02/05: gnu: plib: Fix CVE-2011-4620, CVE-2012-4552.

guix-commits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

02/05: gnu: plib: Fix CVE-2011-4620, CVE-2012-4552.

From:	guix-commits
Subject:	02/05: gnu: plib: Fix CVE-2011-4620, CVE-2012-4552.
Date:	Wed, 10 Jul 2019 05:48:12 -0400 (EDT)

efraim pushed a commit to branch master
in repository guix.

commit 05f386f103bbd0145ac2fcf8b920bb27f1b518a4
Author: Efraim Flashner <address@hidden>
Date:   Wed Jul 10 11:58:47 2019 +0300

    gnu: plib: Fix CVE-2011-4620, CVE-2012-4552.
    
    * gnu/packages/game-development.scm (plib)[patches]: Add patches.
    * gnu/packages/patches/plib-CVE-2011-4620.patch,
    gnu/packages/patches/plib-CVE-2012-4552.patch: New files.
    * gnu/local.mk (dist_patch_DATA): Register them.
---
 gnu/local.mk                                  |  2 +
 gnu/packages/game-development.scm             |  4 +-
 gnu/packages/patches/plib-CVE-2011-4620.patch | 13 ++++++
 gnu/packages/patches/plib-CVE-2012-4552.patch | 57 +++++++++++++++++++++++++++
 4 files changed, 75 insertions(+), 1 deletion(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index 7dcac4f..01c3ce0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1182,6 +1182,8 @@ dist_patch_DATA =                                         
\
   %D%/packages/patches/pixman-CVE-2016-5296.patch              \
   %D%/packages/patches/plink-1.07-unclobber-i.patch            \
   %D%/packages/patches/plink-endian-detection.patch            \
+  %D%/packages/patches/plib-CVE-2011-4620.patch                \
+  %D%/packages/patches/plib-CVE-2012-4552.patch                \
   %D%/packages/patches/plotutils-libpng-jmpbuf.patch           \
   %D%/packages/patches/podofo-cmake-3.12.patch                 \
   %D%/packages/patches/portaudio-audacity-compat.patch         \
diff --git a/gnu/packages/game-development.scm 
b/gnu/packages/game-development.scm
index 05a68b7..7eac935 100644
--- a/gnu/packages/game-development.scm
+++ b/gnu/packages/game-development.scm
@@ -1434,7 +1434,9 @@ joystick support.")))
                                   "plib-" version ".tar.gz"))
               (sha256
                (base32
-                "0cha71mflpa10vh2l7ipyqk67dq2y0k5xbafwdks03fwdyzj4ns8"))))
+                "0cha71mflpa10vh2l7ipyqk67dq2y0k5xbafwdks03fwdyzj4ns8"))
+              (patches (search-patches "plib-CVE-2011-4620.patch"
+                                       "plib-CVE-2012-4552.patch"))))
     (build-system gnu-build-system)
     (inputs
      `(("mesa" ,mesa)
diff --git a/gnu/packages/patches/plib-CVE-2011-4620.patch 
b/gnu/packages/patches/plib-CVE-2011-4620.patch
new file mode 100644
index 0000000..c5a03bd
--- /dev/null
+++ b/gnu/packages/patches/plib-CVE-2011-4620.patch
@@ -0,0 +1,13 @@
+https://sources.debian.org/data/main/p/plib/1.8.5-8/debian/patches/04_CVE-2011-4620.diff
+
+--- a/src/util/ulError.cxx
++++ b/src/util/ulError.cxx
+@@ -39,7 +39,7 @@
+ {
+   va_list argp;
+   va_start ( argp, fmt ) ;
+-  vsprintf ( _ulErrorBuffer, fmt, argp ) ;
++  vsnprintf ( _ulErrorBuffer, sizeof(_ulErrorBuffer), fmt, argp ) ;
+   va_end ( argp ) ;
+  
+   if ( _ulErrorCB )
diff --git a/gnu/packages/patches/plib-CVE-2012-4552.patch 
b/gnu/packages/patches/plib-CVE-2012-4552.patch
new file mode 100644
index 0000000..7b69785
--- /dev/null
+++ b/gnu/packages/patches/plib-CVE-2012-4552.patch
@@ -0,0 +1,57 @@
+https://sources.debian.org/data/main/p/plib/1.8.5-8/debian/patches/05_CVE-2012-4552.diff
+
+diff -up plib-1.8.5/src/ssg/ssgParser.cxx~ plib-1.8.5/src/ssg/ssgParser.cxx
+--- plib-1.8.5/src/ssg/ssgParser.cxx~  2008-03-11 03:06:23.000000000 +0100
++++ plib-1.8.5/src/ssg/ssgParser.cxx   2012-11-01 15:33:12.424483374 +0100
+@@ -57,18 +57,16 @@ void _ssgParser::error( const char *form
+   char msgbuff[ 255 ];
+   va_list argp;
+ 
+-  char* msgptr = msgbuff;
+-  if (linenum)
+-  {
+-    msgptr += sprintf ( msgptr,"%s, line %d: ",
+-      path, linenum );
+-  }
+-
+   va_start( argp, format );
+-  vsprintf( msgptr, format, argp );
++  vsnprintf( msgbuff, sizeof(msgbuff), format, argp );
+   va_end( argp );
+ 
+-  ulSetError ( UL_WARNING, "%s", msgbuff ) ;
++  if (linenum)
++  {
++    ulSetError ( UL_WARNING, "%s, line %d: %s", path, linenum, msgbuff ) ;
++  } else {
++    ulSetError ( UL_WARNING, "%s", msgbuff ) ;
++  }
+ }
+ 
+ 
+@@ -78,18 +76,16 @@ void _ssgParser::message( const char *fo
+   char msgbuff[ 255 ];
+   va_list argp;
+ 
+-  char* msgptr = msgbuff;
+-  if (linenum)
+-  {
+-    msgptr += sprintf ( msgptr,"%s, line %d: ",
+-      path, linenum );
+-  }
+-
+   va_start( argp, format );
+-  vsprintf( msgptr, format, argp );
++  vsnprintf( msgbuff, sizeof(msgbuff), format, argp );
+   va_end( argp );
+ 
+-  ulSetError ( UL_DEBUG, "%s", msgbuff ) ;
++  if (linenum)
++  {
++    ulSetError ( UL_DEBUG, "%s, line %d: %s", path, linenum, msgbuff ) ;
++  } else {
++    ulSetError ( UL_DEBUG, "%s", msgbuff ) ;
++  }
+ }
+ 
+ // Opens the file and does a few internal calculations based on the spec.

