diff --git a/CVE-2019-25051.patch b/CVE-2019-25051.patch new file mode 100644 index 0000000000000000000000000000000000000000..d72194a9e8a71bc5ff0a879489f47a11b67047d6 --- /dev/null +++ b/CVE-2019-25051.patch @@ -0,0 +1,98 @@ +From 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001 +From: Kevin Atkinson +Date: Sat, 21 Dec 2019 20:32:47 +0000 +Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk + to prevent a buffer overflow + +Origin: https://github.com/gnuaspell/aspell/commit/0718b375425aad8e54e1150313b862e4c6fd324a + +Bug found using OSS-Fuze. +--- + common/objstack.hpp | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/common/objstack.hpp b/common/objstack.hpp +index 3997bf7..bd97ccd 100644 +--- a/common/objstack.hpp ++++ b/common/objstack.hpp +@@ -5,6 +5,7 @@ + #include "parm_string.hpp" + #include + #include ++#include + + namespace acommon { + +@@ -26,6 +27,12 @@ class ObjStack + byte * temp_end; + void setup_chunk(); + void new_chunk(); ++ bool will_overflow(size_t sz) const { ++ return offsetof(Node,data) + sz > chunk_size; ++ } ++ void check_size(size_t sz) { ++ assert(!will_overflow(sz)); ++ } + + ObjStack(const ObjStack &); + void operator=(const ObjStack &); +@@ -56,7 +63,7 @@ class ObjStack + void * alloc_bottom(size_t size) { + byte * tmp = bottom; + bottom += size; +- if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;} ++ if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;} + return tmp; + } + // This alloc_bottom will insure that the object is aligned based on the +@@ -66,7 +73,7 @@ class ObjStack + align_bottom(align); + byte * tmp = bottom; + bottom += size; +- if (bottom > top) {new_chunk(); goto loop;} ++ if (bottom > top) {check_size(size); new_chunk(); goto loop;} + return tmp; + } + char * dup_bottom(ParmString str) { +@@ -79,7 +86,7 @@ class ObjStack + // always be aligned as such. + void * alloc_top(size_t size) { + top -= size; +- if (top < bottom) {new_chunk(); top -= size;} ++ if (top < bottom) {check_size(size); new_chunk(); top -= size;} + return top; + } + // This alloc_top will insure that the object is aligned based on +@@ -88,7 +95,7 @@ class ObjStack + {loop: + top -= size; + align_top(align); +- if (top < bottom) {new_chunk(); goto loop;} ++ if (top < bottom) {check_size(size); new_chunk(); goto loop;} + return top; + } + char * dup_top(ParmString str) { +@@ -117,6 +124,7 @@ class ObjStack + void * alloc_temp(size_t size) { + temp_end = bottom + size; + if (temp_end > top) { ++ check_size(size); + new_chunk(); + temp_end = bottom + size; + } +@@ -131,6 +139,7 @@ class ObjStack + } else { + size_t s = temp_end - bottom; + byte * p = bottom; ++ check_size(size); + new_chunk(); + memcpy(bottom, p, s); + temp_end = bottom + size; +@@ -150,6 +159,7 @@ class ObjStack + } else { + size_t s = temp_end - bottom; + byte * p = bottom; ++ check_size(size); + new_chunk(); + memcpy(bottom, p, s); + temp_end = bottom + size; diff --git a/aspell.spec b/aspell.spec index 8962d8fc9e5e4793936f607f93d699d2df9ab184..37dc945eb727d29a8335b9347a3f99378154fa07 100644 --- a/aspell.spec +++ b/aspell.spec @@ -1,6 +1,6 @@ Name: aspell Version: 0.60.6.1 -Release: 29 +Release: 30 Summary: Spell checker Epoch: 12 License: LGPLv2+ and LGPLv2 and GPLv2+ and BSD @@ -20,6 +20,7 @@ Patch0009: CVE-2019-17544.patch Patch0010: CVE-2019-20433-1.patch Patch0011: CVE-2019-20433-2.patch Patch0012: aspell-0.60.6.1-sw.patch +Patch0013: CVE-2019-25051.patch BuildRequires: chrpath gettext ncurses-devel pkgconfig perl-interpreter gcc-c++ @@ -114,6 +115,9 @@ rm -rf ${RPM_BUILD_ROOT}%{_mandir}/man1/aspell-import.1 %{_mandir}/man1/pspell-config.1* %changelog +* Mon Mar 18 2024 wangkai <13474090681@163.com> - 12:0.60.6.1-30 +- Fix CVE-2019-25051 + * Thu Jul 28 2022 wuzx - 12:0.60.6.1-29 - add sw64 patch