debian/changelog | 6 ++ debian/patches/CVE-2013-XXXX-unlimited-sscanf-can-overflow-stack-bu.patch | 28 ++++++++++ debian/patches/series | 1 3 files changed, 35 insertions(+)
New commits:
commit eaa97effca85c48025b44fc27c726f558cc25498
Author: Julien Cristau <[email protected]>
Date: Thu Dec 26 21:36:54 2013 +0100
unlimited sscanf can overflow stack buffer in bdfReadCharacters()
diff --git a/debian/changelog b/debian/changelog
index bab3e01..2e4ddb6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+libxfont (1:1.4.1-4) squeeze-security; urgency=high
+
+ * unlimited sscanf can overflow stack buffer in bdfReadCharacters()
+
+ -- Julien Cristau <[email protected]> Thu, 26 Dec 2013 21:36:57 +0100
+
 libxfont (1:1.4.1-3) squeeze-security; urgency=high
 
  * Fix LZW decompression heap corruption (CVE-2011-2895).
diff --git a/debian/patches/CVE-2013-XXXX-unlimited-sscanf-can-overflow-stack-bu.patch b/debian/patches/CVE-2013-XXXX-unlimited-sscanf-can-overflow-stack-bu.patch
new file mode 100644
index 0000000..fa5f72d
--- /dev/null
+++ b/debian/patches/CVE-2013-XXXX-unlimited-sscanf-can-overflow-stack-bu.patch
@@ -0,0 +1,28 @@
+From b07483b605e77ea475b97d5dc829a7d5eb10a5d6 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <[email protected]>
+Date: Mon, 23 Dec 2013 18:34:02 -0800
+Subject: [PATCH:libXfont 1/2] CVE-2013-XXXX: unlimited sscanf can overflow
+ stack buffer in bdfReadCharacters()
+
+Fixes cppcheck warning:
+ [lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
+ scanf without field width limits can crash with huge input data.
+
+Signed-off-by: Alan Coopersmith <[email protected]>
+---
+ src/bitmap/bdfread.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: libxfont/src/bitmap/bdfread.c
+===================================================================
+--- libxfont.orig/src/bitmap/bdfread.c
++++ libxfont/src/bitmap/bdfread.c
+@@ -341,7 +341,7 @@ bdfReadCharacters(FontFilePtr file, Font
+ char charName[100];
+ int ignore;
+
+- if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
++ if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
+ bdfError("bad character name in BDF file\n");
+ goto BAILOUT; /* bottom of function, free and return error */
+ }
diff --git a/debian/patches/series b/debian/patches/series
index e69de29..756d521 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2013-XXXX-unlimited-sscanf-can-overflow-stack-bu.patch
-- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
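Review bot: The upstream Subject line tags this as `[PATCH:libXfont 1/2]`, yet debian/patches/series gains only this one file, so it is worth confirming whether the companion 2/2 patch is needed on this branch or noting why it is not. The `%99s` width itself is consistent with `char charName[100]` in the context lines (99 characters plus the terminating NUL), so the bound the patch introduces is correct for that buffer. The changelog entry names no identifier while the patch filename carries the `CVE-2013-XXXX` placeholder; once the number is assigned, the changelog line should cite it, e.g. `  * unlimited sscanf can overflow stack buffer in bdfReadCharacters() (CVE-2013-XXXX)` with the placeholder replaced, so the security tracker can match the upload. Only the two-line context of bdfReadCharacters() is visible in the embedded hunk; the rest of the function is outside this page.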

