author | Alexandre Rostovtsev <tetromino@gentoo.org> | 2013-10-01 17:57:31 +0000 |
---|---|---|
committer | Alexandre Rostovtsev <tetromino@gentoo.org> | 2013-10-01 17:57:31 +0000 |
commit | 9e704652422d1a2c343defc2a857acf42618e811 (patch) | |
tree | 802ed2853124398c3a3c81051009f4b426df2aa9 /gnome-base | |
parent | Version bump. Fixes double checking of git-2.eclass packages. (diff) | |
Fix information disclosure vulnerability (CVE-2013-1881, bug #486600, thanks to Agostino Sarubbo). Drop vulnerable version.
Package-Manager: portage-2.2.7/cvs/Linux x86_64
Manifest-Sign-Key: 0xCF0ADD61
Diffstat (limited to 'gnome-base')
-rw-r--r-- | gnome-base/librsvg/ChangeLog | 12 | ||||
-rw-r--r-- | gnome-base/librsvg/Manifest | 20 | ||||
-rw-r--r-- | gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-1.patch | 117 | ||||
-rw-r--r-- | gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-2.patch | 57 | ||||
-rw-r--r-- | gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-3.patch | 173 | ||||
-rw-r--r-- | gnome-base/librsvg/librsvg-2.36.4-r1.ebuild (renamed from gnome-base/librsvg/librsvg-2.37.0.ebuild) | 28 |
6 files changed, 386 insertions, 21 deletions
diff --git a/gnome-base/librsvg/ChangeLog b/gnome-base/librsvg/ChangeLog
index 7fcd92dd91f5..e63f29aefe0c 100644
--- a/gnome-base/librsvg/ChangeLog
+++ b/gnome-base/librsvg/ChangeLog
@@ -1,6 +1,16 @@
 # ChangeLog for gnome-base/librsvg
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/gnome-base/librsvg/ChangeLog,v 1.310 2013/09/30 21:57:30 pacho Exp $
+# $Header: /var/cvsroot/gentoo-x86/gnome-base/librsvg/ChangeLog,v 1.311 2013/10/01 17:57:25 tetromino Exp $
+
+*librsvg-2.36.4-r1 (01 Oct 2013)
+
+ 01 Oct 2013; Alexandre Rostovtsev <tetromino@gentoo.org>
+ +librsvg-2.36.4-r1.ebuild, -librsvg-2.37.0.ebuild,
+ +files/librsvg-2.36.4-resource-uri-1.patch,
+ +files/librsvg-2.36.4-resource-uri-2.patch,
+ +files/librsvg-2.36.4-resource-uri-3.patch:
+ Fix information disclosure vulnerability (CVE-2013-1881, bug #486600, thanks
+ to Agostino Sarubbo). Drop vulnerable version.
 
 *librsvg-2.39.0 (30 Sep 2013)
 
diff --git a/gnome-base/librsvg/Manifest b/gnome-base/librsvg/Manifest
index c922de28d180..861d9a98c50f 100644
--- a/gnome-base/librsvg/Manifest
+++ b/gnome-base/librsvg/Manifest
@@ -2,18 +2,24 @@ Hash: SHA256 AUX librsvg-2.36.0-rsvg-view-automagic.patch 1955 SHA256 74577e5f2d0f3de93d3e66f194310d591d66d69581ac6586f44be78ced85e185 SHA512 30e259916ac7d969001350576719de6865e48b0d482028a37a61ecc88e3e33d68eadc31e7933e455490aa226609ddd0236a22c5b8b2af37da9b04158cc5de993 WHIRLPOOL 198850d5a23958919f891269746590f9076b3d3f731c2a4ea6b1e9e0d9023cc8c63769c9ca3eaad5b2586fa4e31e4505a8a87d802102ffceb642e62b3c7bdbfc +AUX librsvg-2.36.4-resource-uri-1.patch 3668 SHA256 1feffc8fc503971b87157d8d05fb957912c256eb094615f9f5c649ece991b565 SHA512 ae9b171cf0c9e76ce6d2099df90e15671e834e47d8cbcd48ac742521c1a3f68209cc275424a1aa987aff4ceb0a6c9657c148facd41d87c34bd916ea37b013ddf WHIRLPOOL 0d54e10bc06ec72121637083101b28f1c9b0479c6c7542fdec4a5f8f6d0d41f82110f5b20cd9b7d7838a50d9f8ed4e576c2e27ed1aa71a30a84d4181ea0fb941 +AUX librsvg-2.36.4-resource-uri-2.patch 2423 SHA256 00ab1759bdaef45083c30f4b1744555487819774edda4a7aec1165e6a010765a SHA512 8f81b68f92a0dd071021c231c75dc2b8397edc27c77868bce9742ad7dec2ee9f9048656b816932466a271ce499551376573fabefd6e76c42bf44c2f8ededab51 WHIRLPOOL 802477a1c112a6f7fc22dfb658369754c2799bb2730aafa8aa1af960b4f79942c9d1b3059fc7fa4bb50c582f5dd1f292c889bd8ba0575ea44c26d45ee96d6000 +AUX librsvg-2.36.4-resource-uri-3.patch 4543 SHA256 512ff5ace57cc2b40e42128cbe8c9653562c0501593c09b84ec105d56da5ca4d SHA512 60307bbdbcf8e597027b2f7cf7606afafc52855ed09d7fcff42de09cd8522d3bbe468d85a85cd915f81fdb82895565931706a7f8572fe65f31111883e7e68a60 WHIRLPOOL 4ecf3dac3b808eee0cacba6618f3fe75ba2ead09c51b961da68f4d1a4ebc915557220285466b0f31b4ad052a769215b8b1359496a79d6861ed06bed931dd9a30 DIST librsvg-2.36.4.tar.xz 513028 SHA256 1021935204798f4f0ad3004a09b583668ea94a48593461b147fdcff68a18e6c2 SHA512 447435b2fab0ca7147b68c02a622df8049d56844360e8e361bf5abfbec12c33d46393bad3c099c2819f68d1b7595616d1f35d2cea58ee94d873c1c34e9362d37 WHIRLPOOL 9d8f0f09279be182e061f6b2e0a43d89f62ba5e0aa253373f70266865125b246fd683ed42b134a55e86ebb808bba10207ecc661e1b47e50ce29456d2cdf40a1c -DIST 
librsvg-2.37.0.tar.xz 515416 SHA256 06c57dbcb29369d147b4e6ff4257c42ae5120c504c30fb567a27034ee30fd835 SHA512 ba7207258503467cd8ffa041b216800bd558ad57c0868ff03309a1d6fd58757e9e28d9cd29106cb1f9fb3b349c58335cdf40a923a0856df870f1c3a279080265 WHIRLPOOL 98ee4730b4e77851fe3728e0339478b3684e5ac4c7bc954e91cc1bbbbf596360ab93dd359dbf42507fe8a3a4af99ce59e4a84bb75a482665d2b11598764125dd DIST librsvg-2.39.0.tar.xz 519088 SHA256 aa47dcde0128eee6e3595d203bc673d9c27389588842f401bf585f31fc65095f SHA512 14e3224c2fad8c92beabce9b486d8cc94e288db5d7d0bda9016fa953ad31456f3934ad847dc7288185fcba840731c25c2eca75288cb2518d2d501abea9ecd98d WHIRLPOOL 3348a50701b3661cb96de039f868c21a319752e2f014329b2ab77bcf6d66ebba1b553f7d10334146a4c3f96d4c0e26defbd02424b8f1deae0483d59e5a3ede50 +EBUILD librsvg-2.36.4-r1.ebuild 2506 SHA256 f3a657dd343ffbb6afb56a25e0adbe53ec1a948c3cbf0fee196394b3024aac72 SHA512 929a91bd31f90be5af8a9da9d96108f485aad4f94dbd284f1c07eed62e814daa02885246f41e6e7b693893b25857a5172135927babf28b531508569cd0f05ccd WHIRLPOOL 1d0799080eb2a3d4ace01032f452c14878ad0cfef41835ea1d1175f0e7b307c227e7d8b172e34cc74a51cdeda26a87296f947813125437dfa29d1896f9ad20e4 EBUILD librsvg-2.36.4.ebuild 2303 SHA256 c07919618db34c85547406552ea3083dee4122f6ebcb93df7e09fd10ef1d400b SHA512 e92b3942f8b8cfb3a944edacc0e742c91cc06ae8caebbc98e3d7038f95a8670e1f466dbcdbc100a8893754eefeb0b609283257d5e97d8a4ae852a8889024a340 WHIRLPOOL 2872351cc1b3de3751facc8598a1cefc3adcc0cadf19921878b973747ae0ecd9c846191f24eb7e1103408e8cb78c29665ec6c15a13edf348fa7464caf4e9c899 -EBUILD librsvg-2.37.0.ebuild 2317 SHA256 125d746ec94ceb18035d0aefbf66814ed3d76369a1e9952c40bdc8274e3f7ae0 SHA512 a779766112b319bc3618d9d2103f1bdd4a8410d3d1c18b36b4fde023426efaf44ea081e3a840249bfbe30b0028dd8b5f65b09e8d2ae78138e28d35d0ebb0a12c WHIRLPOOL d439830568ff7df1b9123a16dccc72bddaa8c77a080ecd31376762182d95a44c54f4b8a56d97daaca9fefc4c4008dbaf3fee072437b057f3e8ad31f13d33c873 EBUILD librsvg-2.39.0.ebuild 2304 SHA256 
3072c6ebca1ca6f4a52a348c388395a875324ad14cef2b34c58af81022f463ac SHA512 e99daa46d3a9442607a0cacb4a1a3f05ece33b8da6d83250c8acaf464d2bf1dfa0dda5e846611880c9898b20b24ddeae8aa32b2bb397e8eefddd7998e207fbe6 WHIRLPOOL 389f27835922b0d5cf9973f3744f1094ad4ddf86f2b85b46e1f287aadf0698c9b086757974e5c25ddeb3622658e67123b8b259939fb6f6ff26181c2ed7174d23 -MISC ChangeLog 40534 SHA256 3fd27c743dea1c4bc1b605ed0350e85a3a176468b4da26b5243ca4f9eab84902 SHA512 419343a5aa8489fc1c7ff948f82c705b4f61228dfc8668e3b9c26edbddfeb90f39bedbd743812ba97adc3728edd695771e25f3c1c1aa93d3dd575787cea1634a WHIRLPOOL b81eb551a4c754b03f044be28ada0b438140af29a57628dd129c47f8f5cd5c8adc23513aca4122b1060af6d766d4b077fffe8cd353530d383bcab8d717df3da3 +MISC ChangeLog 40951 SHA256 16969ceac76b2ecfcac0c16d0ec83651b915779cdf20d69152e1b2ae85769e98 SHA512 bd825b181bc4aed23b139a9fc58042988efa1ea841078f41a4b19a994557ae7b2671f3d9c4628bfa04f275ac70f262a73737a317a6864b94444a51357918bc7a WHIRLPOOL bfaf1d2362d05bdc63314dbc611adbc5ae4c86ac5e78e5f5700953815118758eda3ecf2fa0b10f287d660e9eed57e16851b5e8f8ec261ba69a2287729eed030d MISC metadata.xml 395 SHA256 7f63e0973cef8b5da30264661e4bf924bdd228b26d0301760a70474d6a9a6945 SHA512 9dba6907b92f041a26e18cad46d3080120e19231c09eca5f76d80321a59806b049e56b9fce0ea729603d590609aa92b68de98a47937780ef8e67213cf89f119e WHIRLPOOL a735011b1461245244b67939ab7415401847c4d034ac14b2784538e5143eeacd4649f3a735901e7761bd200531ccf87dcf2578a014473ec79c9b1ac258666669 -----BEGIN PGP SIGNATURE----- -Version: GnuPG v2.0.20 (GNU/Linux) +Version: GnuPG v2.0.21 (GNU/Linux) -iEYEAREIAAYFAlJJ88wACgkQCaWpQKGI+9R2NACcC+Ozx1vOvFj82yuDGNrQqgXC -3noAn0bGubp2WBcaA6vMxyRuD5UNmjbk -=LCRD +iQEcBAEBCAAGBQJSSw0gAAoJEJ0WA1zPCt1hqA0IAKknrULYIdmki362PXfpx4+E +dq80phmnIZfiQAZ/Qn7DwbCJJobGtJZUmlPlZXEQogoQkjYHWY1gIuz5JCtE0u0C +8OUu8RXDfG2ct5xlBOkzKtOrmjTYfqTvr289F1Ad3gYh7ha9632rltFGU7GXO3FO +7DPeKRYVK6oh5f5zIUiIyTMJB0vQFQFTIov8QFmOGg7bvP+lK5Tis9TuRqybGRoI +m3z6Vd7MeZXj4Msfuw/W1kvdqtTXoH8NZDxN16gT3WAUdiP9vbFrMr8MX4Ft2SiF 
+Jp24LLUw7i4loQ5T3mdC/EO1DWKA5T82IkwOaZx6o2rJIq/Z26MXl4cguu5BcsI=
+=15iQ
 -----END PGP SIGNATURE-----
diff --git a/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-1.patch b/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-1.patch
new file mode 100644
index 000000000000..4cf6efbf1e1e
--- /dev/null
+++ b/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-1.patch
@@ -0,0 +1,117 @@ +From 56d0018d911eb5783f22125d9893fce075778c64 Mon Sep 17 00:00:00 2001 +From: Christian Persch <chpe@gnome.org> +Date: Sun, 3 Mar 2013 20:32:09 +0100 +Subject: [PATCH 1/3] io: Resolve relative URIs + +--- + rsvg-base.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++++------------- + 1 file changed, 64 insertions(+), 17 deletions(-) + +diff --git a/rsvg-base.c b/rsvg-base.c +index 6210716..ed383d2 100644 +--- a/rsvg-base.c ++++ b/rsvg-base.c +@@ -2154,36 +2154,83 @@ _rsvg_handle_allow_load (RsvgHandle *handle, + return TRUE; + } + ++static char * ++_rsvg_handle_resolve_uri (RsvgHandle *handle, ++ const char *uri) ++{ ++ RsvgHandlePrivate *priv = handle->priv; ++ char *scheme, *resolved_uri; ++ GFile *base, *resolved; ++ ++ if (uri == NULL) ++ return NULL; ++ ++ scheme = g_uri_parse_scheme (uri); ++ if (scheme != NULL || ++ priv->base_gfile == NULL || ++ (base = g_file_get_parent (priv->base_gfile)) == NULL) { ++ g_free (scheme); ++ return g_strdup (uri); ++ } ++ ++ resolved = g_file_resolve_relative_path (base, uri); ++ resolved_uri = g_file_get_uri (resolved); ++ ++ g_free (scheme); ++ g_object_unref (base); ++ g_object_unref (resolved); ++ ++ return resolved_uri; ++} ++ + guint8* + _rsvg_handle_acquire_data (RsvgHandle *handle, +- const char *uri, ++ const char *url, + char **content_type, + gsize *len, + GError **error) + { +- if (!_rsvg_handle_allow_load (handle, uri, error)) +- return NULL; ++ char *uri; ++ guint8 *data; ++ ++ uri = _rsvg_handle_resolve_uri (handle, url); ++ ++ if (_rsvg_handle_allow_load (handle, uri, error)) { ++ data = _rsvg_io_acquire_data (uri, ++ rsvg_handle_get_base_uri (handle), ++ content_type, ++ len, ++ handle->priv->cancellable, ++ error); ++ } else { ++ data = NULL; ++ } + +- return _rsvg_io_acquire_data (uri, +- rsvg_handle_get_base_uri (handle), +- content_type, +- len, +- handle->priv->cancellable, +- error); ++ g_free (uri); ++ return data; + } + + GInputStream * + _rsvg_handle_acquire_stream (RsvgHandle 
*handle, +- const char *uri, ++ const char *url, + char **content_type, + GError **error) + { +- if (!_rsvg_handle_allow_load (handle, uri, error)) +- return NULL; ++ char *uri; ++ GInputStream *stream; ++ ++ uri = _rsvg_handle_resolve_uri (handle, url); ++ ++ if (_rsvg_handle_allow_load (handle, uri, error)) { ++ stream = _rsvg_io_acquire_stream (uri, ++ rsvg_handle_get_base_uri (handle), ++ content_type, ++ handle->priv->cancellable, ++ error); ++ } else { ++ stream = NULL; ++ } + +- return _rsvg_io_acquire_stream (uri, +- rsvg_handle_get_base_uri (handle), +- content_type, +- handle->priv->cancellable, +- error); ++ g_free (uri); ++ return stream; + } +-- +1.8.3.2 + diff --git a/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-2.patch b/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-2.patch new file mode 100644 index 000000000000..bd5459fc78af --- /dev/null +++ b/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-2.patch 
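Review bot: The new `_rsvg_handle_resolve_uri` resolves a relative `url` against the parent of `priv->base_gfile`, but `_rsvg_handle_acquire_data` and `_rsvg_handle_acquire_stream` then pass the result to `_rsvg_io_acquire_*` together with `rsvg_handle_get_base_uri (handle)` as a second base; if `base_gfile` and `base_uri` can ever diverge (how they are kept in sync is outside this hunk), the policy check in `_rsvg_handle_allow_load` and the actual load would be reasoning about different targets, so either the resolved URI must be the only thing the I/O layer resolves, or both paths must demonstrably use the same base. The helper also carries no contract, and its ownership rule matters because both callers `g_free` the result; I would add above it: `/* Returns a newly allocated URI (caller g_free()s it). Absolute URIs pass through untouched; a relative reference is resolved against the parent of priv->base_gfile, or returned as-is when there is no base. NULL in, NULL out. */`. Note that the `return TRUE; }` at the top of the hunk is the tail of `_rsvg_handle_allow_load`, whose body starts before this hunk, so its treatment of a NULL `uri` is not visible here.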
@@ -0,0 +1,57 @@ +From d83e426fff3f6d0fa6042d0930fb70357db24125 Mon Sep 17 00:00:00 2001 +From: Christian Persch <chpe@gnome.org> +Date: Mon, 11 Feb 2013 22:36:30 +0100 +Subject: [PATCH 2/3] io: Use XML_PARSE_NONET + +We don't want to load resources off the net. + +Bug #691708. +--- + rsvg-base.c | 3 +++ + rsvg-css.c | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/rsvg-base.c b/rsvg-base.c +index ed383d2..1f88479 100644 +--- a/rsvg-base.c ++++ b/rsvg-base.c +@@ -572,6 +572,7 @@ rsvg_start_xinclude (RsvgHandle * ctx, RsvgPropertyBag * atts) + goto fallback; + + xml_parser = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, ctx, NULL, 0, NULL); ++ xml_parser->options |= XML_PARSE_NONET; + + buffer = _rsvg_xml_input_buffer_new_from_stream (stream, NULL /* cancellable */, XML_CHAR_ENCODING_NONE, &err); + g_object_unref (stream); +@@ -1111,6 +1112,7 @@ rsvg_handle_write_impl (RsvgHandle * handle, const guchar * buf, gsize count, GE + if (handle->priv->ctxt == NULL) { + handle->priv->ctxt = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, handle, NULL, 0, + rsvg_handle_get_base_uri (handle)); ++ handle->priv->ctxt->options |= XML_PARSE_NONET; + + /* if false, external entities work, but internal ones don't. if true, internal entities + work, but external ones don't. favor internal entities, in order to not cause a +@@ -1767,6 +1769,7 @@ rsvg_handle_read_stream_sync (RsvgHandle *handle, + if (priv->ctxt == NULL) { + priv->ctxt = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, handle, NULL, 0, + rsvg_handle_get_base_uri (handle)); ++ priv->ctxt->options |= XML_PARSE_NONET; + + /* if false, external entities work, but internal ones don't. if true, internal entities + work, but external ones don't. 
favor internal entities, in order to not cause a +diff --git a/rsvg-css.c b/rsvg-css.c +index 7813098..3f703cc 100644 +--- a/rsvg-css.c ++++ b/rsvg-css.c +@@ -836,6 +836,8 @@ rsvg_css_parse_xml_attribute_string (const char *attribute_string) + xmlSAX2InitDefaultSAXHandler (&handler, 0); + handler.serror = rsvg_xml_noerror; + parser = xmlCreatePushParserCtxt (&handler, NULL, tag, strlen (tag) + 1, NULL); ++ parser->options |= XML_PARSE_NONET; ++ + if (xmlParseDocument (parser) != 0) + goto done; + +-- +1.8.3.2 + diff --git a/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-3.patch b/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-3.patch new file mode 100644 index 000000000000..cb3b46f1c054 --- /dev/null +++ b/gnome-base/librsvg/files/librsvg-2.36.4-resource-uri-3.patch 
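Review bot: Each of the four new `->options |= XML_PARSE_NONET` lines dereferences the context returned by `xmlCreatePushParserCtxt` before anything checks it for NULL, which that call returns on allocation failure; in `rsvg_start_xinclude`, for example, `if (xml_parser == NULL) goto fallback;` belongs ahead of the new line (the `fallback` label is already used a few lines above; whether the other three sites have a later NULL check is outside the hunk). Setting the field directly also sidesteps the public `xmlCtxtUseOptions (ctxt, XML_PARSE_NONET)`, which is the documented way to apply parser options to an existing context. A one-line comment next to the flag would help future readers: `/* NONET only blocks network fetches; file: entities, DTDs and XInclude targets still go through libxml2's entity loader */`, since it is presumably the librsvg-side load policy, not this flag, that keeps a document from reading local files — worth confirming against how the SAX handler routes entity loads.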
@@ -0,0 +1,173 @@ +From f01aded72c38f0e18bc7ff67dee800e380251c8e Mon Sep 17 00:00:00 2001 +From: Christian Persch <chpe@gnome.org> +Date: Mon, 11 Feb 2013 22:36:58 +0100 +Subject: [PATCH 3/3] io: Implement strict load policy + +Allow any file to load from data:, and any resource to load from other +resources. Only allow file: to load other file: URIs from below the path +of the base file. Any other loads are denied. + +Bug #691708. +--- + rsvg-base.c | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++++------ + rsvg-io.c | 2 +- + rsvg-private.h | 4 +-- + 3 files changed, 84 insertions(+), 11 deletions(-) + +diff --git a/rsvg-base.c b/rsvg-base.c +index 1f88479..9d7c1ea 100644 +--- a/rsvg-base.c ++++ b/rsvg-base.c +@@ -25,6 +25,7 @@ + */ + + #include "config.h" ++#define _GNU_SOURCE 1 + + #include "rsvg.h" + #include "rsvg-private.h" +@@ -1002,6 +1003,7 @@ void + rsvg_handle_set_base_uri (RsvgHandle * handle, const char *base_uri) + { + gchar *uri; ++ GFile *file; + + g_return_if_fail (handle != NULL); + +@@ -1013,11 +1015,10 @@ rsvg_handle_set_base_uri (RsvgHandle * handle, const char *base_uri) + else + uri = rsvg_get_base_uri_from_filename (base_uri); + +- if (uri) { +- if (handle->priv->base_uri) +- g_free (handle->priv->base_uri); +- handle->priv->base_uri = uri; +- } ++ file = g_file_new_for_uri (uri ? 
uri : "data:"); ++ rsvg_handle_set_base_gfile (handle, file); ++ g_object_unref (file); ++ g_free (uri); + } + + /** +@@ -2149,12 +2150,84 @@ _rsvg_handle_allow_load (RsvgHandle *handle, + const char *uri, + GError **error) + { +- RsvgLoadPolicy policy = handle->priv->load_policy; ++ RsvgHandlePrivate *priv = handle->priv; ++ GFile *base; ++ char *path, *dir; ++ char *scheme = NULL, *cpath = NULL, *cdir = NULL; + +- if (policy == RSVG_LOAD_POLICY_ALL_PERMISSIVE) +- return TRUE; ++ g_assert (handle->priv->load_policy == RSVG_LOAD_POLICY_STRICT); ++ ++ scheme = g_uri_parse_scheme (uri); ++ ++ /* Not a valid URI */ ++ if (scheme == NULL) ++ goto deny; ++ ++ /* Allow loads of data: from any location */ ++ if (g_str_equal (scheme, "data")) ++ goto allow; ++ ++ /* No base to compare to? */ ++ if (priv->base_gfile == NULL) ++ goto deny; ++ ++ /* Deny loads from differing URI schemes */ ++ if (!g_file_has_uri_scheme (priv->base_gfile, scheme)) ++ goto deny; ++ ++ /* resource: is allowed to load anything from other resources */ ++ if (g_str_equal (scheme, "resource")) ++ goto allow; ++ ++ /* Non-file: isn't allowed to load anything */ ++ if (!g_str_equal (scheme, "file")) ++ goto deny; ++ ++ base = g_file_get_parent (priv->base_gfile); ++ if (base == NULL) ++ goto deny; + ++ dir = g_file_get_path (base); ++ g_object_unref (base); ++ ++ /* FIXME portability */ ++ cdir = canonicalize_file_name (dir); ++ g_free (dir); ++ if (cdir == NULL) ++ goto deny; ++ ++ path = g_filename_from_uri (uri, NULL, NULL); ++ if (path == NULL) ++ goto deny; ++ ++ /* FIXME portability */ ++ cpath = canonicalize_file_name (path); ++ g_free (path); ++ ++ if (cpath == NULL) ++ goto deny; ++ ++ /* Now check that @cpath is below @cdir */ ++ if (!g_str_has_prefix (cpath, cdir) || ++ cpath[strlen (cdir)] != G_DIR_SEPARATOR) ++ goto deny; ++ ++ /* Allow load! 
*/ ++ ++ allow: ++ g_free (scheme); ++ free (cpath); ++ free (cdir); + return TRUE; ++ ++ deny: ++ g_free (scheme); ++ free (cpath); ++ free (cdir); ++ ++ g_set_error (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED, ++ "File may not link to URI \"%s\"", uri); ++ return FALSE; + } + + static char * +diff --git a/rsvg-io.c b/rsvg-io.c +index 3d6c8b5..818d2ec 100644 +--- a/rsvg-io.c ++++ b/rsvg-io.c +@@ -79,7 +79,7 @@ rsvg_acquire_data_data (const char *uri, + gboolean base64 = FALSE; + + g_assert (out_len != NULL); +- g_assert (g_str_has_prefix (uri, "data:")); ++ g_assert (strncmp (uri, "data:", 5) == 0); + + mime_type = NULL; + start = uri + 5; +diff --git a/rsvg-private.h b/rsvg-private.h +index 25283d4..1961eaf 100644 +--- a/rsvg-private.h ++++ b/rsvg-private.h +@@ -123,10 +123,10 @@ struct RsvgSaxHandler { + }; + + typedef enum { +- RSVG_LOAD_POLICY_ALL_PERMISSIVE ++ RSVG_LOAD_POLICY_STRICT + } RsvgLoadPolicy; + +-#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_ALL_PERMISSIVE) ++#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_STRICT) + + struct RsvgHandlePrivate { + RsvgHandleFlags flags; +-- +1.8.3.2 + diff --git a/gnome-base/librsvg/librsvg-2.37.0.ebuild b/gnome-base/librsvg/librsvg-2.36.4-r1.ebuild index b7baebc53ab8..47e8df5071fd 100644 --- a/gnome-base/librsvg/librsvg-2.37.0.ebuild +++ b/gnome-base/librsvg/librsvg-2.36.4-r1.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/gnome-base/librsvg/librsvg-2.37.0.ebuild,v 1.4 2013/09/03 22:10:11 eva Exp $ +# $Header: /var/cvsroot/gentoo-x86/gnome-base/librsvg/librsvg-2.36.4-r1.ebuild,v 1.1 2013/10/01 17:57:25 tetromino Exp $ EAPI="5" GCONF_DEBUG="no" 
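Review bot: `canonicalize_file_name`, called twice in the rewritten `_rsvg_handle_allow_load` and already flagged by the patch's own `FIXME portability` comments, is a glibc extension (hence the new `#define _GNU_SOURCE 1`), yet the ebuild in this same commit keywords the package for macos, fbsd, solaris and interix where it does not exist; the POSIX.1-2008 spelling `cdir = realpath (dir, NULL);` and `cpath = realpath (path, NULL);` is equivalent on glibc and available on those targets. The containment test also appears to misbehave for a base file directly under `/`: `cdir` is then `"/"` and `cpath[strlen (cdir)] != G_DIR_SEPARATOR` rejects every file in the root directory — a denial rather than a bypass, but it deserves either a special case or a comparison against `cdir` with a trailing separator. Finally, the decision is taken on the realpath-resolved `cpath` while the caller (`_rsvg_handle_acquire_data`, outside this hunk) opens the original `uri`, so a symlink swapped between check and open is not covered; acceptable for a local-file policy, but say so in a comment above the `g_str_has_prefix` check. The function's opening line sits just above the start of this hunk.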
@@ -15,16 +15,13 @@ HOMEPAGE="https://live.gnome.org/LibRsvg" LICENSE="LGPL-2" SLOT="2" -KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~x64-macos ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris" IUSE="+gtk +introspection tools vala" -REQUIRED_USE=" - vala? ( introspection ) - tools? ( gtk )" +REQUIRED_USE="vala? ( introspection )" -RDEPEND=" - >=dev-libs/glib-2.24:2 +RDEPEND=">=dev-libs/glib-2.24:2 >=x11-libs/cairo-1.2 - >=x11-libs/pango-1.32.6 + >=x11-libs/pango-1.16 >=dev-libs/libxml2-2.7:2 >=dev-libs/libcroco-0.6.1 x11-libs/gdk-pixbuf:2[introspection?] @@ -43,9 +40,12 @@ DEPEND="${RDEPEND} # >=gtk-doc-am-1.13, gobject-introspection-common, vala-common needed by eautoreconf src_prepare() { - # Make rsvg-view non-automagic + # Make rsvg-view non-automagic, upstream bug #653323 epatch "${FILESDIR}/${PN}-2.36.0-rsvg-view-automagic.patch" + # Information disclosure, CVE-2013-1881, bug #486600; fixed in 2.39.0 + epatch "${FILESDIR}/${P}-resource-uri"-{1,2,3}.patch + use vala && vala_src_prepare eautoreconf @@ -53,10 +53,13 @@ src_prepare() { } src_configure() { - DOCS="AUTHORS ChangeLog README NEWS TODO" - local myconf="" + if use gtk && use tools; then + myconf="${myconf} --enable-rsvg-view" + else + myconf="${myconf} --disable-rsvg-view" + fi # -Bsymbolic is not supported by the Darwin toolchain if [[ ${CHOST} == *-darwin* ]]; then myconf="${myconf} --disable-Bsymbolic" @@ -64,8 +67,7 @@ src_configure() { gnome2_src_configure \ --disable-static \ - --disable-tools \ - $(use_enable tools rsvg-view) \ + $(use_enable tools) \ $(use_enable gtk gtk-theme) \ $(use_enable introspection) \ $(use_enable vala) \ |
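Review bot: The new `src_configure` appends to `myconf` without the `local myconf=""` that the hunk removes, so the variable is now a global that the Darwin branch and, presumably, the `gnome2_src_configure` call below the hunk read; restore `local myconf=""` as the first statement of `src_configure` so an inherited or previously set value cannot leak into the configure arguments. Separately, the Manifest in this commit still lists the unpatched `librsvg-2.36.4.ebuild` while the fixed `-r1` carries only `~arch` keywords, so stable users remain on the vulnerable version until `-r1` is stabilized and 2.36.4 dropped — presumably tracked in bug #486600, and the `# Information disclosure, CVE-2013-1881` comment could say so. The `if use gtk && use tools` block now encodes in shell what the dropped `tools? ( gtk )` in `REQUIRED_USE` used to enforce, which reads as intentional but deserves a one-line comment explaining why rsvg-view is silently disabled rather than rejected.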