Hi, I've uploaded an NMU (non-maintainer upload) fixing this issue. Please see the attached patch.
Best wishes, Mike
diff -Nru matplotlib-1.4.2/debian/changelog matplotlib-1.4.2/debian/changelog
--- matplotlib-1.4.2/debian/changelog 2014-10-30 23:31:05.000000000 +0000
+++ matplotlib-1.4.2/debian/changelog 2015-02-14 00:52:10.000000000 +0000
@@ -1,3 +1,10 @@
+matplotlib (1.4.2-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2013-1424: printf buffer overrun (closes: #775691).
+
+ -- Michael Gilbert <mgilb...@debian.org>  Fri, 13 Feb 2015 23:16:11 +0000
+
 matplotlib (1.4.2-3) unstable; urgency=medium
 
   * debian/patches/test_backend_with_timeout.patch
diff -Nru matplotlib-1.4.2/debian/patches/matplotlib-printf-buffer-overrun.patch matplotlib-1.4.2/debian/patches/matplotlib-printf-buffer-overrun.patch
--- matplotlib-1.4.2/debian/patches/matplotlib-printf-buffer-overrun.patch 1970-01-01 00:00:00.000000000 +0000
+++ matplotlib-1.4.2/debian/patches/matplotlib-printf-buffer-overrun.patch 2015-02-14 00:52:10.000000000 +0000
@@ -0,0 +1,39 @@
+--- a/lib/matplotlib/__init__.py
++++ b/lib/matplotlib/__init__.py
+@@ -1398,6 +1398,7 @@ default_test_modules = [
+     'matplotlib.tests.test_lines',
+     'matplotlib.tests.test_mathtext',
+     'matplotlib.tests.test_mlab',
++    'matplotlib.tests.test_mplutils',
+     'matplotlib.tests.test_patches',
+     'matplotlib.tests.test_path',
+     'matplotlib.tests.test_patheffects',
+--- /dev/null
++++ b/lib/matplotlib/tests/test_mplutils.py
+@@ -0,0 +1,12 @@
++from __future__ import print_function
++from nose.tools import assert_raises
++from matplotlib import ft2font
++from matplotlib.testing.decorators import knownfailureif
++import sys
++
++def test_printf_buffer():
++    """Tests Printf for buffer overrun."""
++    # Use ft2font.FT2Font, which indirectly calls the Printf function in
++    # mplutils.cpp.
++    # Expect a RuntimeError, since the font is not found.
++    assert_raises(RuntimeError, ft2font.FT2Font, 'x' * 2048)
+--- a/src/mplutils.cpp
++++ b/src/mplutils.cpp
+@@ -18,7 +18,10 @@ Printf::Printf(const char *fmt, ...)
+ {
+     va_list ap;
+     va_start(ap, fmt);
+-    vsprintf(buffer, fmt, ap);
++    vsnprintf(buffer, 1024, fmt, ap);
++    // Null-terminate the string. Non-standard C implementations (e.g.,
++    // Microsoft Visual C++) do not do this automatically.
++    buffer[1023] = '\0';
+     va_end(ap); // look ma - I rememberd it this time
+ }
+
diff -Nru matplotlib-1.4.2/debian/patches/series matplotlib-1.4.2/debian/patches/series
--- matplotlib-1.4.2/debian/patches/series 2014-10-30 23:30:51.000000000 +0000
+++ matplotlib-1.4.2/debian/patches/series 2015-02-14 00:52:10.000000000 +0000
@@ -7,3 +7,4 @@
 gtk3agg_check_no-multiprocessing.patch
 gtk3cairo_check_no-multiprocessing.patch
 test_backend_with_timeout.patch
+matplotlib-printf-buffer-overrun.patch
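Review bot: The new `vsnprintf(buffer, 1024, fmt, ap)` and `buffer[1023] = '\0'` in the mplutils.cpp hunk hard-code the buffer length twice while the declaration of `buffer` is outside this hunk (in the class header), so nothing ties the bound to the array's real size; if that array is ever declared shorter than 1024 the overrun this patch closes comes back. Assuming `buffer` is a fixed-size `char` array member rather than a pointer, prefer `vsnprintf(buffer, sizeof(buffer), fmt, ap);` followed by `buffer[sizeof(buffer) - 1] = '\0';` so the bound follows the declaration, and note in the comment that the trailing write covers pre-C99 implementations that return -1 and do not terminate on truncation. Truncation is now silent; if any caller embeds attacker-influenced text such as a file name in the formatted message, a reviewer would want the return value compared with the size so an over-long message is at least detectable. The added test_mplutils.py also imports `knownfailureif` and `sys` without using them, and the `Printf` constructor's enclosing class begins outside this hunk.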