Accepting request 1895 from home:maw:branches:GNOME:Factory

Copy from IBS home:lrupp:branches:SUSE:Factory:Head/newt based on submit request 1895 from user lrupp OBS-URL: https://build.opensuse.org/request/show/1895 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/newt?expand=0&rev=14
2009-09-26 22:11:58 +00:00
parent 74b358711d
commit ade6f519dc
3 changed files with 24 additions and 173 deletions
--- a/newt-CVE-2009-2905.patch
+++ b/newt-CVE-2009-2905.patch
@@ -0,0 +1,13 @@
+Index: textbox.c
+===================================================================
+--- textbox.c.orig
+++ textbox.c
+@@ -179,7 +179,7 @@ static void doReflow(const char * text,
+ 
+     if (resultPtr) {
+ 	/* XXX I think this will work */
+-	result = malloc(strlen(text) + (strlen(text) / width) + 2);
+	result = malloc(strlen(text) + (strlen(text) / ( width - 1 )) + 2);
+ 	*result = '\0';
+     }
+ 	
--- a/newt.changes
+++ b/newt.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Sep 23 10:17:40 CEST 2009 - lrupp@suse.de
+
+- fix heap-based buffer overflow in function doReflow in textbox.c
+  (fix bnc#540930 and CVE-2009-2905 : newt-CVE-2009-2905.patch)
+
 -------------------------------------------------------------------
 Mon Sep  1 12:48:05 CEST 2008 - lrupp@suse.de

--- a/newt.spec
+++ b/newt.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package newt (Version 0.52.10)
 #
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,12 +22,13 @@ Name:           newt
 Url:            https://fedorahosted.org/newt/
 Summary:        Nifty Erik's Windowing Toolkit
 Version:        0.52.10
-Release:        1
+Release:        8
 %define         soname 0_52
 License:        LGPL v2.1 or later
 Group:          System/Libraries
 Source:         %name-%version.tar.bz2
 Source10:       %name-rpmlintrc
+Patch1:         newt-CVE-2009-2905.patch
 Requires:       libnewt%soname = %version
 BuildRequires:  popt-devel python-devel slang-devel
 %if 0%{?suse_version} < 1020
@@ -148,7 +149,7 @@ Authors:
    Erik Troan <ewt@redhat.com>

 %package -n python-newt
-License:        GPL v2 only; GPL v2 or later; LGPL v2.1 or later
+License:        GPL v2 only ; GPL v2 or later ; LGPL v2.1 or later
 Summary:        Python bindings for newt
 Group:          System/Libraries
 Requires:       newt = %{version}
@@ -168,6 +169,7 @@ Authors:

 %prep
 %setup -q
+%patch1 -p0

 %build
 # gpm support seems to smash the stack
@@ -240,173 +242,3 @@ rm -rf %buildroot
 %{py_sitedir}/*

