_filename,d,pagel
+           PS_free(comment);
+           continue;
+        }
+-       sscanf(comment+length("%%Pages:"), "%s", text);
+       sscanf(comment+length("%%Pages:"), "%256s", text);
+        if (strcmp(text, "(atend)") == 0) {
+           fputs(comment, dest_file);
+           pages_atend = True;