leptonica: updated to 1.77.0

1.77.0:
Here is the current status of CVE issues with leptonica; see
https://security-tracker.debian.org/tracker/source-package/leptonlib

* CVE-2018-7442: potential injection attack because '/' is allowed in gplot rootdir. Functions using this command have been disabled by default in the distribution, starting with 1.76.0. As for the specific issue, it is impossible to specify a general path without using the standard directory subdivider '/'.
* CVE-2018-7186: number of characters not limited in fscanf or sscanf, allowing possible attack with buffer overflow. This has been fixed in 1.75.3.
* CVE-2018-3836: command injection vulnerability in gplotMakeOutput(). This has been fixed in 1.75.3, using stringCheckForChars() to block rootnames containing any of: ;&|>"?*$()/<
* CVE-2017-18196: duplicated path components. This was fixed in 1.75.3.
* CVE-2018-7441: hardcoded /tmp pathnames. These are all wrapped in special debug functions that are not enabled by default in the distribution, starting with 1.76.0.
* CVE-2018-7247: input 'rootname' can overflow a buffer. This was fixed in 1.76.0, using snprintf().
* CVE-2018-7440: command injection in gplotMakeOutput using $(command). Fixed in 1.75.3, which blocks '$' as well as 11 other characters.

Wrapped the few 'system' calls in an extra layer of debug code.
More coverity scan fixes; defects are about 1 per 10,000 source lines.
New regression tests: numa1_reg, numa2_reg, lowaccess_reg, pixmem_reg.
New non-regression test programs: histoduptest
Juergen Buchmueller is working on Lua bindings. He typedef'd l_ok and used it in 1100 functions that return a success/failure status. He also helped clean up remaining issues in the doxygen-generated documentation.
Using a packed struct for bmp headers to avoid crash on some big-endians.
Fixed a bug in the prototype parser for xtractprotos that was surfaced by a typedef declaration for the bmp headers.
Cleaned up IOS guards to avoid compiling a system(3) call on IOS.
Renamed autobuild --> autogen.sh
Added some basic pixa functions for rotation and translation.
Added an iterative method to find rectangular coverings for arbitrary connected components.
Converted two tests to reg tests running in alltests_reg: ptra1_reg, ptra2_reg
Enabled read/write for standard jpeg compressed tiff images.
Enabled reading for the old (deprecated) jpeg-encoded tiffs.
Fix range selectors for pixa, pixaa, boxa, boxaa, pta: Now, last = -1 goes to the end.
When reading tiff --> pix, insert IMAGEDESCRIPTION into text field.
Converted iotest to reg test iomisc_reg; added to alltests_reg
Converted rasterop_reg into a standard regression test; added to alltests_reg.
Converted boxa2_reg and fhmtauto_reg into standard regression tests; added to alltests_reg.
Split boxa sequence functions out of boxfunc4.c, into a new boxfunc5.c.
Simplified bmp header and made reading more clearly endian agnostic (Juergen Buchmueller)
New boxa3_reg regression test. This tests sequences of boxes by two new boxfunctions in boxfunc5.c.
New bootnumgen4.c for more digit templates.
Rename prog/recog_bootnum.c --> prog/recog_bootname1.c
New in prog: recog_bootnum2.c, recog_bootnum3.c, recogtest7.c
Fixed uninitialized data in pixCentroid() on 1 bpp pix.
New reg test: bytea_reg.c. (removed byteatest.c)
Fixed bug in non-transcoding pdf generation from 1 bpp png.
Added LGTM to static analyzers that run over the library.

diff -r1.14 -r1.15 pkgsrc/graphics/leptonica/Makefile
(adam)
@@ -1,37 +1,40 @@ | @@ -1,37 +1,40 @@ | |||
1 | # $NetBSD: Makefile,v 1.14 2018/05/09 11:39:04 adam Exp $ | 1 | # $NetBSD: Makefile,v 1.15 2018/12/16 14:20:22 adam Exp $ | |
2 | 2 | |||
3 | DISTNAME= leptonica-1.76.0 | 3 | DISTNAME= leptonica-1.77.0 | |
4 | CATEGORIES= graphics | 4 | CATEGORIES= graphics | |
5 | MASTER_SITES= ${MASTER_SITE_GITHUB:=danbloomberg/} | 5 | MASTER_SITES= ${MASTER_SITE_GITHUB:=danbloomberg/} | |
6 | 6 | |||
7 | MAINTAINER= adam@NetBSD.org | 7 | MAINTAINER= adam@NetBSD.org | |
8 | HOMEPAGE= http://www.leptonica.org/ | 8 | HOMEPAGE= http://www.leptonica.org/ | |
9 | COMMENT= Software for image processing and image analysis applications | 9 | COMMENT= Software for image processing and image analysis applications | |
10 | LICENSE= 2-clause-bsd | 10 | LICENSE= 2-clause-bsd | |
11 | 11 | |||
12 | GITHUB_RELEASE= ${PKGVERSION_NOREV} | 12 | GITHUB_RELEASE= ${PKGVERSION_NOREV} | |
13 | 13 | |||
14 | USE_LANGUAGES= c c++ | 14 | USE_LANGUAGES= c c++ | |
15 | USE_LIBTOOL= yes | 15 | USE_LIBTOOL= yes | |
16 | USE_TOOLS+= pkg-config | 16 | USE_TOOLS+= pkg-config | |
17 | GNU_CONFIGURE= yes | 17 | GNU_CONFIGURE= yes | |
18 | TEST_TARGET= check | 18 | TEST_TARGET= check | |
19 | 19 | |||
20 | .include "../../mk/bsd.prefs.mk" | 20 | .include "../../mk/bsd.prefs.mk" | |
21 | 21 | |||
22 | # The presence of fmemopen() assumes open_memstream() is also available, | 22 | # The presence of fmemopen() assumes open_memstream() is also available, | |
23 | # which is wrong on platforms other than Linux. | 23 | # which is wrong on platforms other than Linux. | |
24 | .if ${OPSYS} != "Linux" | 24 | .if ${OPSYS} != "Linux" | |
25 | CONFIGURE_ENV+= ac_cv_func_fmemopen=no | 25 | CONFIGURE_ENV+= ac_cv_func_fmemopen=no | |
26 | .endif | 26 | .endif | |
27 | 27 | |||
28 | # Silence console messages | |||
29 | CPPFLAGS+= -DNO_CONSOLE_IO=1 | |||
30 | ||||
28 | # Pass a SunOS that the build relies on | 31 | # Pass a SunOS that the build relies on | |
29 | CPPFLAGS.SunOS+= -D__SOLARIS__=1 | 32 | CPPFLAGS.SunOS+= -D__SOLARIS__=1 | |
30 | 33 | |||
31 | .include "../../graphics/giflib/buildlink3.mk" | 34 | .include "../../graphics/giflib/buildlink3.mk" | |
32 | .include "../../graphics/libwebp/buildlink3.mk" | 35 | .include "../../graphics/libwebp/buildlink3.mk" | |
33 | .include "../../graphics/openjpeg/buildlink3.mk" | 36 | .include "../../graphics/openjpeg/buildlink3.mk" | |
34 | .include "../../graphics/png/buildlink3.mk" | 37 | .include "../../graphics/png/buildlink3.mk" | |
35 | .include "../../graphics/tiff/buildlink3.mk" | 38 | .include "../../graphics/tiff/buildlink3.mk" | |
36 | .include "../../mk/jpeg.buildlink3.mk" | 39 | .include "../../mk/jpeg.buildlink3.mk" | |
37 | .include "../../mk/bsd.pkg.mk" | 40 | .include "../../mk/bsd.pkg.mk" |
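Review bot: the added `CPPFLAGS+= -DNO_CONSOLE_IO=1` (new lines 28-29) is a behaviour change that the commit message does not mention: it is a compile-time switch whose name and comment say it suppresses the library's console messages, it applies to every consumer of the resulting shared library rather than only to this build, and it is unrelated to the 1.76.0 to 1.77.0 bump that the rest of the hunk records. State the reason in the commit message (the comment "Silence console messages" gives the effect, not why it is wanted) and consider exposing it as a package option instead of hard-wiring it, since downstream users of libleptonica lose whatever diagnostics the library would otherwise print on stderr. Minor: the pre-existing comment "Pass a SunOS that the build relies on" reads as if a word is missing (e.g. "a SunOS define").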
@@ -1,6 +1,6 @@ | @@ -1,6 +1,6 @@ | |||
1 | $NetBSD: distinfo,v 1.12 2018/05/09 11:39:04 adam Exp $ | 1 | $NetBSD: distinfo,v 1.13 2018/12/16 14:20:22 adam Exp $ | |
2 | 2 | |||
3 | SHA1 (leptonica-1.76.0.tar.gz) = 5b93531f6f7e5b6c6870c9fba743008a77a93e4e | 3 | SHA1 (leptonica-1.77.0.tar.gz) = 12a2fc81b4d0c1f910c29b831811b88cca8ae7ef | |
4 | RMD160 (leptonica-1.76.0.tar.gz) = 23a3a09614290d04de43e05df1b45b0b5adc9b42 | 4 | RMD160 (leptonica-1.77.0.tar.gz) = 577ae581b2a9fb8feff130f9bed37ecb45cb71d8 | |
5 | SHA512 (leptonica-1.76.0.tar.gz) = 83c77bebbf739cecab997ee08f7c9abf3ca884019c559b8f77c292ea2676c464cbf9b6812d7f12aefceef86c19d04bb3bc85119de298647a641b984dcdf3b111 | 5 | SHA512 (leptonica-1.77.0.tar.gz) = 3cf764c76d5acb6d5982c44e78c02d7a7c3b5e79937c41df193e71dd8a02dbbf965d34a2ecdf0444e907cb73c06bdb8bcae4ceafbf5ee1483c022659e897015b | |
6 | Size (leptonica-1.76.0.tar.gz) = 12436958 bytes | 6 | Size (leptonica-1.77.0.tar.gz) = 12888756 bytes |
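Review bot: this hunk carries no `diff` file header on the page, so the file and revisions (distinfo 1.12 to 1.13) can only be inferred from the `$NetBSD: distinfo,v` tag on its first line, whereas the Makefile hunk above has its header. As far as the visible lines go the update is complete: DISTNAME in the Makefile hunk and the four distinfo records (SHA1, RMD160, SHA512, Size) all move to 1.77.0 together, and there are no patch checksums to go stale. Because MASTER_SITES is a GitHub release URL, these digests are the only integrity anchor pkgsrc has for the tarball; they should be regenerated with `make distinfo` from a fresh fetch rather than edited by hand.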
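The CVE entries in the commit message at the top of this page describe two fixes that are easy to get wrong when a library shells out to gnuplot: reject rootnames containing shell metacharacters before they reach system(3) (CVE-2018-3836 and CVE-2018-7440, with '/' in the blocked set also covering the path concern of CVE-2018-7442), and bound the formatted command with snprintf() instead of sprintf() (CVE-2018-7247). The following C program is an added illustration written for this page; it is not leptonica's code and does not call its API. The function names, the `gnuplot %s.cmd` command template, the 64-byte buffer and the sample inputs are all assumptions made for the example; only the 12-character block list is taken from the commit message.

```c
/*
 * Added example (not leptonica's code): the pattern behind the fixes for
 * CVE-2018-3836 / CVE-2018-7440 (shell metacharacters in a gnuplot
 * "rootname" reaching system(3)) and CVE-2018-7247 (rootname overflowing a
 * fixed command buffer). Function names, buffer size, command template and
 * sample inputs are assumptions made for this illustration.
 */
#include <stdio.h>
#include <string.h>

/* The 12 characters the commit message says 1.75.3 rejects in a rootname. */
static const char GPLOT_BLOCKED_CHARS[] = ";&|>\"?*$()/<";

/* Returns 1 if s contains any character of `blocked`, else 0.
 * A deny-list check standing in for a stringCheckForChars()-style helper. */
int contains_blocked_char(const char *s, const char *blocked)
{
    return strpbrk(s, blocked) != NULL;
}

/* VULNERABLE pattern ("before"): unchecked rootname formatted into a fixed
 * buffer with sprintf() and handed to system(3). Kept only for contrast;
 * nothing in this example calls it. */
void build_gplot_cmd_unsafe(char *cmd, const char *rootname)
{
    sprintf(cmd, "gnuplot %s.cmd", rootname);   /* no bound, no filtering */
    /* system(cmd); */
}

/* HARDENED version. Returns 0 and fills `cmd` on success,
 * -1 if the rootname is empty or contains a blocked character,
 * -2 if the command would not fit in `cmdlen` (snprintf truncation). */
int build_gplot_cmd(char *cmd, size_t cmdlen, const char *rootname)
{
    if (rootname == NULL || *rootname == '\0')
        return -1;
    if (contains_blocked_char(rootname, GPLOT_BLOCKED_CHARS))
        return -1;
    int n = snprintf(cmd, cmdlen, "gnuplot %s.cmd", rootname);
    if (n < 0 || (size_t)n >= cmdlen)
        return -2;          /* truncated: refuse rather than run a mangled command */
    return 0;
}

/* Small wrapper: builds the command into a static 64-byte buffer and
 * returns it, or NULL when the rootname is rejected or does not fit. */
const char *gplot_cmd_for(const char *rootname)
{
    static char cmd[64];
    return build_gplot_cmd(cmd, sizeof cmd, rootname) == 0 ? cmd : NULL;
}

int main(void)
{
    /* Constructed inputs for the demonstration. */
    const char *inputs[] = {
        "plot1",                        /* benign */
        "x; rm -rf ~",                  /* CVE-2018-3836 style: ';' */
        "x$(id)",                       /* CVE-2018-7440 style: '$', '(', ')' */
        "../../etc/passwd",             /* '/' is in the blocked set too */
        "a-very-long-rootname-that-will-not-fit-in-the-sixty-four-byte-buffer",
    };
    char cmd[64];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = build_gplot_cmd(cmd, sizeof cmd, inputs[i]);
        printf("%-40.40s -> rc=%d%s%s\n", inputs[i], rc,
               rc == 0 ? " cmd=" : "", rc == 0 ? cmd : "");
    }
    return 0;
}
```

The two failure codes are kept distinct on purpose: a rejected rootname is an attack or a bug in the caller, while a truncated command means the buffer sizing was wrong; in both cases the command is refused rather than executed, because a silently shortened `gnuplot <name>.cmd` is exactly the kind of input the old sprintf() pattern overflowed on. The vulnerable `build_gplot_cmd_unsafe()` is included only to show the "before" shape and is never called.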