CVE-2009-2905, bug #285854

Package-Manager: portage-2.2_rc40/cvs/Linux x86_64

6 files changed, 29 insertions, 93 deletions

diff --git a/dev-libs/newt/ChangeLog b/dev-libs/newt/ChangeLog
index 50c15e6dddb8..af4ec9c727de 100644
--- a/dev-libs/newt/ChangeLog
+++ b/dev-libs/newt/ChangeLog
@@ -1,6 +1,10 @@
 # ChangeLog for dev-libs/newt
 # Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-libs/newt/ChangeLog,v 1.53 2009/10/04 20:42:10 maekke Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/newt/ChangeLog,v 1.54 2009/10/07 17:25:09 mescalinum Exp $
+
+  07 Oct 2009; Federico Ferri <mescalinum@gentoo.org> newt-0.52.2.ebuild,
+  -newt-0.52.8.ebuild, newt-0.52.10.ebuild, +files/newt-CVE-2009-2905.patch:
+  CVE-2009-2905, bug #285854
 
   04 Oct 2009; Markus Meier <maekke@gentoo.org> newt-0.52.10.ebuild:
   arm stable, bug #281402
diff --git a/dev-libs/newt/Manifest b/dev-libs/newt/Manifest
index e71761418f40..a8db1a00185e 100644
--- a/dev-libs/newt/Manifest
+++ b/dev-libs/newt/Manifest
@@ -1,6 +1,3 @@
------BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA1
-
 AUX newt-0.51.4-fix-wstrlen-for-non-utf8-strings.patch 266 RMD160 e4d6e663febfd5781267fec5db373e629700467f SHA1 4e3bacf0880fc221f26dd003adaa632abc35c86c SHA256 23af6c0ba7e968c37dc036fdb9341d3e5122a4d21edea69995e944921448be18
 AUX newt-0.51.6-assorted-fixes.patch 2794 RMD160 a5c4aee71f56524afe06e363d871ee2803b9410c SHA1 d4af3262835f948d1938137c5693066d55a47625 SHA256 346a2158573e2bff6587d62b31b26c476f53827f00f9eac0c9bac361d7b7d1b0
 AUX newt-0.51.6-do-not-ignore-EARLY-events-in-listbox--and-allow-textbox-to-take-focus.patch 645 RMD160 67e04c4ba98e67c7216fcf1a3169939b29839c25 SHA1 e4e81acd14784572bc794e353f43b9d37b70f4a8 SHA256 b0590b06a77516a4c72c24123a92fea05e2c66f8ea81ebee81a5a7996bdbfa27
@@ -16,19 +13,11 @@ AUX newt-0.52.2-pyexample.patch 372 RMD160 a87fb48b1a80d5043c95053c8ab923d6e8a53
 AUX newt-0.52.2-screensize.patch 1833 RMD160 693c44faa11188f7645e405e15a86ec8f37c5cab SHA1 99e7e27b5ad3b0e0276bbec463d5f4bc565645a1 SHA256 008b839f8820b090a693d68d699ece78888a839d407a12e1a2202dcc77128ddd
 AUX newt-0.52.2-scrollbars.patch 673 RMD160 f17336c885823954889b924d0cb91af9589fdbf7 SHA1 4cd0b263b42383390d93908c6dad7c26f6a4588e SHA256 cc319165b2e8a3874aa03fa58e0f5aec01b4395033850e5c7960389bfff0abc3
 AUX newt-0.52.7-notcl.patch 1583 RMD160 8552db99e00fb56271d613a12b075079a3e5b00e SHA1 ae0e8f61f3d807efb1b4e6594c6d0e7631921b41 SHA256 21ee8810d6587098a5adc7c98cf5bcab15486e7bc4ce66940f24e506dd52fee7
+AUX newt-CVE-2009-2905.patch 466 RMD160 a8a9738005c782ea332de00ebfeb6fc0f7987a65 SHA1 d07a05abf3e9653b6169382939d4c82ae9c03db9 SHA256 4efb6f8d3df83e25576536110092cd1a85b3ba5bae5be7eea05f226c45542cd0
 AUX newt-gpm-fix.diff 177 RMD160 454f9c72c883f0e59113a31e90d1ad1dacd0a13b SHA1 6942c27087891d7f408b5650903935618d73a963 SHA256 ad2dabadf0863313790cd9f8e41babd0ece230b08df735073d74b3cb7b20f291
 DIST newt-0.52.10.tar.gz 170739 RMD160 d24463b61bb7bcd71a87075f02dbe1590d4d8017 SHA1 7a5a0d2251ff913c45691b7c6c1ee0c17c086742 SHA256 da0e6963ba376741d80de8b869dc014cadfc5b0d735cc4f2aa1ff902f1c92892
 DIST newt-0.52.2-9.src.rpm 283433 RMD160 5e33ff2ea5da7e602d0b91287c578bf77c1f6e5b SHA1 eda1f3e1cfb7bed791654fa931c8e6d8904e11d1 SHA256 c28b81fd0464e9e8888c3e79a0fd5485cdfb4f2bb8327af373321735a7e9035b
