diff --git a/fontforge/.md5sum b/fontforge/.md5sum
index c42d211a7..e84e599c6 100644
--- a/fontforge/.md5sum
+++ b/fontforge/.md5sum
@@ -1 +1,2 @@
+17912437f45886a394aefa30e7310bd9 CVE-2010-4259.patch
 5f3d20d645ec1aa2b7b4876386df8717 fontforge_full-20100501.tar.bz2
diff --git a/fontforge/CVE-2010-4259.patch b/fontforge/CVE-2010-4259.patch
new file mode 100644
index 000000000..d965dcc57
--- /dev/null
+++ b/fontforge/CVE-2010-4259.patch
@@ -0,0 +1,51 @@
+--- fontforge/fontforge/fvimportbdf.c 15 Apr 2010 10:47:36 -0000 1.58
++++ fontforge/fontforge/fvimportbdf.c 3 Dec 2010 21:03:38 -0000
+@@ -560,7 +560,7 @@
+ }
+ 
+ if ( strcmp(tok,"FONT")==0 ) {
+- if ( sscanf(buf,"-%*[^-]-%[^-]-%[^-]-%[^-]-%*[^-]-", family, weight, italic )!=0 ) {
++ if ( sscanf(buf,"-%*[^-]-%99[^-]-%99[^-]-%99[^-]-%*[^-]-", family, weight, italic )!=0 ) {
+ char *pt=buf;
+ int dcnt=0;
+ while ( *pt=='-' && dcnt<7 ) { ++pt; ++dcnt; }
+@@ -616,26 +616,30 @@
+ sscanf(buf, "%d", &defs->metricsset );
+ else if ( strcmp(tok,"VVECTOR")==0 )
+ sscanf(buf, "%*d %d", &defs->vertical_origin );
++ /* For foundry, fontname and encname, only copy up to the buffer size */
+ else if ( strcmp(tok,"FOUNDRY")==0 )
+- sscanf(buf, "%[^\"]", foundry );
++ sscanf(buf, "%99[^\"]", foundry );
+ else if ( strcmp(tok,"FONT_NAME")==0 )
+- sscanf(buf, "%[^\"]", fontname );
++ sscanf(buf, "%99[^\"]", fontname );
+ else if ( strcmp(tok,"CHARSET_REGISTRY")==0 )
+- sscanf(buf, "%[^\"]", encname );
++ sscanf(buf, "%99[^\"]", encname );
+ else if ( strcmp(tok,"CHARSET_ENCODING")==0 ) {
+ enc = 0;
+ if ( sscanf(buf, " %d", &enc )!=1 )
+ sscanf(buf, "%d", &enc );
++ /* These properties should be copied up to the buffer length too */
+ } else if ( strcmp(tok,"FAMILY_NAME")==0 ) {
+- strcpy(family,buf);
++ strncpy(family,buf,99);
+ } else if ( strcmp(tok,"FULL_NAME")==0 || strcmp(tok,"FACE_NAME")==0 ) {
+- strcpy(full,buf);
++ strncpy(full,buf,99);
+ } else if ( strcmp(tok,"WEIGHT_NAME")==0 )
+- strcpy(weight,buf);
++ strncpy(weight,buf,99);
+ else if ( strcmp(tok,"SLANT")==0 )
+- strcpy(italic,buf);
++ strncpy(italic,buf,99);
+ else if ( strcmp(tok,"COPYRIGHT")==0 ) {
+- strcpy(comments,buf);
++ /* LS: Assume the size of the passed-in buffer is 1000, see below in
++ * COMMENT */
++ strncpy(comments,buf,999);
+ found_copyright = true;
+ } else if ( strcmp(tok,"COMMENT")==0 && !found_copyright ) {
+ char *pt = comments+strlen(comments);
+
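Review bot: The `strncpy(family,buf,99)`, `strncpy(full,buf,99)`, `strncpy(weight,buf,99)`, `strncpy(italic,buf,99)` and `strncpy(comments,buf,999)` replacements in the second inner hunk bound the write but do not guarantee NUL termination: when `buf` holds 99 (or 999) or more characters no terminator is stored, so the visible `strlen(comments)` in the COMMENT branch, and any later `strlen`/`strcpy` on the other fields, can read past the end of the destination. The `%99[` sscanf widths used for foundry, fontname and encname do terminate, so the two halves of this fix are not equivalent. Either terminate explicitly after each copy, e.g. `strncpy(family,buf,99); family[99] = '\0';`, or use `snprintf(family, sizeof family, "%s", buf)` where the array is in scope (100 bytes if the `%99[` widths are right, which I cannot confirm from the hunk). The comment added before `strncpy(comments,buf,999)` records an unverified assumption that the caller passes a 1000-byte buffer; that should be checked against the caller(s) and the limit tied to the real size rather than a literal. The enclosing function starts and ends outside the hunk.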
diff --git a/fontforge/Pkgfile b/fontforge/Pkgfile
index a1b6c13f0..73cac5539 100644
--- a/fontforge/Pkgfile
+++ b/fontforge/Pkgfile
@@ -6,10 +6,12 @@
 name=fontforge
 version=20100501
 release=1
-source=(http://download.sourceforge.net/$name/${name}_full-$version.tar.bz2)
+source=(http://download.sourceforge.net/$name/${name}_full-$version.tar.bz2 \
+ CVE-2010-4259.patch)
 
 build() {
 cd $name-$version
+ patch -p1 -i $SRC/CVE-2010-4259.patch
 sed "s|PyBytes_Decode|PyString_Decode|g" -i fontforge/ffpython.h
 ./configure --prefix=/usr \
 --mandir=/usr/man \
@@ -17,4 +19,4 @@ build() {
 make
 make install DESTDIR=$PKG
 rm -r $PKG/usr/share/locale/
-}
\ No newline at end of file
+}
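Review bot: `patch -p1 -i $SRC/CVE-2010-4259.patch` in build() is run without checking its exit status; unless pkgmk executes build() under `set -e` (which I cannot confirm from here), a rejected or fuzzed-out hunk would leave the tree unpatched and the package would still build with the CVE-2010-4259 overflow present. A guard such as `patch -p1 -i $SRC/CVE-2010-4259.patch || return 1` makes the build fail explicitly in either case. The `-p1` level does match the `fontforge/fontforge/fvimportbdf.c` paths in the patch file relative to `$name-$version`, so the path stripping itself looks right.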