pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2006Q1]: pkgsrc/graphics/dia Pullup ticket 1320 - requested by...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/e9364f6f5c5a
branches:  pkgsrc-2006Q1
changeset: 510186:e9364f6f5c5a
user:      snj <snj%pkgsrc.org@localhost>
date:      Thu Apr 06 00:37:03 2006 +0000

description:
Pullup ticket 1320 - requested by salo
security fix for dia

Revisions pulled up:
- pkgsrc/graphics/dia/Makefile          1.42
- pkgsrc/graphics/dia/distinfo          1.15
- pkgsrc/graphics/dia/patches/patch-ac  1.1
- pkgsrc/graphics/dia/patches/patch-ad  1.1

   Module Name:    pkgsrc
   Committed By:   salo
   Date:           Tue Apr  4 14:52:15 UTC 2006

   Modified Files:
           pkgsrc/graphics/dia: Makefile distinfo
   Added Files:
           pkgsrc/graphics/dia/patches: patch-ac patch-ad

   Log Message:
   Security fix for CVE-2006-1550:

   "Multiple buffer overflows in the xfig import code (xfig-import.c) in Dia
    0.87 and later before 0.95-pre6 allow user-complicit attackers to have an
    unknown impact via a crafted xfig file, possibly involving an invalid (1)
    color index, (2) number of points, or (3) depth."

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1550
   http://mail.gnome.org/archives/dia-list/2006-March/msg00149.html

   Fix from Dia CVS.

diffstat:

 graphics/dia/Makefile         |    4 +-
 graphics/dia/distinfo         |    4 +-
 graphics/dia/patches/patch-ac |   14 +++
 graphics/dia/patches/patch-ad |  196 ++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 215 insertions(+), 3 deletions(-)

diffs (248 lines):

diff -r d900203b4244 -r e9364f6f5c5a graphics/dia/Makefile
--- a/graphics/dia/Makefile     Wed Apr 05 14:10:46 2006 +0000
+++ b/graphics/dia/Makefile     Thu Apr 06 00:37:03 2006 +0000
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.41 2006/03/21 06:00:45 jlam Exp $
+# $NetBSD: Makefile,v 1.41.2.1 2006/04/06 00:37:03 snj Exp $
 #
 
 .include "Makefile.common"
 
-PKGREVISION=   5
+PKGREVISION=   6
 
 USE_DIRS+=     xdg-1.1
 
diff -r d900203b4244 -r e9364f6f5c5a graphics/dia/distinfo
--- a/graphics/dia/distinfo     Wed Apr 05 14:10:46 2006 +0000
+++ b/graphics/dia/distinfo     Thu Apr 06 00:37:03 2006 +0000
@@ -1,8 +1,10 @@
-$NetBSD: distinfo,v 1.14 2006/02/24 02:52:22 minskim Exp $
+$NetBSD: distinfo,v 1.14.2.1 2006/04/06 00:37:03 snj Exp $
 
 SHA1 (dia-0.94.tar.gz) = a55128bd56e76295c9bc8217f25b6ec079727e25
 RMD160 (dia-0.94.tar.gz) = f7e20b294b7b739d5f408c34e0fbc533def5e3b9
 Size (dia-0.94.tar.gz) = 5241128 bytes
 SHA1 (patch-aa) = f556878638291a696894181c5a6907e688589530
 SHA1 (patch-ab) = f419cc82faa524ac1f02e88ae3264fcb9b453e09
+SHA1 (patch-ac) = ecc4ed32089980cf5fa1697c278386fe5856f8bb
+SHA1 (patch-ad) = 7e3874ebcaa1781e5d2ad406258a3e7ab1285503
 SHA1 (patch-be) = dab7626daefcd702b31f54d198311d9be921e1ff
diff -r d900203b4244 -r e9364f6f5c5a graphics/dia/patches/patch-ac
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/dia/patches/patch-ac     Thu Apr 06 00:37:03 2006 +0000
@@ -0,0 +1,14 @@
+$NetBSD: patch-ac,v 1.1.2.2 2006/04/06 00:37:04 snj Exp $
+
+Security fix for CVE-2006-1550, from Dia CVS.
+
+--- plug-ins/xfig/xfig.h.orig  2004-08-16 09:56:21.000000000 +0200
++++ plug-ins/xfig/xfig.h       2006-04-04 15:25:30.000000000 +0200
+@@ -6,6 +6,7 @@
+ 
+ #define FIG_MAX_DEFAULT_COLORS 32
+ #define FIG_MAX_USER_COLORS 512
++#define FIG_MAX_DEPTHS 1000
+ /* 1200 PPI */
+ #define FIG_UNIT 472.440944881889763779527559055118
+ /* 1/80 inch */
diff -r d900203b4244 -r e9364f6f5c5a graphics/dia/patches/patch-ad
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/dia/patches/patch-ad     Thu Apr 06 00:37:03 2006 +0000
@@ -0,0 +1,196 @@
+$NetBSD: patch-ad,v 1.1.2.2 2006/04/06 00:37:04 snj Exp $
+
+Security fix for CVE-2006-1550, from Dia CVS.
+
+--- plug-ins/xfig/xfig-import.c.orig   2004-08-16 09:56:21.000000000 +0200
++++ plug-ins/xfig/xfig-import.c        2006-04-04 15:25:30.000000000 +0200
+@@ -441,11 +441,17 @@
+ static Color
+ fig_color(int color_index) 
+ {
+-    if (color_index == -1) 
++    if (color_index <= -1) 
+         return color_black; /* Default color */
+-    if (color_index < FIG_MAX_DEFAULT_COLORS) 
++    else if (color_index < FIG_MAX_DEFAULT_COLORS) 
+         return fig_default_colors[color_index];
+-    else return fig_colors[color_index-FIG_MAX_DEFAULT_COLORS];
++    else if (color_index < FIG_MAX_USER_COLORS) 
++      return fig_colors[color_index-FIG_MAX_DEFAULT_COLORS];
++    else {
++      message_error(_("Color index %d too high, only 512 colors allowed. Using black instead."),
++                    color_index);
++      return color_black;
++    }
+ }
+ 
+ static Color
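Review bot: The two colour bounds added by this patch disagree with each other. fig_color() here accepts only `color_index < FIG_MAX_USER_COLORS`, while the definition check in the later `@@ -1347,6 +1360,12 @@` hunk accepts `colornumber` up to and including FIG_MAX_USER_COLORS, so colour 512 can be defined but is then rejected on lookup. If fig_colors is declared with FIG_MAX_USER_COLORS entries, as the init loop in the `@@ -1551,7 +1570,7 @@` hunk suggests (the declaration and the store are outside the hunks), both checks stay in bounds and the mismatch is functional rather than a memory-safety gap. I would express both limits through the macros, `else if (color_index < FIG_MAX_DEFAULT_COLORS + FIG_MAX_USER_COLORS)` here and `if (colornumber < FIG_MAX_DEFAULT_COLORS || colornumber >= FIG_MAX_DEFAULT_COLORS + FIG_MAX_USER_COLORS)` there. The two messages should then stop hard-coding `512` and `0..%d`, because the lower bound actually enforced is 32.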
+@@ -563,23 +569,25 @@
+ static int
+ fig_read_n_points(FILE *file, int n, Point **points) {
+     int i;
+-    Point *new_points;
+-
+-    new_points = (Point*)g_malloc(sizeof(Point)*n);
++    GArray *points_list = g_array_sized_new(FALSE, FALSE, sizeof(Point), n);
+ 
+     for (i = 0; i < n; i++) {
+       int x,y;
++      Point p;
+       if (fscanf(file, " %d %d ", &x, &y) != 2) {
+           message_error(_("Error while reading %dth of %d points: %s\n"),
+                         i, n, strerror(errno));
+-          free(new_points);
++          g_array_free(points_list, TRUE);
+           return FALSE;
+       }
+-      new_points[i].x = x/FIG_UNIT;
+-      new_points[i].y = y/FIG_UNIT;
++      p.x = x/FIG_UNIT;
++      p.y = y/FIG_UNIT;
++      g_array_append_val(points_list, p);
+     }
+     fscanf(file, "\n");
+-    *points = new_points;
++    
++    *points = (Point *)points_list->data;
++    g_array_free(points_list, FALSE);
+     return TRUE;
+ }
+ 
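Review bot: `n` comes from the file and is passed unchecked as the reserve size to `g_array_sized_new()`, whose reserved_size parameter is a `guint`. A negative count is therefore converted to a very large unsigned reservation, and a large positive count is allocated up front before any point has been read. The loop itself is safe for negative `n`, but the import can still be made to abort in the allocator, so I would add `if (n < 0) return FALSE;` (with a message_error) before the allocation and cap the initial reservation so that `g_array_append_val()` grows the array as points actually parse. The buffer handed back through `*points` is now GLib-owned, and `g_array_free(points_list, FALSE)` already returns it, so callers (outside this hunk) need to release it with `g_free()` rather than `free()`.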
+@@ -683,7 +691,7 @@
+     return text_buf;
+ }
+ 
+-static GList *depths[1000];
++static GList *depths[FIG_MAX_DEPTHS];
+ 
+ /* If there's something in the compound stack, we ignore the depth field,
+    as it will be determined by the group anyway */
+@@ -693,6 +701,26 @@
+    level.  Best we can do now. */
+ static int compound_depth;
+ 
++/** Add an object at a given depth.  This function checks for depth limits
++ * and updates the compound depth if needed.
++ *
++ * @param newobj An object to add.  If we're inside a compound, this
++ * doesn't really add the object.
++ * @param depth A depth as in the Fig format, max 999
++ */
++static void
++add_at_depth(DiaObject *newobj, int depth) {
++    if (depth < 0 || depth >= FIG_MAX_DEPTHS) {
++      message_error(_("Depth %d of of range, only 0-%d allowed.\n"),
++                    depth, FIG_MAX_DEPTHS-1);
++      depth = FIG_MAX_DEPTHS - 1;
++    }
++    if (compound_stack == NULL) 
++      depths[depth] = g_list_append(depths[depth], newobj);
++    else 
++      if (compound_depth > depth) compound_depth = depth;
++}
++
+ static DiaObject *
+ fig_read_ellipse(FILE *file, DiagramData *dia) {
+     int sub_type;
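Review bot: The user-visible string in add_at_depth() has a typo, "of of range", which should read `_("Depth %d out of range, only 0-%d allowed.\n")`. The doc comment should also say that an out-of-range depth, including a negative one, is clamped to `FIG_MAX_DEPTHS - 1` rather than rejected, since that decides which layer a malformed object ends up on. The unbraced `else` followed by a nested `if` would be easier to read with braces on both branches.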
+@@ -749,10 +777,7 @@
+     /* Angle -- can't rotate yet */
+ 
+     /* Depth field */
+-    if (compound_stack == NULL)
+-      depths[depth] = g_list_append(depths[depth], newobj);
+-    else
+-      if (compound_depth > depth) compound_depth = depth;
++    add_at_depth(newobj, depth);
+ 
+     return newobj;
+ }
+@@ -885,10 +910,7 @@
+     /* Cap style */
+      
+     /* Depth field */
+-    if (compound_stack == NULL)
+-      depths[depth] = g_list_append(depths[depth], newobj);
+-    else
+-      if (compound_depth > depth) compound_depth = depth;
++    add_at_depth(newobj, depth);
+  exit:
+     prop_list_free(props);
+     g_free(forward_arrow_info);
+@@ -1111,10 +1133,7 @@
+     /* Cap style */
+      
+     /* Depth field */
+-    if (compound_stack == NULL)
+-      depths[depth] = g_list_append(depths[depth], newobj);
+-    else
+-      if (compound_depth > depth) compound_depth = depth;
++    add_at_depth(newobj, depth);
+  exit:
+     prop_list_free(props);
+     g_free(forward_arrow_info);
+@@ -1202,10 +1221,7 @@
+     /* Cap style */
+      
+     /* Depth field */
+-    if (compound_stack == NULL)
+-      depths[depth] = g_list_append(depths[depth], newobj);
+-    else
+-      if (compound_depth > depth) compound_depth = depth;
++    add_at_depth(newobj, depth);
+ 
+  exit:
+     g_free(forward_arrow_info);
+@@ -1298,10 +1314,7 @@
+     newobj->ops->set_props(newobj, props);
+     
+     /* Depth field */
+-    if (compound_stack == NULL)
+-      depths[depth] = g_list_append(depths[depth], newobj);
+-    else
+-      if (compound_depth > depth) compound_depth = depth;
++    add_at_depth(newobj, depth);
+ 
+  exit:
+     if (text_buf != NULL) free(text_buf);
+@@ -1347,6 +1360,12 @@
+           return FALSE;
+       }
+ 
++      if (colornumber < 32 || colornumber > FIG_MAX_USER_COLORS) {
++          message_error(_("Color number %d out of range 0..%d.  Discarding color.\n"),
++                        colornumber, FIG_MAX_USER_COLORS);
++          return FALSE;
++      }
++
+       color.red = ((colorvalues & 0x00ff0000)>>16) / 255.0;
+       color.green = ((colorvalues & 0x0000ff00)>>8) / 255.0;
+       color.blue = (colorvalues & 0x000000ff) / 255.0;
+@@ -1393,7 +1412,7 @@
+       }
+       /* Group extends don't really matter */
+       if (compound_stack == NULL)
+-          compound_depth = 999;
++          compound_depth = FIG_MAX_DEPTHS - 1;
+       compound_stack = g_slist_append(compound_stack, NULL);
+       return TRUE;
+       break;
+@@ -1551,7 +1570,7 @@
+     for (i = 0; i < FIG_MAX_USER_COLORS; i++) {
+       fig_colors[i] = color_black;
+     }
+-    for (i = 0; i < 1000; i++) {
++    for (i = 0; i < FIG_MAX_DEPTHS; i++) {
+       depths[i] = NULL;
+     }
+ 
+@@ -1606,7 +1625,7 @@
+     } while (TRUE);
+ 
+     /* Now we can reorder for the depth fields */
+-    for (i = 0; i < 1000; i++) {
++    for (i = 0; i < FIG_MAX_DEPTHS; i++) {
+       if (depths[i] != NULL)
+           layer_add_objects_first(dia->active_layer, depths[i]);
+     }