-DIST newt-0.52.8.tar.gz 168662 RMD160 b7ebf85f009cad78f0c3314e2aa2da2683d17388 SHA1 7a1946ed312f10a8582ff92fdea7d25c1edfd750 SHA256 d84c9c14cfbb914104ce1971b0bbe2f94942ebe7850c1ae9a8f36c09f2cc5ffc
-EBUILD newt-0.52.10.ebuild 1700 RMD160 f15c9dab52c5b122fb05ff0052bbf1248fcba71a SHA1 bac61ea22812633ac012c28b7b81d96a79a2d216 SHA256 d866da7d92a91b3ffa2f25fe7f568cc643b81110f82dccc0c5e9ab8a85449bde
-EBUILD newt-0.52.2.ebuild 2232 RMD160 ef3894e8c55982a43406af0260d430d810a03d79 SHA1 efa5381c2b60044fa9e9d3e9ad16b79db7ef9211 SHA256 8adf4c5375d13c5c59d29498a8e228fb7349baf370b3b907981e9f3e0142326f
-EBUILD newt-0.52.8.ebuild 1709 RMD160 c3d89e03ff18628bb165aa5cc290a19030076b85 SHA1 704913f5b3744972308bad2efff33201f6ace46c SHA256 9e867dbb4506b531954d2deb432f9b9e2a10560c2fffc951b48cecd79d41e8ce
-MISC ChangeLog 7981 RMD160 2c64c4d4e3200cfdc9cfc6341a8b313d43cf3e38 SHA1 d54d41d853fc134b07f77c72e2fa70ee6140171a SHA256 e33c828e321281288c46f674be62c668038d4f4904b053af71f0c71c32a99cbc
+EBUILD newt-0.52.10.ebuild 1767 RMD160 bbc2b03b6b1eb91b825a52d0c559f6518579b97f SHA1 6509ebe68ba4501f99226261d5106a4854e791ad SHA256 cf4321989d66b456eef0cd7ce0e27969a95b4d11de51803d3f6f598dd845bfbc
+EBUILD newt-0.52.2.ebuild 2300 RMD160 9a4add52d153ebe99691d54bdfbb7bfed6b5b6a3 SHA1 5ef43d6b588dafd20449e7cab207fdb69a5c51c4 SHA256 a81347109a74790501f39abc95bc3eb67b8960b5ac69977c8545e2a22c13f0bd
+MISC ChangeLog 8166 RMD160 12b494161e607c58009a141c2292092c23a8b6bc SHA1 84091fa44f862d63fb7671bb63a810820fd8fe3d SHA256 38c5df7abb71b6c0e036dd08d8e8098aa10cf8231c61954ed26c64d5e1208461
 MISC metadata.xml 296 RMD160 d7a28e6b51fad1a08df2463a91ca67a01f1532cb SHA1 18c4543ffb5a19f961b1fb3a93f9dfb778ec4aec SHA256 f459d90a4ac8a519720141bb9fe29415d65805b03d8288537150350aef1abc3e
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.11 (GNU/Linux)
-
-iEYEARECAAYFAkrJCMYACgkQkKaRLQcq0GKH9ACbBOwNNaj59psnEF1KViW+mnn1
-QQoAoIbne3isgcZ0EkGs0EyeIJe107dg
-=qFfN
------END PGP SIGNATURE-----
diff --git a/dev-libs/newt/files/newt-CVE-2009-2905.patch b/dev-libs/newt/files/newt-CVE-2009-2905.patch
new file mode 100644
index 000000000000..1e45af836519
--- /dev/null
+++ b/dev-libs/newt/files/newt-CVE-2009-2905.patch
@@ -0,0 +1,11 @@
+diff -up newt-0.52.10/textbox.c.orig newt-0.52.10/textbox.c
+--- newt-0.52.10/textbox.c.orig	2008-07-30 14:42:55.000000000 +0200
++++ newt-0.52.10/textbox.c	2009-09-21 14:59:24.000000000 +0200
+@@ -179,7 +179,7 @@ static void doReflow(const char * text, 
+ 
+     if (resultPtr) {
+ 	/* XXX I think this will work */
+-	result = malloc(strlen(text) + (strlen(text) / width) + 2);
++	result = malloc(strlen(text) + (strlen(text) / (width - 1)) + 2);
+ 	*result = '\0';
+     }
diff --git a/dev-libs/newt/newt-0.52.10.ebuild b/dev-libs/newt/newt-0.52.10.ebuild
index f245f63a85fe..46acdb4939e8 100644
--- a/dev-libs/newt/newt-0.52.10.ebuild
+++ b/dev-libs/newt/newt-0.52.10.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2009 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/dev-libs/newt/newt-0.52.10.ebuild,v 1.9 2009/10/04 20:42:10 maekke Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/newt/newt-0.52.10.ebuild,v 1.10 2009/10/07 17:25:09 mescalinum Exp $
 
