author | niels <niels@FreeBSD.org> | 2010-03-23 05:26:25 +0800 |
---|---|---|
committer | niels <niels@FreeBSD.org> | 2010-03-23 05:26:25 +0800 |
commit | 4348dec82177c659139493534bf9516799ffd78a (patch) | |
tree | b5de216a05f215448cbca0b3e065bb706b7aa615 /graphics/xzgv | |
parent | 4d82e63171d948e8786b848f3e6fa97c781a15bd (diff) | |
Upgrade to 0.9 in order to fix a security issue
Approved by: itetcu (mentor), miwi (secteam)
Security: http://www.vuxml.org/freebsd/a813a219-d2d4-11da-a672-000e0c2e438a.html
Security: http://www.gentoo.org/security/en/glsa/glsa-200604-10.xml
Diffstat (limited to 'graphics/xzgv')
-rw-r--r-- | graphics/xzgv/Makefile | 21 | ||||
-rw-r--r-- | graphics/xzgv/distinfo | 6 | ||||
-rw-r--r-- | graphics/xzgv/files/patch-aa | 47 | ||||
-rw-r--r-- | graphics/xzgv/files/patch-ab | 77 | ||||
-rw-r--r-- | graphics/xzgv/files/patch-ac | 32 | ||||
-rw-r--r-- | graphics/xzgv/files/patch-security-1 | 197 | ||||
-rw-r--r-- | graphics/xzgv/files/patch-src-readjpeg.c | 80 | ||||
-rw-r--r-- | graphics/xzgv/pkg-descr | 5 |
8 files changed, 52 insertions, 413 deletions
diff --git a/graphics/xzgv/Makefile b/graphics/xzgv/Makefile index c15042e04730..155a69660878 100644 --- a/graphics/xzgv/Makefile +++ b/graphics/xzgv/Makefile @@ -6,31 +6,30 @@ # PORTNAME= xzgv -PORTVERSION= 0.8 -PORTREVISION= 9 +PORTVERSION= 0.9 CATEGORIES= graphics -MASTER_SITES= ${MASTER_SITE_SUNSITE} -MASTER_SITE_SUBDIR= apps/graphics/viewers/X +MASTER_SITES= SF/${PORTNAME}/${PORTNAME}/${PORTVERSION}/ MAINTAINER= nosuzuki@postcard.st COMMENT= An image viewer with thumbnail-based file selector for X -USE_GNOME= imlib +BUILD_DEPENDS= gawk:${PORTSDIR}/lang/gawk + +USE_GNOME= imlib gdkpixbuf gtk20 USE_GMAKE= yes MAN1= xzgv.1 -INFO= xzgv PLIST_FILES= bin/xzgv +.include <bsd.port.pre.mk> + post-patch: @${REINPLACE_CMD} -e 's|^CC|#CC|g ; \ s|^CFLAGS|#CFLAGS|g ; \ s|^PREFIX|#PREFIX|g' ${WRKSRC}/config.mk -.include <bsd.port.pre.mk> - -.if defined(WITH_MMX) && (${ARCH} == "i386") -CFLAGS+= -DINTERP_MMX -.endif +do-install: + ${INSTALL_PROGRAM} ${WRKSRC}/src/xzgv ${LOCALBASE}/bin/ + ${INSTALL_MAN} ${WRKSRC}/doc/xzgv.1 ${MANPREFIX}/man/man1 .include <bsd.port.post.mk> diff --git a/graphics/xzgv/distinfo b/graphics/xzgv/distinfo index 8ac1fbcdaec6..ee442f93f754 100644 --- a/graphics/xzgv/distinfo +++ b/graphics/xzgv/distinfo @@ -1,3 +1,3 @@ -MD5 (xzgv-0.8.tar.gz) = e392277f1447076402df2e3d9e782cb2 -SHA256 (xzgv-0.8.tar.gz) = 4f6247665dfc3e4d376f457379b9e4c77c2a848659ff2b0dd5377c0aa09e5884 -SIZE (xzgv-0.8.tar.gz) = 302801 +MD5 (xzgv-0.9.tar.gz) = 7e2dfad595c97c2abbb392b61ea69f1b +SHA256 (xzgv-0.9.tar.gz) = c5716994290dfa495ad5229049c510332d6afd3a0727b35de39436b6b53d1091 +SIZE (xzgv-0.9.tar.gz) = 235367 diff --git a/graphics/xzgv/files/patch-aa b/graphics/xzgv/files/patch-aa index 83fd9485dff3..9ff1bef1a5d1 100644 --- a/graphics/xzgv/files/patch-aa +++ b/graphics/xzgv/files/patch-aa 
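Review bot: The new `do-install` target in graphics/xzgv/Makefile copies the binary to `${LOCALBASE}/bin/`, but a port should install under `${PREFIX}`. `LOCALBASE` is where dependencies are looked up, and `PLIST_FILES= bin/xzgv` is recorded relative to `PREFIX`, so a build with a non-default `PREFIX` would install a file the packing list does not describe. I would write the line as `${INSTALL_PROGRAM} ${WRKSRC}/src/xzgv ${PREFIX}/bin/`. Separately, this version bump is the only justification for deleting files/patch-security-1 and files/patch-src-readjpeg.c further down. Nothing on the page shows that 0.9 carries the width/height limits and the CMYK allocation change, so the commit message should say that this was checked against the 0.9 sources.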
@@ -1,26 +1,35 @@ ---- Makefile.orig Fri Nov 17 13:28:43 2000 -+++ Makefile Sat Jun 9 17:03:04 2001 -@@ -24,9 +24,9 @@ +--- Makefile.orig 2010-03-18 23:04:14.000000000 +0100 ++++ Makefile 2010-03-18 23:05:02.000000000 +0100 +@@ -32,8 +32,8 @@ + xzgv: + cd src && $(MAKE) xzgv +-src/install-info: src/install-info.c +- cd src && $(MAKE) install-info ++#src/install-info: src/install-info.c ++# cd src && $(MAKE) install-info + man: doc/xzgv.1 --all: src man infowarn -+all: src man info #infowarn +@@ -52,13 +52,16 @@ + cd doc && $(MAKE) clean + $(RM) *~ --src: xzgv src/install-info -+src: xzgv #src/install-info +-install: all +- cd src && $(MAKE) install +- cd doc && $(MAKE) install ++#install: all ++# cd src && $(MAKE) install ++# cd doc && $(MAKE) install ++install: ++# cd src && $(MAKE) install ++# cd doc && $(MAKE) install - # We try this the whole time, as the dependancies are a bit - # complicated to duplicate here. -@@ -45,9 +45,9 @@ - # as I don't want to assume everyone has texinfo's `makeinfo' handy. - # So the `infowarn' below is mainly to warn me if the info gets - # out of date. :-) --info: doc/xzgv.gz -+info: doc/xzgv.info + uninstall: +- cd src && $(MAKE) uninstall +- cd doc && $(MAKE) uninstall ++# cd src && $(MAKE) uninstall ++# cd doc && $(MAKE) uninstall --doc/xzgv.gz: doc/xzgv.texi -+doc/xzgv.info: doc/xzgv.texi - cd doc && $(MAKE) info - # Warn if the info is out of date. This *is* automatically done. + # The stuff below makes the distribution tgz. diff --git a/graphics/xzgv/files/patch-ab b/graphics/xzgv/files/patch-ab index 766cc9272486..2303fd7ccd3c 100644 --- a/graphics/xzgv/files/patch-ab +++ b/graphics/xzgv/files/patch-ab 
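Review bot: In the new files/patch-aa the upstream `install:` target ends up with no recipe at all, and the old rule is left behind twice as comments, once above the target and again beneath it, which reads as an editing leftover rather than a decision. Since the port Makefile in this commit defines its own `do-install`, the upstream install and uninstall rules are presumably never run. Either drop these edits from the patch or replace the commented-out copies with one line such as `# install is handled by the port's do-install target`. The rewritten files/patch-ab also empties the `install:` rule in doc/Makefile by commenting out its recipe and could get the same treatment.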
@@ -1,74 +1,17 @@ ---- doc/Makefile.orig Thu Dec 21 12:45:20 2000 -+++ doc/Makefile Sat Jun 9 17:08:11 2001 -@@ -10,12 +10,11 @@ - - all: info man - --info: xzgv.gz -+info: xzgv.info - dvi: xzgv.dvi - --xzgv.gz: xzgv.texi -- makeinfo xzgv.texi -- gzip -f xzgv xzgv-? -+xzgv.info: xzgv.texi -+ makeinfo --no-split xzgv.texi -o xzgv.info - - # `-c' removes the huge number of associated files created by TeX. - # This saves doing a `make clean' from hell. :-) -@@ -36,36 +35,36 @@ +--- doc/Makefile.orig 2010-03-18 23:06:01.000000000 +0100 ++++ doc/Makefile 2010-03-18 23:06:17.000000000 +0100 +@@ -36,10 +36,10 @@ installdirs: /bin/sh ../mkinstalldirs $(INFODIR) $(MANDIR) --install: ../src/install-info installdirs +-install: installdirs - install xzgv.1 $(MANDIR) -- install xzgv.gz xzgv-?.gz $(INFODIR) -- chmod 644 $(MANDIR)/xzgv.1 $(INFODIR)/xzgv* +- install xzgv.gz $(INFODIR) +- install-info --infodir=$(INFODIR) xzgv.gz +install: -+ ${BSD_INSTALL_MAN} xzgv.1 $(MANDIR) -+ ${BSD_INSTALL_DATA} xzgv.info $(INFODIR) -+ install-info $(INFODIR)/xzgv.info $(INFODIR)/dir - # Update info `dir' file. - # Info always uses a dir file in preference to a dir.gz, so we don't use - # dir.gz unless it's the only game in town. -- if [ "$(INFO_DIR_UPDATE)" != no ]; then \ -- gzip -d xzgv.gz; \ -- if [ -f $(INFODIR)/dir.gz -a ! -f $(INFODIR)/dir ]; then \ -- gzip -d $(INFODIR)/dir.gz; \ -- ../src/install-info xzgv $(INFODIR)/dir; \ -- gzip $(INFODIR)/dir; \ -- else \ -- ../src/install-info xzgv $(INFODIR)/dir; \ -- fi; \ -- chmod a+r $(INFODIR)/dir; \ -- gzip xzgv; \ -- fi -+# if [ "$(INFO_DIR_UPDATE)" != no ]; then \ -+# gzip -d xzgv.gz; \ -+# if [ -f $(INFODIR)/dir.gz -a ! 
-f $(INFODIR)/dir ]; then \ -+# gzip -d $(INFODIR)/dir.gz; \ -+# ../src/install-info xzgv $(INFODIR)/dir; \ -+# gzip $(INFODIR)/dir; \ -+# else \ -+# ../src/install-info xzgv $(INFODIR)/dir; \ -+# fi; \ -+# chmod a+r $(INFODIR)/dir; \ -+# gzip xzgv; \ -+# fi - - ../src/install-info: ../src/install-info.c - cd ../src && $(MAKE) install-info ++# install xzgv.1 $(MANDIR) ++# install xzgv.gz $(INFODIR) ++# install-info --infodir=$(INFODIR) xzgv.gz - # can't easily fix dir :-/, but do remove the files. uninstall: -- $(RM) $(MANDIR)/xzgv.1 -- $(RM) $(INFODIR)/{xzgv.gz,xzgv-?.gz} -+ install-info --delete $(INFODIR)/xzgv.info $(INFODIR)/dir -+ $(RM) $(INFODIR)/xzgv.info - - # This *doesn't* remove the Info files, which should stick around to - # be included in the distribution. Ditto for the man page, since - # building it requires gawk. - clean: -- $(RM) *~ xzgv.dvi -+ $(RM) *~ xzgv.dvi xzgv.info + $(RM) $(MANDIR)/xzgv.1 diff --git a/graphics/xzgv/files/patch-ac b/graphics/xzgv/files/patch-ac deleted file mode 100644 index 7a126a0c250a..000000000000 --- a/graphics/xzgv/files/patch-ac +++ /dev/null 
@@ -1,32 +0,0 @@ ---- src/Makefile.orig Tue Apr 10 21:37:01 2001 -+++ src/Makefile Sat Jun 9 17:09:29 2001 -@@ -9,7 +9,7 @@ - # This gets definitions for CC, CFLAGS, BINDIR etc. - include ../config.mk - --CFLAGS+=-DBACKEND_$(BACKEND) `gtk-config --cflags` -+CFLAGS+=-DBACKEND_$(BACKEND) `${GTK_CONFIG} --cflags` - - # I could do this less horribly if I made it GNU-make-specific, - # but I decided not to. And here we are. :-( -@@ -30,7 +30,7 @@ - # compile when you do `make install'. :-) - # (It would also be weird to have it made by the `doc' Makefile, IMHO.) - --all: xzgv install-info -+all: xzgv #install-info - - OBJS= main.o \ - filedetails.o gotodir.o updatetn.o confirm.o help.o \ -@@ -57,9 +57,8 @@ - installdirs: - /bin/sh ../mkinstalldirs $(BINDIR) - --install: xzgv installdirs -- install xzgv $(BINDIR) -- chmod 755 $(BINDIR)/xzgv -+install: xzgv #installdirs -+ ${BSD_INSTALL_PROGRAM} xzgv $(BINDIR) - - uninstall: - $(RM) $(BINDIR)/xzgv diff --git a/graphics/xzgv/files/patch-security-1 b/graphics/xzgv/files/patch-security-1 deleted file mode 100644 index 4beba6fadc89..000000000000 --- a/graphics/xzgv/files/patch-security-1 +++ /dev/null 
@@ -1,197 +0,0 @@ -diff -urN xzgv-0.8/ChangeLog xzgv/ChangeLog ---- xzgv-0.8/ChangeLog Tue Sep 16 15:08:42 2003 -+++ ChangeLog Wed Dec 15 03:30:46 2004 -@@ -1,3 +1,13 @@ -+2004-11-03 Russell Marks <russell.marks@ntlworld.com> -+ -+ * Added width/height limits to all native picture readers. This is -+ a crude (albeit effective) fix for heap overflow bugs - there may -+ yet be more subtle problems, but I can't really fix them until I -+ know they're there. :-) Thanks to Luke Macken for letting me know -+ about the heap overflow problems (in zgv). I suppose I should also -+ thank "infamous41md" for publishing the original advisory/exploit -+ (again for zgv), even if he didn't bother emailing me or anything. -+ - 2003-09-16 Russell Marks <russell.marks@ntlworld.com> - - * Version 0.8. -diff -urN xzgv-0.8/src/Makefile xzgv/src/Makefile ---- xzgv-0.8/src/Makefile Tue Jan 1 05:37:45 2002 -+++ src/Makefile Wed Dec 15 03:30:46 2004 -@@ -84,18 +84,19 @@ - logo.o: logo.c logodata.h - logoconv.o: logoconv.c - main.o: main.c backend.h readmrf.h readgif.h readpng.h readjpeg.h \ -- readtiff.h resizepic.h rcfile.h filedetails.h gotodir.h updatetn.h \ -- confirm.h misc.h copymove.h rename.h help.h dir_icon.xpm \ -+ readtiff.h readprf.h resizepic.h rcfile.h filedetails.h gotodir.h \ -+ updatetn.h confirm.h misc.h copymove.h rename.h help.h dir_icon.xpm \ - dir_icon_small.xpm file_icon.xpm file_icon_small.xpm logo.h \ - icon-48.xpm main.h - misc.o: misc.c misc.h - rcfile.o: rcfile.c getopt.h rcfile.h rcfile_opt.h rcfile_var.h \ - rcfile_short.h --readgif.o: readgif.c readgif.h --readjpeg.o: readjpeg.c rcfile.h readjpeg.h --readmrf.o: readmrf.c readmrf.h -+readgif.o: readgif.c reader.h readgif.h -+readjpeg.o: readjpeg.c rcfile.h reader.h readjpeg.h -+readmrf.o: readmrf.c reader.h readmrf.h - readpng.o: readpng.c readpng.h --readtiff.o: readtiff.c readtiff.h -+readprf.o: readprf.c reader.h readprf.h -+readtiff.o: readtiff.c reader.h readtiff.h - rename.o: rename.c backend.h main.h 
rename.h - resizepic.o: resizepic.c resizepic.h - updatetn.o: updatetn.c backend.h main.h rcfile.h dither.h resizepic.h \ -diff -urN xzgv-0.8/src/reader.h xzgv/src/reader.h ---- xzgv-0.8/src/reader.h Thu Jan 1 01:00:00 1970 -+++ src/reader.h Wed Dec 15 03:30:46 2004 -@@ -0,0 +1,15 @@ -+/* xzgv 0.8 - picture viewer for X, with file selector. -+ * Copyright (C) 1999-2004 Russell Marks. See main.c for license details. -+ * -+ * reader.h -+ */ -+ -+/* range check on width and height as a crude way of avoiding overflows -+ * when calling malloc/calloc. 32767 is the obvious limit to use given that -+ * xzgv effectively imposes such a limit anyway. -+ * Adds an extra 2 to height for max-height check, partly to reflect what -+ * the check in zgv does but also to allow for readtiff.c allocating an -+ * extra line (so at least an extra 1 would have been needed in any case). -+ */ -+#define WH_MAX 32767 -+#define WH_BAD(w,h) ((w)<=0 || (w)>WH_MAX || (h)<=0 || ((h)+2)>WH_MAX) -diff -urN xzgv-0.8/src/readgif.c xzgv/src/readgif.c ---- xzgv-0.8/src/readgif.c Sun Mar 3 04:34:32 2002 -+++ src/readgif.c Wed Dec 15 03:30:46 2004 -@@ -8,6 +8,7 @@ - #include <string.h> - #include <unistd.h> - #include <stdlib.h> -+#include "reader.h" - #include "readgif.h" - - -@@ -103,7 +104,7 @@ - - if(local_colour_map) readcolmap(in); - -- if((image=malloc(width*height*3))==NULL) -+ if(WH_BAD(width,height) || (image=malloc(width*height*3))==NULL) - { - fclose(in); - return(0); -diff -urN xzgv-0.8/src/readjpeg.c xzgv/src/readjpeg.c ---- xzgv-0.8/src/readjpeg.c Tue Sep 16 12:52:04 2003 -+++ src/readjpeg.c Wed Dec 15 03:30:46 2004 -@@ -13,6 +13,7 @@ - #include <jpeglib.h> - - #include "rcfile.h" -+#include "reader.h" - - #include "readjpeg.h" - -@@ -265,7 +266,7 @@ - /* this one shouldn't hurt */ - cinfo.do_block_smoothing=FALSE; - --if((*imagep=image=malloc(width*height*3))==NULL) -+if(WH_BAD(width,height) || (*imagep=image=malloc(width*height*3))==NULL) - longjmp(jerr.setjmp_buffer,1); - - 
jpeg_start_decompress(&cinfo); -diff -urN xzgv-0.8/src/readmrf.c xzgv/src/readmrf.c ---- xzgv-0.8/src/readmrf.c Sat Oct 7 14:26:55 2000 -+++ src/readmrf.c Wed Dec 15 03:30:46 2004 -@@ -7,6 +7,7 @@ - #include <stdio.h> - #include <string.h> - #include <stdlib.h> -+#include "reader.h" - #include "readmrf.h" - - -@@ -91,7 +92,8 @@ - w64=(w+63)/64; - h64=(h+63)/64; - --if((*bmap=malloc(w*h*3))==NULL || -+if(WH_BAD(w64*64,h64*64) || WH_BAD(w,h) || -+ (*bmap=malloc(w*h*3))==NULL || - (image=calloc(w64*h64*64*64,1))==NULL) - { - if(*bmap) free(*bmap),*bmap=NULL; -diff -urN xzgv-0.8/src/readpng.c xzgv/src/readpng.c ---- xzgv-0.8/src/readpng.c Thu Jul 10 16:13:43 2003 -+++ src/readpng.c Wed Dec 15 03:32:46 2004 -@@ -16,6 +16,7 @@ - #include <stdlib.h> - #include <png.h> - #include <setjmp.h> /* after png.h to avoid horrible thing in pngconf.h */ -+#include "reader.h" - #include "readpng.h" - - -@@ -129,7 +130,8 @@ - } - - /* allocate image memory */ --if((*theimageptr=theimage=malloc(width*height*3))==NULL) -+if(WH_BAD(width,height) || -+ (*theimageptr=theimage=malloc(width*height*3))==NULL) - { - png_read_end(png_ptr,info_ptr); - png_destroy_read_struct(&png_ptr,&info_ptr,NULL); -diff -urN xzgv-0.8/src/readprf.c xzgv/src/readprf.c ---- xzgv-0.8/src/readprf.c Mon Apr 9 19:08:19 2001 -+++ src/readprf.c Wed Dec 15 03:30:46 2004 -@@ -7,6 +7,7 @@ - #include <stdio.h> - #include <string.h> - #include <stdlib.h> -+#include "reader.h" - #include "readprf.h" - - #define squaresize 64 -@@ -164,7 +165,7 @@ - bytepp=1; - - n=width*squaresize; --if((planebuf[0]=calloc(n,planes))==NULL) -+if(WH_BAD(width,height) || (planebuf[0]=calloc(n,planes))==NULL) - { - fclose(in); - return(0); -@@ -173,6 +174,7 @@ - for(f=1;f<planes;f++) - planebuf[f]=planebuf[f-1]+n; - -+/* width/height already checked above */ - if((*theimageptr=malloc(width*height*3))==NULL) - { - free(planebuf[0]); -diff -urN xzgv-0.8/src/readtiff.c xzgv/src/readtiff.c ---- xzgv-0.8/src/readtiff.c Thu Dec 28 03:20:55 2000 -+++ 
src/readtiff.c Wed Dec 15 03:30:46 2004 -@@ -11,7 +11,7 @@ - #include <setjmp.h> - #include <sys/file.h> /* for open et al */ - #include <tiffio.h> -- -+#include "reader.h" - #include "readtiff.h" - - -@@ -36,7 +36,8 @@ - * spare for the flip afterwards. - */ - numpix=width*height; --if((image=malloc(numpix*sizeof(uint32)+width*3))==NULL) -+if(WH_BAD(width,height) || -+ (image=malloc(numpix*sizeof(uint32)+width*3))==NULL) - { - TIFFClose(in); - return(0); diff --git a/graphics/xzgv/files/patch-src-readjpeg.c b/graphics/xzgv/files/patch-src-readjpeg.c deleted file mode 100644 index b5457ac68df5..000000000000 --- a/graphics/xzgv/files/patch-src-readjpeg.c +++ /dev/null 
@@ -1,80 +0,0 @@ ---- src/readjpeg.c Tue Mar 21 12:16:07 2006 -+++ src/readjpeg.c Wed Sep 21 21:15:01 2005 -@@ -179,11 +179,13 @@ - static int have_image; - static int width,height; - static unsigned char *image; -+static int cmyk; - unsigned char *ptr,*ptr2; - int chkw,chkh; - int f,rec; - static int greyscale; /* static to satisfy gcc -Wall */ - -+cmyk=0; - greyscale=0; - - lineptrs=NULL; -@@ -225,6 +227,15 @@ - greyscale=1; - } - -+if(cinfo.jpeg_color_space==JCS_CMYK) -+ cmyk=1; -+ -+if(cinfo.jpeg_color_space==JCS_YCCK) -+ { -+ cmyk=1; -+ cinfo.out_color_space=JCS_CMYK; -+ } -+ - *wp=width=cinfo.image_width; - *hp=height=cinfo.image_height; - -@@ -266,7 +277,7 @@ - /* this one shouldn't hurt */ - cinfo.do_block_smoothing=FALSE; - --if(WH_BAD(width,height) || (*imagep=image=malloc(width*height*3))==NULL) -+if(WH_BAD(width,height) || (*imagep=image=malloc(width*(height+cmyk)*3))==NULL) - longjmp(jerr.setjmp_buffer,1); - - jpeg_start_decompress(&cinfo); -@@ -279,12 +290,33 @@ - for(f=0;f<height;f++,ptr+=width*3) - lineptrs[f]=ptr; - --rec=cinfo.rec_outbuf_height; --while(cinfo.output_scanline<height) -+if(!cmyk) - { -- f=height-cinfo.output_scanline; -- jpeg_read_scanlines(&cinfo,lineptrs+cinfo.output_scanline, -- f>rec?rec:f); -+ rec=cinfo.rec_outbuf_height; -+ while(cinfo.output_scanline<height) -+ { -+ f=height-cinfo.output_scanline; -+ jpeg_read_scanlines(&cinfo,lineptrs+cinfo.output_scanline, -+ f>rec?rec:f); -+ } -+ } -+else /* cmyk output */ -+ { -+ int tmp; -+ -+ ptr=image; -+ while(cinfo.output_scanline<height) -+ { -+ jpeg_read_scanlines(&cinfo,&ptr,1); -+ ptr2=ptr; -+ for(f=0;f<width;f++,ptr+=3,ptr2+=4) -+ { -+ tmp=ptr2[3]; -+ ptr[0]=(tmp*ptr2[0])/255; -+ ptr[1]=(tmp*ptr2[1])/255; -+ ptr[2]=(tmp*ptr2[2])/255; -+ } -+ } - } - - free(lineptrs); diff --git a/graphics/xzgv/pkg-descr b/graphics/xzgv/pkg-descr index 2b4105996236..09b3f911351c 100644 --- a/graphics/xzgv/pkg-descr +++ b/graphics/xzgv/pkg-descr 
@@ -6,7 +6,4 @@ In contrast to other image file viewers for X, xzgv uses only one window and can fit a large image to the size of the window without changing the aspect ratio. -WWW: http://rus.members.beeb.net/xzgv.html - -Norio Suzuki -nosuzuki@e-mail.ne.jp +WWW: http://rus.members.beeb.net/xzgv.html |