[pkgsrc/pkgsrc-2009Q1]: pkgsrc/print/ghostscript Pullup ticket 2738 - request...

[spz <spz%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/62461ab7a6e8
branches:  pkgsrc-2009Q1
changeset: 556780:62461ab7a6e8
user:      spz <spz%pkgsrc.org@localhost>
date:      Fri Apr 17 21:43:51 2009 +0000

description:
Pullup ticket 2738 - requested by tron
Security fix

Revisions pulled up:
- pkgsrc/graphics/ghostscript/Makefile                  1.61
- pkgsrc/graphics/ghostscript/distinfo                  1.23
- pkgsrc/graphics/ghostscript/patches/patch-aa          1.4

   Module Name: pkgsrc
   Committed By:        tron
   Date:                Tue Apr 14 19:32:54 UTC 2009

   Modified Files:
        pkgsrc/print/ghostscript: Makefile distinfo
   Added Files:
        pkgsrc/print/ghostscript/patches: patch-aa

   Log Message:
   Add patch for the security vulnerability reported in CVE-2009-0196
   taken from Redhat's Bugzilla.


   To generate a diff of this commit:
   cvs rdiff -u -r1.60 -r1.61 pkgsrc/print/ghostscript/Makefile
   cvs rdiff -u -r1.22 -r1.23 pkgsrc/print/ghostscript/distinfo
   cvs rdiff -u -r0 -r1.4 pkgsrc/print/ghostscript/patches/patch-aa

diffstat:

 print/ghostscript/Makefile         |   4 ++--
 print/ghostscript/distinfo         |   3 ++-
 print/ghostscript/patches/patch-aa |  24 ++++++++++++++++++++++++
 3 files changed, 28 insertions(+), 3 deletions(-)

diffs (55 lines):

diff -r 78ef1594913b -r 62461ab7a6e8 print/ghostscript/Makefile
--- a/print/ghostscript/Makefile        Fri Apr 17 14:49:13 2009 +0000
+++ b/print/ghostscript/Makefile        Fri Apr 17 21:43:51 2009 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.60 2009/03/25 10:42:13 drochner Exp $
+# $NetBSD: Makefile,v 1.60.2.1 2009/04/17 21:43:51 spz Exp $
 
 DISTNAME=      ghostscript-8.64
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    print
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=ghostscript/}
 EXTRACT_SUFX=  .tar.bz2
diff -r 78ef1594913b -r 62461ab7a6e8 print/ghostscript/distinfo
--- a/print/ghostscript/distinfo        Fri Apr 17 14:49:13 2009 +0000
+++ b/print/ghostscript/distinfo        Fri Apr 17 21:43:51 2009 +0000
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.22 2009/03/25 10:42:13 drochner Exp $
+$NetBSD: distinfo,v 1.22.2.1 2009/04/17 21:43:51 spz Exp $
 
 SHA1 (ghostscript-8.64.tar.bz2) = 4c2a6e04145428d35da73fbc4db9c66a75e336e0
 RMD160 (ghostscript-8.64.tar.bz2) = 565134dcfe1e823b435c3761461c5eb394bd633c
 Size (ghostscript-8.64.tar.bz2) = 16921504 bytes
+SHA1 (patch-aa) = 31d077502dba343c5834e5ee9fdb42102ef47668
 SHA1 (patch-ab) = 7a98cad37f94394f172bdac23f5dd73fb1f08006
 SHA1 (patch-ad) = 8b3b743b2d6405ea35bfb16970942ecd55702401
 SHA1 (patch-ae) = 50335e72adebe95ab0cb5873d1c6dd00e971579a
diff -r 78ef1594913b -r 62461ab7a6e8 print/ghostscript/patches/patch-aa
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/print/ghostscript/patches/patch-aa        Fri Apr 17 21:43:51 2009 +0000
@@ -0,0 +1,24 @@
+$NetBSD: patch-aa,v 1.4.2.2 2009/04/17 21:43:51 spz Exp $
+
+Patch for CVE-2009-0196 taken from Redhat's Bugzilla:
+
+https://bugzilla.redhat.com/attachment.cgi?id=337747
+
+--- jbig2dec/jbig2_symbol_dict.c.orig  2007-12-11 08:29:58.000000000 +0000
++++ jbig2dec/jbig2_symbol_dict.c       2009-04-14 20:19:01.000000000 +0100
+@@ -699,6 +699,15 @@
+         exrunlength = params->SDNUMEXSYMS;
+       else
+         code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
++      if (exrunlength > params->SDNUMEXSYMS - j) {
++        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
++          "runlength too large in export symbol table (%d > %d - %d)\n",
++          exrunlength, params->SDNUMEXSYMS, j);
++        jbig2_sd_release(ctx, SDEXSYMS);
++        /* skip to the cleanup code and return SDEXSYMS = NULL */
++        SDEXSYMS = NULL;
++        break;
++      }
+       for(k = 0; k < exrunlength; k++)
+         if (exflag) {
+           SDEXSYMS->glyphs[j++] = (i < m) ?