packages/texlive-base
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!67 [sync] PR-61: Fix CVE-2023-46048

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @wk333 
Signed-off-by: @wk333
This commit is contained in:
openeuler-ci-bot 2024-08-08 01:07:43 +00:00 committed by Gitee
commit dcf9c9bf2f
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 61 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
CVE-2023-46048.patch Normal file
View File

@ -0,0 +1,54 @@
Origin:
https://github.com/TeX-Live/texlive-source/commit/33b330bc48ed2df69daf80a81be3cde8bf794816
https://tug.org/pipermail/tex-live/2023-August/049402.html
From 33b330bc48ed2df69daf80a81be3cde8bf794816 Mon Sep 17 00:00:00 2001
From: Karl Berry <karl@freefriends.org>
Date: Sat, 26 Aug 2023 17:50:10 +0000
Subject: [PATCH] guard against corrupt pfb in dup tests, pdftex r910
git-svn-id: svn://tug.org/texlive/trunk/Build/source@68069 c570f23f-e606-0410-a88d-b1316a301751
---
texlive-20180414-source/texk/web2c/pdftexdir/writet1.c | 15 ++++++++++++---
1 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/texlive-20180414-source/texk/web2c/pdftexdir/writet1.c b/texlive-20180414-source/texk/web2c/pdftexdir/writet1.c
index 0444d46be0..f2a8386cab 100644
--- a/texlive-20180414-source/texk/web2c/pdftexdir/writet1.c
+++ b/texlive-20180414-source/texk/web2c/pdftexdir/writet1.c
@@ -841,7 +841,10 @@ static char **t1_builtin_enc(void)
*t1_buf_array == '/' && valid_code(i)) {
if (strcmp(t1_buf_array + 1, notdef) != 0)
glyph_names[i] = xstrdup(t1_buf_array + 1);
- p = strstr(p, " put") + strlen(" put");
+ p = strstr(p, " put");
+ if (!p)
+ pdftex_fail("invalid pfb, no put found in dup");
+ p += strlen(" put");
skip(p, ' ');
}
/*
@@ -850,7 +853,10 @@ static char **t1_builtin_enc(void)
else if (sscanf(p, "dup dup %i exch %i get put", &b, &a) == 2
&& valid_code(a) && valid_code(b)) {
copy_glyph_names(glyph_names, a, b);
- p = strstr(p, " get put") + strlen(" get put");
+ p = strstr(p, " get put");
+ if (!p)
+ pdftex_fail("invalid pfb, no get put found in dup dup");
+ p += strlen(" get put");
skip(p, ' ');
}
/*
@@ -861,7 +867,10 @@ static char **t1_builtin_enc(void)
&& valid_code(a) && valid_code(b) && valid_code(c)) {
for (i = 0; i < c; i++)
copy_glyph_names(glyph_names, a + i, b + i);
- p = strstr(p, " putinterval") + strlen(" putinterval");
+ p = strstr(p, " putinterval");
+ if (!p)
+ pdftex_fail("invalid pfb, no putinterval found in dup dup");
+ p += strlen(" putinterval");
skip(p, ' ');
}
/*

10
texlive-base.spec
View File

@ -4,7 +4,7 @@
Name: texlive-base Name: texlive-base
Version: 20180414 Version: 20180414
Release: 37 Release: 38
Epoch: 7 Epoch: 7
Summary: TeX formatting system Summary: TeX formatting system
License: ASL 2.0 and LGPL-2.1-only and Zlib and OFL-1.1 and Public Domain and LGPL-2.0-only and GPLv2+ and MPL-1.1 and Libpng and LGPL-3.0-only and BSL-1.0 and GPLv2 and GPLv3 and CPL-1.0 and IJG and MIT and LPPL-1.3c and ICU and psutils License: ASL 2.0 and LGPL-2.1-only and Zlib and OFL-1.1 and Public Domain and LGPL-2.0-only and GPLv2+ and MPL-1.1 and Libpng and LGPL-3.0-only and BSL-1.0 and GPLv2 and GPLv3 and CPL-1.0 and IJG and MIT and LPPL-1.3c and ICU and psutils
@ -381,6 +381,7 @@ Patch0006: texlive-base-CVE-2018-17407.patch
Patch0007: fix-build-error-when-srctopdf-is-ok.patch Patch0007: fix-build-error-when-srctopdf-is-ok.patch
Patch0008: remove-support-of-poppler.patch Patch0008: remove-support-of-poppler.patch
Patch0009: CVE-2023-32700.patch Patch0009: CVE-2023-32700.patch
Patch0010: CVE-2023-46048.patch
Patch1000: 1000-add-sw_64-support-not-upstream-modified-files.patch Patch1000: 1000-add-sw_64-support-not-upstream-modified-files.patch
BuildRequires: xz libXaw-devel libXi-devel ncurses-devel bison flex file perl(Digest::MD5) texinfo gcc-c++ BuildRequires: xz libXaw-devel libXi-devel ncurses-devel bison flex file perl(Digest::MD5) texinfo gcc-c++
@ -8123,7 +8124,10 @@ done <<< "$list"
%doc %{_datadir}/texlive/texmf-dist/doc/latex/yplan/ %doc %{_datadir}/texlive/texmf-dist/doc/latex/yplan/
%changelog %changelog
* Sat Mar 18 2024 hefq343 <fengqing.he@shingroup.cn@> - 7:20180414-37 * Mon Aug 05 2024 wangkai <13474090681@163.com> - 7:20180414-38
- Fix CVE-2023-46048
* Mon Mar 18 2024 hefq343 <fengqing.he@shingroup.cn> - 7:20180414-37
- add ppc64le support - add ppc64le support
* Fri Aug 11 2023 yeqinglong <yeqinglong@kylinsec.com.cn> - 7:20180414-36 * Fri Aug 11 2023 yeqinglong <yeqinglong@kylinsec.com.cn> - 7:20180414-36
@ -8132,7 +8136,7 @@ done <<< "$list"
* Mon Jul 03 2023 yaoxin <yao_xin001@hoperun.com> - 7:20180414-35 * Mon Jul 03 2023 yaoxin <yao_xin001@hoperun.com> - 7:20180414-35
- Fix CVE-2023-32700 - Fix CVE-2023-32700
* Tue Jan 06 2023 misaka00251 <liuxin@iscas.ac.cn> - 20180414-34 * Fri Jan 06 2023 misaka00251 <liuxin@iscas.ac.cn> - 20180414-34
- Fix build on riscv64 - Fix build on riscv64
* Wed Jan 19 2022 xu_ping <xuping33@huawei.com> - 20180414-33 * Wed Jan 19 2022 xu_ping <xuping33@huawei.com> - 20180414-33