From e793b81a87ee9cf1eb25defa8889c46f50a67874 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Wed, 22 Mar 2023 18:11:31 +0800
Subject: [PATCH] Fix CVE-2023-26769 (cherry picked from commit 721e36edaaf2680b0940072423d3c6c97e199309)
---
 CVE-2023-26769.patch | 65 ++++++++++++++++++++++++++++++++++++++++++++
 liblouis.spec | 6 +++-
 2 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-26769.patch
diff --git a/CVE-2023-26769.patch b/CVE-2023-26769.patch
new file mode 100644
index 0000000..b45eede
--- /dev/null
+++ b/CVE-2023-26769.patch
@@ -0,0 +1,65 @@
+diff -Naur a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
+--- a/liblouis/compileTranslationTable.c 2023-03-22 17:59:25.331813368 +0800
++++ b/liblouis/compileTranslationTable.c 2023-03-22 18:05:57.089522644 +0800
+@@ -3628,18 +3628,21 @@
+ char *tableFile;
+ static struct stat info;
+
++#define MAX_TABLEFILE_SIZE (MAXSTRING * sizeof(char) * 2)
+ if (table == NULL || table[0] == '\0') return NULL;
+- tableFile = (char *)malloc(MAXSTRING * sizeof(char) * 2);
++ tableFile = (char *)malloc(MAX_TABLEFILE_SIZE);
+
+ //
+ // First try to resolve against base
+ //
+ if (base) {
+ int k;
++ if (strlen(base) >= MAX_TABLEFILE_SIZE) goto failure;
+ strcpy(tableFile, base);
+ k = (int)strlen(tableFile);
+ while (k >= 0 && tableFile[k] != '/' && tableFile[k] != '\\') k--;
+ tableFile[++k] = '\0';
++ if (strlen(tableFile) + strlen(table) >= MAX_TABLEFILE_SIZE) goto failure;
+ strcat(tableFile, table);
+ if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+ _lou_logMessage(LOG_DEBUG, "found table %s", tableFile);
+@@ -3651,6 +3654,7 @@
+ // It could be an absolute path, or a path relative to the current working
+ // directory
+ //
++ if (strlen(table) >= MAX_TABLEFILE_SIZE) goto failure;
+ strcpy(tableFile, table);
+ if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+ _lou_logMessage(LOG_DEBUG, "found table %s", tableFile);
+@@ -3671,6 +3675,10 @@
+ last = (*cp == '\0');
+ *cp = '\0';
+ if (dir == cp) dir = ".";
++ if (strlen(dir) + strlen(table) + 1 >= MAX_TABLEFILE_SIZE) {
++ free(searchPath_copy);
++ goto failure;
++ }
+ sprintf(tableFile, "%s%c%s", dir, DIR_SEP, table);
+ if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+ _lou_logMessage(LOG_DEBUG, "found table %s", tableFile);
+@@ -3678,6 +3686,11 @@
+ return tableFile;
+ }
+ if (last) break;
++ if (strlen(dir) + strlen("liblouis") + strlen("tables") + strlen(table) + 3 >=
++ MAX_TABLEFILE_SIZE) {
++ free(searchPath_copy);
++ goto failure;
++ }
+ sprintf(tableFile, "%s%c%s%c%s%c%s", dir, DIR_SEP, "liblouis", DIR_SEP,
+ "tables", DIR_SEP, table);
+ if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+@@ -3689,6 +3702,7 @@
+ }
+ free(searchPath_copy);
+ }
++failure:
+ free(tableFile);
+ return NULL;
+ }
diff --git a/liblouis.spec b/liblouis.spec
index 2f6621b..f9c0cea 100644
--- a/liblouis.spec
+++ b/liblouis.spec
@@ -2,12 +2,13 @@
 Name: liblouis
 Version: 3.7.0
-Release: 4
+Release: 5
 Summary: Braille translation and back-translation library
 License: LGPLv3+ and GPLv3+
 URL: http://liblouis.org
 Source0: https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz
 Patch0000: 0001-fix-memory-issue-introduced-with-GCC9.patch
+Patch0001: CVE-2023-26769.patch
 BuildRequires: chrpath gcc help2man texinfo texinfo-tex texlive-eurosym
 BuildRequires: texlive-xetex python3-devel
 Provides: bundled(gnulib) = 20130621
@@ -115,6 +116,9 @@ done
 %{python3_sitelib}/louis/
 %changelog
+* Wed Mar 22 2023 yaoxin - 3.7.0-5
+- Fix CVE-2023-26769
+
 * Wed Oct 21 2020 Ge Wang - 3.7.0-4
 - remove python2
-- Gitee
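Review bot: The changed allocation line `tableFile = (char *)malloc(MAX_TABLEFILE_SIZE);` in CVE-2023-26769.patch still uses its result unchecked, so if malloc fails the `strcpy`/`sprintf` calls that the new guards protect write through a null pointer; add `if (tableFile == NULL) return NULL;` directly after it. The guards in front of the two `sprintf` calls recompute each format's length by hand (`+ 1`, `+ 3`), so they stay correct only while the format strings do not change; `snprintf(tableFile, MAX_TABLEFILE_SIZE, ...)` with its return value compared against the size would bind the limit to the write itself. Every new `goto failure` returns NULL with no log line, which makes an over-long path indistinguishable from a missing table for the caller, and in the search-path loop it appears to give up on the remaining directories as well; a `_lou_logMessage(LOG_ERROR, ...)` before the jump would make that visible. `MAX_TABLEFILE_SIZE` is also `#define`d inside the function body and never `#undef`ed, so it leaks into the rest of the translation unit. The function's start and the end of the search loop lie outside the hunks.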