libsixel: update to 1.8.4. (security update)

Upstream changes:

v1.8.4
* Security fix for CVE-2019-11024 (#85), recursive loop problem,
  reported by @Loginsoft-Research.

* Security fix for #73, illegal memory access problem,
  reported by @HongxuChen.

* Security fix for #89, core dumped issue,
  reported by @niugx.

* Security fix for #107, large memory allocation problem,
  reported by @cuanduo.

* Security fix for #114, heap-buffer-overflow problem,
  reported by @SuhwanSong.

* Security fix for #116, heap-buffer-overflow problem,
  reported by @SuhwanSong.

* Security fix for #118, heap-buffer-overflow problem,
  reported by @SuhwanSong.

* Security fix for #121, heap-buffer-overflow problem,
  reported by @gutiniao

(tsutsui)

(math/mpfr) Fix build of gcc-4.8,4.9 for NetBSD 9.x

Re: http://mail-index.netbsd.org/pkgsrc-users/2019/12/22/msg030057.html

(mef)

Fix build with various Python versions.

(joerg)

Adjust for kqueue interface change on NetBSD.

(joerg)

Ignore deprecation with clang.

(joerg)

Needs libXmu and libXt, formerly pulled in via Mesa.

(joerg)

Remove non-ASCII characters for Python 3.6.

(joerg)

Do not disable the C compiler, it is used by the cFFI Python module.

(joerg)

Not MAKE_JOBS_SAFE.

(joerg)

Use c++03, code is not c++11 clean.

(joerg)

Disable some warnings for clang.

(joerg)

Needs libtool.

(joerg)

Don't build header files.

(joerg)

Don't build & install PIC libraries consistently. Bump revision.

(joerg)

Deal with exiv2 interface changes.

(joerg)

Needs libXi, formerly pulled in by Mesa.

(joerg)

Uses c++03 only.

(joerg)

Don't use gethostbyname_r on NetBSD. Needs convert.

(joerg)

export means something different in C++, nothing is actually correct
here. Fix button IDs to actually allow matching. Bump revision.

(joerg)

Add missing include.

(joerg)

Don't use -pedenatic(-errors), they don't do what people think they do.

(joerg)

Drop non-ASCII characters for Python 3.6 build.

(joerg)

Drop reference to non-existing file. Bump revision.

(joerg)

Deref a pointer when checking for empty strings. Bump revision.

(joerg)

Needs mouse API from ncurses.

(joerg)

Don't try to build header files. Fix C/C++ interaction.

(joerg)

Look into ${PREFIX}/lib when checking for libBlocksRuntime.

(joerg)

Don't hardcode libgomp, but use -fopenmp for linking. Fixes clang with
libomp.

(joerg)

Patch local WAF copy to run ${CXX} with -x c++ when detecting it.
Otherwise clang will bail out on - as it is considered a C source and
-std=c++11 as injected by the wrappers conflict.

(joerg)

Revbump dhcpcd-gtk and dhcpcd-qt due to PLIST change

Set the right values this time.

(nros)

Revbump dhcpcd-gtk and dhcpcd-qt due to PLIST change

(nros)

Fix installation of xdg autostart desktop files in dhcpcd-*

Make dhcpcd-gtk and dhcpcd-qt install xdg autostart files in the right
locations and use pkg_install framework to put then in PKG_SYSCONFDIR.
Fixes installation that was broken due to non updated PLIST files.

(nros)

opencv: fix PLIST for python != 3.7

(markd)

devel/guile-git: Fix build (info files)

(ng0)

csound6: Not actually PYTHON_FOR_BUILD_ONLY

(nia)

lgogdownloader: Fix jsoncpp detection and remove some unused CMAKE_ARGS

(nia)

pidgin: Fix building with d-bus enabled

(nia)

asc: Add missing file

(nia)

Turn off -Werror for telepathy-qt

Warnings are emitted in example code because some dependencies has depracated
some things. This breaks the build because -Werror is used. So turn it off.

(nros)

doc: Updated chat/hexchat to 2.14.3

(nia)

hexchat: Update to 2.14.3

Bug fix only update to a leaf package.

