5f0fabec54
* gnu/packages/patches/unrtf-CVE-2016-10091.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/unrtf.scm (unrtf)[source]: Use it.
190 lines
6.0 KiB
Diff
190 lines
6.0 KiB
Diff
Fix CVE-2016-10091 (stack-based buffer overflows in cmd_* functions):
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10091
|
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849705
|
|
http://seclists.org/oss-sec/2016/q4/787
|
|
|
|
Patch adapted from Debian:
|
|
|
|
https://anonscm.debian.org/cgit/collab-maint/unrtf.git/commit/?h=jessie&id=7500a48fb0fbad3ab963fb17560b2f90a8a485c8
|
|
|
|
The Debian patch adapts this upstream commit so that it can be applied
|
|
to the 0.21.9 release tarball:
|
|
|
|
http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406
|
|
|
|
From 7dd568ed8a6a5acb6c04f2b40f457d63a00435f3 Mon Sep 17 00:00:00 2001
|
|
From: Willi Mann <willi@debian.org>
|
|
Date: Sat, 31 Dec 2016 20:31:38 +0100
|
|
Subject: [PATCH] Add patch from upstream to fix CVE-2016-10091 (buffer
|
|
overflow in various cmd_ functions)
|
|
|
|
diff --git a/src/attr.c b/src/attr.c
|
|
index 02b5c81..e2951ea 100644
|
|
--- a/src/attr.c
|
|
+++ b/src/attr.c
|
|
@@ -746,7 +746,7 @@ char *
|
|
assemble_string(char *string, int nr)
|
|
{
|
|
|
|
- char *s, tmp[12];/* Number of characters that can be in int type (including '\0') - AF */
|
|
+ char *s, tmp[20];
|
|
int i = 0, j = 0;
|
|
|
|
if (string == NULL)
|
|
@@ -762,7 +762,7 @@ assemble_string(char *string, int nr)
|
|
}
|
|
|
|
if (string[i] != '\0') {
|
|
- sprintf(tmp, "%d", nr);
|
|
+ snprintf(tmp, 20, "%d", nr);
|
|
strcpy(&s[j], tmp);
|
|
j = j + strlen(tmp);
|
|
}
|
|
diff --git a/src/convert.c b/src/convert.c
|
|
index c76d7d6..8eacdcb 100644
|
|
--- a/src/convert.c
|
|
+++ b/src/convert.c
|
|
@@ -472,7 +472,7 @@ static const int fcharsetparmtocp(int parm)
|
|
}
|
|
|
|
// Translate code page to encoding name hopefully suitable as iconv input
|
|
-static char *cptoencoding(parm)
|
|
+static char *cptoencoding(int parm)
|
|
{
|
|
// Note that CP0 is supposed to mean current system default, which does
|
|
// not make any sense as a stored value, we don't handle it.
|
|
@@ -964,7 +964,7 @@ cmd_cf (Word *w, int align, char has_param, int num)
|
|
}
|
|
else
|
|
{
|
|
- sprintf(str,"#%02x%02x%02x",
|
|
+ snprintf(str, 40, "#%02x%02x%02x",
|
|
color_table[num].r,
|
|
color_table[num].g,
|
|
color_table[num].b);
|
|
@@ -993,7 +993,7 @@ cmd_cb (Word *w, int align, char has_param, int num)
|
|
}
|
|
else
|
|
{
|
|
- sprintf(str,"#%02x%02x%02x",
|
|
+ snprintf(str, 40, "#%02x%02x%02x",
|
|
color_table[num].r,
|
|
color_table[num].g,
|
|
color_table[num].b);
|
|
@@ -1018,7 +1018,7 @@ cmd_fs (Word *w, int align, char has_param, int points) {
|
|
/* Note, fs20 means 10pt */
|
|
points /= 2;
|
|
|
|
- sprintf(str,"%d",points);
|
|
+ snprintf(str, 20, "%d", points);
|
|
attr_push(ATTR_FONTSIZE,str);
|
|
|
|
return FALSE;
|
|
@@ -1166,7 +1166,7 @@ cmd_f (Word *w, int align, char has_param, int num)
|
|
{
|
|
// TOBEDONE: WHAT'S THIS ???
