diff --git a/CVE-2018-14471.patch b/CVE-2018-14471.patch
new file mode 100644
index 0000000..922fe4e
--- /dev/null
+++ b/CVE-2018-14471.patch
@@ -0,0 +1,29 @@
+From 7bb6307da56c753b962de127a43ebde3e621ecbb Mon Sep 17 00:00:00 2001
+From: Reini Urban
+Date: Fri, 20 Jul 2018 22:29:51 +0200
+Subject: [PATCH] protect dwg_obj_block_control_get_block_headers
+
+from empty ctrl->block_headers. Fixes [GH #32]
+---
+ src/dwg_api.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/dwg_api.c b/src/dwg_api.c
+index f44f6207..82776188 100644
+--- a/src/dwg_api.c
++++ b/src/dwg_api.c
+@@ -17888,7 +17888,13 @@ dwg_obj_block_control_get_block_headers(const dwg_obj_block_control *restrict ct
+ {
+ dwg_object_ref **ptx = (dwg_object_ref**)
+ malloc(ctrl->num_entries * sizeof(Dwg_Object_Ref *));
+- if (ptx)
++ if (ctrl->num_entries && !ctrl->block_headers)
++ {
++ *error = 1;
++ LOG_ERROR("%s: null block_headers", __FUNCTION__);
++ return NULL;
++ }
++ else if (ptx)
+ {
+ BITCODE_BS i;
+ *error = 0;
diff --git a/CVE-2018-14524.patch b/CVE-2018-14524.patch
new file mode 100644
index 0000000..cd543ae
--- /dev/null
+++ b/CVE-2018-14524.patch
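Review bot: The new early return for a null `block_headers` leaks `ptx`, because the `malloc` above the added check has already run by the time `return NULL;` is reached. Either release it on that path with `free(ptx);` before `return NULL;`, or move the `ctrl->num_entries && !ctrl->block_headers` test ahead of the allocation so nothing is allocated for a malformed control object. This branch is the one taken for the malformed input the patch guards against, so a long-running process that parses many such files would presumably accumulate the leak. The function body continues past the end of the hunk, so the remaining branches are not visible here.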
@@ -0,0 +1,55 @@
+From 9a8b9fb49108bab5d12f3353292f8fd8ea12898f Mon Sep 17 00:00:00 2001
+From: Reini Urban
+Date: Mon, 23 Jul 2018 15:22:08 +0200
+Subject: [PATCH] free: improve eed double-free
+
+Fixes [GH #33], detected by jinyu00
+---
+ src/decode.c | 2 ++
+ src/free.c | 6 ++----
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/decode.c b/src/decode.c
+index 74668403..fb09f11a 100644
+--- a/src/decode.c
++++ b/src/decode.c
+@@ -2309,6 +2309,7 @@ dwg_decode_eed(Bit_Chain * dat, Dwg_Object_Object * obj)
+ LOG_ERROR("No EED[%d].handle", idx);
+ obj->num_eed = 0;
+ free(obj->eed);
++ obj->eed = NULL;
+ return error;
+ } else {
+ end = dat->byte + size;
+@@ -2372,6 +2373,7 @@ dwg_decode_eed(Bit_Chain * dat, Dwg_Object_Object * obj)
+ free(obj->eed[idx].raw);
+ free(obj->eed[idx].data);
+ free(obj->eed);
++ obj->eed = NULL;
+ dat->byte = end;
+ return DWG_ERR_VALUEOUTOFBOUNDS; /* may not continue */
+ #endif
+diff --git a/src/free.c b/src/free.c
+index ce6940e7..65fb3f9e 100644
+--- a/src/free.c
++++ b/src/free.c
+@@ -267,8 +267,7 @@ dwg_free_eed(Dwg_Object* obj)
+ for (i=0; i < _obj->num_eed; i++) {
+ if (_obj->eed[i].size)
+ FREE_IF(_obj->eed[i].raw);
+- if (_obj->eed[i].data)
+- FREE_IF(_obj->eed[i].data);
++ FREE_IF(_obj->eed[i].data);
+ }
+ FREE_IF(_obj->eed);
+ }
+@@ -277,8 +276,7 @@ dwg_free_eed(Dwg_Object* obj)
+ for (i=0; i < _obj->num_eed; i++) {
+ if (_obj->eed[i].size)
+ FREE_IF(_obj->eed[i].raw);
+- if (_obj->eed[i].data)
+- FREE_IF(_obj->eed[i].data);
++ FREE_IF(_obj->eed[i].data);
+ }
+ FREE_IF(_obj->eed);
+ }
diff --git a/libredwg.changes b/libredwg.changes
index 9dee7ad..5c0a35e 100644
--- a/libredwg.changes
+++ b/libredwg.changes
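Review bot: The second `dwg_decode_eed` error path (the one returning `DWG_ERR_VALUEOUTOFBOUNDS`) now sets `obj->eed = NULL` but, in the lines shown, does not reset `obj->num_eed` the way the first path does with `obj->num_eed = 0;`. Both loops in `dwg_free_eed` index `_obj->eed[i]` for `i < _obj->num_eed`, so a non-zero count left beside a NULL array would trade the double free for a NULL dereference unless a guard outside the hunk prevents it. I would add `obj->num_eed = 0;` next to the new `obj->eed = NULL;` so the count and the pointer stay consistent. That path also frees only `obj->eed[idx].raw` and `.data` before freeing the array, so entries below `idx` may leak; both functions extend beyond the hunks, so this needs confirming against the full source.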
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Aug 9 09:34:20 UTC 2018 - astieger@suse.com
+
+- CVE-2018-14524: double free (boo#1102702)
+ add CVE-2018-14524.patch
+- CVE-2018-14471: NULL pointer dereference DoS (boo#1102696)
+ add CVE-2018-14471.patch
+
 -------------------------------------------------------------------
 Sat Jul 14 10:00:58 UTC 2018 - jengelh@inai.de
diff --git a/libredwg.spec b/libredwg.spec
index 357fded..e0d7671 100644
--- a/libredwg.spec
+++ b/libredwg.spec
@@ -27,6 +27,8 @@ Source: https://ftp.gnu.org/pub/gnu/%{name}/%{name}-%{version}.tar.xz
 Source2: https://ftp.gnu.org/pub/gnu/%{name}/%{name}-%{version}.tar.xz.sig
 Source3: http://savannah.gnu.org/people/viewgpg.php?user_id=101103#/%{name}.keyring
 Source4: %{name}-rpmlintrc
+Patch0: CVE-2018-14471.patch
+Patch1: CVE-2018-14524.patch
 %description
 GNU LibreDWG is a C library to handle DWG files. It can replace the
@@ -67,6 +69,8 @@ OpenDWG libraries. DWG is the native file format of AutoCAD.
 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
 %build
 %configure \