1 |
commit: 10ca5198d87e67194880e4421dc4a3d348211008 |
2 |
Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
3 |
AuthorDate: Sat Dec 29 20:21:07 2018 +0000 |
4 |
Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
5 |
CommitDate: Sat Dec 29 22:02:01 2018 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=10ca5198 |
7 |
|
8 |
media-libs/libextractor: Fix CVE-2018-20430, CVE-2018-20431 |
9 |
|
10 |
Bug: https://bugs.gentoo.org/673742 |
11 |
Package-Manager: Portage-2.3.52, Repoman-2.3.12 |
12 |
Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org> |
13 |
|
14 |
.../files/libextractor-1.8-CVE-2018-20430.patch | 49 +++++++++ |
15 |
.../files/libextractor-1.8-CVE-2018-20431.patch | 39 +++++++ |
16 |
media-libs/libextractor/libextractor-1.8-r1.ebuild | 117 +++++++++++++++++++++ |
17 |
3 files changed, 205 insertions(+) |
18 |
|
19 |
diff --git a/media-libs/libextractor/files/libextractor-1.8-CVE-2018-20430.patch b/media-libs/libextractor/files/libextractor-1.8-CVE-2018-20430.patch |
20 |
new file mode 100644 |
21 |
index 00000000000..d0b5968606b |
22 |
--- /dev/null |
23 |
+++ b/media-libs/libextractor/files/libextractor-1.8-CVE-2018-20430.patch |
24 |
@@ -0,0 +1,49 @@ |
25 |
+From b405d707b36e0654900cba78e89f49779efea110 Mon Sep 17 00:00:00 2001 |
26 |
+From: Christian Grothoff <christian@××××××××.org> |
27 |
+Date: Thu, 20 Dec 2018 22:47:53 +0100 |
28 |
+Subject: fix #5493 (out of bounds read) |
29 |
+ |
30 |
+--- |
31 |
+ src/common/convert.c | 10 +++++----- |
32 |
+ 1 file changed, 5 insertions(+), 5 deletions(-) |
33 |
+ |
34 |
+diff --git a/src/common/convert.c b/src/common/convert.c |
35 |
+index c0edf21..2be2108 100644 |
36 |
+--- a/src/common/convert.c |
37 |
++++ b/src/common/convert.c |
38 |
+@@ -36,8 +36,8 @@ |
39 |
+ * string is returned. |
40 |
+ */ |
41 |
+ char * |
42 |
+-EXTRACTOR_common_convert_to_utf8 (const char *input, |
43 |
+- size_t len, |
44 |
++EXTRACTOR_common_convert_to_utf8 (const char *input, |
45 |
++ size_t len, |
46 |
+ const char *charset) |
47 |
+ { |
48 |
+ #if HAVE_ICONV |
49 |
+@@ -52,7 +52,7 @@ EXTRACTOR_common_convert_to_utf8 (const char *input, |
50 |
+ i = input; |
51 |
+ cd = iconv_open ("UTF-8", charset); |
52 |
+ if (cd == (iconv_t) - 1) |
53 |
+- return strdup (i); |
54 |
++ return strndup (i, len); |
55 |
+ if (len > 1024 * 1024) |
56 |
+ { |
57 |
+ iconv_close (cd); |
58 |
+@@ -67,11 +67,11 @@ EXTRACTOR_common_convert_to_utf8 (const char *input, |
59 |
+ } |
60 |
+ itmp = tmp; |
61 |
+ finSize = tmpSize; |
62 |
+- if (iconv (cd, (char **) &input, &len, &itmp, &finSize) == SIZE_MAX) |
63 |
++ if (iconv (cd, (char **) &input, &len, &itmp, &finSize) == ((size_t) -1)) |
64 |
+ { |
65 |
+ iconv_close (cd); |
66 |
+ free (tmp); |
67 |
+- return strdup (i); |
68 |
++ return strndup (i, len); |
69 |
+ } |
70 |
+ ret = malloc (tmpSize - finSize + 1); |
71 |
+ if (ret == NULL) |
72 |
+-- |
73 |
+cgit v1.1 |
74 |
