Accepting request 667603 from multimedia:libs

OBS-URL: https://build.opensuse.org/request/show/667603 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libcaca?expand=0&rev=41
2019-02-04 20:23:02 +00:00 · 2019-02-04 20:23:02 +00:00 · 1f5def3be1
commit 1f5def3be1
parent 64d520891f 5553c4c7ce
4 changed files with 92 additions and 1 deletions
--- a/Bug1120502-add_cast_to_prevent_overflow.patch
+++ b/Bug1120502-add_cast_to_prevent_overflow.patch
@ -0,0 +1,35 @@
+Author: Josef Möllers <jmoellers@suse.de>
+Index: libcaca-da28e9684ef445ac8d42745644336b8a75c01855/caca/dither.c
+===================================================================
+--- libcaca-da28e9684ef445ac8d42745644336b8a75c01855.orig/caca/dither.c
+++ libcaca-da28e9684ef445ac8d42745644336b8a75c01855/caca/dither.c
+@@ -991,10 +991,10 @@ int caca_dither_bitmap(caca_canvas_t *cv
+         /* First get RGB */
+         if(d->antialias)
+         {
+-            fromx = (x - x1) * w / deltax;
+-            fromy = (y - y1) * h / deltay;
+-            tox = (x - x1 + 1) * w / deltax;
+-            toy = (y - y1 + 1) * h / deltay;
+            fromx = (uint64_t)(x - x1) * w / deltax;
+            fromy = (uint64_t)(y - y1) * h / deltay;
+            tox = (uint64_t)(x - x1 + 1) * w / deltax;
+            toy = (uint64_t)(y - y1 + 1) * h / deltay;
+ 
+             /* We want at least one pixel */
+             if(tox == fromx) tox++;
+@@ -1017,10 +1017,10 @@ int caca_dither_bitmap(caca_canvas_t *cv
+         }
+         else
+         {
+-            fromx = (x - x1) * w / deltax;
+-            fromy = (y - y1) * h / deltay;
+-            tox = (x - x1 + 1) * w / deltax;
+-            toy = (y - y1 + 1) * h / deltay;
+            fromx = (uint64_t)(x - x1) * w / deltax;
+            fromy = (uint64_t)(y - y1) * h / deltay;
+            tox = (uint64_t)(x - x1 + 1) * w / deltax;
+            toy = (uint64_t)(y - y1 + 1) * h / deltay;
+ 
+             /* tox and toy can overflow the canvas, but they cannot overflow
+              * when averaged with fromx and fromy because these are guaranteed
--- a/libcaca-variable-type.patch
+++ b/libcaca-variable-type.patch
@ -0,0 +1,27 @@
+Author: Josef Möllers <jmoellers@suse.de>
+Index: libcaca-da28e9684ef445ac8d42745644336b8a75c01855/src/common-image.h
+===================================================================
+--- libcaca-da28e9684ef445ac8d42745644336b8a75c01855.orig/src/common-image.h
+++ libcaca-da28e9684ef445ac8d42745644336b8a75c01855/src/common-image.h
+@@ -13,7 +13,7 @@
+ struct image
+ {
+     char *pixels;
+-    unsigned int w, h;
+    size_t w, h;
+     struct caca_dither *dither;
+     void *priv;
+ };
+Index: libcaca-da28e9684ef445ac8d42745644336b8a75c01855/caca/dither.c
+===================================================================
+--- libcaca-da28e9684ef445ac8d42745644336b8a75c01855.orig/caca/dither.c
+++ libcaca-da28e9684ef445ac8d42745644336b8a75c01855/caca/dither.c
+@@ -116,7 +116,7 @@ enum color_mode
+ struct caca_dither
+ {
+     int bpp, has_palette, has_alpha;
+-    int w, h, pitch;
+    size_t w, h, pitch;
+     int rmask, gmask, bmask, amask;
+     int rright, gright, bright, aright;
+     int rleft, gleft, bleft, aleft;
--- a/libcaca.changes
+++ b/libcaca.changes
@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Mon Jan 21 13:01:52 UTC 2019 - josef.moellers@suse.com
+
+- Cast intermediate results to 64 bits to prevent overflow of
+  calculations with 32-bit quentities.
+  [CVE-2018-20544, bsc#1120502,
+   Bug1120502-add_cast_to_prevent_overflow.patch]
+
+-------------------------------------------------------------------
+Mon Jan 21 12:39:30 UTC 2019 - josef.moellers@suse.com
+
+- Fix the size of width and height to be of size_t rather than
+  int in struct caca_dither. Re-using existing patch.
+  [CVE-2018-20546, bsc#1120503, CVE-2018-20547,
+   bsc#1120504, libcaca-variable-type.patch]
+
+-------------------------------------------------------------------
+Tue Jan 15 15:03:38 UTC 2019 - josef.moellers@suse.com
+
+- Fix the size of width and height to be of size_t rather than
+  unsigned int which may be too small on 64 bit architectures.
+  This fixes three CVS and associated bugs.
+  [CVE-2018-20545, bsc#1120584, CVE-2018-20548, bsc#1120589,
+   CVE-2018-20549, bsc#1120470, libcaca-variable-type.patch]
+
 -------------------------------------------------------------------
 Tue Jan 30 11:03:56 UTC 2018 - davejplater@gmail.com

--- a/libcaca.spec
+++ b/libcaca.spec
@ -1,7 +1,7 @@
 #
 # spec file for package libcaca
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -35,6 +35,8 @@ Patch5:         libcaca-ruby_vendor_install.patch
 Patch7:         libcaca-0.99.beta16-missing-GLU.patch
 Patch9:         caca-no-build-date.patch
 Patch10:        libcaca-ncurses6.patch
+Patch11:        libcaca-variable-type.patch
+Patch12:        Bug1120502-add_cast_to_prevent_overflow.patch
 BuildRequires:  doxygen
 BuildRequires:  fdupes
 BuildRequires:  freeglut-devel
@ -136,6 +138,8 @@ drawing, triangle filling and sprite blitting.
 %patch9
 %patch1
 %patch10 -p1
+%patch11 -p1
+%patch12 -p1
 RUBY="ruby-`echo %{rb_ver} | sed 's|\.[^\.]*$||'`"
 find . -type f -exec sed -i "s|ruby-1.9|$RUBY|" \{\} \;
 pushd python