No KDE release without an xpdf-inherited security issue.

Security: CVE-2006-0301, http://www.kde.org/info/security/advisory-20060202-1.txt kpdf, the KDE pdf viewer, shares code with xpdf. xpdf contains a heap based buffer overflow in the splash rasterizer engine that can crash kpdf or even execute arbitrary code.
author: Michael Nottebrock <lofi@FreeBSD.org> 2006-02-03 11:08:43 +0000
committer: Michael Nottebrock <lofi@FreeBSD.org> 2006-02-03 11:08:43 +0000
commit: 7f594cd565a8927979bd425df97513a90ad91813 (patch)
tree: ddbb236f48a61796a45114bdc9a62b4f7ad663bd /graphics
parent: Fix support for keymaps with local variants (en_US, de_CH etc.) in kxkb. (diff)
4 files changed, 102 insertions, 0 deletions
diff --git a/graphics/kdegraphics3/Makefile b/graphics/kdegraphics3/Makefile
index 4b49bf3ae684..40fd6748e580 100644
--- a/graphics/kdegraphics3/Makefile
+++ b/graphics/kdegraphics3/Makefile
@@ -8,6 +8,7 @@
 
 PORTNAME=	kdegraphics
 PORTVERSION=	${KDE_VERSION}
+PORTREVISION=	1
 CATEGORIES=	graphics kde
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	stable/${PORTVERSION:S/.0//}/src
diff --git a/graphics/kdegraphics3/files/patch-post-3.5.1-kdegraphics-CVE-2006-0301.diff b/graphics/kdegraphics3/files/patch-post-3.5.1-kdegraphics-CVE-2006-0301.diff
new file mode 100644
index 000000000000..e2e19b511dd7
--- /dev/null
+++ b/graphics/kdegraphics3/files/patch-post-3.5.1-kdegraphics-CVE-2006-0301.diff
@@ -0,0 +1,50 @@
+--- kpdf/xpdf/splash/SplashXPathScanner.cc	(Revision 505052)
++++ kpdf/xpdf/splash/SplashXPathScanner.cc	(Arbeitskopie)
+@@ -186,7 +186,7 @@ GBool SplashXPathScanner::getNextSpan(in
+ }
+ 
+ void SplashXPathScanner::computeIntersections(int y) {
+-  SplashCoord ySegMin, ySegMax, xx0, xx1;
++  SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1;
+   SplashXPathSeg *seg;
+   int i, j;
+ 
+@@ -236,19 +236,27 @@ void SplashXPathScanner::computeIntersec
+     } else if (seg->flags & splashXPathVert) {
+       xx0 = xx1 = seg->x0;
+     } else {
+-      if (ySegMin <= y) {
+-	// intersection with top edge
+-	xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
++      if (seg->x0 < seg->x1) {
++	xSegMin = seg->x0;
++	xSegMax = seg->x1;
+       } else {
+-	// x coord of segment endpoint with min y coord
+-	xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0;
++	xSegMin = seg->x1;
++	xSegMax = seg->x0;
+       }
+-      if (ySegMax >= y + 1) {
+-	// intersection with bottom edge
+-	xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
+-      } else {
+-	// x coord of segment endpoint with max y coord
+-	xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1;
++      // intersection with top edge
++      xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
++      // intersection with bottom edge
++      xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
++      // the segment may not actually extend to the top and/or bottom edges
++      if (xx0 < xSegMin) {
++	xx0 = xSegMin;
++      } else if (xx0 > xSegMax) {
++	xx0 = xSegMax;
++      }
++      if (xx1 < xSegMin) {
++	xx1 = xSegMin;
++      } else if (xx1 > xSegMax) {
++	xx1 = xSegMax;
+       }
+     }
+     if (xx0 < xx1) {
diff --git a/graphics/kdegraphics4/Makefile b/graphics/kdegraphics4/Makefile
index 4b49bf3ae684..40fd6748e580 100644
--- a/graphics/kdegraphics4/Makefile
+++ b/graphics/kdegraphics4/Makefile
@@ -8,6 +8,7 @@
 
 PORTNAME=	kdegraphics
 PORTVERSION=	${KDE_VERSION}
+PORTREVISION=	1
 CATEGORIES=	graphics kde
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	stable/${PORTVERSION:S/.0//}/src
diff --git a/graphics/kdegraphics4/files/patch-post-3.5.1-kdegraphics-CVE-2006-0301.diff b/graphics/kdegraphics4/files/patch-post-3.5.1-kdegraphics-CVE-2006-0301.diff
new file mode 100644
index 000000000000..e2e19b511dd7
--- /dev/null
+++ b/graphics/kdegraphics4/files/patch-post-3.5.1-kdegraphics-CVE-2006-0301.diff
@@ -0,0 +1,50 @@
+--- kpdf/xpdf/splash/SplashXPathScanner.cc	(Revision 505052)
++++ kpdf/xpdf/splash/SplashXPathScanner.cc	(Arbeitskopie)
+@@ -186,7 +186,7 @@ GBool SplashXPathScanner::getNextSpan(in
+ }
+ 
+ void SplashXPathScanner::computeIntersections(int y) {
+-  SplashCoord ySegMin, ySegMax, xx0, xx1;
++  SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1;
+   SplashXPathSeg *seg;
+   int i, j;
+ 
+@@ -236,19 +236,27 @@ void SplashXPathScanner::computeIntersec
+     } else if (seg->flags & splashXPathVert) {
+       xx0 = xx1 = seg->x0;
+     } else {
+-      if (ySegMin <= y) {
+-	// intersection with top edge
+-	xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
++      if (seg->x0 < seg->x1) {
++	xSegMin = seg->x0;
++	xSegMax = seg->x1;
+       } else {
+-	// x coord of segment endpoint with min y coord
+-	xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0;
++	xSegMin = seg->x1;
++	xSegMax = seg->x0;
+       }
+-      if (ySegMax >= y + 1) {
+-	// intersection with bottom edge
+-	xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
+-      } else {
+-	// x coord of segment endpoint with max y coord
+-	xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1;
++      // intersection with top edge
++      xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
++      // intersection with bottom edge
++      xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
++      // the segment may not actually extend to the top and/or bottom edges
++      if (xx0 < xSegMin) {
++	xx0 = xSegMin;
++      } else if (xx0 > xSegMax) {
++	xx0 = xSegMax;
++      }
++      if (xx1 < xSegMin) {
++	xx1 = xSegMin;
++      } else if (xx1 > xSegMax) {
++	xx1 = xSegMax;
+       }
+     }
+     if (xx0 < xx1) {
author	Michael Nottebrock <lofi@FreeBSD.org>	2006-02-03 11:08:43 +0000
committer	Michael Nottebrock <lofi@FreeBSD.org>	2006-02-03 11:08:43 +0000
commit	7f594cd565a8927979bd425df97513a90ad91813 (patch)
tree	ddbb236f48a61796a45114bdc9a62b4f7ad663bd /graphics
parent	Fix support for keymaps with local variants (en_US, de_CH etc.) in kxkb. (diff)