|
75 |
diff --git a/media-libs/libextractor/files/libextractor-1.8-CVE-2018-20431.patch b/media-libs/libextractor/files/libextractor-1.8-CVE-2018-20431.patch |
76 |
new file mode 100644 |
77 |
index 00000000000..2cd0448ba89 |
78 |
--- /dev/null |
79 |
+++ b/media-libs/libextractor/files/libextractor-1.8-CVE-2018-20431.patch |
80 |
@@ -0,0 +1,39 @@ |
81 |
+From 489c4a540bb2c4744471441425b8932b97a153e7 Mon Sep 17 00:00:00 2001 |
82 |
+From: Christian Grothoff <christian@××××××××.org> |
83 |
+Date: Thu, 20 Dec 2018 23:02:28 +0100 |
84 |
+Subject: fix #5494 |
85 |
+ |
86 |
+--- |
87 |
+ ChangeLog | 3 ++- |
88 |
+ src/plugins/ole2_extractor.c | 9 +++++++-- |
89 |
+ 2 files changed, 9 insertions(+), 3 deletions(-) |
90 |
+ |
91 |
+diff --git a/src/plugins/ole2_extractor.c b/src/plugins/ole2_extractor.c |
92 |
+index 53fa1b9..a48b726 100644 |
93 |
+--- a/src/plugins/ole2_extractor.c |
94 |
++++ b/src/plugins/ole2_extractor.c |
95 |
+@@ -173,7 +173,7 @@ struct ProcContext |
96 |
+ EXTRACTOR_MetaDataProcessor proc; |
97 |
+ |
98 |
+ /** |
99 |
+- * Closure for 'proc'. |
100 |
++ * Closure for @e proc. |
101 |
+ */ |
102 |
+ void *proc_cls; |
103 |
+ |
104 |
+@@ -213,7 +213,12 @@ process_metadata (gpointer key, |
105 |
+ |
106 |
+ if (G_VALUE_TYPE(gval) == G_TYPE_STRING) |
107 |
+ { |
108 |
+- contents = strdup (g_value_get_string (gval)); |
109 |
++ const char *gvals; |
110 |
++ |
111 |
++ gvals = g_value_get_string (gval); |
112 |
++ if (NULL == gvals) |
113 |
++ return; |
114 |
++ contents = strdup (gvals); |
115 |
+ } |
116 |
+ else |
117 |
+ { |
118 |
+-- |
119 |
+cgit v1.1 |
120 |
|
121 |
diff --git a/media-libs/libextractor/libextractor-1.8-r1.ebuild b/media-libs/libextractor/libextractor-1.8-r1.ebuild |
122 |
new file mode 100644 |
123 |
index 00000000000..45171230791 |
124 |
--- /dev/null |
125 |
+++ b/media-libs/libextractor/libextractor-1.8-r1.ebuild |
126 |
@@ -0,0 +1,117 @@ |
127 |
+# Copyright 1999-2018 Gentoo Authors |
128 |
+# Distributed under the terms of the GNU General Public License v2 |
129 |
+ |
130 |
+EAPI=7 |
131 |
+ |
132 |
+DESCRIPTION="Library to extract metadata from files of arbitrary type" |
133 |
+HOMEPAGE="https://www.gnu.org/software/libextractor/" |
134 |
+SRC_URI="mirror://gnu/${PN}/${P}.tar.gz" |
135 |
+ |
136 |
+LICENSE="GPL-3" |
137 |
+SLOT="0" |
138 |
+KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86" |
139 |
+IUSE="apparmor +archive +bzip2 ffmpeg flac gif gsf gstreamer gtk jpeg +magic midi mp4 mpeg tidy tiff vorbis +zlib" # test |
140 |
+ |
141 |
+RESTRICT="test" |
142 |
+ |
143 |
+DEPEND=" |
144 |
+ app-text/iso-codes |
145 |
+ dev-libs/glib:2 |
146 |
+ <media-gfx/exiv2-0.27:= |
147 |
+ sys-devel/libtool |
148 |
+ virtual/libiconv |
149 |
+ virtual/libintl |
150 |
+ apparmor? ( sys-libs/libapparmor ) |
151 |
+ archive? ( app-arch/libarchive:= ) |
152 |
+ bzip2? ( app-arch/bzip2 ) |
153 |
+ ffmpeg? ( virtual/ffmpeg ) |
