From 9b8d3346ecef740823cdeaf0a8ec876c792c3b3f Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Nov 07 2007 14:16:03 +0000
Subject: - Fix overflow in Mono.Math.BigInteger class (#367551) CVE-2007-5197
---
diff --git a/mono-big-integer-CVE-2007-5197.patch b/mono-big-integer-CVE-2007-5197.patch
new file mode 100644
index 0000000..17d0772
--- /dev/null
+++ b/mono-big-integer-CVE-2007-5197.patch
@@ -0,0 +1,22 @@
+--- mcs/class/corlib/Mono.Math/BigInteger.cs 2007-09-19 19:06:06.000000000 +0200
++++ mcs/class/corlib/Mono.Math/BigInteger.cs 2007-10-25 23:46:55.000000000 +0200
+@@ -1607,7 +1607,7 @@
+ uint j = 1;
+
+ // Multiply and add
+- for (; j < m.length; j++) {
++ for (; j < m.length && j < A.length; j++) {
+ c += (ulong)u_i * (ulong)*(mP++) + *(aSP++);
+ *(aDP++) = (uint)c;
+ c >>= 32;
+--- mcs/class/Mono.Security/Mono.Math/BigInteger.cs 2007-07-24 23:48:50.000000000 +0200
++++ mcs/class/Mono.Security/Mono.Math/BigInteger.cs 2007-10-25 23:45:01.000000000 +0200
+@@ -1601,7 +1601,7 @@
+ uint j = 1;
+
+ // Multiply and add
+- for (; j < m.length; j++) {
++ for (; j < m.length && j < A.length; j++) {
+ c += (ulong)u_i * (ulong)*(mP++) + *(aSP++);
+ *(aDP++) = (uint)c;
+ c >>= 32;
diff --git a/mono.spec b/mono.spec
index cc6e01d..6e2789c 100644
--- a/mono.spec
+++ b/mono.spec
@@ -1,6 +1,6 @@
Name: mono
Version: 1.2.5.1
-Release: 1%{?dist}
+Release: 3%{?dist}
Summary: a .NET runtime environment
Group: Development/Languages
@@ -34,6 +34,8 @@ Patch4: mono-1.2.3-use-monodir.patch
Patch5: mono-1.2.4-metadata.patch
Patch6: mono-1251-metadata.patch
+Patch7: mono-big-integer-CVE-2007-5197.patch
+
%description
The Mono runtime implements a JIT engine for the ECMA CLI virtual machine (as well as a byte code interpreter, the
@@ -257,6 +259,8 @@ which is fully managed and actively maintained.
%patch3 -p1 -b .libdir
%patch4 -p1 -b .use-monodir
+%patch7 -p0 -b .big-integer
+
%build
%ifarch ia64 s390
export CFLAGS="-O2 -fno-strict-aliasing"
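Review bot: The added `j < A.length` bound in the multiply-and-add loop is evidently meant to keep the unchecked `aSP`/`aDP` pointer walk within A, but when A is shorter than m it ends the loop before every word of m has been processed, so the caller would get a silently truncated result rather than an error. Consider validating the operand sizes once before the loop and failing explicitly there, keeping the clamp as defence in depth with a comment such as `// bound by A.length: aSP/aDP walk A's words, not m's (CVE-2007-5197)`. The same point applies to the identical hunk for mcs/class/Mono.Security/Mono.Math/BigInteger.cs. The enclosing method starts and ends outside both hunks, so whether later code in it still advances `aDP` beyond A cannot be confirmed from here.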
@@ -571,6 +575,10 @@ install monodir $RPM_BUILD_ROOT%{_bindir}
%gac_dll IBM.Data.DB2
%changelog
+* Wed Nov 7 2007 Alexander Larsson - 1.2.5.1-3
+- Fix overflow in Mono.Math.BigInteger class (#367551)
+ CVE-2007-5197
+
* Fri Oct 05 2007 Paul F. Johnson - 1.2.5.1-1 - bump - added new parts (mono-linker, resgen and mono-cecil)