diff --git a/CVE-2023-46048.patch b/CVE-2023-46048.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f7d710b9a1dce4004c165bddc2ea9bf27660e543
--- /dev/null
+++ b/CVE-2023-46048.patch
@@ -0,0 +1,54 @@
+Origin:
+https://github.com/TeX-Live/texlive-source/commit/33b330bc48ed2df69daf80a81be3cde8bf794816
+https://tug.org/pipermail/tex-live/2023-August/049402.html
+
+From 33b330bc48ed2df69daf80a81be3cde8bf794816 Mon Sep 17 00:00:00 2001
+From: Karl Berry
+Date: Sat, 26 Aug 2023 17:50:10 +0000
+Subject: [PATCH] guard against corrupt pfb in dup tests, pdftex r910
+
+git-svn-id: svn://tug.org/texlive/trunk/Build/source@68069 c570f23f-e606-0410-a88d-b1316a301751
+---
+ texlive-20210325-source/texk/web2c/pdftexdir/writet1.c | 15 ++++++++++++---
+ 1 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/texlive-20210325-source/texk/web2c/pdftexdir/writet1.c b/texlive-20210325-source/texk/web2c/pdftexdir/writet1.c
+index 0444d46be0..f2a8386cab 100644
+--- a/texlive-20210325-source/texk/web2c/pdftexdir/writet1.c
++++ b/texlive-20210325-source/texk/web2c/pdftexdir/writet1.c
+@@ -841,7 +841,10 @@ static char **t1_builtin_enc(void)
+ *t1_buf_array == '/' && valid_code(i)) {
+ if (strcmp(t1_buf_array + 1, notdef) != 0)
+ glyph_names[i] = xstrdup(t1_buf_array + 1);
+- p = strstr(p, " put") + strlen(" put");
++ p = strstr(p, " put");
++ if (!p)
++ pdftex_fail("invalid pfb, no put found in dup");
++ p += strlen(" put");
+ skip(p, ' ');
+ }
+ /*
+@@ -850,7 +853,10 @@ static char **t1_builtin_enc(void)
+ else if (sscanf(p, "dup dup %i exch %i get put", &b, &a) == 2
+ && valid_code(a) && valid_code(b)) {
+ copy_glyph_names(glyph_names, a, b);
+- p = strstr(p, " get put") + strlen(" get put");
++ p = strstr(p, " get put");
++ if (!p)
++ pdftex_fail("invalid pfb, no get put found in dup dup");
++ p += strlen(" get put");
+ skip(p, ' ');
+ }
+ /*
+@@ -861,7 +867,10 @@ static char **t1_builtin_enc(void)
+ && valid_code(a) && valid_code(b) && valid_code(c)) {
+ for (i = 0; i < c; i++)
+ copy_glyph_names(glyph_names, a + i, b + i);
+- p = strstr(p, " putinterval") + strlen(" putinterval");
++ p = strstr(p, " putinterval");
++ if (!p)
++ pdftex_fail("invalid pfb, no putinterval found in dup dup");
++ p += strlen(" putinterval");
+ skip(p, ' ');
+ }
+ /*
diff --git a/CVE-2023-46051.patch b/CVE-2023-46051.patch
new file mode 100644
index 0000000000000000000000000000000000000000..bbe2cdca67056745826e94885904ae14b5d7fbec
--- /dev/null
+++ b/CVE-2023-46051.patch
@@ -0,0 +1,37 @@
+Origin:
+https://github.com/TeX-Live/texlive-source/commit/8215ee325f74405f795a02d247fbd99302810261
+https://tug.org/pipermail/tex-live/2023-August/049415.html
+
+From 8215ee325f74405f795a02d247fbd99302810261 Mon Sep 17 00:00:00 2001
+From: Karl Berry
+Date: Mon, 28 Aug 2023 22:32:09 +0000
+Subject: [PATCH] guard against undump of corrupt .fmt
+
+git-svn-id: svn://tug.org/texlive/trunk/Build/source@68100 c570f23f-e606-0410-a88d-b1316a301751
+---
+ texlive-20210325-source/texk/web2c/pdftexdir/tounicode.c | 9 ++++++++-
+ 1 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/texlive-20210325-source/texk/web2c/pdftexdir/tounicode.c b/texlive-20210325-source/texk/web2c/pdftexdir/tounicode.c
+index e658064abb..e57c36f6be 100644
+--- a/texlive-20210325-source/texk/web2c/pdftexdir/tounicode.c
++++ b/texlive-20210325-source/texk/web2c/pdftexdir/tounicode.c
+@@ -535,10 +535,17 @@ void undumptounicode(void)
+ void **result;
+ glyph_unicode_entry *gu = new_glyph_unicode_entry();
+ undumpcharptr(gu->name);
++ if (gu->name == NULL) {
++ pdftex_fail("undumpcharptr(gu->name) got NULL");
++ }
+ generic_undump(gu->code);
+
+- if (gu->code == UNI_STRING)
++ if (gu->code == UNI_STRING) {
+ undumpcharptr(gu->unicode_seq);
++ if (gu->unicode_seq == NULL) {
++ pdftex_fail("undumpcharptr(gu->unicode_seq) got NULL");
++ }
++ }
+
+ result = avl_probe(glyph_unicode_tree, gu);
+ assert(*result == gu);
diff --git a/texlive-20180414-synctex-version.patch b/texlive-20180414-synctex-version.patch
deleted file mode 100644
index 7a92ef2b5c5a504670bd920c67b5a2472fa9eaf6..0000000000000000000000000000000000000000
--- a/texlive-20180414-synctex-version.patch
+++ /dev/null
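Review bot: In the third inner hunk the `getinterval putinterval` branch still loops `copy_glyph_names(glyph_names, a + i, b + i)` for `i < c` after checking `a`, `b` and `c` only one at a time, so with a corrupt pfb the indices `a + i` and `b + i` can run past whatever range `valid_code` accepts (its definition is not shown, so this is inferred). The condition could also bound the end of the interval, e.g. `&& (c == 0 || (valid_code(a + c - 1) && valid_code(b + c - 1)))`. Separately, the added `if (!p) pdftex_fail(...);` guards are unbraced and followed directly by `p += strlen(...)`, so they are safe only if `pdftex_fail` never returns; a one-line comment saying so would help. The CVE-2018-17407 patch deleted in this same commit shows copies of this Type 1 code in dvipsk/writet1.c and luatexdir/font/writet1.w, which may carry the same unchecked `strstr(...) + strlen(...)` and are not touched here. `t1_builtin_enc` begins and ends outside these hunks.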
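Review bot: The duplicate-entry case is still covered only by `assert(*result == gu)` after `avl_probe`, which disappears in an NDEBUG build and dereferences `result` without checking it first. Since this change is about rejecting a corrupt .fmt, that check would fit better as a runtime one in the style of the new guards, e.g. `if (result == NULL || *result != gu) pdftex_fail("undumptounicode: duplicate or failed insert");`. `gu->code` from `generic_undump` is likewise used without a range check and only compared with `UNI_STRING`; whether other values are harmless cannot be told from this hunk. The body of `undumptounicode` continues outside the hunk.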
@@ -1,47 +0,0 @@
-From 28fe90a530c055abce7af362512b81a70d296e7d Mon Sep 17 00:00:00 2001
-From: Akira Kakuto
-Date: Mon, 23 Jul 2018 21:21:12 +0000
-Subject: [PATCH] add synctex_version.h (report from Johannes)
-
-git-svn-id: svn://tug.org/texlive/trunk/Build/source@48260 c570f23f-e606-0410-a88d-b1316a301751
----
- texk/web2c/Makefile.in | 3 ++-
- texk/web2c/synctexdir/am/synctex.am | 1 +
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/texk/web2c/Makefile.in b/texk/web2c/Makefile.in
-index abdd6dfef..4872c68f2 100644
---- a/texlive-20210325-source/texk/web2c/Makefile.in
-+++ b/texlive-20210325-source/texk/web2c/Makefile.in
-@@ -2420,7 +2420,7 @@ NROFF = nroff
- MANS = $(dist_man_MANS) $(nodist_man_MANS)
- DATA = $(pkgconfig_DATA)
- am__syncinclude_HEADERS_DIST = synctexdir/synctex_parser.h \
-- synctexdir/synctex_parser_utils.h
-+ synctexdir/synctex_version.h synctexdir/synctex_parser_utils.h
- HEADERS = $(syncinclude_HEADERS)
- RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
- distclean-recursive maintainer-clean-recursive
-@@ -4687,6 +4687,7 @@ syncincludedir = ${includedir}/synctex
- pkgconfigdir = ${libdir}/pkgconfig
- @SYNCTEX_TRUE@syncinclude_HEADERS = \
- @SYNCTEX_TRUE@ synctexdir/synctex_parser.h \
-+@SYNCTEX_TRUE@ synctexdir/synctex_version.h \
- @SYNCTEX_TRUE@ synctexdir/synctex_parser_utils.h
-
- @SYNCTEX_TRUE@pkgconfig_DATA = synctexdir/synctex.pc
-diff --git a/texk/web2c/synctexdir/am/synctex.am b/texk/web2c/synctexdir/am/synctex.am
-index 316ffbbae..b69cb260a 100644
---- a/texlive-20210325-source/texk/web2c/synctexdir/am/synctex.am
-+++ b/texlive-20210325-source/texk/web2c/synctexdir/am/synctex.am
-@@ -55,6 +55,7 @@ pkgconfigdir = ${libdir}/pkgconfig
- if SYNCTEX
- syncinclude_HEADERS = \
- synctexdir/synctex_parser.h \
-+ synctexdir/synctex_version.h \
- synctexdir/synctex_parser_utils.h
-
- pkgconfig_DATA = synctexdir/synctex.pc
---
-2.17.1
-
diff --git a/texlive-base-CVE-2018-17407.patch b/texlive-base-CVE-2018-17407.patch
deleted file mode 100644
index 7e5d45d97b1d411c150bbb556e1a0b1f81dd043f..0000000000000000000000000000000000000000
--- a/texlive-base-CVE-2018-17407.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-diff -up a/texlive-20210325-source/texk/dvipsk/writet1.c.CVE-2018-17407 a/texlive-20210325-source/texk/dvipsk/writet1.c
---- a/texlive-20210325-source/texk/dvipsk/writet1.c.CVE-2018-17407 2018-10-01 11:03:50.140899732 -0400
-+++ a/texlive-20210325-source/texk/dvipsk/writet1.c 2018-10-01 11:04:31.425999765 -0400
-@@ -1449,7 +1449,9 @@ static void t1_check_unusual_charstring(
- *(strend(t1_buf_array) - 1) = ' ';
-
- t1_getline();
-+ alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, T1_BUF_SIZE);
- strcat(t1_buf_array, t1_line_array);
-+ alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);
- strcpy(t1_line_array, t1_buf_array);
- t1_line_ptr = eol(t1_line_array);
- }
-diff -up a/texlive-20210325-source/texk/web2c/luatexdir/font/writet1.w.CVE-2018-17407 a/texlive-20210325-source/texk/web2c/luatexdir/font/writet1.w
---- a/texlive-20210325-source/texk/web2c/luatexdir/font/writet1.w.CVE-2018-17407 2018-10-01 11:05:54.404187837 -0400
-+++ a/texlive-20210325-source/texk/web2c/luatexdir/font/writet1.w 2018-10-01 11:06:33.537335758 -0400
-@@ -1625,7 +1625,9 @@ static void t1_check_unusual_charstring(
- if (sscanf(p, "%i", &i) != 1) {
- strcpy(t1_buf_array, t1_line_array);
- t1_getline();
-+ alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, T1_BUF_SIZE);
- strcat(t1_buf_array, t1_line_array);
-+ alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);
- strcpy(t1_line_array, t1_buf_array);
- t1_line_ptr = eol(t1_line_array);
- }
-diff -up a/texlive-20210325-source/texk/web2c/pdftexdir/writet1.c.CVE-2018-17407 a/texlive-20210325-source/texk/web2c/pdftexdir/writet1.c
---- a/texlive-20210325-source/texk/web2c/pdftexdir/writet1.c.CVE-2018-17407 2018-10-01 11:06:57.881806099 -0400
-+++ a/texlive-20210325-source/texk/web2c/pdftexdir/writet1.c 2018-10-01 11:08:06.424314628 -0400
-@@ -1598,7 +1598,9 @@ static void t1_check_unusual_charstring(
- *(strend(t1_buf_array) - 1) = ' ';
-
- t1_getline();
-+ alloc_array(t1_buf, strlen(t1_line_array) + strlen(t1_buf_array) + 1, T1_BUF_SIZE);
- strcat(t1_buf_array, t1_line_array);
-+ alloc_array(t1_line, strlen(t1_buf_array) + 1, T1_BUF_SIZE);
- strcpy(t1_line_array, t1_buf_array);
- t1_line_ptr = eol(t1_line_array);
- }
diff --git a/texlive-base.spec b/texlive-base.spec
index 8b658bc8047b1ba5bc9b6eca5faf1429e8485ba7..c6fc884086f3f8f507868d026471e258ac81348f 100644
--- a/texlive-base.spec
+++ b/texlive-base.spec
@@ -4,7 +4,7 @@ Name: texlive-base Version: 20210325 -Release: 7 +Release: 8 Epoch: 9 Summary: TeX formatting system License: ASL 2.0 and LGPL-2.1-only and Zlib and OFL-1.1 and Public Domain and LGPL-2.0-only and GPLv2+ and MPL-1.1 and Libpng and LGPL-3.0-only and BSL-1.0 and GPLv2 and GPLv3 and CPL-1.0 and IJG and MIT and LPPL-1.3c and ICU and psutils
@@ -428,6 +428,8 @@ Patch0032: texlive-base-20210325-mendex-weird-arch-fixes.patch Patch0033: texlive-base-20210325-no-setpdfwrite.patch Patch0034: CVE-2023-32700.patch +Patch0035: CVE-2023-46048.patch +Patch0036: CVE-2023-46051.patch BuildRequires: xz libXaw-devel libXi-devel ncurses-devel bison flex file perl(Digest::MD5) texinfo gcc-c++ BuildRequires: gd-devel freetype-devel libpng-devel zlib-devel potrace-devel
@@ -8652,6 +8654,9 @@ yes | %{_bindir}/updmap-sys --quiet --syncwithtrees >/dev/null 2>&1 || : %doc %{_datadir}/texlive/texmf-dist/doc/latex/yplan/ %changelog +* Mon Aug 05 2024 wangkai <13474090681@163.com> - 9:20210325-8 +- Fix CVE-2023-46048, CVE-2023-46051 + * Mon Nov 27 2023 jiahua.yu - 9:20210325-7 - Init support for ppc64le
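Review bot: The second hunk only declares `Patch0035` and `Patch0036`, and no `%patch` line is added anywhere in this diff, so the two fixes reach the build only if `%prep` (outside the visible hunks) applies patches automatically, for example through `%autosetup` or `%autopatch`; it is worth confirming in the build log that both are applied. The same commit deletes texlive-base-CVE-2018-17407.patch without removing any `Patch` line here, which suggests that file was already unused. Once it is confirmed that the 20210325 sources already contain the `alloc_array` calls from that fix, a changelog line such as `- Remove unused patches already included upstream` would record the reason for the removal.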