9c3ad422d0
* gnu/packages/patches/libgxps-CVE-2017-11590.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gnome.scm (libgxps)[source]: Use it.
48 lines
1.7 KiB
Diff
48 lines
1.7 KiB
Diff
Fix CVE-2017-11590:
|
|
|
|
https://bugzilla.gnome.org/show_bug.cgi?id=785479
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11590
|
|
|
|
Patch copied from upstream source repository:
|
|
|
|
https://git.gnome.org/browse/libgxps/commit/?id=9d5d292055250ed298f3b89dc332d6db4003a031
|
|
|
|
From 9d5d292055250ed298f3b89dc332d6db4003a031 Mon Sep 17 00:00:00 2001
|
|
From: Marek Kasik <mkasik@redhat.com>
|
|
Date: Wed, 26 Jul 2017 16:23:37 +0200
|
|
Subject: archive: Check for pathname being NULL before dereferencing
|
|
|
|
Check whether "archive_entry_pathname ()" returns a non-NULL pathname
|
|
before using it to avoid a NULL pointer being dereferenced.
|
|
|
|
https://bugzilla.gnome.org/show_bug.cgi?id=785479
|
|
---
|
|
libgxps/gxps-archive.c | 5 ++++-
|
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/libgxps/gxps-archive.c b/libgxps/gxps-archive.c
|
|
index acf8d7d..e763773 100644
|
|
--- a/libgxps/gxps-archive.c
|
|
+++ b/libgxps/gxps-archive.c
|
|
@@ -257,6 +257,7 @@ gxps_archive_initable_init (GInitable *initable,
|
|
GXPSArchive *archive;
|
|
ZipArchive *zip;
|
|
struct archive_entry *entry;
|
|
+ const gchar *pathname;
|
|
|
|
archive = GXPS_ARCHIVE (initable);
|
|
|
|
@@ -281,7 +282,9 @@ gxps_archive_initable_init (GInitable *initable,
|
|
|
|
while (gxps_zip_archive_iter_next (zip, &entry)) {
|
|
/* FIXME: We can ignore directories here */
|
|
- g_hash_table_add (archive->entries, g_strdup (archive_entry_pathname (entry)));
|
|
+ pathname = archive_entry_pathname (entry);
|
|
+ if (pathname != NULL)
|
|
+ g_hash_table_add (archive->entries, g_strdup (pathname));
|
|
archive_read_data_skip (zip->archive);
|
|
}
|
|
|
|
--
|
|
cgit v0.12
|
|
|