[notify] fontforge: patched CVE-2010-4259

2011-06-04 13:07:21 +02:00 · 2011-06-04 13:07:21 +02:00 · 5cc15be629
commit 5cc15be629
parent 2992a4d3e8
3 changed files with 56 additions and 2 deletions
--- a/fontforge/.md5sum
+++ b/fontforge/.md5sum
@ -1 +1,2 @@
+17912437f45886a394aefa30e7310bd9  CVE-2010-4259.patch
 5f3d20d645ec1aa2b7b4876386df8717  fontforge_full-20100501.tar.bz2
--- a/fontforge/CVE-2010-4259.patch
+++ b/fontforge/CVE-2010-4259.patch
@ -0,0 +1,51 @@
+--- fontforge/fontforge/fvimportbdf.c	15 Apr 2010 10:47:36 -0000	1.58
+++ fontforge/fontforge/fvimportbdf.c	3 Dec 2010 21:03:38 -0000
+@@ -560,7 +560,7 @@ 
+ 	}
+     
+ 	if ( strcmp(tok,"FONT")==0 ) {
+-	    if ( sscanf(buf,"-%*[^-]-%[^-]-%[^-]-%[^-]-%*[^-]-", family, weight, italic )!=0 ) {
+	    if ( sscanf(buf,"-%*[^-]-%99[^-]-%99[^-]-%99[^-]-%*[^-]-", family, weight, italic )!=0 ) {
+ 		char *pt=buf;
+ 		int dcnt=0;
+ 		while ( *pt=='-' && dcnt<7 ) { ++pt; ++dcnt; }
+@@ -616,26 +616,30 @@ 
+ 	    sscanf(buf, "%d", &defs->metricsset );
+ 	else if ( strcmp(tok,"VVECTOR")==0 )
+ 	    sscanf(buf, "%*d %d", &defs->vertical_origin );
+	/* For foundry, fontname and encname, only copy up to the buffer size */
+ 	else if ( strcmp(tok,"FOUNDRY")==0 )
+-	    sscanf(buf, "%[^\"]", foundry );
+	    sscanf(buf, "%99[^\"]", foundry );
+ 	else if ( strcmp(tok,"FONT_NAME")==0 )
+-	    sscanf(buf, "%[^\"]", fontname );
+	    sscanf(buf, "%99[^\"]", fontname );
+ 	else if ( strcmp(tok,"CHARSET_REGISTRY")==0 )
+-	    sscanf(buf, "%[^\"]", encname );
+	    sscanf(buf, "%99[^\"]", encname );
+ 	else if ( strcmp(tok,"CHARSET_ENCODING")==0 ) {
+ 	    enc = 0;
+ 	    if ( sscanf(buf, " %d", &enc )!=1 )
+ 		sscanf(buf, "%d", &enc );
+	/* These properties should be copied up to the buffer length too */
+ 	} else if ( strcmp(tok,"FAMILY_NAME")==0 ) {
+-	    strcpy(family,buf);
+	    strncpy(family,buf,99);
+ 	} else if ( strcmp(tok,"FULL_NAME")==0 || strcmp(tok,"FACE_NAME")==0 ) {
+-	    strcpy(full,buf);
+	    strncpy(full,buf,99);
+ 	} else if ( strcmp(tok,"WEIGHT_NAME")==0 )
+-	    strcpy(weight,buf);
+	    strncpy(weight,buf,99);
+ 	else if ( strcmp(tok,"SLANT")==0 )
+-	    strcpy(italic,buf);
+	    strncpy(italic,buf,99);
+ 	else if ( strcmp(tok,"COPYRIGHT")==0 ) {
+-	    strcpy(comments,buf);
+		/* LS: Assume the size of the passed-in buffer is 1000, see below in
+		 * COMMENT */
+	    strncpy(comments,buf,999);
+ 	    found_copyright = true;
+ 	} else if ( strcmp(tok,"COMMENT")==0 && !found_copyright ) {
+ 	    char *pt = comments+strlen(comments);
+
--- a/fontforge/Pkgfile
+++ b/fontforge/Pkgfile
@ -6,10 +6,12 @@
 name=fontforge
 version=20100501
 release=1
-source=(http://download.sourceforge.net/$name/${name}_full-$version.tar.bz2)
+source=(http://download.sourceforge.net/$name/${name}_full-$version.tar.bz2 \
+       CVE-2010-4259.patch)

 build() {
 	cd $name-$version
+	patch -p1 -i $SRC/CVE-2010-4259.patch
 	sed "s|PyBytes_Decode|PyString_Decode|g" -i fontforge/ffpython.h
 	./configure	--prefix=/usr \
 			--mandir=/usr/man \
@ -17,4 +19,4 @@ build() {
 	make
 	make install DESTDIR=$PKG
 	rm -r $PKG/usr/share/locale/
-}
+}