Accepting request 628364 from devel:libraries:c_c++

- CVE-2018-14524: double free (boo#1102702) - CVE-2018-14471: NULL pointer dereference DoS (boo#1102696) (forwarded request 628363 from AndreasStieger) OBS-URL: https://build.opensuse.org/request/show/628364 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libredwg?expand=0&rev=3
2018-08-10 07:51:50 +00:00 · 2018-08-10 07:51:50 +00:00 · 6126df1498
commit 6126df1498
parent b3eb7bf25b 4a90581b26
4 changed files with 96 additions and 0 deletions
--- a/CVE-2018-14471.patch
+++ b/CVE-2018-14471.patch
@ -0,0 +1,29 @@
+From 7bb6307da56c753b962de127a43ebde3e621ecbb Mon Sep 17 00:00:00 2001
+From: Reini Urban <rurban@cpan.org>
+Date: Fri, 20 Jul 2018 22:29:51 +0200
+Subject: [PATCH] protect dwg_obj_block_control_get_block_headers
+
+from empty ctrl->block_headers. Fixes [GH #32]
+---
+ src/dwg_api.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/dwg_api.c b/src/dwg_api.c
+index f44f6207..82776188 100644
+--- a/src/dwg_api.c
+++ b/src/dwg_api.c
+@@ -17888,7 +17888,13 @@ dwg_obj_block_control_get_block_headers(const dwg_obj_block_control *restrict ct
+ {
+   dwg_object_ref **ptx = (dwg_object_ref**)
+     malloc(ctrl->num_entries * sizeof(Dwg_Object_Ref *));
+-  if (ptx)
+  if (ctrl->num_entries && !ctrl->block_headers)
+    {
+      *error = 1;
+      LOG_ERROR("%s: null block_headers", __FUNCTION__);
+      return NULL;
+    }
+  else if (ptx)
+     {
+       BITCODE_BS i;
+       *error = 0;
--- a/CVE-2018-14524.patch
+++ b/CVE-2018-14524.patch
@ -0,0 +1,55 @@
+From 9a8b9fb49108bab5d12f3353292f8fd8ea12898f Mon Sep 17 00:00:00 2001
+From: Reini Urban <rurban@cpan.org>
+Date: Mon, 23 Jul 2018 15:22:08 +0200
+Subject: [PATCH] free: improve eed double-free
+
+Fixes [GH #33], detected by jinyu00
+---
+ src/decode.c | 2 ++
+ src/free.c   | 6 ++----
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/decode.c b/src/decode.c
+index 74668403..fb09f11a 100644
+--- a/src/decode.c
+++ b/src/decode.c
+@@ -2309,6 +2309,7 @@ dwg_decode_eed(Bit_Chain * dat, Dwg_Object_Object * obj)
+         LOG_ERROR("No EED[%d].handle", idx);
+         obj->num_eed = 0;
+         free(obj->eed);
+        obj->eed = NULL;
+         return error;
+       } else {
+         end = dat->byte + size;
+@@ -2372,6 +2373,7 @@ dwg_decode_eed(Bit_Chain * dat, Dwg_Object_Object * obj)
+                       free(obj->eed[idx].raw);
+                     free(obj->eed[idx].data);
+                     free(obj->eed);
+                    obj->eed = NULL;
+                     dat->byte = end;
+                     return DWG_ERR_VALUEOUTOFBOUNDS; /* may not continue */
+ #endif
+diff --git a/src/free.c b/src/free.c
+index ce6940e7..65fb3f9e 100644
+--- a/src/free.c
+++ b/src/free.c
+@@ -267,8 +267,7 @@ dwg_free_eed(Dwg_Object* obj)
+     for (i=0; i < _obj->num_eed; i++) {
+       if (_obj->eed[i].size)
+         FREE_IF(_obj->eed[i].raw);
+-      if (_obj->eed[i].data)
+-        FREE_IF(_obj->eed[i].data);
+      FREE_IF(_obj->eed[i].data);
+     }
+     FREE_IF(_obj->eed);
+   }
+@@ -277,8 +276,7 @@ dwg_free_eed(Dwg_Object* obj)
+     for (i=0; i < _obj->num_eed; i++) {
+       if (_obj->eed[i].size)
+         FREE_IF(_obj->eed[i].raw);
+-      if (_obj->eed[i].data)
+-        FREE_IF(_obj->eed[i].data);
+      FREE_IF(_obj->eed[i].data);
+     }
+     FREE_IF(_obj->eed);
+   }
--- a/libredwg.changes
+++ b/libredwg.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Aug  9 09:34:20 UTC 2018 - astieger@suse.com
+
+- CVE-2018-14524: double free (boo#1102702)
+  add CVE-2018-14524.patch
+- CVE-2018-14471: NULL pointer dereference DoS (boo#1102696)
+  add CVE-2018-14471.patch
+
 -------------------------------------------------------------------
 Sat Jul 14 10:00:58 UTC 2018 - jengelh@inai.de

--- a/libredwg.spec
+++ b/libredwg.spec
@ -27,6 +27,8 @@ Source:         https://ftp.gnu.org/pub/gnu/%{name}/%{name}-%{version}.tar.xz
 Source2:        https://ftp.gnu.org/pub/gnu/%{name}/%{name}-%{version}.tar.xz.sig
 Source3:        http://savannah.gnu.org/people/viewgpg.php?user_id=101103#/%{name}.keyring
 Source4:        %{name}-rpmlintrc
+Patch0:         CVE-2018-14471.patch
+Patch1:         CVE-2018-14524.patch

 %description
 GNU LibreDWG is a C library to handle DWG files. It can replace the
@ -67,6 +69,8 @@ OpenDWG libraries. DWG is the native file format of AutoCAD.

 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1

 %build
 %configure \