diff options
author | Michael Nottebrock <lofi@FreeBSD.org> | 2006-02-03 11:08:43 +0000 |
---|---|---|
committer | Michael Nottebrock <lofi@FreeBSD.org> | 2006-02-03 11:08:43 +0000 |
commit | 7f594cd565a8927979bd425df97513a90ad91813 (patch) | |
tree | ddbb236f48a61796a45114bdc9a62b4f7ad663bd | |
parent | Fix support for keymaps with local variants (en_US, de_CH etc.) in kxkb. (diff) |
No KDE release without an xpdf-inherited security issue.
Security: CVE-2006-0301,
http://www.kde.org/info/security/advisory-20060202-1.txt
kpdf, the KDE pdf viewer, shares code with xpdf. xpdf contains
a heap based buffer overflow in the splash rasterizer engine that
can crash kpdf or even execute arbitrary code.
Notes
Notes:
svn path=/head/; revision=155126
4 files changed, 102 insertions, 0 deletions
diff --git a/graphics/kdegraphics3/Makefile b/graphics/kdegraphics3/Makefile index 4b49bf3ae684..40fd6748e580 100644 --- a/graphics/kdegraphics3/Makefile +++ b/graphics/kdegraphics3/Makefile @@ -8,6 +8,7 @@ PORTNAME= kdegraphics PORTVERSION= ${KDE_VERSION} +PORTREVISION= 1 CATEGORIES= graphics kde MASTER_SITES= ${MASTER_SITE_KDE} MASTER_SITE_SUBDIR= stable/${PORTVERSION:S/.0//}/src diff --git a/graphics/kdegraphics3/files/patch-post-3.5.1-kdegraphics-CVE-2006-0301.diff b/graphics/kdegraphics3/files/patch-post-3.5.1-kdegraphics-CVE-2006-0301.diff new file mode 100644 index 000000000000..e2e19b511dd7 --- /dev/null +++ b/graphics/kdegraphics3/files/patch-post-3.5.1-kdegraphics-CVE-2006-0301.diff @@ -0,0 +1,50 @@ +--- kpdf/xpdf/splash/SplashXPathScanner.cc (Revision 505052) ++++ kpdf/xpdf/splash/SplashXPathScanner.cc (Arbeitskopie) +@@ -186,7 +186,7 @@ GBool SplashXPathScanner::getNextSpan(in + } + + void SplashXPathScanner::computeIntersections(int y) { +- SplashCoord ySegMin, ySegMax, xx0, xx1; ++ SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1; + SplashXPathSeg *seg; + int i, j; + +@@ -236,19 +236,27 @@ void SplashXPathScanner::computeIntersec + } else if (seg->flags & splashXPathVert) { + xx0 = xx1 = seg->x0; + } else { +- if (ySegMin <= y) { +- // intersection with top edge +- xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; ++ if (seg->x0 < seg->x1) { ++ xSegMin = seg->x0; ++ xSegMax = seg->x1; + } else { +- // x coord of segment endpoint with min y coord +- xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0; ++ xSegMin = seg->x1; ++ xSegMax = seg->x0; + } +- if (ySegMax >= y + 1) { +- // intersection with bottom edge +- xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; +- } else { +- // x coord of segment endpoint with max y coord +- xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1; ++ // intersection with top edge ++ xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; ++ // intersection with bottom edge ++ xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; ++ // the segment may not actually extend to the top and/or bottom edges ++ if (xx0 < xSegMin) { ++ xx0 = xSegMin; ++ } else if (xx0 > xSegMax) { ++ xx0 = xSegMax; ++ } ++ if (xx1 < xSegMin) { ++ xx1 = xSegMin; ++ } else if (xx1 > xSegMax) { ++ xx1 = xSegMax; + } + } + if (xx0 < xx1) { diff --git a/graphics/kdegraphics4/Makefile b/graphics/kdegraphics4/Makefile index 4b49bf3ae684..40fd6748e580 100644 --- a/graphics/kdegraphics4/Makefile +++ b/graphics/kdegraphics4/Makefile @@ -8,6 +8,7 @@ PORTNAME= kdegraphics PORTVERSION= ${KDE_VERSION} +PORTREVISION= 1 CATEGORIES= graphics kde MASTER_SITES= ${MASTER_SITE_KDE} MASTER_SITE_SUBDIR= stable/${PORTVERSION:S/.0//}/src diff --git a/graphics/kdegraphics4/files/patch-post-3.5.1-kdegraphics-CVE-2006-0301.diff b/graphics/kdegraphics4/files/patch-post-3.5.1-kdegraphics-CVE-2006-0301.diff new file mode 100644 index 000000000000..e2e19b511dd7 --- /dev/null +++ b/graphics/kdegraphics4/files/patch-post-3.5.1-kdegraphics-CVE-2006-0301.diff @@ -0,0 +1,50 @@ +--- kpdf/xpdf/splash/SplashXPathScanner.cc (Revision 505052) ++++ kpdf/xpdf/splash/SplashXPathScanner.cc (Arbeitskopie) +@@ -186,7 +186,7 @@ GBool SplashXPathScanner::getNextSpan(in + } + + void SplashXPathScanner::computeIntersections(int y) { +- SplashCoord ySegMin, ySegMax, xx0, xx1; ++ SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1; + SplashXPathSeg *seg; + int i, j; + +@@ -236,19 +236,27 @@ void SplashXPathScanner::computeIntersec + } else if (seg->flags & splashXPathVert) { + xx0 = xx1 = seg->x0; + } else { +- if (ySegMin <= y) { +- // intersection with top edge +- xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; ++ if (seg->x0 < seg->x1) { ++ xSegMin = seg->x0; ++ xSegMax = seg->x1; + } else { +- // x coord of segment endpoint with min y coord +- xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0; ++ xSegMin = seg->x1; ++ xSegMax = seg->x0; + } +- if (ySegMax >= y + 1) { +- // intersection with bottom edge +- xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; +- } else { +- // x coord of segment endpoint with max y coord +- xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1; ++ // intersection with top edge ++ xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; ++ // intersection with bottom edge ++ xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; ++ // the segment may not actually extend to the top and/or bottom edges ++ if (xx0 < xSegMin) { ++ xx0 = xSegMin; ++ } else if (xx0 > xSegMax) { ++ xx0 = xSegMax; ++ } ++ if (xx1 < xSegMin) { ++ xx1 = xSegMin; ++ } else if (xx1 > xSegMax) { ++ xx1 = xSegMax; + } + } + if (xx0 < xx1) { |