154 |
+ flac? ( |
155 |
+ media-libs/flac |
156 |
+ media-libs/libogg |
157 |
+ ) |
158 |
+ gif? ( media-libs/giflib:= ) |
159 |
+ gsf? ( gnome-extra/libgsf:= ) |
160 |
+ gstreamer? ( |
161 |
+ media-libs/gstreamer:1.0 |
162 |
+ media-libs/gst-plugins-base:1.0 |
163 |
+ ) |
164 |
+ gtk? ( x11-libs/gtk+:3 ) |
165 |
+ jpeg? ( virtual/jpeg:0 ) |
166 |
+ magic? ( sys-apps/file ) |
167 |
+ midi? ( media-libs/libsmf ) |
168 |
+ mp4? ( media-libs/libmp4v2:0 ) |
169 |
+ mpeg? ( media-libs/libmpeg2 ) |
170 |
+ tidy? ( app-text/tidy-html5 ) |
171 |
+ tiff? ( media-libs/tiff:0 ) |
172 |
+ vorbis? ( |
173 |
+ media-libs/libogg |
174 |
+ media-libs/libvorbis |
175 |
+ ) |
176 |
+ zlib? ( sys-libs/zlib ) |
177 |
+" |
178 |
+BDEPEND=" |
179 |
+ sys-devel/gettext |
180 |
+ virtual/pkgconfig |
181 |
+" |
182 |
+# test? ( app-forensics/zzuf ) |
183 |
+RDEPEND="${DEPEND} |
184 |
+ !sci-biology/glimmer |
185 |
+" |
186 |
+ |
187 |
+PATCHES=( "${FILESDIR}"/${P}-CVE-2018-2043{0,1}.patch ) |
188 |
+ |
189 |
+src_prepare() { |
190 |
+ default |
191 |
+ |
192 |
+ # m4/ax_create_pkgconfig_info.m4 is passing environment LDFLAGS to Libs: |
193 |
+ sed -i \ |
194 |
+ -e '/^ax_create_pkgconfig_ldflags=/s:$LDFLAGS ::' \ |
195 |
+ -e 's:tidy/tidy.h:tidy.h:' \ |
196 |
+ -e 's:tidy/tidybuffio.h:buffio.h:' \ |
197 |
+ configure src/plugins/html_extractor.c || die |
198 |
+ |
199 |
+ if ! use tidy; then |
200 |
+ sed -i -e 's:tidy.h:dIsAbLe&:' configure || die |
201 |
+ fi |
202 |
+} |
203 |
+ |
204 |
+src_configure() { |
205 |
+ e_ac_cv() { |
206 |
+ export ac_cv_"$@" |
207 |
+ } |
208 |
+ |
209 |
+ e_ac_cv {lib_rpm_rpmReadPackageFile,prog_HAVE_ZZUF}=no |
210 |
+ |
211 |
+ e_ac_cv header_FLAC_all_h=$(usex flac) |
212 |
+ e_ac_cv lib_FLAC_FLAC__stream_decoder_init_stream=$(usex flac) |
213 |
+ e_ac_cv lib_FLAC_FLAC__stream_decoder_init_ogg_stream=$(usex flac) |
214 |
+ |
215 |
+ e_ac_cv header_sys_apparmor_h=$(usex apparmor) |
216 |
+ e_ac_cv header_archive_h=$(usex archive) |
217 |
+ e_ac_cv header_bzlib_h=$(usex bzip2) |
218 |
+ e_ac_cv header_gif_lib_h=$(usex gif) |
219 |
+ e_ac_cv header_jpeglib_h=$(usex jpeg) |
220 |
+ e_ac_cv header_magic_h=$(usex magic) |
221 |
+ e_ac_cv header_mpeg2dec_mpeg2_h=$(usex mpeg) |
222 |
+ e_ac_cv header_tiffio_h=$(usex tiff) |
223 |
+ e_ac_cv header_vorbis_vorbisfile_h=$(usex vorbis) |
224 |
+ e_ac_cv header_zlib_h=$(usex zlib) |
225 |
+ e_ac_cv lib_mp4v2_MP4ReadProvider=$(usex mp4) |
226 |
+ e_ac_cv lib_smf_smf_load_from_memory=$(usex midi) |
227 |
+ |
228 |
+ local myeconfargs=( |
229 |
+ --disable-static |
230 |
+ --enable-experimental |
231 |
+ --enable-glib |
232 |
+ --disable-gsf-gnome |
233 |
+ $(use_enable ffmpeg) |
234 |
+ $(use_enable gsf) |
235 |
+ $(use_with gstreamer) |
236 |
+ ) |
237 |
+ econf "${myeconfargs[@]}" |
238 |
+} |
239 |
+ |
240 |
+src_install() { |
241 |
+ default |
242 |
+ find "${ED}" -name '*.la' -delete || die |
243 |
+} |