Tue Mar 3 19:57:53 2009 UTC ()
Pullup ticket #2714 - requested by kefren
optipng: security patch
Revisions pulled up:
- graphics/optipng/Makefile 1.17
- graphics/optipng/distinfo 1.13
- graphics/optipng/patches/patch-ab 1.5
- graphics/optipng/patches/patch-ad 1.3
- graphics/optipng/patches/patch-ae 1.1
---
Module Name: pkgsrc
Committed By: kefren
Date: Mon Mar 2 06:20:34 UTC 2009
Modified Files:
pkgsrc/graphics/optipng: Makefile distinfo
Added Files:
pkgsrc/graphics/optipng/patches: patch-ab patch-ad patch-ae
Log Message:
Add patches from upstream in order to update to 0.6.2.1
Changes:
* Fix SA34035: Use after free error that can be used to execute arbitrary
code via a specially crafted GIF image
(tron)
diff -r1.16 -r1.16.2.1 pkgsrc/graphics/optipng/Makefile
diff -r1.12 -r1.12.2.1 pkgsrc/graphics/optipng/distinfo
diff -r0 -r1.4.22.1 pkgsrc/graphics/optipng/patches/patch-ab
diff -r0 -r1.2.24.1 pkgsrc/graphics/optipng/patches/patch-ad
diff -r0 -r1.1.2.2 pkgsrc/graphics/optipng/patches/patch-ae
--- pkgsrc/graphics/optipng/Makefile 2008/11/12 18:45:04 1.16
+++ pkgsrc/graphics/optipng/Makefile 2009/03/03 19:57:53 1.16.2.1
| @@ -1,16 +1,17 @@ | | | @@ -1,16 +1,17 @@ |
| 1 | # $NetBSD: Makefile,v 1.16 2008/11/12 18:45:04 adam Exp $ | | 1 | # $NetBSD: Makefile,v 1.16.2.1 2009/03/03 19:57:53 tron Exp $ |
| 2 | | | 2 | |
| 3 | DISTNAME= optipng-0.6.2 | | 3 | DISTNAME= optipng-0.6.2 |
| | | 4 | PKGNAME= ${DISTNAME}.1 |
| 4 | CATEGORIES= graphics | | 5 | CATEGORIES= graphics |
| 5 | MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=optipng/} | | 6 | MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=optipng/} |
| 6 | | | 7 | |
| 7 | MAINTAINER= adam@NetBSD.org | | 8 | MAINTAINER= adam@NetBSD.org |
| 8 | HOMEPAGE= http://optipng.sourceforge.net/ | | 9 | HOMEPAGE= http://optipng.sourceforge.net/ |
| 9 | COMMENT= Advanced PNG Optimizer | | 10 | COMMENT= Advanced PNG Optimizer |
| 10 | | | 11 | |
| 11 | PKG_DESTDIR_SUPPORT= user-destdir | | 12 | PKG_DESTDIR_SUPPORT= user-destdir |
| 12 | | | 13 | |
| 13 | BUILDLINK_API_DEPENDS.zlib+= zlib>=1.2.2 | | 14 | BUILDLINK_API_DEPENDS.zlib+= zlib>=1.2.2 |
| 14 | BUILDLINK_API_DEPENDS.png+= png>=1.2.9nb2 | | 15 | BUILDLINK_API_DEPENDS.png+= png>=1.2.9nb2 |
| 15 | | | 16 | |
| 16 | INSTALLATION_DIRS+= bin ${PKGMANDIR}/man1 | | 17 | INSTALLATION_DIRS+= bin ${PKGMANDIR}/man1 |
--- pkgsrc/graphics/optipng/distinfo 2008/11/12 18:45:04 1.12
+++ pkgsrc/graphics/optipng/distinfo 2009/03/03 19:57:53 1.12.2.1
| @@ -1,7 +1,10 @@ | | | @@ -1,7 +1,10 @@ |
| 1 | $NetBSD: distinfo,v 1.12 2008/11/12 18:45:04 adam Exp $ | | 1 | $NetBSD: distinfo,v 1.12.2.1 2009/03/03 19:57:53 tron Exp $ |
| 2 | | | 2 | |