* fix various incorrect parsing of IRC messages relating to trailing parameters
* fix SASL negotiation combined with multi-line cap
* fix input box theming with Yaru theme
* python: Work around Python 3.7 regression causing crash on unload
* sysinfo: Add support for /etc/os-release
* sysinfo: Ignore irrelevant mounts when calculating storage size

(nia)

doc: update php packages

lang/php73 7.3.13
lang/php74 7.4.1
lang/php72 7.2.26

(taca)

lang/php72: update to 7.2.26

Update php73 to 7.2.26, including security fixes.

19 Dec 2019, PHP 7.2.26

- Bcmath:
  . Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046).
    (cmb)

- Core:
  . Fixed bug #78862 (link() silently truncates after a null byte on Windows).
    (CVE-2019-11044). (cmb)
  . Fixed bug #78863 (DirectoryIterator class silently truncates after a null
    byte). (CVE-2019-11045). (cmb)

- EXIF:
  . Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer).
    (CVE-2019-11050). (Nikita)
  . Fixed bug #78910 (Heap-buffer-overflow READ in exif). (CVE-2019-11047).
    (Nikita)

- GD:
  . Fixed bug #78849 (GD build broken with -D SIGNED_COMPARE_SLOW). (cmb)

- Intl:
  . Fixed bug #78804 (Segmentation fault in Locale::filterMatches). (Stas)

- OPcache:
  . Fixed $x = (bool)$x; with opcache (should emit undeclared variable notice).
    (Tyson Andre)

- Standard:
  . Fixed bug #78759 (array_search in $GLOBALS). (Nikita)
  . Fixed bug #78833 (Integer overflow in pack causes out-of-bound access).
    (cmb)
  . Fixed bug #78814 (strip_tags allows / in tag name => whitelist bypass).
    (cmb)

(taca)

lang/php74: update to 7.4.1

Update php74 to 7.4.1, including security fixes.

19 Dec 2019, PHP 7.4.1

- Bcmath:
  . Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046).
    (cmb)

- Core:
  . Fixed bug #78862 (link() silently truncates after a null byte on Windows).
    (CVE-2019-11044). (cmb)
  . Fixed bug #78863 (DirectoryIterator class silently truncates after a null
    byte). (CVE-2019-11045). (cmb)
  . Fixed bug #78943 (mail() may release string with refcount==1 twice).
    (CVE-2019-11049). (cmb)
  . Fixed bug #78810 (RW fetches do not throw "uninitialized property"
    exception). (Nikita)
  . Fixed bug #78868 (Calling __autoload() with incorrect EG(fake_scope) value).
    (Antony Dovgal, Dmitry)
  . Fixed bug #78296 (is_file fails to detect file). (cmb)
  . Fixed bug #78883 (fgets(STDIN) fails on Windows). (cmb)
  . Fixed bug #78898 (call_user_func(['parent', ...]) fails while other
    succeed). (Nikita)
  . Fixed bug #78904 (Uninitialized property triggers __get()). (Nikita)
  . Fixed bug #78926 (Segmentation fault on Symfony cache:clear). (Nikita)

- GD:
  . Fixed bug #78849 (GD build broken with -D SIGNED_COMPARE_SLOW). (cmb)
  . Fixed bug #78923 (Artifacts when convoluting image with transparency).
    (wilson chen)

- EXIF:
  . Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer).
    (CVE-2019-11050). (Nikita)
  . Fixed bug #78910 (Heap-buffer-overflow READ in exif). (CVE-2019-11047).
    (Nikita)

- FPM:
  . Fixed bug #76601 (Partially working php-fpm ater incomplete reload).
    (Maksim Nikulin)
  . Fixed bug #78889 (php-fpm service fails to start). (Jakub Zelenka)
  . Fixed bug #78916 (php-fpm 7.4.0 don't send mail via mail()).
    (Jakub Zelenka)

- Intl:
  . Implemented FR #78912 (INTL Support for accounting format). (cmb)

- Mysqlnd:
  . Fixed bug #78823 (ZLIB_LIBS not added to EXTRA_LIBS). (Arjen de Korte)

