[pkgsrc/trunk]: pkgsrc/graphics/imlib Bump PKGREVISION, security fix:
details: https://anonhg.NetBSD.org/pkgsrc/rev/ebcdcdcdf6cd
branches: trunk
changeset: 485422:ebcdcdcdf6cd
user: salo <salo%pkgsrc.org@localhost>
date: Fri Dec 10 09:30:42 2004 +0000
description:
Bump PKGREVISION, security fix:
"Multiple buffer overflows in imlib 1.9.14 and earlier, which is used by
gkrellm and several window managers, allow remote attackers to execute
arbitrary code via certain image files." (1.9.15 is also affected)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1026
Patch from Pavel Kankovsky.
diffstat:
graphics/imlib/Makefile | 3 +-
graphics/imlib/buildlink3.mk | 4 +-
graphics/imlib/distinfo | 12 ++-
graphics/imlib/patches/patch-ab | 169 ++++++++++++++++++++++++++++++++++++++-
graphics/imlib/patches/patch-ai | 20 +++-
graphics/imlib/patches/patch-aj | 89 +++++++++++++++++++++
graphics/imlib/patches/patch-ak | 13 +++
graphics/imlib/patches/patch-al | 15 +++
graphics/imlib/patches/patch-am | 97 ++++++++++++++++++++++
graphics/imlib/patches/patch-an | 23 +++++
graphics/imlib/patches/patch-ao | 98 +++++++++++++++++++++++
11 files changed, 526 insertions(+), 17 deletions(-)
diffs (truncated from 643 to 300 lines):
diff -r a590143734a9 -r ebcdcdcdf6cd graphics/imlib/Makefile
--- a/graphics/imlib/Makefile Fri Dec 10 06:48:18 2004 +0000
+++ b/graphics/imlib/Makefile Fri Dec 10 09:30:42 2004 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.89 2004/12/03 13:42:47 adam Exp $
+# $NetBSD: Makefile,v 1.90 2004/12/10 09:30:42 salo Exp $
DISTNAME= imlib-1.9.15
+PKGREVISION= 1
CATEGORIES= graphics
MASTER_SITES= ${MASTER_SITE_GNOME:=sources/imlib/1.9/}
EXTRACT_SUFX= .tar.bz2
diff -r a590143734a9 -r ebcdcdcdf6cd graphics/imlib/buildlink3.mk
--- a/graphics/imlib/buildlink3.mk Fri Dec 10 06:48:18 2004 +0000
+++ b/graphics/imlib/buildlink3.mk Fri Dec 10 09:30:42 2004 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: buildlink3.mk,v 1.5 2004/10/03 00:14:53 tv Exp $
+# $NetBSD: buildlink3.mk,v 1.6 2004/12/10 09:30:42 salo Exp $
BUILDLINK_DEPTH:= ${BUILDLINK_DEPTH}+
IMLIB_BUILDLINK3_MK:= ${IMLIB_BUILDLINK3_MK}+
@@ -12,7 +12,7 @@
.if !empty(IMLIB_BUILDLINK3_MK:M+)
BUILDLINK_DEPENDS.imlib+= imlib>=1.9.14nb5
-BUILDLINK_RECOMMENDED.imlib+= imlib>=1.9.14nb7
+BUILDLINK_RECOMMENDED.imlib+= imlib>=1.9.15nb1
BUILDLINK_PKGSRCDIR.imlib?= ../../graphics/imlib
.endif # IMLIB_BUILDLINK3_MK
diff -r a590143734a9 -r ebcdcdcdf6cd graphics/imlib/distinfo
--- a/graphics/imlib/distinfo Fri Dec 10 06:48:18 2004 +0000
+++ b/graphics/imlib/distinfo Fri Dec 10 09:30:42 2004 +0000
@@ -1,10 +1,16 @@
-$NetBSD: distinfo,v 1.15 2004/12/03 13:42:47 adam Exp $
+$NetBSD: distinfo,v 1.16 2004/12/10 09:30:42 salo Exp $
SHA1 (imlib-1.9.15.tar.bz2) = c9a732a354fbb3c7e1a426e5d19fc92d73f8f720
Size (imlib-1.9.15.tar.bz2) = 683242 bytes
SHA1 (patch-aa) = 185a5229af781d3dbc57978a3f4acd8308ca4c14
-SHA1 (patch-ab) = df9f9f7c85f0794748a4ca6f58836f8dd230c805
+SHA1 (patch-ab) = d1daff101bec77680f3e17cb776285976a7b5c7a
SHA1 (patch-ae) = 3ed6fff2e73f04ec83c27dc6e3f2db2fa446abbb
SHA1 (patch-ag) = 961a92dfedc79570aacdd75102e63a32171ece55
SHA1 (patch-ah) = edee5311a47d552f9d1b9dcb96f256518040c538
-SHA1 (patch-ai) = 4c1ab5bd72cd3a5070a84b08e7870591d5a3b309
+SHA1 (patch-ai) = df13b72272f754375348437b99d962cb17732619
+SHA1 (patch-aj) = 2769e304deb93dd413fa3c44d53d1d67e92d5d00
+SHA1 (patch-ak) = 4d7ae79f23bf0c64fd85ffebc086b7bb43207718
+SHA1 (patch-al) = 4ad51c7128f7d6a5ecc67f51c745caf53a4def06
+SHA1 (patch-am) = 73c62e11f5b6ac6774e51f8183987b2b4db01465
+SHA1 (patch-an) = 260aeece3eb74d3ec11deed4e38fd46d3f1cde79
+SHA1 (patch-ao) = d4e3df56d2f743e53e73d72551ccd03491bf1c44
diff -r a590143734a9 -r ebcdcdcdf6cd graphics/imlib/patches/patch-ab
--- a/graphics/imlib/patches/patch-ab Fri Dec 10 06:48:18 2004 +0000
+++ b/graphics/imlib/patches/patch-ab Fri Dec 10 09:30:42 2004 +0000
@@ -1,8 +1,37 @@
-$NetBSD: patch-ab,v 1.5 2002/03/19 16:16:08 wiz Exp $
+$NetBSD: patch-ab,v 1.6 2004/12/10 09:30:42 salo Exp $
---- Imlib/load.c.orig Wed Mar 13 19:06:29 2002
-+++ Imlib/load.c
-@@ -254,7 +254,8 @@
+--- Imlib/load.c.orig 2004-09-21 02:23:20.000000000 +0200
++++ Imlib/load.c 2004-12-10 09:58:18.000000000 +0100
+@@ -4,6 +4,8 @@
+ #include "Imlib_private.h"
+ #include <setjmp.h>
+
++#define G_MAXINT ((int) 0x7fffffff)
++
+ /* Split the ID - damages input */
+
+ static char *
+@@ -41,13 +43,17 @@
+
+ /*
+ * Make sure we don't wrap on our memory allocations
++ * we check G_MAXINT/4 because rend.c malloc's w * h * bpp
++ * + 3 is safety margin
+ */
+
+ void * _imlib_malloc_image(unsigned int w, unsigned int h)
+ {
+- if( w > 32767 || h > 32767)
++ if (w <= 0 || w > 32767 ||
++ h <= 0 || h > 32767 ||
++ h >= (G_MAXINT/4 - 1) / w)
+ return NULL;
+- return malloc(w * h * 3);
++ return malloc(w * h * 3 + 3);
+ }
+
+ #ifdef HAVE_LIBJPEG
+@@ -254,7 +260,8 @@
png_read_image(png_ptr, lines);
png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
ptr = data;
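Review bot: In `_imlib_malloc_image` the new guard compares the unsigned `w` and `h` with `<= 0`, which can only ever mean `== 0`, and the overflow bound relies on a locally defined `G_MAXINT` rather than the standard limit. Writing `w == 0 || h == 0` and using `INT_MAX` from `<limits.h>` expresses the same check without a private macro that could collide with another definition if a header supplying one is ever in scope. The added comment says the extra 3 bytes are a "safety margin" but not what they protect against; it should name the reader or writer that can touch bytes past `w * h * 3`.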
@@ -12,7 +41,7 @@
{
for (y = 0; y < *h; y++)
{
-@@ -279,6 +280,7 @@
+@@ -279,6 +286,7 @@
}
}
}
@@ -20,7 +49,7 @@
else if (color_type == PNG_COLOR_TYPE_GRAY)
{
for (y = 0; y < *h; y++)
-@@ -294,6 +296,7 @@
+@@ -294,6 +302,7 @@
}
}
}
@@ -28,3 +57,131 @@
else
{
for (y = 0; y < *h; y++)
+@@ -360,7 +369,9 @@
+ npix = ww * hh;
+ *w = (int)ww;
+ *h = (int)hh;
+- if(ww > 32767 || hh > 32767)
++ if (ww <= 0 || ww > 32767 ||
++ hh <= 0 || hh > 32767 ||
++ hh >= (G_MAXINT/sizeof(uint32)) / ww)
+ {
+ TIFFClose(tif);
+ return NULL;
+@@ -463,7 +474,7 @@
+ }
+ *w = gif->Image.Width;
+ *h = gif->Image.Height;
+- if (*h > 32767 || *w > 32767)
++ if (*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767)
+ {
+ return NULL;
+ }
+@@ -1000,7 +1011,12 @@
+ comment = 0;
+ quote = 0;
+ context = 0;
++ memset(lookup, 0, sizeof(lookup));
++
+ line = malloc(lsz);
++ if (!line)
++ return NULL;
++
+ while (!done)
+ {
+ pc = c;
+@@ -1029,25 +1045,25 @@
+ {
+ /* Header */
+ sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
+- if (ncolors > 32766)
++ if (ncolors <= 0 || ncolors > 32766)
+ {
+ fprintf(stderr, "IMLIB ERROR: XPM files wth colors > 32766 not supported\n");
+ free(line);
+ return NULL;
+ }
+- if (cpp > 5)
++ if (cpp <= 0 || cpp > 5)
+ {
+ fprintf(stderr, "IMLIB ERROR: XPM files with characters per pixel > 5 not supported\n");
+ free(line);
+ return NULL;
+ }
+- if (*w > 32767)
++ if (*w <= 0 || *w > 32767)
+ {
+ fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
+ free(line);
+ return NULL;
+ }
+- if (*h > 32767)
++ if (*h <= 0 || *h > 32767)
+ {
+ fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
+ free(line);
+@@ -1080,11 +1096,13 @@
+ {
+ int slen;
+ int hascolor, iscolor;
++ int space;
+
+ iscolor = 0;
+ hascolor = 0;
+ tok[0] = 0;
+ col[0] = 0;
++ space = sizeof(col) - 1;
+ s[0] = 0;
+ len = strlen(line);
+ strncpy(cmap[j].str, line, cpp);
+@@ -1107,10 +1125,10 @@
+ {
+ if (k >= len)
+ {
+- if (col[0])
+- strcat(col, " ");
+- if (strlen(col) + strlen(s) < sizeof(col))
+- strcat(col, s);
++ if (col[0] && space > 0)
++ strcat(col, " "), space -= 1;
++ if (slen <= space)
++ strcat(col, s), space -= slen;
+ }
+ if (col[0])
+ {
+@@ -1140,14 +1158,17 @@
+ }
+ }
+ }
++ if (slen < sizeof(tok));
+ strcpy(tok, s);
+ col[0] = 0;
++ space = sizeof(col) - 1;
+ }
+ else
+ {
+- if (col[0])
+- strcat(col, " ");
+- strcat(col, s);
++ if (col[0] && space > 0)
++ strcat(col, " "), space -=1;
++ if (slen <= space)
++ strcat(col, s), space -= slen;
+ }
+ }
+ }
+@@ -1376,12 +1397,12 @@
+ sscanf(s, "%i %i", w, h);
+ a = *w;
+ b = *h;
+- if (a > 32767)
++ if (a <= 0 || a > 32767)
+ {
+ fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
+ return NULL;
+ }
+- if (b > 32767)
++ if (b <= 0 || b > 32767)
+ {
+ fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
+ return NULL;
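Review bot: The added line `if (slen < sizeof(tok));` in the XPM colour-table parser ends in a semicolon, so the test guards an empty statement and the following `strcpy(tok, s);` still runs for any length of `s`; the overflow of `tok` that this line is meant to prevent remains. Dropping the semicolon and casting the size fixes both the guard and the signed/unsigned comparison: `if (slen < (int)sizeof(tok)) strcpy(tok, s);`. The assignment of `slen` is not visible in this hunk, so confirm it holds `strlen(s)` at every point where it is compared with `space`. The enclosing loader starts and ends outside the hunk.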
diff -r a590143734a9 -r ebcdcdcdf6cd graphics/imlib/patches/patch-ai
--- a/graphics/imlib/patches/patch-ai Fri Dec 10 06:48:18 2004 +0000
+++ b/graphics/imlib/patches/patch-ai Fri Dec 10 09:30:42 2004 +0000
@@ -1,8 +1,8 @@
-$NetBSD: patch-ai,v 1.1 2004/03/13 17:35:54 cube Exp $
+$NetBSD: patch-ai,v 1.2 2004/12/10 09:30:42 salo Exp $
--- gdk_imlib/io-ppm.c.orig 2002-03-04 18:06:29.000000000 +0100
-+++ gdk_imlib/io-ppm.c
-@@ -50,7 +50,7 @@ loader_ppm (FILE * f, int *w, int *h, in
++++ gdk_imlib/io-ppm.c 2004-12-10 10:00:56.000000000 +0100
+@@ -50,15 +50,15 @@
if (s[0] != '#')
{
done = 0;
@@ -10,8 +10,18 @@
+ sscanf(s, "%d %d", w, h);
a = *w;
b = *h;
- if (a > 32767)
-@@ -66,7 +66,7 @@ loader_ppm (FILE * f, int *w, int *h, in
+- if (a > 32767)
++ if (a <= 0 || a > 32767)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n");
+ return NULL;
+ }
+- if (b > 32767)
++ if (b <= 0 || b > 32767)
+ {
+ fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n");
+ return NULL;
+@@ -66,7 +66,7 @@
if (!bw)
{
fgets(s, 256, f);
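Review bot: The new `a <= 0` and `b <= 0` checks in `io-ppm.c` read `*w` and `*h` right after `sscanf(s, "%d %d", w, h)` without looking at its return value, so on a header line that does not parse they test whatever the caller left in those ints. Checking the conversion count closes that gap: `if (sscanf(s, "%d %d", w, h) != 2) return NULL;` (or the loop's own failure path, which lies outside the hunk). The same unchecked pattern appears in patch-ab for `Imlib/load.c`, at `sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp)` and `sscanf(s, "%i %i", w, h)`.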
diff -r a590143734a9 -r ebcdcdcdf6cd graphics/imlib/patches/patch-aj
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/imlib/patches/patch-aj Fri Dec 10 09:30:42 2004 +0000
@@ -0,0 +1,89 @@
+$NetBSD: patch-aj,v 1.1 2004/12/10 09:30:42 salo Exp $
+
+--- Imlib/utils.c.orig 2004-09-21 02:22:59.000000000 +0200
++++ Imlib/utils.c 2004-12-10 09:58:18.000000000 +0100
+@@ -1496,36 +1496,56 @@
+ context = 0;
+ ptr = NULL;
+ end = NULL;
++ memset(lookup, 0, sizeof(lookup));
+
+ while (!done)
+ {