libgxps: fix CVE-2017-11590

2018-10-03 12:50:00 -03:00
parent 8a843c3ebe
commit 33055b32c2
2 changed files with 43 additions and 3 deletions
--- a/srcpkgs/libgxps/patches/CVE-2017-11590.patch
+++ b/srcpkgs/libgxps/patches/CVE-2017-11590.patch
@@ -0,0 +1,40 @@
+From 9d5d292055250ed298f3b89dc332d6db4003a031 Mon Sep 17 00:00:00 2001
+From: Marek Kasik <mkasik@redhat.com>
+Date: Wed, 26 Jul 2017 16:23:37 +0200
+Subject: [PATCH] archive: Check for pathname being NULL before dereferencing
+
+Check whether "archive_entry_pathname ()" returns a non-NULL pathname
+before using it to avoid a NULL pointer being dereferenced.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=785479
+---
+ libgxps/gxps-archive.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libgxps/gxps-archive.c b/libgxps/gxps-archive.c
+index acf8d7d..e763773 100644
+--- libgxps/gxps-archive.c
+++ libgxps/gxps-archive.c
+@@ -257,6 +257,7 @@ gxps_archive_initable_init (GInitable     *initable,
+ 	GXPSArchive          *archive;
+ 	ZipArchive           *zip;
+ 	struct archive_entry *entry;
+	const gchar          *pathname;
+ 
+ 	archive = GXPS_ARCHIVE (initable);
+ 
+@@ -281,7 +282,9 @@ gxps_archive_initable_init (GInitable     *initable,
+ 
+         while (gxps_zip_archive_iter_next (zip, &entry)) {
+                 /* FIXME: We can ignore directories here */
+-                g_hash_table_add (archive->entries, g_strdup (archive_entry_pathname (entry)));
+                pathname = archive_entry_pathname (entry);
+                if (pathname != NULL)
+                        g_hash_table_add (archive->entries, g_strdup (pathname));
+                 archive_read_data_skip (zip->archive);
+         }
+ 
+-- 
+2.18.0
+
+
--- a/srcpkgs/libgxps/template
+++ b/srcpkgs/libgxps/template
@@ -1,7 +1,7 @@
 # Template file for 'libgxps'
 pkgname=libgxps
 version=0.2.5
-revision=1
+revision=2
 build_style=gnu-configure
 configure_args="--disable-static $(vopt_enable gir introspection)"
 hostmakedepends="pkg-config $(vopt_if gir gobject-introspection)"
@@ -9,9 +9,9 @@ makedepends="cairo-devel libglib-devel libjpeg-turbo-devel libpng-devel
 tiff-devel lcms2-devel libarchive-devel freetype-devel"
 short_desc="GObject base library for XPS documents"
 maintainer="Juan RP <xtraeme@voidlinux.eu>"
-license="LGPL-2.1"
+license="LGPL-2.1-or-later"
 homepage="http://live.gnome.org/libgxps"
-distfiles="${GNOME_SITE}/$pkgname/0.2/$pkgname-$version.tar.xz"
+distfiles="${GNOME_SITE}/${pkgname}/0.2/${pkgname}-${version}.tar.xz"
 checksum=3e7594c5c9b077171ec9ccd3ff2b4f4c4b29884d26d4f35e740c8887b40199a0

 # Package build options