- OPcache:
  . Fixed $x = (bool)$x; with opcache (should emit undeclared variable notice).
    (Tyson Andre)
  . Fixed bug #78935 (Preloading removes classes that have dependencies).
    (Nikita, Dmitry)

- PCRE:
  . Fixed bug #78853 (preg_match() may return integer > 1). (cmb)

- Reflection:
  . Fixed bug #78895 (Reflection detects abstract non-static class as abstract
    static. IS_IMPLICIT_ABSTRACT is not longer used). (Dmitry)

- Standard:
  . Fixed bug #77638 (var_export'ing certain class instances segfaults). (cmb)
  . Fixed bug #78840 (imploding $GLOBALS crashes). (cmb)
  . Fixed bug #78833 (Integer overflow in pack causes out-of-bound access).
    (cmb)
  . Fixed bug #78814 (strip_tags allows / in tag name => whitelist bypass).
    (cmb)

(taca)

lang/php73: update to 7.3.13

Update php73 to 7.3.13, including security fixes.

19 Dec 2019, PHP 7.3.13

- Bcmath:
  . Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046).
    (cmb)

- Core:
  . Fixed bug #78862 (link() silently truncates after a null byte on Windows).
    (CVE-2019-11044). (cmb)
  . Fixed bug #78863 (DirectoryIterator class silently truncates after a null
    byte). (CVE-2019-11045). (cmb)
  . Fixed bug #78943 (mail() may release string with refcount==1 twice).
    (CVE-2019-11049). (cmb)
  . Fixed bug #78787 (Segfault with trait overriding inherited private shadow
    property). (Nikita)
  . Fixed bug #78868 (Calling __autoload() with incorrect EG(fake_scope) value).
    (Antony Dovgal, Dmitry)
  . Fixed bug #78296 (is_file fails to detect file). (cmb)

- EXIF:
  . Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer).
    (CVE-2019-11050). (Nikita)
  . Fixed bug #78910 (Heap-buffer-overflow READ in exif). (CVE-2019-11047).
    (Nikita)

- GD:
  . Fixed bug #78849 (GD build broken with -D SIGNED_COMPARE_SLOW). (cmb)

- MBString:
  . Upgraded bundled Oniguruma to 6.9.4. (cmb)

- OPcache:
  . Fixed potential ASLR related invalid opline handler issues. (cmb)
  . Fixed $x = (bool)$x; with opcache (should emit undeclared variable notice).
    (Tyson Andre)

- PCRE:
  . Fixed bug #78853 (preg_match() may return integer > 1). (cmb)

- Standard:
  . Fixed bug #78759 (array_search in $GLOBALS). (Nikita)
  . Fixed bug #77638 (var_export'ing certain class instances segfaults). (cmb)
  . Fixed bug #78840 (imploding $GLOBALS crashes). (cmb)
  . Fixed bug #78833 (Integer overflow in pack causes out-of-bound access).
    (cmb)
  . Fixed bug #78814 (strip_tags allows / in tag name => whitelist bypass).
    (cmb)

(taca)

doc: Updated net/dhcpcd to 8.1.4

(roy)

Update to dhcpcd-8.1.4 with the following change:

* options: Fix allocating the script option

(roy)

doc: Updated security/libprelude to 0.9.24.1nb19

(gutteridge)

libprelude: fix build with GNU awk >= 5.0

Rename the awk variable "namespace" to "name_space", since the former
is now a reserved word with GNU awk 5.0, and was causing parsing
errors.

(gutteridge)

gns3-gui: PKGREVISION bump for permissions change

(markd)

gns3-server: PKGREVISION bump for permissions change

(markd)

doc: Updated games/tcl-theo to 0.0.1nb1

(kamil)

tcl-theo: Require tcl

(kamil)

ufetch: Revert import

It is a freeze according to https://www.pkgsrc.org/is-a-freeze-on/

(kamil)

Import dhcpcd-8.1.3 with the following changes:

* Linux: prefer ms RA times
* Linux: Support kernels without PR_SET_MM_MAP
* dhcpcd: Only report SSID when we have a carrier
* IPv6ND: Fix reachable test
* DHCP6: Work better with infinite addresses
* DHCP6: Suboption 3 of NTP Server is a FQDN
* DHCP6: Fix deprecating a delegated prefix
* DHCP: Ensure we have a lease to extract options from

