authorJohannes Huber <johu@gentoo.org>2012-08-04 16:17:34 +0000
committerJohannes Huber <johu@gentoo.org>2012-08-04 16:17:34 +0000
commit80109d6be2636030d9f490496c5661ce360752f9 (patch)
tree2eec5dc634da3e71499284769fd83b8d62444802 /app-office
parentAdd new snapshot. Fixes bug #427878. (diff)
Revision bump adds an upstream security patch which fixes a buffer overflow.
(Portage version: 2.2.0_alpha120/cvs/Linux x86_64)
Diffstat (limited to 'app-office')
-rw-r--r--app-office/calligra/ChangeLog9
-rw-r--r--app-office/calligra/calligra-2.4.3-r1.ebuild (renamed from app-office/calligra/calligra-2.4.3.ebuild)7
-rw-r--r--app-office/calligra/files/calligra-2.4.3-security-fix-buffer-overflow.patch26
3 files changed, 39 insertions, 3 deletions
diff --git a/app-office/calligra/ChangeLog b/app-office/calligra/ChangeLog
index 5b9d0fe0d85f..6f33a19231f9 100644
--- a/app-office/calligra/ChangeLog
+++ b/app-office/calligra/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for app-office/calligra
# Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-office/calligra/ChangeLog,v 1.57 2012/07/20 21:23:34 dilfridge Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-office/calligra/ChangeLog,v 1.58 2012/08/04 16:17:34 johu Exp $
+
+*calligra-2.4.3-r1 (04 Aug 2012)
+
+ 04 Aug 2012; Johannes Huber <johu@gentoo.org> +calligra-2.4.3-r1.ebuild,
+ +files/calligra-2.4.3-security-fix-buffer-overflow.patch,
+ -calligra-2.4.3.ebuild:
+ Revision bump adds a upstream security patch which fixes a buffer overflow.
*calligra-2.4.92 (20 Jul 2012)
diff --git a/app-office/calligra/calligra-2.4.3.ebuild b/app-office/calligra/calligra-2.4.3-r1.ebuild
index 0ff6f8dd83c3..17585fc68b0d 100644
--- a/app-office/calligra/calligra-2.4.3.ebuild
+++ b/app-office/calligra/calligra-2.4.3-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-office/calligra/calligra-2.4.3.ebuild,v 1.2 2012/07/19 16:18:40 kensington Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-office/calligra/calligra-2.4.3-r1.ebuild,v 1.1 2012/08/04 16:17:34 johu Exp $
# note: files that need to be checked for dependencies etc:
# CMakeLists.txt, kexi/CMakeLists.txt kexi/migration/CMakeLists.txt
@@ -121,7 +121,10 @@ PDEPEND=">=app-office/calligra-l10n-$(get_version_component_range 1-2)"
RESTRICT=test
# bug 394273
-PATCHES=( "${FILESDIR}/${PN}-2.4.2-marble.patch" )
+PATCHES=(
+ "${FILESDIR}/${PN}-2.4.2-marble.patch"
+ "${FILESDIR}/${PN}-2.4.3-security-fix-buffer-overflow.patch"
+)
src_configure() {
local cal_ft
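Review bot: The new `PATCHES` entry for the security fix carries no comment saying which upstream change it tracks, so a later version bump cannot tell from the ebuild when the patch can be dropped. The only nearby comment, `# bug 394273`, predates this change and, as far as the hunk shows, does not refer to the new patch. I would add a line above the entry such as `# upstream 8652ab672eaaa145dfb3782f5011de58aa4cc046: grupx bounds check in wv2 styles.cpp`, plus the Gentoo security bug number if one exists. `src_configure` continues outside the hunk.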
diff --git a/app-office/calligra/files/calligra-2.4.3-security-fix-buffer-overflow.patch b/app-office/calligra/files/calligra-2.4.3-security-fix-buffer-overflow.patch
new file mode 100644
index 000000000000..14ec5ae59537
--- /dev/null
+++ b/app-office/calligra/files/calligra-2.4.3-security-fix-buffer-overflow.patch
@@ -0,0 +1,26 @@
+commit 7d72f7dd8d28d18c59a08a7d43bd4e0654043103
+Author: Thorsten Zachmann <t.zachmann@zagge.de>
+Date: Sat Aug 4 06:42:14 2012 +0200
+
+ Make sure not to write behind the allocated memory
+
+ Validate the input data to not write behind the allocated memory. This fixes a
+ buffer overflow found by Charlie Miller.
+ (cherry picked from commit 8652ab672eaaa145dfb3782f5011de58aa4cc046)
+
+diff --git a/filters/words/msword-odf/wv2/src/styles.cpp b/filters/words/msword-odf/wv2/src/styles.cpp
+index c3132f0..0d691f5 100644
+--- a/filters/words/msword-odf/wv2/src/styles.cpp
++++ b/filters/words/msword-odf/wv2/src/styles.cpp
+@@ -248,6 +248,11 @@ throw(InvalidFormatException)
+ #ifdef WV2_DEBUG_STYLESHEET
+ wvlog << "cbUPX: " << cbUPX << endl;
+ #endif
++ // do not overflow the allocated buffer grupx
++ if (offset + cbUPX > grupxLen) {
++ wvlog << "====> Error: grupx would overflow!" << endl;
++ return false;
++ }
+ for ( U16 j = 0; j < cbUPX; ++j ) {
+ grupx[ offset + j ] = stream->readU8(); // read the whole UPX
+ #ifdef WV2_DEBUG_STYLESHEET
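Review bot: The added guard `if (offset + cbUPX > grupxLen)` is only as sound as `offset` and `grupxLen`, which are both declared and computed outside this hunk. If `grupxLen` is derived from file-supplied sizes by subtraction, check that it cannot wrap or go negative before the allocation, otherwise this comparison is made against a bogus bound. The early `return false` also exits in the middle of parsing. The hunk does not show whether callers check the result or whether the stream position and the partly filled `grupx` are handled on this path, so that should be confirmed. The comment could say where the value comes from, for example `// cbUPX is read from the document; reject it if it does not fit in the remaining grupx space`.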