authorRaúl Porcel <armin76@gentoo.org>2007-04-11 20:54:38 +0000
committerRaúl Porcel <armin76@gentoo.org>2007-04-11 20:54:38 +0000
commit2f8df82915eb61d32886f11d6db7809549393c33 (patch)
tree5839443c47436424efec3b9a945fe2134e6207e5 /net-misc/tightvnc/files
parentTimezone updates. Fixes for the KDE bugs #140624, #140650, #140688 and #143511. (diff)
New security patches from Mandriva, bug 174200
(Portage version: 2.1.2.3)
Diffstat (limited to 'net-misc/tightvnc/files')
-rw-r--r--net-misc/tightvnc/files/digest-tightvnc-1.2.9-r43
-rw-r--r--net-misc/tightvnc/files/tightvnc-1.2.9-server-CVE-2007-1003.patch36
-rw-r--r--net-misc/tightvnc/files/tightvnc-1.2.9-server-CVE-2007-1351-1352.patch49
3 files changed, 88 insertions, 0 deletions
diff --git a/net-misc/tightvnc/files/digest-tightvnc-1.2.9-r4 b/net-misc/tightvnc/files/digest-tightvnc-1.2.9-r4
new file mode 100644
index 000000000000..d72709d4f9b6
--- /dev/null
+++ b/net-misc/tightvnc/files/digest-tightvnc-1.2.9-r4
@@ -0,0 +1,3 @@
+MD5 f804b26c098625e3a2675a0aa7709e31 tightvnc-1.2.9_unixsrc.tar.bz2 1738256
+RMD160 57c4d24bbc008b7188ae4bb177fbb409bc1d26d3 tightvnc-1.2.9_unixsrc.tar.bz2 1738256
+SHA256 c1ba77f832d6c81349f05219802c48b3435cfb6db88f496c9bb08b52b8405548 tightvnc-1.2.9_unixsrc.tar.bz2 1738256
diff --git a/net-misc/tightvnc/files/tightvnc-1.2.9-server-CVE-2007-1003.patch b/net-misc/tightvnc/files/tightvnc-1.2.9-server-CVE-2007-1003.patch
new file mode 100644
index 000000000000..0f97c11dc4dc
--- /dev/null
+++ b/net-misc/tightvnc/files/tightvnc-1.2.9-server-CVE-2007-1003.patch
@@ -0,0 +1,36 @@
+--- vnc_unixsrc/Xvnc/programs/Xserver/Xext/xcmisc.c.cve-2007-1003 2000-06-11 06:00:51.000000000 -0600
++++ vnc_unixsrc/Xvnc/programs/Xserver/Xext/xcmisc.c 2007-03-22 07:07:34.000000000 -0600
+@@ -41,6 +41,12 @@ from the X Consortium.
+ #include "swaprep.h"
+ #include "xcmiscstr.h"
+
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ static unsigned char XCMiscCode;
+
+ static void XCMiscResetProc(
+@@ -135,7 +141,10 @@ ProcXCMiscGetXIDList(client)
+
+ REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
+
+- pids = (XID *)ALLOCATE_LOCAL(stuff->count * sizeof(XID));
++ if (stuff->count > UINT32_MAX / sizeof(XID))
++ return BadAlloc;
++
++ pids = (XID *)Xalloc(stuff->count * sizeof(XID));
+ if (!pids)
+ {
+ return BadAlloc;
+@@ -156,7 +165,7 @@ ProcXCMiscGetXIDList(client)
+ client->pSwapReplyFunc = (ReplySwapPtr) Swap32Write;
+ WriteSwappedDataToClient(client, count * sizeof(XID), pids);
+ }
+- DEALLOCATE_LOCAL(pids);
++ Xfree(pids);
+ return(client->noClientException);
+ }
+
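Review bot: Now that `pids` comes from `Xalloc` instead of `ALLOCATE_LOCAL`, every exit between the allocation and the final `Xfree(pids)` has to release it. The stretch of ProcXCMiscGetXIDList between the two inner hunks is not shown here, so it is worth confirming that no `return` sits in that gap. The new guard would also benefit from a comment saying why it exists, for example `/* count is client-supplied; reject sizes that would wrap the multiplication below */`. The guard only prevents wraparound: a client can still ask for an allocation close to 4 GiB, and the code then relies on the existing `if (!pids)` check to fail cleanly with BadAlloc.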
diff --git a/net-misc/tightvnc/files/tightvnc-1.2.9-server-CVE-2007-1351-1352.patch b/net-misc/tightvnc/files/tightvnc-1.2.9-server-CVE-2007-1351-1352.patch
new file mode 100644
index 000000000000..4c9a1adcb2fd
--- /dev/null
+++ b/net-misc/tightvnc/files/tightvnc-1.2.9-server-CVE-2007-1351-1352.patch
@@ -0,0 +1,49 @@
+--- vnc_unixsrc/Xvnc/lib/font/fontfile/fontdir.c.cve-2007-1351-1352 2000-06-11 06:00:53.000000000 -0600
++++ vnc_unixsrc/Xvnc/lib/font/fontfile/fontdir.c 2007-03-28 16:08:03.000000000 -0600
+@@ -35,11 +35,19 @@ in this Software without prior written a
+ #include "fntfilst.h"
+ #include <X11/keysym.h>
+
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(INT32_MAX)
++#define INT32_MAX 0x7fffffff
++#endif
++
+ Bool
+ FontFileInitTable (table, size)
+ FontTablePtr table;
+ int size;
+ {
++ if (size < 0 || (size > INT32_MAX/sizeof(FontEntryRec)))
++ return FALSE;
+ if (size)
+ {
+ table->entries = (FontEntryPtr) xalloc(sizeof(FontEntryRec) * size);
+--- vnc_unixsrc/Xvnc/lib/font/bitmap/bdfread.c.cve-2007-1351-1352 2000-06-11 06:00:52.000000000 -0600
++++ vnc_unixsrc/Xvnc/lib/font/bitmap/bdfread.c 2007-03-28 16:06:06.000000000 -0600
+@@ -59,6 +59,12 @@ from the X Consortium.
+ #include "bitmap.h"
+ #include "bdfint.h"
+
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(INT32_MAX)
++#define INT32_MAX 0x7fffffff
++#endif
++
+ #define INDICES 256
+ #define MAXENCODING 0xFFFF
+ #define BDFLINELEN 1024
+@@ -271,6 +277,11 @@ bdfReadCharacters(file, pFont, pState, b
+ bdfError("invalid number of CHARS in BDF file\n");
+ return (FALSE);
+ }
++ if (nchars > INT32_MAX / sizeof(CharInfoRec)) {
++ bdfError("Couldn't allocate pCI (%d*%d)\n", nchars,
++ sizeof(CharInfoRec));
++ goto BAILOUT;
++ }
+ ci = (CharInfoPtr) xalloc(nchars * sizeof(CharInfoRec));
+ if (!ci) {
+ bdfError("Couldn't allocate pCI (%d*%d)\n", nchars,
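Review bot: In the added bdfReadCharacters check, `bdfError` is passed `sizeof(CharInfoRec)` (a `size_t`) for a `%d` conversion, which is a format/argument mismatch wherever `size_t` is wider than `int`. Cast it, `(int) sizeof(CharInfoRec)`; the allocation-failure message a few lines below, which this one was copied from, has the same problem. The text "Couldn't allocate pCI" is also reused for a request rejected before any allocation, so a distinct message such as `bdfError("CHARS count too large (%d)\n", nchars);` would make a malformed font easier to recognise in logs. `nchars` is converted to unsigned in the comparison, so the check depends on the earlier "invalid number of CHARS" test rejecting negative values; that condition lies above the hunk and is not visible here.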