 %changelog
-* Mon Sep 01 2008 lrupp@suse.de
- update to 0.52.10:
-  + added support for help
-  + added cusor on/off stuff
- rename newt-python to python-newt to follow the naming policy
-* Thu Apr 10 2008 ro@suse.de
- added baselibs.conf file to build xxbit packages
-  for multilib support
-* Mon Apr 07 2008 lrupp@suse.de
- update to 0.52.9:
-  + handle component destruction (patch by Richard W.M. Jones)
-  + fix newtWinEntry definition
-  + don't use uninitialized values in newtWinMenu
-  + remove workarounds for old bug in SLsmg_write_nstring
-  + improve SIGWINCH handling in form
-  + don't abort from whiptail gauge on SIGWINCH
-  + redisplay also last line
-  + update Polish translation
-  + enable slang utf8 mode (rh#425992)
-  + support --disable-nls option (patch by Natanael Copa)
-  + redraw screen when using entry in euc encodings
- removed upstreamed patches
- devel package should require poptd-, python- and slang-devel and
-  recommend the main package (not really needed)
- updated rpmlintrc
-* Mon Dec 17 2007 lrupp@suse.de
- split libnewt0_52 to follow the shared library packaging policy
- build on older distributions
- build parallel
-* Thu Oct 11 2007 lrupp@suse.de
- split python module to -python subpackage
- add back support for list of Entries in EntryWindow prompts in
-  snack (RH#248878) (newt-0.52.7-snack.patch)
- fix segfault in whiptail when no entry is selected in radiolist
-  (newt-0.52.7-whiptail.patch)
- fix handling of UTF-8 characters (#289291)
-  (newt-0.52.7-utf8.patch)
-* Tue Sep 11 2007 cthiel@suse.de
- removed bogus Provides: snack (to avoid name clash with package snack)
-* Tue Jun 26 2007 lrupp@suse.de
- update to 0.52.7:
-  + add support to snack for multiple selection and border in listbox
-  and cursorAtEnd in entry (patch by Shawn Starr)
-  + fix scrollbar positioning in listbox
-  + cope with backward system time jumps (RH#240691)
-  + free helplines and windows in newtFinished, check for overflow (RH#239992)
- remove included patches
- created doc package for tutorial (N#287087)
-* Wed Jun 13 2007 lrupp@suse.de
- included patches from Miroslav Lichvar:
-  + fix cursor positioning when setting entry or checkbox flags
-  (newt-0.52.6-cursor.patch)
-  + fix counting of items in checkboxtree
-  (newt-0.52.6-countitems.patch)
-  + fix some memory leaks
-  (newt-0.52.6-memleaks.patch)
-  + fix entry scrolling (RH#234829) and
-  + fix multibyte character handling in entry
-  (newt-0.52.6-entry.patch)
- disable gpm-support - seems to smash the stack
- remove libbz2-1 from buildreq
- re-arange buildrequires
-* Tue Jun 05 2007 ro@suse.de
- buildreq: libbz2 -> libbz2-1
-* Sun Apr 01 2007 lrupp@suse.de
- added distribution specfic parts for build service
- added libbz2 to BuildRequires for suse_version > 1020
-* Wed Mar 07 2007 lrupp@suse.de
- update to 0.52.6:
-  + add newtSetColor() to allow changing individual colors
-  + add newtPopWindowNoRefresh() (patch by Forest Bond)
- branched newt-static package containing static library
-* Wed Feb 14 2007 lrupp@suse.de
- update to 0.52.5
-  + provide option to change text of buttons (rh#126768)
-  + don't add escape key to hot keys by default (rh#216157)
-  + fix cursor position in checkboxtree, radio button and checkbox
-  + don't force monochrome terminals to output colors
-  + highlight active compact button on monochrome terminals
-  + update translations from debian
- removed unnecessary ldconfig call in devel package
- removed obsolete newt-0.52.4-if1close.patch
-* Thu Dec 21 2006 lrupp@suse.de
- new upstream version 0.52.4: patches included upstream
-  + fix entry corruption when reading multibyte characters
-  and double width character handling
-  + avoid overflow/crash in scale
- makefile, configure and spec cleanup
- package whiptail.1 and locale files
-* Fri Sep 22 2006 lrupp@suse.de
- fix build with python 2.5 (thanks to aj)
- useful fixes from RH bugzilla included:
-  * #137957 : fix screen corruption
-  * #81352  : fix help dialog
-  * #83203  : make textbox with scrollbar focusable
-  * #86074  : turn off cursor when entry terminated form
-  * #186053 : better handling of listbox and checkboxtree focus
-  * #187545 : be more color friendly to 8-color terminals
-  * #189981 : fix handling windows larger than screen size
-  * fix checkboxtree positioning
-  * unfocus when displaying help
-  * fix double width character handling in checkboxtree and listbox
-* Tue May 09 2006 lrupp@suse.de
- add "Provides: snack" to specfile
- do not build whiptcl to avoid dependency on tcl (RH #177346)
-  (whiptcl is currently not used by anything)
- Apply patch by Bill Nottingham (thanks) to improve scrollbar appearance
-  (RH #174771)
- Fix a crash in checkboxtree.c (RH #165347)
- draw correct dialog sizes on the screen (see RH #185950) - applying
-  patch from Tomas Mraz (thanks)
-* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires
-* Mon Dec 12 2005 lrupp@suse.de
- new version 0.52.2
- include whiptcl.so
-* Thu Nov 10 2005 lrupp@suse.de
- only do gpmclose if gpmopen succeeed
-  (see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118530)
- include example files (peanuts.py, popcorn.py) in devel package
- use "-fPIC -Wall -fno-strict-aliasing" in CFLAGS
-* Tue Sep 27 2005 mls@suse.de
- make devel package require base package
-* Mon Jul 25 2005 lrupp@suse.de 0.51.6
- use of %%run_ldconfig
-* Fri Jun 17 2005 lrupp@suse.de 0.51.6
- use more macros: fix build on 64bit
-* Fri Jun 17 2005 lrupp@suse.de 0.51.6
- use $RPM_OPT_FLAGS
- delete /usr/lib/phyton in build to avoid errors from abuild
-  => we've a symlink to /usr/lib/python2.4
-* Thu Jun 16 2005 ro@suse.de
- fix files pagaged twice (real path and over symlink)
-* Tue Feb 15 2005 ro@suse.de
- added python deps
-* Mon Jan 24 2005 ro@suse.de
- fix lib64 build
-* Tue Nov 30 2004 cwh@suse.de
- updated to 0.51.6
-* Wed Jun 02 2004 ro@suse.de
- get rid of some compiler warnings
-* Thu Feb 26 2004 hmacht@suse.de
- building as non-root
-* Tue Feb 24 2004 cwh@suse.de
- added soname link to package
-* Mon Sep 15 2003 cwh@suse.de
- removed wrong "Provides: snack" from spec-file
-* Thu Aug 21 2003 ro@suse.de
- expand filelist
- fix lib64 issues
-* Wed Aug 20 2003 cwh@suse.de
- fixed to compile with tcl8.4
-* Tue Jan 16 2001 schwab@suse.de
- Fix missing -fPIC in Makefile.
- Fix use of varargs.
-* Wed Nov 29 2000 ro@suse.de
- changed neededforbuild <tcld> to <tcl-devel>
-* Wed Nov 29 2000 smid@suse.cz
- subpackage renamed: newtd => newt-devel
-* Fri Nov 24 2000 ro@suse.de
- fixes for 2.0-python
-* Sun Oct 29 2000 kukuk@suse.de
- Add python-devel to need for build
-* Mon May 22 2000 smid@suse.cz
- fixed to compile with tcl8.3
-* Wed May 10 2000 nadvornik@suse.cz
- update to 0.50.8
- added BuildRoot
-* Mon Jan 17 2000 nashif@suse.de
- Initial Release ( Version 0.50)