!62 Fix CVE-2023-46048

From: @wk333 Reviewed-by: @starlet-dx Signed-off-by: @starlet-dx
2024-08-09 03:25:08 +00:00 · 2024-08-09 03:25:08 +00:00 · a56f0d3a99
commit a56f0d3a99
parent 0bd5c69939 5eafb97022
2 changed files with 59 additions and 1 deletions
--- a/CVE-2023-46048.patch
+++ b/CVE-2023-46048.patch
@ -0,0 +1,54 @@
 Origin:
 https://github.com/TeX-Live/texlive-source/commit/33b330bc48ed2df69daf80a81be3cde8bf794816
 https://tug.org/pipermail/tex-live/2023-August/049402.html
 From 33b330bc48ed2df69daf80a81be3cde8bf794816 Mon Sep 17 00:00:00 2001
 From: Karl Berry <karl@freefriends.org>
 Date: Sat, 26 Aug 2023 17:50:10 +0000
 Subject: [PATCH] guard against corrupt pfb in dup tests, pdftex r910
 git-svn-id: svn://tug.org/texlive/trunk/Build/source@68069 c570f23f-e606-0410-a88d-b1316a301751
 ---
 texlive-20180414-source/texk/web2c/pdftexdir/writet1.c | 15 ++++++++++++---
 1 files changed, 12 insertions(+), 3 deletions(-)
 diff --git a/texlive-20180414-source/texk/web2c/pdftexdir/writet1.c b/texlive-20180414-source/texk/web2c/pdftexdir/writet1.c
 index 0444d46be0..f2a8386cab 100644
 --- a/texlive-20180414-source/texk/web2c/pdftexdir/writet1.c
 +++ b/texlive-20180414-source/texk/web2c/pdftexdir/writet1.c
@@ -841,7 +841,10 @@ static char **t1_builtin_enc(void)
                 *t1_buf_array == '/' && valid_code(i)) {
                 if (strcmp(t1_buf_array + 1, notdef) != 0)
                     glyph_names[i] = xstrdup(t1_buf_array + 1);
 -                p = strstr(p, " put") + strlen(" put");
 +                p = strstr(p, " put");
 +                if (!p)
 +                    pdftex_fail("invalid pfb, no put found in dup");
 +                p += strlen(" put");
                 skip(p, ' ');
             }
             /*
@@ -850,7 +853,10 @@ static char **t1_builtin_enc(void)
             else if (sscanf(p, "dup dup %i exch %i get put", &b, &a) == 2
                      && valid_code(a) && valid_code(b)) {
                 copy_glyph_names(glyph_names, a, b);
 -                p = strstr(p, " get put") + strlen(" get put");
 +                p = strstr(p, " get put");
 +                if (!p)
 +                    pdftex_fail("invalid pfb, no get put found in dup dup");
 +                p += strlen(" get put");
                 skip(p, ' ');
             }
             /*
@@ -861,7 +867,10 @@ static char **t1_builtin_enc(void)
                      && valid_code(a) && valid_code(b) && valid_code(c)) {
                 for (i = 0; i < c; i++)
                     copy_glyph_names(glyph_names, a + i, b + i);
 -                p = strstr(p, " putinterval") + strlen(" putinterval");
 +                p = strstr(p, " putinterval");
 +                if (!p)
 +                   pdftex_fail("invalid pfb, no putinterval found in dup dup");
 +                p += strlen(" putinterval");
                 skip(p, ' ');
             }
             /*
--- a/texlive-base.spec
+++ b/texlive-base.spec
@ -4,7 +4,7 @@
 Name:           texlive-base
 Version:        20180414
-Release:        32
+Release:        33
 Epoch:          7
 Summary:        TeX formatting system
 License:        ASL 2.0 and Artistic 2.0 and BSD and GFDL-1.1-or-later and GPL+ and GPLv2 and GPLv3 and Knuth-CTAN and LGPLv2+ and LGPLv3+ and LPPL-1.2 and LPPL-1.3 and LPPL-1.3c and OFL-1.1 and Public Domain
@ -380,6 +380,7 @@ Patch0003:      texlive-20180414-synctex-version.patch
 Patch0004:      texlive-base-CVE-2018-17407.patch
 Patch0005:      remove-support-of-poppler.patch
 Patch0006:      CVE-2023-32700.patch
 Patch0007:      CVE-2023-46048.patch
 BuildRequires:  xz libXaw-devel libXi-devel ncurses-devel bison flex file perl(Digest::MD5) texinfo gcc-c++
 BuildRequires:  gd-devel freetype-devel libpng-devel zlib-devel
@ -8095,6 +8096,9 @@ done <<< "$list"
 %doc %{_datadir}/texlive/texmf-dist/doc/latex/yplan/
 %changelog
 * Mon Aug 05 2024 wangkai <13474090681@163.com> - 7:20180414-33
 - Fix CVE-2023-46048
 * Mon Jul 03 2023 yaoxin <yao_xin001@hoperun.com> - 7:20180414-32
 - Fix CVE-2023-32700