(roy)

doc: Updated print/zathura to 0.4.4

(leot)

zathura: Update to 0.4.4

Changes:
0.4.4
-----
- Fix expansion of ~ and ~user when opening files
- Add fish completion
- Various fixes and improvements
- Drop support for old libsyntex
- Updated translations

(leot)

girara: Sort PLIST (NFCI)

(leot)

doc: Updated graphics/girara to 0.3.3

(leot)

girara: Update to 0.3.3

Changes:
0.3.3
-----
- Various fixes and improvements
- Update transations

(leot)

doc: Added sysutils/ufetch version 0.1

(kamil)

+ ufetch

(kamil)

sysutils/ufetch: import ufetch-0.1

Tiny system info for Unix-like operating systems.

(kamil)

doc: Updated audio/fasttracker2 to 1.04

(fox)

audio/fasttracker2: Update to v1.04

- MASTER_SITES has been updated to Github since the author has moved to the
  source there.

Changes since v1.03:

v1.04 - 17.12.2019
- Fixed rare crash (or strange behaviors) when changing pattern and/or pattern
  length while the song is playing.
- Properly restore channel mute flags when loading a new song (fixes mute bugs)
- Fixed a few bugs with different pattern buttons (Ins./Del., Ln. up/down etc)
- Config: "Hardware mouse" was changed to "Software mouse" (and "Software mouse"
  is now disabled in the default config).
- Added a routine to create scaled FT2 mouse cursors for software mouse mode,
  though the "busy mouse" will stand still and not animate.
  Hopefully the new default "hardware mouse" mode will satisfy some people!
- MacOS: Pass NDEBUG to clang preprocessor defines, to prevent debug code
  from being compiled in release mode (performance increase).
- MacOS/Linux: make scripts had Windows linefeeds and would thus break!

* Note: I highly recommend that you go to "Config -> Layout" and disable
  "Software mouse"! This will make the mouse way less laggy. However, it will
  still be one frame delayed internally unless you disable VSync.

(fox)

Needs libXmu no longer exposed by Mesa. Fix concurrent build.

(joerg)

Needs lrelease for the translation files.

(joerg)

Always skip PIC libraries. Bump revisions. Add RCS IDs.

(joerg)

Deal with custom bitrates on NetBSD. Always build Alsa support, it is
unconditionally at the moment anyway.

(joerg)

Fix popcount conflict on NetBSD. Avoid LTO and 32bit binaries on NetBSD.

(joerg)

Needs to be build as c++03.

(joerg)

Use protected names in attributes, avoids overlap with SSP. Bump
revision.

(joerg)

fetch-1.9: Fix inode check for conditional GET.

(joerg)

Specify correct name of rst2xxx binaries.

(joerg)

Needs py-requests.

(joerg)

Spell include path correctly, even though it is not actually used.

(joerg)

Needs pkg-config.

(joerg)

Uses Python 2 syntax.

(joerg)

Add missing errno.h

(joerg)

Package makefile is spelled with lower case m.

(joerg)

Fix compatability with regex restrictions in current Perl. Bump
revision.

(joerg)

Deal with bind vs std::bind conflict.

(joerg)

Add missing dependency for lrelease.

(joerg)

Avoid using a non-literal string as format string.

(joerg)

Add missing py-test-runner dependency.

(joerg)

Deal with the kqueue type change in NetBSD.

(joerg)

Force extraction with bsdtar, pax-as-tar leaves around too much garbage.

(joerg)

Uses backtrace(3), so pull in libexecinfo. Add missing network headers.

(joerg)

Don't hardcode /usr/bin/gcc.

(joerg)

Don't install PIC libs to avoid different PLISTs depending on the
NetBSD version.

(joerg)

PYTHON_VERSIONS_ACCEPTED must be set before including the Python
fragments.

(joerg)

Needs to be build as gnu++03. Doesn't work yet due to PaX mprotect
restrictions.

(joerg)

Ignore unknown warnings and deprecation attributes with clang.

