From 89d9617d29075d341e87e334eb45769fbe6d643d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=BCtz?=
Date: Mon, 1 Feb 2021 13:42:41 +0100
Subject: [PATCH] lout: add patch for CVE-2019-19917 and CVE-2019-19918
---
 .../CVE-2019-19917-and-CVE-2019-19918.patch | 95 +++++++++++++++++++
 pkgs/tools/typesetting/lout/default.nix | 5 +
 2 files changed, 100 insertions(+)
 create mode 100644 pkgs/tools/typesetting/lout/CVE-2019-19917-and-CVE-2019-19918.patch
diff --git a/pkgs/tools/typesetting/lout/CVE-2019-19917-and-CVE-2019-19918.patch b/pkgs/tools/typesetting/lout/CVE-2019-19917-and-CVE-2019-19918.patch
new file mode 100644
index 000000000000..b146822c9c51
--- /dev/null
+++ b/pkgs/tools/typesetting/lout/CVE-2019-19917-and-CVE-2019-19918.patch
@@ -0,0 +1,95 @@
+--- a/externs.h
++++ b/externs.h
+@@ -260,6 +260,9 @@ If you're compiling this, you've got the
+ /* that can appear correctly on one page. Can be */
+ /* increased to any small positive integer. */
+ /* */
++/* MAX_FORMAT The maximum number of characters for sscanf formats */
++/* for splitting strings with tab-delimited fields. */
++/* */
+ /*****************************************************************************/
+ 
+ #define MAX_FULL_LENGTH 8388607 /* 2**23 - 1, about 148 metres */
+@@ -275,6 +278,7 @@ If you're compiling this, you've got the
+ #define MAX_LEX_STACK 20
+ #define MAX_CHARS 256
+ #define MAX_HCOPIES 3
++#define MAX_FORMAT 100
+ 
+ /*****************************************************************************/
+ /* */
+--- a/z02.c
++++ b/z02.c
+@@ -378,7 +378,7 @@ static void srcnext(void)
+ if( blksize != 0 && chpt < limit )
+ { debugcond0(DLA, DD, stack_free <= 1, "srcnext: transferring.");
+ col = buf;
+- while( chtbl[(*--col = *--limit)] != NEWLINE );
++ while( col > mem_block && chtbl[(*--col = *--limit)] != NEWLINE );
+ frst = col + 1; limit++; blksize = 0;
+ }
+ 
+--- a/z33.c
++++ b/z33.c
+@@ -847,6 +847,7 @@ BOOLEAN DbRetrieve(OBJECT db, BOOLEAN ga
+ BOOLEAN DbRetrieveNext(OBJECT db, BOOLEAN *gall, OBJECT *sym, FULL_CHAR *tag,
+ FULL_CHAR *seq, FILE_NUM *dfnum, long *dfpos, int *dlnum, long *cont)
+ { FULL_CHAR line[MAX_BUFF], *cline, fname[MAX_BUFF]; int symnum;
++ char format[MAX_FORMAT];
+ ifdebug(DPP, D, ProfileOn("DbRetrieveNext"));
+ debug2(DBS, DD, "DbRetrieveNext( %s, %ld )", string(db), *cont);
+ assert(reading(db), "DbRetrieveNext: not reading");
+@@ -858,6 +859,8 @@ BOOLEAN DbRetrieveNext(OBJECT db, BOOLEA
+ return FALSE;
+ }
+ 
++ sprintf(format, "%%d&%%%d[^\t]\t%%%d[^\t]\t%%*[^\t]\t%%ld\t%%d\t%%%d[^\n\f]", MAX_BUFF-1, MAX_BUFF-1, MAX_BUFF-1);
++
+ if( in_memory(db) )
+ {
+ /* get next entry from internal database */
+@@ -868,7 +871,7 @@ BOOLEAN DbRetrieveNext(OBJECT db, BOOLEA
+ }
+ cline = (FULL_CHAR *) 
db_lines(db)[*cont];
+ *gall = (cline[0] == '0' ? 1 : 0);
+- sscanf((char *)&cline[*gall], "%d&%[^\t]\t%[^\t]\t%*[^\t]\t%ld\t%d\t%[^\n\f]",
++ sscanf((char *)&cline[*gall], format,
+ &symnum, tag, seq, dfpos, dlnum, fname);
+ *cont = *cont + 1;
+ }
+@@ -882,7 +885,7 @@ BOOLEAN DbRetrieveNext(OBJECT db, BOOLEA
+ return FALSE;
+ }
+ *gall = (line[0] == '0' ? 1 : 0);
+- sscanf((char *)&line[*gall], "%d&%[^\t]\t%[^\t]\t%*[^\t]\t%ld\t%d\t%[^\n\f]",
++ sscanf((char *)&line[*gall], format,
+ &symnum, tag, seq, dfpos, dlnum, fname);
+ *cont = ftell(db_filep(db));
+ }
+--- a/z39.c
++++ b/z39.c
+@@ -79,11 +79,13 @@ int strcollcmp(char *a, char *b)
+ int strcollcmp(char *a, char *b)
+ { char a1[MAX_BUFF], a2[MAX_BUFF], a3[MAX_BUFF];
+ char b1[MAX_BUFF], b2[MAX_BUFF], b3[MAX_BUFF];
++ char format[MAX_FORMAT];
+ int order;
++ sprintf(format, "%%%d[^\t]\t%%%d[^\t]\t%%%d[^\t]", MAX_BUFF-1, MAX_BUFF-1, MAX_BUFF-1);
+ a1[0] = a2[0] = a3[0] = '\0';
+- sscanf(a, "%[^\t]\t%[^\t]\t%[^\t]", a1, a2, a3);
++ sscanf(a, format, a1, a2, a3);
+ b1[0] = b2[0] = b3[0] = '\0';
+- sscanf(b, "%[^\t]\t%[^\t]\t%[^\t]", b1, b2, b3);
++ sscanf(b, format, b1, b2, b3);
+ order = strcoll(a1, b1);
+ if( order == 0 )
+ {
+@@ -251,7 +253,7 @@ FULL_CHAR *StringQuotedWord(OBJECT x)
+ *q++ = CH_QUOTE;
+ for( p = string(x); *p != '\0'; p++ )
+ {
+- for( r = (FULL_CHAR *) quoted_string[*p]; *r != '\0'; *q++ = *r++ );
++ for( r = (FULL_CHAR *) quoted_string[*p]; *r != '\0' && q < &buff[MAX_BUFF-2]; *q++ = *r++ );
+ }
+ *q++ = CH_QUOTE;
+ *q++ = '\0';
diff --git a/pkgs/tools/typesetting/lout/default.nix b/pkgs/tools/typesetting/lout/default.nix
index eaeaeb406069..4737c5d74097 100644
--- a/pkgs/tools/typesetting/lout/default.nix
+++ b/pkgs/tools/typesetting/lout/default.nix
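Review bot: The widened field widths in the DbRetrieveNext format are only provably safe for `fname[MAX_BUFF]`; `tag` and `seq` are caller-supplied pointers whose sizes are not visible in this hunk, so the fix rests on every caller passing MAX_BUFF-sized buffers and that contract deserves a comment next to the sprintf, e.g. `/* tag and seq must hold MAX_BUFF bytes: the format stores up to MAX_BUFF-1 chars plus NUL in each */`. The sscanf return value is still ignored in both the in-memory and file branches, so a truncated or malformed entry leaves `symnum`, `dfpos` and `dlnum` unassigned; checking `if( sscanf((char *)&line[*gall], format, &symnum, tag, seq, dfpos, dlnum, fname) != 6 )` and treating the entry as unreadable (the function already has `return FALSE;` paths, though any profiling cleanup at its exits lies outside the hunk) would close that gap. `sprintf(format, ...)` into `format[MAX_FORMAT]` is itself unbounded, so `snprintf(format, MAX_FORMAT, ...)` with the same arguments — here and in strcollcmp in z39.c — would make the new MAX_FORMAT limit enforced rather than assumed. In StringQuotedWord the new `q < &buff[MAX_BUFF-2]` guard can stop in the middle of a multi-character `quoted_string` entry, so an oversized word is silently truncated into a possibly malformed quoted string instead of being rejected or reported. DbRetrieveNext, strcollcmp and StringQuotedWord all begin or end outside the hunks shown.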
@@ -14,6 +14,11 @@ stdenv.mkDerivation rec {
 sha256 = "1gb8vb1wl7ikn269dd1c7ihqhkyrwk19jwx5kd0rdvbk6g7g25ix";
 };
 
+ patches = [
+ # https://build.opensuse.org/request/show/843612
+ ./CVE-2019-19917-and-CVE-2019-19918.patch
+ ];
+
 buildInputs = [ ghostscript ];
 
 builder = ./builder.sh;