| 3 | SHA1 (optipng-0.6.2.tar.gz) = 374b3537a262590ba2822f2b10d9241247b4da95 | | 3 | SHA1 (optipng-0.6.2.tar.gz) = 374b3537a262590ba2822f2b10d9241247b4da95 |
| 4 | RMD160 (optipng-0.6.2.tar.gz) = cd9ecfbd1c8901d14cb93fbc9f07403071cea37e | | 4 | RMD160 (optipng-0.6.2.tar.gz) = cd9ecfbd1c8901d14cb93fbc9f07403071cea37e |
| 5 | Size (optipng-0.6.2.tar.gz) = 1052509 bytes | | 5 | Size (optipng-0.6.2.tar.gz) = 1052509 bytes |
| 6 | SHA1 (patch-aa) = 0a0c92b9786193862465646373b82c6bc47cee2c | | 6 | SHA1 (patch-aa) = 0a0c92b9786193862465646373b82c6bc47cee2c |
| | | 7 | SHA1 (patch-ab) = 7816dcfe5505695a3032bdb399b904e5db33a182 |
| 7 | SHA1 (patch-ac) = fb4eb567b5a24b2d26bf357061be80c57b4d4a3c | | 8 | SHA1 (patch-ac) = fb4eb567b5a24b2d26bf357061be80c57b4d4a3c |
| | | 9 | SHA1 (patch-ad) = f44f5862de983da3a78529db1ba1b53d40d16dde |
| | | 10 | SHA1 (patch-ae) = cf8a80e056bc25d59e2ffda73127e71056cc8ce2 |
$NetBSD: patch-ab,v 1.4.22.1 2009/03/03 19:57:53 tron Exp $
diff -ru optipng-0.6.2/lib/pngxtern/gif/gifread.c optipng-0.6.2.1/lib/pngxtern/gif/gifread.c
--- lib/pngxtern/gif/gifread.c 2006-08-10 20:17:00.000000000 -0400
+++ lib/pngxtern/gif/gifread.c 2009-02-20 03:11:00.000000000 -0500
@@ -219,8 +219,7 @@
**/
static void GIFReadNextExtension(struct GIFExtension *ext, FILE *stream)
{
- unsigned char *ptr;
- unsigned int len;
+ unsigned int offset, len;
int count, label;
GIF_FGETC(label, stream);
@@ -233,7 +232,7 @@
return;
}
- ptr = ext->Buffer;
+ offset = 0;
len = ext->BufferSize;
for ( ;; )
{
@@ -243,10 +242,10 @@
ext->BufferSize += 1024;
ext->Buffer = realloc(ext->Buffer, ext->BufferSize);
}
- count = ReadDataBlock(ptr, stream);
+ count = ReadDataBlock(ext->Buffer + offset, stream);
if (count == 0)
break;
- ptr += count;
+ offset += count;
len -= count;
}
}
$NetBSD: patch-ad,v 1.2.24.1 2009/03/03 19:57:53 tron Exp $
diff -ru optipng-0.6.2/src/optipng.c optipng-0.6.2.1/src/optipng.c
--- src/optipng.c 2008-11-09 23:56:00.000000000 -0500
+++ src/optipng.c 2008-11-11 13:57:00.000000000 -0500
@@ -542,6 +542,7 @@
static void
app_init(void)
{
+ setvbuf(stdout, NULL, _IONBF, 0);
if (options.log_name != NULL)
{
/* Open the log file, line-buffered. */
$NetBSD: patch-ae,v 1.1.2.2 2009/03/03 19:57:53 tron Exp $
diff -ru optipng-0.6.2/src/proginfo.h optipng-0.6.2.1/src/proginfo.h
--- src/proginfo.h 2008-11-09 23:56:00.000000000 -0500
+++ src/proginfo.h 2009-02-22 23:38:00.000000000 -0500
@@ -1,5 +1,5 @@
#define PROGRAM_NAME "OptiPNG"
#define PROGRAM_DESCRIPTION "Advanced PNG optimizer"
-#define PROGRAM_VERSION "0.6.2"
-#define PROGRAM_COPYRIGHT "Copyright (C) 2001-2008 Cosmin Truta"
+#define PROGRAM_VERSION "0.6.2.1"
+#define PROGRAM_COPYRIGHT "Copyright (C) 2001-2009 Cosmin Truta"
#define PROGRAM_URI "http://optipng.sourceforge.net/"