[pkgsrc/trunk]: pkgsrc/graphics/libwmf Security fix for CVE-2006-3376:

[salo <salo%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/912d204cf14a
branches:  trunk
changeset: 517718:912d204cf14a
user:      salo <salo%pkgsrc.org@localhost>
date:      Sun Aug 20 21:38:45 2006 +0000

description:
Security fix for CVE-2006-3376:

"A vulnerability in libwmf can be potentially exploited by malicious
 people to compromise an application using the vulnerable library.

 The vulnerability is caused due to an integer overflow error when
 allocating memory based on a value taken directly from a WMF file
 without performing any checks. This can be exploited to cause a
 heap-based buffer overflow when a specially crafted WMF file is
 processed.

 Successful exploitation may allow execution of arbitrary code."

http://secunia.com/advisories/20921/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3376

Patch from Red Hat.  Bump PKGREVISION.

diffstat:

 graphics/libwmf/Makefile         |   4 ++--
 graphics/libwmf/distinfo         |   3 ++-
 graphics/libwmf/patches/patch-ae |  31 +++++++++++++++++++++++++++++++
 3 files changed, 35 insertions(+), 3 deletions(-)

diffs (60 lines):

diff -r a34c84e7de65 -r 912d204cf14a graphics/libwmf/Makefile
--- a/graphics/libwmf/Makefile  Sun Aug 20 20:06:26 2006 +0000
+++ b/graphics/libwmf/Makefile  Sun Aug 20 21:38:45 2006 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.59 2006/04/17 13:46:00 wiz Exp $
+# $NetBSD: Makefile,v 1.60 2006/08/20 21:38:45 salo Exp $
 
 DISTNAME=      libwmf-0.2.8.4
-PKGREVISION=   3
+PKGREVISION=   4
 CATEGORIES=    graphics devel
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=wvware/}
 
diff -r a34c84e7de65 -r 912d204cf14a graphics/libwmf/distinfo
--- a/graphics/libwmf/distinfo  Sun Aug 20 20:06:26 2006 +0000
+++ b/graphics/libwmf/distinfo  Sun Aug 20 21:38:45 2006 +0000
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.13 2006/01/18 22:04:58 adam Exp $
+$NetBSD: distinfo,v 1.14 2006/08/20 21:38:45 salo Exp $
 
 SHA1 (libwmf-0.2.8.4.tar.gz) = 822ab3bd0f5e8f39ad732f2774a8e9f18fc91e89
 RMD160 (libwmf-0.2.8.4.tar.gz) = 98cd631adb5bb332d9224d04bc8a265c105435f2
 Size (libwmf-0.2.8.4.tar.gz) = 2169375 bytes
 SHA1 (patch-ad) = b74be16c5da490394b86403009f5f35d80ba4bfa
+SHA1 (patch-ae) = 644684733090c26250a1ce0e2c5a6c978bd54b74
diff -r a34c84e7de65 -r 912d204cf14a graphics/libwmf/patches/patch-ae
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/libwmf/patches/patch-ae  Sun Aug 20 21:38:45 2006 +0000
@@ -0,0 +1,31 @@
+$NetBSD: patch-ae,v 1.1 2006/08/20 21:38:45 salo Exp $
+
+Security fix for CVE-2006-3376, from Red Hat.
+
+--- src/player.c.orig  2002-12-10 20:30:26.000000000 +0100
++++ src/player.c       2006-08-20 23:29:44.000000000 +0200
+@@ -42,6 +42,7 @@
+ #include "player/defaults.h" /* Provides: default settings               */
+ #include "player/record.h"   /* Provides: parameter mechanism            */
+ #include "player/meta.h"     /* Provides: record interpreters            */
++#include <stdint.h>
+ 
+ /**
+  * @internal
+@@ -132,8 +133,14 @@
+               }
+       }
+ 
+-/*    P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)-3) * 2 * sizeof (unsigned char));
+- */   P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
++      if (MAX_REC_SIZE(API) > UINT32_MAX/ 2)
++      {
++              API->err = wmf_E_InsMem;
++              WMF_DEBUG (API,"bailing...");
++              return (API->err);
++      }
++      
++      P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
+ 
+       if (ERR (API))
+       {       WMF_DEBUG (API,"bailing...");