packages/liblouis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2023-26769

Browse Source 
(cherry picked from commit 721e36edaaf2680b0940072423d3c6c97e199309)
This commit is contained in:
starlet-dx 2023-03-22 18:11:31 +08:00 committed by openeuler-sync-bot
parent ca70112503
commit e793b81a87
2 changed files with 70 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
CVE-2023-26769.patch Normal file
View File

@ -0,0 +1,65 @@
diff -Naur a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
--- a/liblouis/compileTranslationTable.c 2023-03-22 17:59:25.331813368 +0800
+++ b/liblouis/compileTranslationTable.c 2023-03-22 18:05:57.089522644 +0800
@@ -3628,18 +3628,21 @@
char *tableFile;
static struct stat info;
+#define MAX_TABLEFILE_SIZE (MAXSTRING * sizeof(char) * 2)
if (table == NULL || table[0] == '\0') return NULL;
- tableFile = (char *)malloc(MAXSTRING * sizeof(char) * 2);
+ tableFile = (char *)malloc(MAX_TABLEFILE_SIZE);
//
// First try to resolve against base
//
if (base) {
int k;
+ if (strlen(base) >= MAX_TABLEFILE_SIZE) goto failure;
strcpy(tableFile, base);
k = (int)strlen(tableFile);
while (k >= 0 && tableFile[k] != '/' && tableFile[k] != '\\') k--;
tableFile[++k] = '\0';
+ if (strlen(tableFile) + strlen(table) >= MAX_TABLEFILE_SIZE) goto failure;
strcat(tableFile, table);
if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
_lou_logMessage(LOG_DEBUG, "found table %s", tableFile);
@@ -3651,6 +3654,7 @@
// It could be an absolute path, or a path relative to the current working
// directory
//
+ if (strlen(table) >= MAX_TABLEFILE_SIZE) goto failure;
strcpy(tableFile, table);
if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
_lou_logMessage(LOG_DEBUG, "found table %s", tableFile);
@@ -3671,6 +3675,10 @@
last = (*cp == '\0');
*cp = '\0';
if (dir == cp) dir = ".";
+ if (strlen(dir) + strlen(table) + 1 >= MAX_TABLEFILE_SIZE) {
+ free(searchPath_copy);
+ goto failure;
+ }
sprintf(tableFile, "%s%c%s", dir, DIR_SEP, table);
if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
_lou_logMessage(LOG_DEBUG, "found table %s", tableFile);
@@ -3678,6 +3686,11 @@
return tableFile;
}
if (last) break;
+ if (strlen(dir) + strlen("liblouis") + strlen("tables") + strlen(table) + 3 >=
+ MAX_TABLEFILE_SIZE) {
+ free(searchPath_copy);
+ goto failure;
+ }
sprintf(tableFile, "%s%c%s%c%s%c%s", dir, DIR_SEP, "liblouis", DIR_SEP,
"tables", DIR_SEP, table);
if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
@@ -3689,6 +3702,7 @@
}
free(searchPath_copy);
}
+failure:
free(tableFile);
return NULL;
}

6
liblouis.spec
View File

@ -2,12 +2,13 @@
Name: liblouis Name: liblouis
Version: 3.7.0 Version: 3.7.0
Release: 4 Release: 5
Summary: Braille translation and back-translation library Summary: Braille translation and back-translation library
License: LGPLv3+ and GPLv3+ License: LGPLv3+ and GPLv3+
URL: http://liblouis.org URL: http://liblouis.org
Source0: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz
Patch0000: 0001-fix-memory-issue-introduced-with-GCC9.patch Patch0000: 0001-fix-memory-issue-introduced-with-GCC9.patch
Patch0001: CVE-2023-26769.patch
BuildRequires: chrpath gcc help2man texinfo texinfo-tex texlive-eurosym BuildRequires: chrpath gcc help2man texinfo texinfo-tex texlive-eurosym
BuildRequires: texlive-xetex python3-devel BuildRequires: texlive-xetex python3-devel
Provides: bundled(gnulib) = 20130621 Provides: bundled(gnulib) = 20130621
@ -115,6 +116,9 @@ done
%{python3_sitelib}/louis/ %{python3_sitelib}/louis/
%changelog %changelog
* Wed Mar 22 2023 yaoxin <yaoxin30@h-partners.com> - 3.7.0-5
- Fix CVE-2023-26769
* Wed Oct 21 2020 Ge Wang <wangge20@huawei.com> - 3.7.0-4 * Wed Oct 21 2020 Ge Wang <wangge20@huawei.com> - 3.7.0-4
- remove python2 - remove python2