Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 8 Apr 2014 15:35:18 +0000 (UTC)
From:      Christian Weisgerber <naddy@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r350627 - in head/multimedia/xmms: . files
Message-ID:  <201404081535.s38FZIwG078361@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: naddy
Date: Tue Apr  8 15:35:18 2014
New Revision: 350627
URL: http://svnweb.freebsd.org/changeset/ports/350627
QAT: https://qat.redports.org/buildarchive/r350627/

Log:
  Fix for integer overflow and underflow vulnerabilities in the
  processing of skin bitmap images.
  
  Obtained from:	Ubuntu (originally)
  Security:	http://www.vuxml.org/freebsd/20e23b65-a52e-11e3-ae3a-00224d7c32a2.html

Added:
  head/multimedia/xmms/files/patch-xmms_bmp.c   (contents, props changed)
Modified:
  head/multimedia/xmms/Makefile

Modified: head/multimedia/xmms/Makefile
==============================================================================
--- head/multimedia/xmms/Makefile	Tue Apr  8 15:33:31 2014	(r350626)
+++ head/multimedia/xmms/Makefile	Tue Apr  8 15:35:18 2014	(r350627)
@@ -3,7 +3,7 @@
 
 PORTNAME=	xmms
 PORTVERSION=	1.2.11
-PORTREVISION?=	20	# Also chinese/xmms and russian/xmms
+PORTREVISION?=	21	# Also chinese/xmms and russian/xmms
 CATEGORIES+=	multimedia audio ipv6
 MASTER_SITES=	http://www.xmms.org/files/1.2.x/ \
 		http://legacy.xmms2.org/ \
@@ -16,13 +16,10 @@ COMMENT?=	X Multimedia System -- An audi
 LICENSE=	GPLv2
 
 DEPRECATED=	Abandonware, please consider using multimedia/audacious instead
-FORBIDDEN=	Vulnerable: CVE-2007-0653 CVE-2007-0654
-EXPIRATION_DATE=	2014-05-01
 
 CONFLICTS?=	ru-xmms-[0-9]* zh-xmms-[0-9]*
 GNU_CONFIGURE=	yes
-USES=		desktop-file-utils pathfix gmake iconv
-USE_BZIP2=	yes
+USES=		desktop-file-utils pathfix gmake iconv tar:bzip2
 USE_GNOME=	gtk12
 USE_LDCONFIG=	yes
 USE_XORG=	sm x11 xxf86vm

Added: head/multimedia/xmms/files/patch-xmms_bmp.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/multimedia/xmms/files/patch-xmms_bmp.c	Tue Apr  8 15:35:18 2014	(r350627)
@@ -0,0 +1,43 @@
+--- xmms/bmp.c.orig	2006-07-16 15:40:04.000000000 +0200
++++ xmms/bmp.c	2014-04-08 17:04:26.000000000 +0200
+@@ -19,6 +19,12 @@
+  */
+ #include "xmms.h"
+ 
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ struct rgb_quad
+ {
+ 	guchar rgbBlue;
+@@ -183,7 +189,7 @@ GdkPixmap *read_bmp(gchar * filename)
+ 	}
+ 	else if (bitcount != 24 && bitcount != 16 && bitcount != 32)
+ 	{
+-		gint ncols, i;
++		guint32 ncols, i;
+ 
+ 		ncols = offset - headSize - 14;
+ 		if (headSize == 12)
+@@ -201,9 +207,17 @@ GdkPixmap *read_bmp(gchar * filename)
+ 		}
+ 	}
+ 	fseek(file, offset, SEEK_SET);
++	/* verify buffer size */
++	if (!h || !w ||
++	    w > (((UINT32_MAX - 3) / 3) / h) ||
++	    h > (((UINT32_MAX - 3) / 3) / w)) {
++		g_warning("read_bmp(): width(%u)*height(%u) too large", w, h);
++		fclose(file);
++		return NULL;
++	}
++	data = g_malloc0((w * 3 * h) + 3);	/* +3 is just for safety */
+ 	buffer = g_malloc(imgsize);
+ 	fread(buffer, imgsize, 1, file);
+-	data = g_malloc0((w * 3 * h) + 3);	/* +3 is just for safety */
+ 
+ 	if (bitcount == 1)
+ 		read_1b_rgb(buffer, imgsize, data, w, h, rgb_quads);

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201404081535.s38FZIwG078361>