Index: trunk/server/common/patches/dvipng-CVE-2010-0829.patch
===================================================================
--- trunk/server/common/patches/dvipng-CVE-2010-0829.patch	(revision 1559)
+++ trunk/server/common/patches/dvipng-CVE-2010-0829.patch	(revision 1559)
@@ -0,0 +1,107 @@
+--- ../dvipng-1.12/dvipng.h	2010-03-17 14:26:02.568367634 +0100
++++ /home/jalar/cvs/dvipng/dvipng.h	2010-03-18 08:43:26.383609220 +0100
+@@ -387,9 +374,9 @@
+ void      WriteImage(char*, int);
+ void      LoadPK(int32_t, register struct char_entry *);
+ int32_t   SetChar(int32_t);
+-dviunits  SetGlyph(int32_t c, int32_t hh,int32_t vv);
++dviunits  SetGlyph(struct char_entry *ptr, int32_t hh,int32_t vv);
+ void      Gamma(double gamma);
+-int32_t   SetVF(int32_t);
++int32_t   SetVF(struct char_entry *ptr);
+ int32_t   SetRule(int32_t, int32_t, int32_t, int32_t);
+ void      SetSpecial(char *, int32_t, int32_t);
+ void      BeginVFMacro(struct font_entry*);
+--- ../dvipng-1.12/draw.c	2010-03-17 14:26:02.373968076 +0100
++++ /home/jalar/cvs/dvipng/draw.c	2010-03-17 13:52:14.625364911 +0100
+@@ -79,9 +79,15 @@
+ 
+   if (currentfont==NULL) 
+     Fatal("faulty DVI, trying to set character from null font");
+-
+-  if (c>=0 && c<=LASTFNTCHAR) 
+-    ptr = currentfont->chr[c];
++  if (c<0 || c>LASTFNTCHAR) {
++    Warning("glyph index out of range (%d), skipping",c);
++    return(0);
++  }
++  ptr=currentfont->chr[c];
++  if (ptr==NULL) {
++    Warning("unable to draw glyph %d, skipping",c);
++    return(0);
++  }
+ #ifdef DEBUG
+   switch (currentfont->type) {
+   case FONT_TYPE_VF: DEBUG_PRINT(DEBUG_DVI,("\n  VF CHAR:\t")); break;
+@@ -90,15 +96,15 @@
+   case FONT_TYPE_FT: DEBUG_PRINT(DEBUG_DVI,("\n  FT CHAR:\t")); break;
+   default: DEBUG_PRINT(DEBUG_DVI,("\n  NO CHAR:\t"))
+   }
+-  if (isprint(c))
++  if (debug & DEBUG_DVI && c>=0 && c<=UCHAR_MAX && isprint(c))
+     DEBUG_PRINT(DEBUG_DVI,("'%c' ",c));
+   DEBUG_PRINT(DEBUG_DVI,("%d at (%d,%d) tfmw %d", c,
+ 			 dvi_stack->hh,dvi_stack->vv,ptr?ptr->tfmw:0));
+ #endif
+   if (currentfont->type==FONT_TYPE_VF) {
+-    return(SetVF(c));
++    return(SetVF(ptr));
+   } else {
+-    if (ptr!=NULL && ptr->data == NULL) 
++    if (ptr->data == NULL) 
+       switch(currentfont->type) {
+       case FONT_TYPE_PK:	LoadPK(c, ptr); break;
+ #ifdef HAVE_LIBT1
+@@ -111,8 +117,8 @@
+ 	Fatal("undefined fonttype %d",currentfont->type);
+       }
+     if (page_imagep != NULL)
+-      return(SetGlyph(c, dvi_stack->hh, dvi_stack->vv));
+-    else if (ptr!=NULL) {
++      return(SetGlyph(ptr, dvi_stack->hh, dvi_stack->vv));
++    else {
+       /* Expand bounding box if necessary */
+       min(x_min,dvi_stack->hh - ptr->xOffset/shrinkfactor);
+       min(y_min,dvi_stack->vv - ptr->yOffset/shrinkfactor);
+--- ../dvipng-1.12/vf.c	2010-03-17 14:26:02.438184849 +0100
++++ /home/jalar/cvs/dvipng/vf.c	2010-03-17 13:52:43.098991873 +0100
+@@ -27,11 +27,10 @@
+ #define VF_ID 202
+ #define LONG_CHAR 242
+ 
+-int32_t SetVF(int32_t c) 
++int32_t SetVF(struct char_entry* ptr) 
+ {
+   struct font_entry* currentvf;
+   unsigned char *command,*end;
+-  struct char_entry* ptr=currentfont->chr[c];
+ 
+   currentvf=currentfont;
+   BeginVFMacro(currentvf);
+--- ../dvipng-1.12/set.c	2010-03-17 14:26:02.541089281 +0100
++++ /home/jalar/cvs/dvipng/set.c	2010-03-17 13:52:26.795955795 +0100
+@@ -203,23 +202,13 @@
+   }
+ }
+ 
+-dviunits SetGlyph(int32_t c, int32_t hh,int32_t vv)
++dviunits SetGlyph(struct char_entry *ptr, int32_t hh,int32_t vv)
+ /* gdImageChar can only do monochrome glyphs */
+ {
+-  register struct char_entry *ptr;
+   int dst_alpha,dst_weight,tot_weight,alpha;
+   int x,y,pos=0;
+   int bgColor,pixelgrey,pixelcolor;
+ 
+-  if (c<0 || c>LASTFNTCHAR) {
+-    Warning("glyph index too large (%d), skipping",c);
+-    return(0);
+-  }
+-  ptr=currentfont->chr[c];
+-  if (ptr==NULL) {
+-    Warning("unable to draw glyph %d, skipping",c);
+-    return(0);
+-  }
+   hh -= ptr->xOffset/shrinkfactor;
+   vv -= ptr->yOffset/shrinkfactor;
+   /* Initialize persistent color cache. Perhaps this should be in
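Review bot: After this patch `SetGlyph()` and `SetVF()` dereference `ptr` with no check of their own (for example `hh -= ptr->xOffset/shrinkfactor;` in set.c), so the range and NULL validation that fixes CVE-2010-0829 now lives only in the draw.c caller. That contract is not written down anywhere. I would add a comment above the two changed prototypes in dvipng.h, such as `/* ptr must be a non-NULL entry of currentfont->chr[]; the caller does the range and NULL checks */`. Any call site of either function outside the files touched here is not visible in this patch and would need the same checks before passing a pointer. The bodies of the draw.c function, `SetVF()` and `SetGlyph()` all continue outside the hunks shown.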
Index: trunk/server/fedora/Makefile
===================================================================
--- trunk/server/fedora/Makefile	(revision 1558)
+++ trunk/server/fedora/Makefile	(revision 1559)
@@ -19,5 +19,5 @@
 # See /COPYRIGHT in this repository for more information.
 
-upstream_yum	= krb5 krb5.i586 httpd openssh shadow-utils texlive
+upstream_yum	= krb5 krb5.i586 httpd openssh shadow-utils texlive dvipng
 upstream	= openafs $(upstream_yum) moira cluster-glue heartbeat pacemaker
 oursrc		= execsys tokensys accountadm httpdmods logview sql-signup nss_nonlocal nss_nonlocal.i586 whoisd mit-zephyr athrun php_scripts scripts-wizard scripts-base
Index: trunk/server/fedora/specs/dvipng.spec.patch
===================================================================
--- trunk/server/fedora/specs/dvipng.spec.patch	(revision 1559)
+++ trunk/server/fedora/specs/dvipng.spec.patch	(revision 1559)
@@ -0,0 +1,28 @@
+--- dvipng.spec.orig	2010-05-07 02:36:45.000000000 -0400
++++ dvipng.spec	2010-05-07 02:47:57.000000000 -0400
+@@ -1,6 +1,6 @@
+ Name:           dvipng
+ Version:        1.11
+-Release:        2%{?dist}
++Release:        2.scripts.%{scriptsversion}%{?dist}
+ Summary:        Converts DVI files to PNG/GIF format
+ 
+ Group:          Applications/Publishing 
+@@ -8,6 +8,8 @@
+ URL:            http://savannah.nongnu.org/projects/dvipng/
+ Source0:        http://download.savannah.gnu.org/releases/dvipng/%{name}-%{version}.tar.gz
+ 
++Patch1000:      dvipng-CVE-2010-0829.patch
++
+ BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+ BuildRequires:  kpathsea-devel gd-devel zlib-devel libpng-devel texinfo-tex
+ BuildRequires:  t1lib-devel freetype-devel
+@@ -26,6 +28,8 @@
+ %prep
+ %setup -q
+ 
++%patch1000 -p2 -b .cve-2010-0829
++
+ %build
+ %configure
+ make %{?_smp_mflags}
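Review bot: The `Patch1000` line carries no comment on the patch's origin, and the file headers inside dvipng-CVE-2010-0829.patch show it was diffed against `../dvipng-1.12/` while this spec builds `Version: 1.11`. The hunk offsets may therefore not match the 1.11 sources, and `%patch1000 -p2` depends on patch finding `dvipng.h`, `draw.c`, `vf.c` and `set.c` after stripping those mixed path prefixes. It is worth confirming in a build log that all four files apply without fuzz or rejects, since a partially applied security fix would be easy to miss. I would record this above the `Patch1000` line with a comment like `# Fix for CVE-2010-0829, diffed against dvipng 1.12; checked to apply to 1.11`.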