(joerg)

Fix parallel build.

(joerg)

Needs libXmu, which used to be pulled in by Mesa.

(joerg)

Uses C++ extensions, so go with gnu++03.

(joerg)

When using std::setlocale, also include <clocale> on all systems.

(joerg)

Add missing errno.h. Explicitly load atomic in switch.

(joerg)

Add dependencies formerly pulled in by Mesa.

(joerg)

Add missing <string>.

(joerg)

Fix ctype use.

(joerg)

Add missing bdftopcf dependency.

(joerg)

Add missing dependency on generated files. Build as C++03.

(joerg)

Needs py-test-runner.

(joerg)

Build shared module as PIC. Bump revision.

(joerg)

Needs docbook-xsl.

(joerg)

Don't depend on TRUE/FALSE, they are gone in newer PostgreSQL.

(joerg)

Requires C++03 to build.

(joerg)

Don't buildlink py-dbus, it might not even be the correct version.

(joerg)

gns3-gui: fix permissions of installed files

(markd)

gns3-server: fix install for python != 3.7.
Also fix permissions of installed files

(markd)

ns: modern compilers fussy about unsigned char

(markd)

nam: modern compilers fussy about unsigned char

(markd)

Don't touch RLIMIT_STACK for now, see https://gnats.netbsd.org/51158

(kim)

Note update of the "mutt" package to version 1.13.2

(tron)

mutt: Update to version 1.13.2

Changes since version 1.13.1:
! Bug fix release.

Update during freeze approved by gdt@

(tron)

doc: Updated games/nethack to 3.6.4

(rhialto)

games/nethack: security update to 3.6.4.

https://www.nethack.org/security/index.html:

NetHack: Privilege escalation/remote code execution/crash in
configuration parsing

Severity: High
Affected versions: 3.6.0, 3.6.1, 3.6.2, 3.6.3
First Patched Version: 3.6.4

Basic Information:
A buffer overflow issue exists when reading very long lines from a
NetHack configuration file (usually named .nethackrc).

This vulnerability affects systems that have NetHack installed suid/sgid
and shared systems that allow users to upload their own configuration
files.

All users are urged to upgrade to NetHack 3.6.4 as soon as possible.

Additional information related to this advisory, if any, will be made
available at https://nethack.org/security.

(rhialto)

Updated www/py-django, www/py-django2

(adam)

py-django2: updated to 2.2.9

Django 2.2.9 fixes a security issue and a data loss bug in 2.2.8.

CVE-2019-19844: Potential account hijack via password reset form

By submitting a suitably crafted email address making use of Unicode characters, that compared equal to an existing user email when lower-cased for comparison, an attacker could be sent a password reset token for the matched account.

In order to avoid this vulnerability, password reset requests now compare the submitted email using the stricter, recommended algorithm for case-insensitive comparison of two identifiers from Unicode Technical Report 36, section 2.11.2(B)(2). Upon a match, the email containing the reset token will be sent to the email address on record rather than the submitted address.

Bugfixes
* Fixed a data loss possibility in SplitArrayField. When using with ArrayField(BooleanField()), all values after the first True value were marked as checked instead of preserving passed values

(adam)

py-django: updated to 1.11.27

Django 1.11.27 fixes a security issue and a data loss bug in 1.11.26.

CVE-2019-19844: Potential account hijack via password reset form

By submitting a suitably crafted email address making use of Unicode characters, that compared equal to an existing user email when lower-cased for comparison, an attacker could be sent a password reset token for the matched account.

In order to avoid this vulnerability, password reset requests now compare the submitted email using the stricter, recommended algorithm for case-insensitive comparison of two identifiers from Unicode Technical Report 36, section 2.11.2(B)(2). Upon a match, the email containing the reset token will be sent to the email address on record rather than the submitted address.

Bugfixes
* Fixed a data loss possibility in SplitArrayField. When using with ArrayField(BooleanField()), all values after the first True value were marked as checked instead of preserving passed values

(adam)

Fix patch or sys/loadavg.h

The patch for including sys/loadavg.h included the file in the section where
getloadavg isn't used so the patch did nothing. Include it in the right
place to fix it.

(nros)