From 578f2b33c38c028f9bcaa9d67e48045885886c86e7c001a83219401fb9c5c9b9 Mon Sep 17 00:00:00 2001
From: "Dr. Werner Fink"
Date: Wed, 26 Sep 2018 11:58:51 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/Publishing:TeXLive/texlive?expand=0&rev=306
---
 source-bsc1109673.dif | 86 +++++++++++++++++++++++++++++++++++++++++++
 texlive.changes | 7 ++++
 texlive.spec | 5 ++-
 3 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 source-bsc1109673.dif
diff --git a/source-bsc1109673.dif b/source-bsc1109673.dif
new file mode 100644
index 0000000..30a3a92
--- /dev/null
+++ b/source-bsc1109673.dif
@@ -0,0 +1,86 @@
+Extracted from svn source tree of TeXLive for CVE-2018-17407 (bsc#1109673)
+------------------------------------------------------------------------
+r48697 | preining | 2018-09-19 06:02:06 +0200 (Wed, 19 Sep 2018) | 1 line
+
+writet1 protection against buffer overflow
+------------------------------------------------------------------------
+| Index: Build/source/texk/dvipsk/ChangeLog
+| ===================================================================
+| --- Build/source/texk/dvipsk/ChangeLog (revision 48696)
+| +++ Build/source/texk/dvipsk/ChangeLog (revision 48697)
+| 
@@ -1,3 +1,8 @@
+| +2018-09-18 Nick Roessler
+| +
+| + * writet1.c (t1_check_unusual_charstring): protect against buffer
+| + overflow.
+| +
+| 2018-04-14 Karl Berry
+|
+| * Version 5.998 for TeX Live 2018 release.
+Index: Build/source/texk/dvipsk/writet1.c
+===================================================================
+--- Build/source/texk/dvipsk/writet1.c (revision 48696)
++++ Build/source/texk/dvipsk/writet1.c (revision 48697)
+@@ -1449,7 +1449,9 @@
+ *(strend(t1_buf_array) - 1) = ' ';
+
+ t1_getline();
++ alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, T1_BUF_SIZE);
+ strcat(t1_buf_array, t1_line_array);
++ alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);
+ strcpy(t1_line_array, t1_buf_array);
+ t1_line_ptr = eol(t1_line_array);
+ }
+| Index: Build/source/texk/web2c/luatexdir/ChangeLog
+| ===================================================================
+| --- Build/source/texk/web2c/luatexdir/ChangeLog (revision 48696)
+| +++ Build/source/texk/web2c/luatexdir/ChangeLog (revision 48697)
+| 
@@ -1,3 +1,7 @@
+| +2018-09-18 Nick Roessler
+| + * fonts/writet1.w (t1_check_unusual_charstring): protect against
+| + buffer overflow.
+| +
+| 2018-08-27 Luigi Scarso
+| * dropped dependency from gmp and mpfr
+|
+Index: Build/source/texk/web2c/luatexdir/font/writet1.c
+===================================================================
+--- Build/source/texk/web2c/luatexdir/font/writet1.w (revision 48696)
++++ Build/source/texk/web2c/luatexdir/font/writet1.w (revision 48697)
+@@ -1581,7 +1581,9 @@
+ if (sscanf(p, "%i", &i) != 1) {
+ strcpy(t1_buf_array, t1_line_array);
+ t1_getline();
++ alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, T1_BUF_SIZE);
+ strcat(t1_buf_array, t1_line_array);
++ alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);
+ strcpy(t1_line_array, t1_buf_array);
+ t1_line_ptr = eol(t1_line_array);
+ }
+| Index: Build/source/texk/web2c/pdftexdir/ChangeLog
+| ===================================================================
+| --- Build/source/texk/web2c/pdftexdir/ChangeLog (revision 48696)
+| +++ Build/source/texk/web2c/pdftexdir/ChangeLog (revision 48697)
+| @@ -1,3 +1,8 @@
+| +2018-09-18 Nick Roessler
+| +
+| + * writet1.c (t1_check_unusual_charstring): protect against buffer
+| + overflow.
+| +
+| 2018-09-09 Karl Berry
+|
+| * expanded.test,
+Index: Build/source/texk/web2c/pdftexdir/writet1.c
+===================================================================
+--- Build/source/texk/web2c/pdftexdir/writet1.c (revision 48696)
++++ Build/source/texk/web2c/pdftexdir/writet1.c (revision 48697)
+@@ -1598,7 +1598,9 @@
+ *(strend(t1_buf_array) - 1) = ' ';
+
+ t1_getline();
++ alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, T1_BUF_SIZE);
+ strcat(t1_buf_array, t1_line_array);
++ alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);
+ strcpy(t1_line_array, t1_buf_array);
+ t1_line_ptr = eol(t1_line_array);
+ }
diff --git a/texlive.changes b/texlive.changes
index abda53e..e4bd55b 100644
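Review bot: In the three writet1 hunks the added `alloc_array` calls guard only the `strcat`/`strcpy` that follow `t1_getline()`; the earlier `strcpy(t1_buf_array, t1_line_array);`, visible as context in the luatexdir hunk, still has no size check in view. If code outside these hunks keeps t1_buf at least as large as t1_line, that invariant should be stated at that copy, e.g. `/* t1_buf must already hold a full t1_line here; only the joined line below can outgrow it */`; if it does not, `alloc_array(t1_buf, strlen(t1_line_array) + 1, T1_BUF_SIZE);` belongs before that first copy as well. t1_check_unusual_charstring starts and ends outside every hunk, so this cannot be settled from the page. Also, the luatexdir section's `Index:` line names `font/writet1.c` while its `---`/`+++` lines name `font/writet1.w`, so it is worth confirming in the build log that `%patch54 -p2` applied to the luatex copy.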
--- a/texlive.changes
+++ b/texlive.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Sep 26 11:54:24 UTC 2018 - Dr. Werner Fink
+
+- Add patch source-bsc1109673.dif to fix bsc#1109673 for CVE-2018-17407
+ which is about buffer overflow in the handling of Type 1 fonts
+ allowing arbitrary code execution
+
 -------------------------------------------------------------------
 Thu Jul 19 12:19:08 UTC 2018 - alarrosa@suse.com
diff --git a/texlive.spec b/texlive.spec
index 34ae787..b114aa9 100644
--- a/texlive.spec
+++ b/texlive.spec
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
@@ -275,6 +275,8 @@ Patch51: freetype-use-pkg-config.patch
 Patch52: source-tounicode.dif
 # PATCH-FIX-TEXLIVE
 Patch53: source-fix-const-poppler0.66.0.patch
+# PATCH-FIX-TEXLIVE
+Patch54: source-bsc1109673.dif
 Prefix: %{_bindir}
 Provides: pdfjam = %{version}
 Obsoletes: pdfjam < %{version}
@@ -3580,6 +3582,7 @@ popd
 %if %{?pkg_vcmp:%{pkg_vcmp libpoppler-devel >= 0.66.0}}%{!?pkg_vcmp:0}
 %patch53 -p0 -b .poppler
 %endif
+%patch54 -p2 -b .type1
 # Correct FHS paths
 paths=$(find -name cnf-to-paths.awk)
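Review bot: The comment added above `Patch54` in the second texlive.spec hunk is the bare tag `# PATCH-FIX-TEXLIVE`, so the spec itself does not record which bug or CVE this patch closes. Carrying the references from the changelog entry into it, e.g. `# PATCH-FIX-TEXLIVE bsc#1109673 CVE-2018-17407 -- writet1 buffer overflow in Type 1 font handling`, lets a later packager see that dropping or renumbering the patch would reopen a security fix. The patch header says the change was extracted from the TeX Live svn tree (r48697), so the comment could also state that the patch becomes obsolete once the packaged sources include that revision.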