diff options
author | Justin Lecher <jlec@gentoo.org> | 2015-01-04 18:18:17 +0000 |
---|---|---|
committer | Justin Lecher <jlec@gentoo.org> | 2015-01-04 18:18:17 +0000 |
commit | 2aab8d54b51b9618ee414f8b4421d6a986cf85e6 (patch) | |
tree | 057afe5fd6d6559713b843e454302e9fa56666c9 | |
parent | version bump, drop old (diff) | |
download | gentoo-2-2aab8d54b51b9618ee414f8b4421d6a986cf85e6.tar.gz gentoo-2-2aab8d54b51b9618ee414f8b4421d6a986cf85e6.tar.bz2 gentoo-2-2aab8d54b51b9618ee414f8b4421d6a986cf85e6.zip |
media-libs/jasper: Import fixes for CVE-2014-8137/8 from fedora, #533744
(Portage version: 2.2.15/cvs/Linux x86_64, signed Manifest commit with key B9D4F231BD1558AB!)
-rw-r--r-- | media-libs/jasper/ChangeLog | 10 | ||||
-rw-r--r-- | media-libs/jasper/files/jasper-CVE-2014-8137.patch | 57 | ||||
-rw-r--r-- | media-libs/jasper/files/jasper-CVE-2014-8138.patch | 14 | ||||
-rw-r--r-- | media-libs/jasper/jasper-1.900.1-r8.ebuild | 52 |
4 files changed, 131 insertions, 2 deletions
diff --git a/media-libs/jasper/ChangeLog b/media-libs/jasper/ChangeLog index 70d96dc7227c..c028cd5af2aa 100644 --- a/media-libs/jasper/ChangeLog +++ b/media-libs/jasper/ChangeLog @@ -1,6 +1,12 @@ # ChangeLog for media-libs/jasper -# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/media-libs/jasper/ChangeLog,v 1.104 2014/12/26 10:40:05 jlec Exp $ +# Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-x86/media-libs/jasper/ChangeLog,v 1.105 2015/01/04 18:18:17 jlec Exp $ + +*jasper-1.900.1-r8 (04 Jan 2015) + + 04 Jan 2015; Justin Lecher <jlec@gentoo.org> +jasper-1.900.1-r8.ebuild, + +files/jasper-CVE-2014-8137.patch, +files/jasper-CVE-2014-8138.patch: + Import fixes for CVE-2014-8137/8 from fedora, #533744 26 Dec 2014; Justin Lecher <jlec@gentoo.org> -jasper-1.900.1-r6.ebuild: Drop vulnerable version diff --git a/media-libs/jasper/files/jasper-CVE-2014-8137.patch b/media-libs/jasper/files/jasper-CVE-2014-8137.patch new file mode 100644 index 000000000000..9600cd3231de --- /dev/null +++ b/media-libs/jasper/files/jasper-CVE-2014-8137.patch @@ -0,0 +1,57 @@ +--- jasper-1.900.1.orig/src/libjasper/base/jas_icc.c 2014-12-11 14:06:44.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/base/jas_icc.c 2014-12-11 15:16:37.971272386 +0100 +@@ -1009,7 +1009,6 @@ static int jas_icccurv_input(jas_iccattr + return 0; + + error: +- jas_icccurv_destroy(attrval); + return -1; + } + +@@ -1127,7 +1126,6 @@ static int jas_icctxtdesc_input(jas_icca + #endif + return 0; + error: +- jas_icctxtdesc_destroy(attrval); + return -1; + } + +@@ -1206,8 +1204,6 @@ static int jas_icctxt_input(jas_iccattrv + goto error; + return 0; + error: +- if (txt->string) +- jas_free(txt->string); + return -1; + } + +@@ -1328,7 +1324,6 @@ static int jas_icclut8_input(jas_iccattr + goto error; + return 0; + error: +- jas_icclut8_destroy(attrval); + return -1; + } + +@@ -1497,7 +1492,6 @@ static int jas_icclut16_input(jas_iccatt + goto error; + return 0; + error: +- jas_icclut16_destroy(attrval); + return -1; + } + +--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:30:54.193209780 +0100 ++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:36:46.313217814 +0100 +@@ -291,7 +291,10 @@ jas_image_t *jp2_decode(jas_stream_t *in + case JP2_COLR_ICC: + iccprof = jas_iccprof_createfrombuf(dec->colr->data.colr.iccp, + dec->colr->data.colr.iccplen); +- assert(iccprof); ++ if (!iccprof) { ++ jas_eprintf("error: failed to parse ICC profile\n"); ++ goto error; ++ } + jas_iccprof_gethdr(iccprof, &icchdr); + jas_eprintf("ICC Profile CS %08x\n", icchdr.colorspc); + jas_image_setclrspc(dec->image, fromiccpcs(icchdr.colorspc)); diff --git a/media-libs/jasper/files/jasper-CVE-2014-8138.patch b/media-libs/jasper/files/jasper-CVE-2014-8138.patch new file mode 100644 index 000000000000..5aaf8abb1d5e --- /dev/null +++ b/media-libs/jasper/files/jasper-CVE-2014-8138.patch @@ -0,0 +1,14 @@ +--- jasper-1.900.1.orig/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:44.000000000 +0100 ++++ jasper-1.900.1/src/libjasper/jp2/jp2_dec.c 2014-12-11 14:06:26.000000000 +0100 +@@ -386,6 +386,11 @@ jas_image_t *jp2_decode(jas_stream_t *in + /* Determine the type of each component. */ + if (dec->cdef) { + for (i = 0; i < dec->numchans; ++i) { ++ /* Is the channel number reasonable? */ ++ if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) { ++ jas_eprintf("error: invalid channel number in CDEF box\n"); ++ goto error; ++ } + jas_image_setcmpttype(dec->image, + dec->chantocmptlut[dec->cdef->data.cdef.ents[i].channo], + jp2_getct(jas_image_clrspc(dec->image), diff --git a/media-libs/jasper/jasper-1.900.1-r8.ebuild b/media-libs/jasper/jasper-1.900.1-r8.ebuild new file mode 100644 index 000000000000..b3e32ae7b1a9 --- /dev/null +++ b/media-libs/jasper/jasper-1.900.1-r8.ebuild @@ -0,0 +1,52 @@ +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/media-libs/jasper/jasper-1.900.1-r8.ebuild,v 1.1 2015/01/04 18:18:17 jlec Exp $ + +EAPI=5 + +# outdated './configure': breaks in 'USE=opengl ABI_X86="32 64"' case: +# uses /usr/lib64 for 32-bit ABI. +AUTOTOOLS_AUTORECONF=yes + +inherit autotools-multilib + +DESCRIPTION="software-based implementation of the codec specified in the JPEG-2000 Part-1 standard" +HOMEPAGE="http://www.ece.uvic.ca/~mdadams/jasper/" +SRC_URI=" + http://www.ece.uvic.ca/~mdadams/${PN}/software/${P}.zip + mirror://gentoo/${P}-fixes-20120611.patch.bz2" + +LICENSE="JasPer2.0" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~x64-solaris ~x86-solaris" +IUSE="jpeg opengl static-libs" + +RDEPEND=" + jpeg? ( >=virtual/jpeg-0-r2:0[${MULTILIB_USEDEP}] ) + opengl? ( + >=virtual/opengl-7.0-r1:0[${MULTILIB_USEDEP}] + >=media-libs/freeglut-2.8.1:0[${MULTILIB_USEDEP}] + virtual/glu + )" +DEPEND="${RDEPEND} + app-arch/unzip" + +PATCHES=( + "${WORKDIR}"/${P}-fixes-20120611.patch + "${FILESDIR}"/${PN}-1.701.0-GL-ac.patch + "${FILESDIR}"/${PN}-1.701.0-GL.patch + "${FILESDIR}"/${PN}-CVE-2014-9029.patch + "${FILESDIR}"/${PN}-CVE-2014-8137.patch + "${FILESDIR}"/${PN}-CVE-2014-8138.patch + "${FILESDIR}"/${PN}-pkgconfig.patch + ) + +DOCS=( NEWS README doc/. ) + +src_configure() { + local myeconfargs=( + $(use_enable jpeg libjpeg) + $(use_enable opengl) + ) + autotools-multilib_src_configure +} |