summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJustin Lecher <jlec@gentoo.org>2015-01-04 18:18:17 +0000
committerJustin Lecher <jlec@gentoo.org>2015-01-04 18:18:17 +0000
commit2aab8d54b51b9618ee414f8b4421d6a986cf85e6 (patch)
tree057afe5fd6d6559713b843e454302e9fa56666c9
parentversion bump, drop old (diff)
downloadgentoo-2-2aab8d54b51b9618ee414f8b4421d6a986cf85e6.tar.gz
gentoo-2-2aab8d54b51b9618ee414f8b4421d6a986cf85e6.tar.bz2
gentoo-2-2aab8d54b51b9618ee414f8b4421d6a986cf85e6.zip
media-libs/jasper: Import fixes for CVE-2014-8137/8 from fedora, #533744
(Portage version: 2.2.15/cvs/Linux x86_64, signed Manifest commit with key B9D4F231BD1558AB!)
-rw-r--r--media-libs/jasper/ChangeLog10
-rw-r--r--media-libs/jasper/files/jasper-CVE-2014-8137.patch57
-rw-r--r--media-libs/jasper/files/jasper-CVE-2014-8138.patch14
-rw-r--r--media-libs/jasper/jasper-1.900.1-r8.ebuild52
4 files changed, 131 insertions, 2 deletions
diff --git a/media-libs/jasper/ChangeLog b/media-libs/jasper/ChangeLog
index 70d96dc7227c..c028cd5af2aa 100644
--- a/media-libs/jasper/ChangeLog
+++ b/media-libs/jasper/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for media-libs/jasper
-# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/jasper/ChangeLog,v 1.104 2014/12/26 10:40:05 jlec Exp $
+# Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/media-libs/jasper/ChangeLog,v 1.105 2015/01/04 18:18:17 jlec Exp $
+
+*jasper-1.900.1-r8 (04 Jan 2015)
+
+ 04 Jan 2015; Justin Lecher <jlec@gentoo.org> +jasper-1.900.1-r8.ebuild,
+ +files/jasper-CVE-2014-8137.patch, +files/jasper-CVE-2014-8138.patch:
+ Import fixes for CVE-2014-8137/8 from fedora, #533744
26 Dec 2014; Justin Lecher <jlec@gentoo.org> -jasper-1.900.1-r6.ebuild:
Drop vulnerable version
diff --git a/media-libs/jasper/files/jasper-CVE-2014-8137.patch b/media-libs/jasper/files/jasper-CVE-2014-8137.patch
new file mode 100644
index 000000000000..9600cd3231de
--- /dev/null
+++ b/media-libs/jasper/files/jasper-CVE-2014-8137.patch
@@ -0,0 +1,57 @@
+--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2014-12-11 14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2014-12-11 15:16:37.971272386 +0100
+@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr
+ return 0;
+
+ error:
+- jas_icccurv_destroy(attrval);
+ return -1;
+ }
+
+@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca
+ #endif
+ return 0;
+ error:
+- jas_icctxtdesc_destroy(attrval);
+ return -1;
+ }
+
+@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv
+ goto error;
+ return 0;
+ error:
+- if (txt->string)
+- jas_free(txt->string);
+ return -1;
+ }
+
+@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr
+ goto error;
+ return 0;
+ error:
+- jas_icclut8_destroy(attrval);
+ return -1;
+ }
+
+@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt
+ goto error;
+ return 0;
+ error:
+- jas_icclut16_destroy(attrval);
+ return -1;
+ }
+
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:30:54.193209780 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:36:46.313217814 +0100
+@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ case JP2_COLR_ICC:
+ iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp,
+ dec->colr->data.colr.iccplen);
+- assert(iccprof);
++ if (!iccprof) {
++ jas_eprintf("error: failed to parse ICC profile\n");
++ goto error;
++ }
+ jas_iccprof_gethdr(iccprof, &icchdr);
+ jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc);
+ jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc));
diff --git a/media-libs/jasper/files/jasper-CVE-2014-8138.patch b/media-libs/jasper/files/jasper-CVE-2014-8138.patch
new file mode 100644
index 000000000000..5aaf8abb1d5e
--- /dev/null
+++ b/media-libs/jasper/files/jasper-CVE-2014-8138.patch
@@ -0,0 +1,14 @@
+--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:44.000000000 +0100
++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:26.000000000 +0100
+@@ -386,6 +386,11 @@ jas_image_t *jp2_decode(jas_stream_t *in
+ /* Determine the type of each component. */
+ if (dec->cdef) {
+ for (i = 0; i < dec->numchans; ++i) {
++ /* Is the channel number reasonable? */
++ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
++ jas_eprintf("error: invalid channel number in CDEF box\n");
++ goto error;
++ }
+ jas_image_setcmpttype(dec->image,
+ dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo],
+ jp2_getct(jas_image_clrspc(dec->image),
diff --git a/media-libs/jasper/jasper-1.900.1-r8.ebuild b/media-libs/jasper/jasper-1.900.1-r8.ebuild
new file mode 100644
index 000000000000..b3e32ae7b1a9
--- /dev/null
+++ b/media-libs/jasper/jasper-1.900.1-r8.ebuild
@@ -0,0 +1,52 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-libs/jasper/jasper-1.900.1-r8.ebuild,v 1.1 2015/01/04 18:18:17 jlec Exp $
+
+EAPI=5
+
+# outdated './configure': breaks in 'USE=opengl ABI_X86="32 64"' case:
+# uses /usr/lib64 for 32-bit ABI.
+AUTOTOOLS_AUTORECONF=yes
+
+inherit autotools-multilib
+
+DESCRIPTION="software-based implementation of the codec specified in the JPEG-2000 Part-1 standard"
+HOMEPAGE="http://www.ece.uvic.ca/~mdadams/jasper/"
+SRC_URI="
+ http://www.ece.uvic.ca/~mdadams/${PN}/software/${P}.zip
+ mirror://gentoo/${P}-fixes-20120611.patch.bz2"
+
+LICENSE="JasPer2.0"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~x64-solaris ~x86-solaris"
+IUSE="jpeg opengl static-libs"
+
+RDEPEND="
+ jpeg? ( >=virtual/jpeg-0-r2:0[${MULTILIB_USEDEP}] )
+ opengl? (
+ >=virtual/opengl-7.0-r1:0[${MULTILIB_USEDEP}]
+ >=media-libs/freeglut-2.8.1:0[${MULTILIB_USEDEP}]
+ virtual/glu
+ )"
+DEPEND="${RDEPEND}
+ app-arch/unzip"
+
+PATCHES=(
+ "${WORKDIR}"/${P}-fixes-20120611.patch
+ "${FILESDIR}"/${PN}-1.701.0-GL-ac.patch
+ "${FILESDIR}"/${PN}-1.701.0-GL.patch
+ "${FILESDIR}"/${PN}-CVE-2014-9029.patch
+ "${FILESDIR}"/${PN}-CVE-2014-8137.patch
+ "${FILESDIR}"/${PN}-CVE-2014-8138.patch
+ "${FILESDIR}"/${PN}-pkgconfig.patch
+ )
+
+DOCS=( NEWS README doc/. )
+
+src_configure() {
+ local myeconfargs=(
+ $(use_enable jpeg libjpeg)
+ $(use_enable opengl)
+ )
+ autotools-multilib_src_configure
+}