 inherit python toolchain-funcs eutils rpm
 
@@ -37,6 +37,9 @@ src_unpack() {
 	sed -i -e 's:-ltcl8.4:-ltcl8.5:g' "${S}"/Makefile.in
 
 	sed -i -e 's:instroot:DESTDIR:g' "${S}"/Makefile.in || die
+
+	# bug 285854
+	epatch "${FILESDIR}"/newt-CVE-2009-2905.patch
 }
 
 src_compile() {
diff --git a/dev-libs/newt/newt-0.52.2.ebuild b/dev-libs/newt/newt-0.52.2.ebuild
index a55525186291..0e41865a7ccd 100644
--- a/dev-libs/newt/newt-0.52.2.ebuild
+++ b/dev-libs/newt/newt-0.52.2.ebuild
@@ -1,6 +1,6 @@
-# Copyright 1999-2008 Gentoo Foundation
+# Copyright 1999-2009 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/dev-libs/newt/newt-0.52.2.ebuild,v 1.14 2008/06/15 09:48:50 drac Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/newt/newt-0.52.2.ebuild,v 1.15 2009/10/07 17:25:09 mescalinum Exp $
 
 inherit python toolchain-funcs eutils rpm
 
@@ -49,6 +49,9 @@ src_unpack() {
 	fi
 
 	sed -i -e 's:0.52.1:0.52.2:g' "${S}"/configure || die
+
+	# bug 285854
+	epatch "${FILESDIR}"/newt-CVE-2009-2905.patch
 }
 
 src_compile() {
diff --git a/dev-libs/newt/newt-0.52.8.ebuild b/dev-libs/newt/newt-0.52.8.ebuild
deleted file mode 100644
index 9cfc9a0f54ce..000000000000
--- a/dev-libs/newt/newt-0.52.8.ebuild
+++ /dev/null
@@ -1,74 +0,0 @@
-# Copyright 1999-2008 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/dev-libs/newt/newt-0.52.8.ebuild,v 1.3 2008/06/15 09:48:50 drac Exp $
-
-inherit python toolchain-funcs eutils rpm
-
-DESCRIPTION="Redhat's Newt windowing toolkit development files"
-HOMEPAGE="http://www.redhat.com/"
-SRC_URI="mirror://gentoo/${P}.tar.gz
-	http://dev.gentoo.org/~xmerlin/misc/${P}.tar.gz"
-
-LICENSE="LGPL-2"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86"
-IUSE="gpm tcl nls"
-
-RDEPEND="=sys-libs/slang-2*
-	>=dev-libs/popt-1.6
-	dev-lang/python
-	elibc_uclibc? ( sys-libs/ncurses )
-	gpm? ( sys-libs/gpm )
-	tcl? ( =dev-lang/tcl-8.4* )
-	"
-
-DEPEND="${RDEPEND}"
-
-src_unpack() {
-	unpack ${A}
-	#rpm_src_unpack
-	cd "${S}"
-
-	if ! use tcl; then
-		epatch "${FILESDIR}"/${PN}-0.52.7-notcl.patch || die
-	fi
-
-	# bug 73850
-	if use elibc_uclibc; then
-		sed -i -e 's:-lslang:-lslang -lncurses:g' "${S}"/Makefile.in
-	fi
-
-	sed -i -e 's:instroot:DESTDIR:g' "${S}"/Makefile.in || die
-}
-
-src_compile() {
-	python_version
-
-	econf \
-		$(use_with gpm gpm-support) \
-		$(use_enable nls)
-
-	# not parallel safe
-	emake -j1 \
-		CC="$(tc-getCC)" \
-		PYTHONVERS="python${PYVER}" \
-		RPM_OPT_FLAGS="${CFLAGS}" \
-		|| die "emake failed"
-}
-
-src_install () {
-	python_version
-	# the RPM_OPT_FLAGS="ERROR" is there to catch a build error
-	# if it fails, that means something in src_compile() didn't build properly
-	# not parallel safe
-	emake \
-		DESTDIR="${D}" \
-		prefix="/usr" \
-		libdir="/usr/$(get_libdir)" \
-		PYTHONVERS="python${PYVER}" \
-		RPM_OPT_FLAGS="ERROR" \
-		install || die "make install failed"
-	dodoc peanuts.py popcorn.py tutorial.sgml
-	doman whiptail.1
-
-}