Slackware 13.0slackware-13.0

Wed Aug 26 10:00:38 CDT 2009
Slackware 13.0 x86_64 is released as stable!  Thanks to everyone who
helped make this release possible -- see the RELEASE_NOTES for the
credits.  The ISOs are off to the replicator.  This time it will be a
6 CD-ROM 32-bit set and a dual-sided 32-bit/64-bit x86/x86_64 DVD.
We're taking pre-orders now at store.slackware.com.  Please consider
picking up a copy to help support the project.  Once again, thanks to
the entire Slackware community for all the help testing and fixing
things and offering suggestions during this development cycle.
As always, have fun and enjoy!  -P.

1 files changed, 62 insertions, 0 deletions

diff --git a/source/l/glib2/glib-CVE-2008-4316.diff b/source/l/glib2/glib-CVE-2008-4316.diff
new file mode 100644
index 000000000..5d9bddee1
--- /dev/null
+++ b/source/l/glib2/glib-CVE-2008-4316.diff
@@ -0,0 +1,62 @@
+--- trunk/glib/gbase64.c	2009/02/23 04:30:06	7897
++++ trunk/glib/gbase64.c	2009/03/12 13:30:55	7973
+@@ -54,8 +54,9 @@
+  *
+  * The output buffer must be large enough to fit all the data that will
+  * be written to it. Due to the way base64 encodes you will need
+- * at least: @len * 4 / 3 + 6 bytes. If you enable line-breaking you will
+- * need at least: @len * 4 / 3 + @len * 4 / (3 * 72) + 7 bytes.
++ * at least: (@len / 3 + 1) * 4 + 4 bytes (+ 4 may be needed in case of
++ * non-zero state). If you enable line-breaking you will need at least:
++ * ((@len / 3 + 1) * 4 + 4) / 72 + 1 bytes of extra space.
+  *
+  * @break_lines is typically used when putting base64-encoded data in emails.
+  * It breaks the lines at 72 columns instead of putting all of the text on 
+@@ -233,8 +234,14 @@
+   g_return_val_if_fail (data != NULL, NULL);
+   g_return_val_if_fail (len > 0, NULL);
+ 
+-  /* We can use a smaller limit here, since we know the saved state is 0 */
+-  out = g_malloc (len * 4 / 3 + 4);
++  /* We can use a smaller limit here, since we know the saved state is 0,
++     +1 is needed for trailing \0, also check for unlikely integer overflow */
++  if (len >= ((G_MAXSIZE - 1) / 4 - 1) * 3)
++    g_error("%s: input too large for Base64 encoding (%"G_GSIZE_FORMAT" chars)",
++        G_STRLOC, len);
++
++  out = g_malloc ((len / 3 + 1) * 4 + 1);
++
+   outlen = g_base64_encode_step (data, len, FALSE, out, &state, &save);
+   outlen += g_base64_encode_close (FALSE, out + outlen, &state, &save);
+   out[outlen] = '\0';
+@@ -275,7 +282,8 @@
+  *
+  * The output buffer must be large enough to fit all the data that will
+  * be written to it. Since base64 encodes 3 bytes in 4 chars you need
+- * at least: @len * 3 / 4 bytes.
++ * at least: (@len / 4) * 3 + 3 bytes (+ 3 may be needed in case of non-zero
++ * state).
+  * 
+  * Return value: The number of bytes of output that was written
+  *
+@@ -358,7 +366,8 @@
+ 		 gsize       *out_len)
+ {
+   guchar *ret;
+-  gint input_length, state = 0;
++  gsize input_length;
++  gint state = 0;
+   guint save = 0;
+   
+   g_return_val_if_fail (text != NULL, NULL);
+@@ -368,7 +377,9 @@
+ 
+   g_return_val_if_fail (input_length > 1, NULL);
+ 
+-  ret = g_malloc0 (input_length * 3 / 4);
++  /* We can use a smaller limit here, since we know the saved state is 0,
++     +1 used to avoid calling g_malloc0(0), and hence retruning NULL */
++  ret = g_malloc0 ((input_length / 4) * 3 + 1);
+   
+   *out_len = g_base64_decode_step (text, input_length, ret, &state, &save);
+