|
|
name = my_malloc(12);
|
|
- sprintf(name, "%d", num);
|
|
+ snprintf(name, 12, "%d", num);
|
|
}
|
|
|
|
/* we are going to output entities, so should not output font */
|
|
@@ -1218,7 +1218,7 @@ cmd_highlight (Word *w, int align, char has_param, int num)
|
|
}
|
|
else
|
|
{
|
|
- sprintf(str,"#%02x%02x%02x",
|
|
+ snprintf(str, 40, "#%02x%02x%02x",
|
|
color_table[num].r,
|
|
color_table[num].g,
|
|
color_table[num].b);
|
|
@@ -1373,9 +1373,9 @@ cmd_ftech (Word *w, int align, char has_param, int param) {
|
|
|
|
static int
|
|
cmd_expand (Word *w, int align, char has_param, int param) {
|
|
- char str[10];
|
|
+ char str[20];
|
|
if (has_param) {
|
|
- sprintf(str, "%d", param/4);
|
|
+ snprintf(str, 20, "%d", param / 4);
|
|
if (!param)
|
|
attr_pop(ATTR_EXPAND);
|
|
else
|
|
@@ -1394,7 +1394,7 @@ cmd_expand (Word *w, int align, char has_param, int param) {
|
|
|
|
static int
|
|
cmd_emboss (Word *w, int align, char has_param, int param) {
|
|
- char str[10];
|
|
+ char str[20];
|
|
if (has_param && !param)
|
|
#ifdef SUPPORT_UNNESTED
|
|
attr_find_pop(ATTR_EMBOSS);
|
|
@@ -1403,7 +1403,7 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
|
|
#endif
|
|
else
|
|
{
|
|
- sprintf(str, "%d", param);
|
|
+ snprintf(str, 20, "%d", param);
|
|
attr_push(ATTR_EMBOSS, str);
|
|
}
|
|
return FALSE;
|
|
@@ -1419,12 +1419,12 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
|
|
|
|
static int
|
|
cmd_engrave (Word *w, int align, char has_param, int param) {
|
|
- char str[10];
|
|
+ char str[20];
|
|
if (has_param && !param)
|
|
attr_pop(ATTR_ENGRAVE);
|
|
else
|
|
{
|
|
- sprintf(str, "%d", param);
|
|
+ snprintf(str, 20, "%d", param);
|
|
attr_push(ATTR_ENGRAVE, str);
|
|
}
|
|
return FALSE;
|
|
@@ -1976,7 +1976,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) {
|
|
|
|
short done=0;
|
|
long unicode_number = (long) param; /* On 16bit architectures int is too small to store unicode characters. - AF */
|
|
- char tmp[12]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */
|
|
+ char tmp[20]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */
|
|
const char *alias;
|
|
#define DEBUG 0
|
|
#if DEBUG
|
|
@@ -2006,7 +2006,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) {
|
|
/* RTF spec: Unicode values beyond 32767 are represented by negative numbers */
|
|
unicode_number += 65536;
|
|
}
|
|
- sprintf(tmp, "%ld", unicode_number);
|
|
+ snprintf(tmp, 20, "%ld", unicode_number);
|
|
|
|
if (safe_printf(1, op->unisymbol_print, tmp)) fprintf(stderr, TOO_MANY_ARGS, "unisymbol_print");
|
|
done++;
|
|
diff --git a/src/output.c b/src/output.c
|
|
index 86d8b5c..4cdbfa6 100644
|
|
--- a/src/output.c
|
|
+++ b/src/output.c
|
|
@@ -320,7 +320,7 @@ op_begin_std_fontsize (OutputPersonality *op, int size)
|
|
if (!found_std_expr) {
|
|
if (op->fontsize_begin) {
|
|
char expr[16];
|
|
- sprintf (expr, "%d", size);
|
|
+ snprintf(expr, 16, "%d", size);
|
|
if (safe_printf (1, op->fontsize_begin, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_begin");
|
|
} else {
|
|
/* If we cannot write out a change for the exact
|
|
@@ -440,7 +440,7 @@ op_end_std_fontsize (OutputPersonality *op, int size)
|
|
if (!found_std_expr) {
|
|
if (op->fontsize_end) {
|
|
char expr[16];
|
|
- sprintf (expr, "%d", size);
|
|
+ snprintf(expr, 16, "%d", size);
|
|
if (safe_printf(1, op->fontsize_end, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_end");
|
|
} else {
|
|
/* If we cannot write out a change for the exact
|
|
-
|
|
.11.0
|
|
|