Fix CVE-2023-26769

(cherry picked from commit 780a4972e7ddfe208c9d883fc27f7d1d08b54032)
2023-03-22 18:14:38 +08:00 · 2023-03-22 18:14:38 +08:00 · 0e99ad0e16
commit 0e99ad0e16
parent 85b4b4b9aa
2 changed files with 70 additions and 1 deletions
--- a/CVE-2023-26769.patch
+++ b/CVE-2023-26769.patch
@ -0,0 +1,65 @@
+diff -Naur a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
+--- a/liblouis/compileTranslationTable.c	2023-03-22 17:59:25.331813368 +0800
+++ b/liblouis/compileTranslationTable.c	2023-03-22 18:05:57.089522644 +0800
+@@ -3628,18 +3628,21 @@
+ 	char *tableFile;
+ 	static struct stat info;
+ 
+#define MAX_TABLEFILE_SIZE (MAXSTRING * sizeof(char) * 2)
+ 	if (table == NULL || table[0] == '\0') return NULL;
+-	tableFile = (char *)malloc(MAXSTRING * sizeof(char) * 2);
+	tableFile = (char *)malloc(MAX_TABLEFILE_SIZE);
+ 
+ 	//
+ 	// First try to resolve against base
+ 	//
+ 	if (base) {
+ 		int k;
+		if (strlen(base) >= MAX_TABLEFILE_SIZE) goto failure;
+ 		strcpy(tableFile, base);
+ 		k = (int)strlen(tableFile);
+ 		while (k >= 0 && tableFile[k] != '/' && tableFile[k] != '\\') k--;
+ 		tableFile[++k] = '\0';
+		if (strlen(tableFile) + strlen(table) >= MAX_TABLEFILE_SIZE) goto failure;
+ 		strcat(tableFile, table);
+ 		if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+ 			_lou_logMessage(LOG_DEBUG, "found table %s", tableFile);
+@@ -3651,6 +3654,7 @@
+ 	// It could be an absolute path, or a path relative to the current working
+ 	// directory
+ 	//
+	if (strlen(table) >= MAX_TABLEFILE_SIZE) goto failure;
+ 	strcpy(tableFile, table);
+ 	if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+ 		_lou_logMessage(LOG_DEBUG, "found table %s", tableFile);
+@@ -3671,6 +3675,10 @@
+ 			last = (*cp == '\0');
+ 			*cp = '\0';
+ 			if (dir == cp) dir = ".";
+			if (strlen(dir) + strlen(table) + 1 >= MAX_TABLEFILE_SIZE) {
+				free(searchPath_copy);
+				goto failure;
+			}
+ 			sprintf(tableFile, "%s%c%s", dir, DIR_SEP, table);
+ 			if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+ 				_lou_logMessage(LOG_DEBUG, "found table %s", tableFile);
+@@ -3678,6 +3686,11 @@
+ 				return tableFile;
+ 			}
+ 			if (last) break;
+			if (strlen(dir) + strlen("liblouis") + strlen("tables") + strlen(table) + 3 >=
+					MAX_TABLEFILE_SIZE) {
+				free(searchPath_copy);
+				goto failure;
+			}
+ 			sprintf(tableFile, "%s%c%s%c%s%c%s", dir, DIR_SEP, "liblouis", DIR_SEP,
+ 					"tables", DIR_SEP, table);
+ 			if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+@@ -3689,6 +3702,7 @@
+ 		}
+ 		free(searchPath_copy);
+ 	}
+failure:
+ 	free(tableFile);
+ 	return NULL;
+ }
--- a/liblouis.spec
+++ b/liblouis.spec
@ -2,11 +2,12 @@

 Name:           liblouis
 Version:        3.7.0
-Release:        3
+Release:        4
 Summary:        Braille translation and back-translation library
 License:        LGPLv3+ and GPLv3+
 URL:            http://liblouis.org
 Source0:        https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz
+Patch0001:      CVE-2023-26769.patch
 Recommends:	%{name}-help = %{version}-%{release}
 BuildRequires:  chrpath gcc help2man texinfo texinfo-tex texlive-eurosym
 BuildRequires:  texlive-xetex python2-devel python3-devel
@ -134,6 +135,9 @@ done
 %{python3_sitelib}/louis/

 %changelog
+* Wed Mar 22 2023 yaoxin <yaoxin30@h-partners.com> - 3.7.0-4
+- Fix CVE-2023-26769
+
 * Thu Nov 12 2020 xinghe <xinghe1@huawei.com> - 3.7.0-3
 - add help for Recommends