[Prev in Thread]

Current Thread

[Next in Thread]

branch master updated (11450f1 -> 841bddb), guix-commits, 2019/07/10
- 01/05: gnu: python-gnupg: Update to 0.4.4 [fixes CVE-2019-6690]., guix-commits, 2019/07/10
- 02/05: gnu: plib: Fix CVE-2011-4620, CVE-2012-4552., guix-commits <=
- 03/05: gnu: mujs: Update to 1.0.6 [fixes CVE-2019-1141{1, 2, 3}, CVE-2019-12798]., guix-commits, 2019/07/10
- 04/05: gnu: mupdf: Update to 1.15.0 [fixes CVE-2018-18662, CVE-2018-19777, CVE-2018-1988{1, 2}, CVE-2019-613{0, 1}, CVE-2019-7321]., guix-commits, 2019/07/10
- 05/05: gnu: a2ps: Fix CVE-2015-8107., guix-commits, 2019/07/10

Prev by Date: 01/05: gnu: python-gnupg: Update to 0.4.4 [fixes CVE-2019-6690].
Next by Date: 03/05: gnu: mujs: Update to 1.0.6 [fixes CVE-2019-1141{1, 2, 3}, CVE-2019-12798].
Previous by thread: 01/05: gnu: python-gnupg: Update to 0.4.4 [fixes CVE-2019-6690].
Next by thread: 03/05: gnu: mujs: Update to 1.0.6 [fixes CVE-2019-1141{1, 2, 3}, CVE-2019-12798].
Index(es):
- Date
- Thread