authorStefan Briesenick <sbriesen@gentoo.org>2007-12-16 01:20:14 +0000
committerStefan Briesenick <sbriesen@gentoo.org>2007-12-16 01:20:14 +0000
commite043aee75fc640f49ddba6d647108a3b00ed0ecd (patch)
treefa8c3cbe8a197e85ede9498a786c42f2f27d03d7 /media-gfx/exiv2
parentremoved old version (diff)
added patch against integer overflow (see bug #202351).
Package-Manager: portage-2.1.4_rc9
Diffstat (limited to 'media-gfx/exiv2')
-rw-r--r--media-gfx/exiv2/ChangeLog9
-rw-r--r--media-gfx/exiv2/Manifest26
-rw-r--r--media-gfx/exiv2/exiv2-0.13-r1.ebuild63
-rw-r--r--media-gfx/exiv2/exiv2-0.15-r1.ebuild72
-rw-r--r--media-gfx/exiv2/files/CVE-2007-6353.diff89
-rw-r--r--media-gfx/exiv2/files/digest-exiv2-0.13-r13
-rw-r--r--media-gfx/exiv2/files/digest-exiv2-0.15-r13
7 files changed, 260 insertions, 5 deletions
diff --git a/media-gfx/exiv2/ChangeLog b/media-gfx/exiv2/ChangeLog
index fd0ec47781b4..f7a484055939 100644
--- a/media-gfx/exiv2/ChangeLog
+++ b/media-gfx/exiv2/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for media-gfx/exiv2
# Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-gfx/exiv2/ChangeLog,v 1.30 2007/12/16 01:04:50 sbriesen Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-gfx/exiv2/ChangeLog,v 1.31 2007/12/16 01:20:13 sbriesen Exp $
+
+*exiv2-0.15-r1 (16 Dec 2007)
+*exiv2-0.13-r1 (16 Dec 2007)
+
+ 16 Dec 2007; Stefan Briesenick <sbriesen@gentoo.org>
+ +files/CVE-2007-6353.diff, +exiv2-0.13-r1.ebuild, +exiv2-0.15-r1.ebuild:
+ added patch against integer overflow (see bug #202351).
16 Dec 2007; Stefan Briesenick <sbriesen@gentoo.org> -exiv2-0.14.ebuild:
removed old version
diff --git a/media-gfx/exiv2/Manifest b/media-gfx/exiv2/Manifest
index 5ca19f992271..90d36d3b8f6b 100644
--- a/media-gfx/exiv2/Manifest
+++ b/media-gfx/exiv2/Manifest
@@ -1,17 +1,29 @@
+AUX CVE-2007-6353.diff 3735 RMD160 fb914dea4d60071a60c10839d1f86b3b17aecd68 SHA1 6db8d981bd1f504110387cd3478fe47b4a305fbf SHA256 db0fe8f38eab154ab442f684992cdbf16e88d8f3850b83a94122617edfde6749
+MD5 9451613668885e6f3a0b405c2df37152 files/CVE-2007-6353.diff 3735
+RMD160 fb914dea4d60071a60c10839d1f86b3b17aecd68 files/CVE-2007-6353.diff 3735
+SHA256 db0fe8f38eab154ab442f684992cdbf16e88d8f3850b83a94122617edfde6749 files/CVE-2007-6353.diff 3735
DIST exiv2-0.13.tar.gz 2841724 RMD160 e06de2dfeb6941b1fd501bff258763f2f13f98b9 SHA1 3abf440af8d3df0025bc767fc7e6cc170adc50e6 SHA256 f1d38ed31bdb54f6c5c80f7cd6765025cac535883b24e630f5bbe5c63e5cff75
DIST exiv2-0.15.tar.gz 1133249 RMD160 b879bcbe8255ae83af7d1cfadb84b01dbc5e97f2 SHA1 db5b0da39c5d2a736cecf4800f83639f841af5cc SHA256 b72d82e9117308063471993f3832e58064c0599dec3df2bf2a7ce54450984a3e
+EBUILD exiv2-0.13-r1.ebuild 1657 RMD160 2c269c13f2be30a2bcd8794c8e22e485e40a5985 SHA1 7b516cf5bbd2c4b32f8f66c64115ca96280d9e0f SHA256 577e6bab389e6ea5cd49f23d742d1f1e0dcf224092d23ca8a297e8b4869d7dd1
+MD5 b948d67f126bfb852fa02b3efccf88e9 exiv2-0.13-r1.ebuild 1657
+RMD160 2c269c13f2be30a2bcd8794c8e22e485e40a5985 exiv2-0.13-r1.ebuild 1657
+SHA256 577e6bab389e6ea5cd49f23d742d1f1e0dcf224092d23ca8a297e8b4869d7dd1 exiv2-0.13-r1.ebuild 1657
EBUILD exiv2-0.13.ebuild 1586 RMD160 04ed95f8c4a9186cf7cd48d551367e5a52172e6c SHA1 19aa4ab5ff4c3cbf487598480c86fee69686e557 SHA256 c503d6bf9f33db4f5f6ff6ad5a6cf8fd9f01bb1e33bf23cd4fe9a87b1305b759
MD5 b435653f5475213fbf0b31887b8827ce exiv2-0.13.ebuild 1586
RMD160 04ed95f8c4a9186cf7cd48d551367e5a52172e6c exiv2-0.13.ebuild 1586
SHA256 c503d6bf9f33db4f5f6ff6ad5a6cf8fd9f01bb1e33bf23cd4fe9a87b1305b759 exiv2-0.13.ebuild 1586
+EBUILD exiv2-0.15-r1.ebuild 1855 RMD160 619e4ff3bdce46e73789668581cb5183bd7a2a73 SHA1 bde3a49f1bbc6516e13ffd50389073f3e8e01f6c SHA256 4d9beef9d8f4e94caa553907312007eec6bf086e4e5893e7f4dae8fcb72fde0e
+MD5 a406f6709600e5884489cb39265c07e4 exiv2-0.15-r1.ebuild 1855
+RMD160 619e4ff3bdce46e73789668581cb5183bd7a2a73 exiv2-0.15-r1.ebuild 1855
+SHA256 4d9beef9d8f4e94caa553907312007eec6bf086e4e5893e7f4dae8fcb72fde0e exiv2-0.15-r1.ebuild 1855
EBUILD exiv2-0.15.ebuild 1791 RMD160 810fff3a31f44ac5bf5a1ebb00b25f94b4fa8e92 SHA1 b65d428ffd5b02535693191a61ff76869dda445a SHA256 9340f70b613d18946b74a15bd45e229ccd6b4bd3080fa7f07e94ddc0cbaec032
MD5 b7d4fdc0baa2d04c558f6e03571a3ec7 exiv2-0.15.ebuild 1791
RMD160 810fff3a31f44ac5bf5a1ebb00b25f94b4fa8e92 exiv2-0.15.ebuild 1791
SHA256 9340f70b613d18946b74a15bd45e229ccd6b4bd3080fa7f07e94ddc0cbaec032 exiv2-0.15.ebuild 1791
-MISC ChangeLog 3789 RMD160 34ae8360ae1e0bc76fb7ef13a7870b5927f3438a SHA1 41617f087f9e977138115f17c03c3ca8895d8250 SHA256 999e14ffe9ec87ebbfe19c6546de8b373c6f965595ded9c840ab1394565832e0
-MD5 ec86e347fc87f67a3a307c6e8639e2ec ChangeLog 3789
-RMD160 34ae8360ae1e0bc76fb7ef13a7870b5927f3438a ChangeLog 3789
-SHA256 999e14ffe9ec87ebbfe19c6546de8b373c6f965595ded9c840ab1394565832e0 ChangeLog 3789
+MISC ChangeLog 4037 RMD160 5de8429173d711980f688354ca49aabf770a4275 SHA1 553a82fdf4e9d9a3a44b89427c1f6bc13fce9b02 SHA256 d87f3198ea627d789f640f820642d65f9b51eaaab759e42d95bb3d68f6eaed8e
+MD5 5d0aabe8628d0a7fc483f1f23092e41c ChangeLog 4037
+RMD160 5de8429173d711980f688354ca49aabf770a4275 ChangeLog 4037
+SHA256 d87f3198ea627d789f640f820642d65f9b51eaaab759e42d95bb3d68f6eaed8e ChangeLog 4037
MISC metadata.xml 411 RMD160 ab7786ee2861ee2755a46d5b9d61c05aac3bdcde SHA1 89236e5947f0926012908a274251edc319d4ac3d SHA256 69be80b32baabd40e8ae03cc8a4b8403fc00200f64005c5e11fea69d7fd4cee5
MD5 f97da2252ba751ad4edcd1d760c6b28e metadata.xml 411
RMD160 ab7786ee2861ee2755a46d5b9d61c05aac3bdcde metadata.xml 411
@@ -19,6 +31,12 @@ SHA256 69be80b32baabd40e8ae03cc8a4b8403fc00200f64005c5e11fea69d7fd4cee5 metadata
MD5 b6a30e249d7231b82fd63c28f89d7f55 files/digest-exiv2-0.13 235
RMD160 c65604350f0b54a83295f1dd2235d8da9bb7ea3c files/digest-exiv2-0.13 235
SHA256 db5b1482bb243bc8be94cce02d19d3e7014e68e303808aec9fede39baa045b16 files/digest-exiv2-0.13 235
+MD5 b6a30e249d7231b82fd63c28f89d7f55 files/digest-exiv2-0.13-r1 235
+RMD160 c65604350f0b54a83295f1dd2235d8da9bb7ea3c files/digest-exiv2-0.13-r1 235
+SHA256 db5b1482bb243bc8be94cce02d19d3e7014e68e303808aec9fede39baa045b16 files/digest-exiv2-0.13-r1 235
MD5 f8e7e8ff866c95118270063f3d64d2b7 files/digest-exiv2-0.15 235
RMD160 190c71a36a1b5d4d7126d4a2cba6be010c6a0377 files/digest-exiv2-0.15 235
SHA256 42cfe239b7eedf478f8014e5cb9a2132901e9a11bcd62b635bc8949f41641f5b files/digest-exiv2-0.15 235
+MD5 f8e7e8ff866c95118270063f3d64d2b7 files/digest-exiv2-0.15-r1 235
+RMD160 190c71a36a1b5d4d7126d4a2cba6be010c6a0377 files/digest-exiv2-0.15-r1 235
+SHA256 42cfe239b7eedf478f8014e5cb9a2132901e9a11bcd62b635bc8949f41641f5b files/digest-exiv2-0.15-r1 235
diff --git a/media-gfx/exiv2/exiv2-0.13-r1.ebuild b/media-gfx/exiv2/exiv2-0.13-r1.ebuild
new file mode 100644
index 000000000000..c8781c00b54f
--- /dev/null
+++ b/media-gfx/exiv2/exiv2-0.13-r1.ebuild
@@ -0,0 +1,63 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-gfx/exiv2/exiv2-0.13-r1.ebuild,v 1.1 2007/12/16 01:20:13 sbriesen Exp $
+
+inherit eutils
+
+DESCRIPTION="EXIF and IPTC metadata C++ library and command line utility"
+HOMEPAGE="http://www.exiv2.org/"
+SRC_URI="http://www.exiv2.org/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~ia64 ~ppc ~sparc ~x86 ~x86-fbsd"
+
+IUSE="doc nls zlib unicode"
+IUSE_LINGUAS="de es fi fr pl ru"
+
+for X in ${IUSE_LINGUAS}; do IUSE="${IUSE} linguas_${X}"; done
+
+RDEPEND="zlib? ( sys-libs/zlib )
+ nls? ( virtual/libintl )
+ virtual/libiconv"
+
+DEPEND="${RDEPEND}
+ nls? ( sys-devel/gettext )"
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ # see bug #202351
+ epatch "${FILESDIR}/CVE-2007-6353.diff"
+
+ if use unicode; then
+ einfo "Converting docs to UTF-8"
+ for i in doc/cmd.txt; do
+ iconv -f LATIN1 -t UTF-8 "${i}" > "${i}~" && mv -f "${i}~" "${i}" || rm -f "${i}~"
+ done
+ fi
+}
+
+src_compile() {
+ local myconf="$(use_enable nls)"
+ use zlib || myconf="${myconf} --without-zlib" # plain 'use_with' fails
+ econf ${myconf} || die "econf failed"
+ emake || die "emake failed"
+}
+
+src_install() {
+ make DESTDIR="${D}" install || die "make install failed"
+ dodoc README doc/{ChangeLog,cmd.txt}
+ use doc && dohtml doc/html/*
+}
+
+pkg_postinst() {
+ ewarn
+ ewarn "PLEASE PLEASE take note of this:"
+ ewarn "Please make *sure* to run revdep-rebuild now"
+ ewarn "Certain things on your system may have linked against a"
+ ewarn "different version of exiv2 -- those things need to be"
+ ewarn "recompiled. Sorry for the inconvenience!"
+ ewarn
+}
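Review bot: The builds without the fix stay installable next to this revision, because the Manifest hunk in this commit still lists exiv2-0.13.ebuild and exiv2-0.15.ebuild while only the new -r1 files call `epatch "${FILESDIR}/CVE-2007-6353.diff"`. Dropping the unpatched ebuilds once the -r1 revisions are in place would keep anyone from building the vulnerable code by pinning the older revision. In src_unpack, `cd "${S}"` also has no failure check, so a missing source directory would let the patch step run from the wrong place; `cd "${S}" || die "cd failed"` makes that explicit, and the same line appears in exiv2-0.15-r1.ebuild.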
diff --git a/media-gfx/exiv2/exiv2-0.15-r1.ebuild b/media-gfx/exiv2/exiv2-0.15-r1.ebuild
new file mode 100644
index 000000000000..a035fb00d814
--- /dev/null
+++ b/media-gfx/exiv2/exiv2-0.15-r1.ebuild
@@ -0,0 +1,72 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-gfx/exiv2/exiv2-0.15-r1.ebuild,v 1.1 2007/12/16 01:20:13 sbriesen Exp $
+
+inherit eutils
+
+DESCRIPTION="EXIF and IPTC metadata C++ library and command line utility"
+HOMEPAGE="http://www.exiv2.org/"
+SRC_URI="http://www.exiv2.org/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~ia64 ~ppc ~sparc ~x86 ~x86-fbsd"
+
+IUSE="doc nls zlib unicode"
+IUSE_LINGUAS="de es fi fr pl ru"
+
+for X in ${IUSE_LINGUAS}; do IUSE="${IUSE} linguas_${X}"; done
+
+RDEPEND="zlib? ( sys-libs/zlib )
+ nls? ( virtual/libintl )
+ virtual/libiconv"
+
+DEPEND="${RDEPEND}
+ doc? ( app-doc/doxygen )
+ nls? ( sys-devel/gettext )"
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ # see bug #202351
+ epatch "${FILESDIR}/CVE-2007-6353.diff"
+
+ if use unicode; then
+ for i in doc/cmd.txt; do
+ echo ">>> Converting "${i}" to UTF-8"
+ iconv -f LATIN1 -t UTF-8 "${i}" > "${i}~" && mv -f "${i}~" "${i}" || rm -f "${i}~"
+ done
+ fi
+
+ if use doc; then
+ echo ">>> Updating doxygen config"
+ doxygen &>/dev/null -u config/Doxyfile
+ fi
+}
+
+src_compile() {
+ local myconf="$(use_enable nls)"
+ use zlib || myconf="${myconf} --without-zlib" # plain 'use_with' fails
+ econf ${myconf} || die "econf failed"
+ emake || die "emake failed"
+ if use doc; then
+ emake doc || die "emake doc failed"
+ fi
+}
+
+src_install() {
+ emake DESTDIR="${D}" install || die "emake install failed"
+ dodoc README doc/{ChangeLog,cmd.txt}
+ use doc && dohtml -r doc/html/.
+}
+
+pkg_postinst() {
+ ewarn
+ ewarn "PLEASE PLEASE take note of this:"
+ ewarn "Please make *sure* to run revdep-rebuild now"
+ ewarn "Certain things on your system may have linked against a"
+ ewarn "different version of exiv2 -- those things need to be"
+ ewarn "recompiled. Sorry for the inconvenience!"
+ ewarn
+}
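Review bot: The security patch applied in src_unpack was generated against a different release than this ebuild builds: the headers in files/CVE-2007-6353.diff name `exiv2-0.13/src/exif.cpp`, and here it is applied to 0.15. If the hunks only apply with offset or fuzz, a bounds check can land next to the wrong statement without the build failing, so the 0.15 result is worth checking by hand. A comment such as `# diff was made against 0.13; checked that all hunks apply to 0.15 without fuzz` would record that. Separately, `doxygen &>/dev/null -u config/Doxyfile` discards both output and exit status, so a failed config update goes unnoticed until `emake doc`.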
diff --git a/media-gfx/exiv2/files/CVE-2007-6353.diff b/media-gfx/exiv2/files/CVE-2007-6353.diff
new file mode 100644
index 000000000000..13b7fe9ac312
--- /dev/null
+++ b/media-gfx/exiv2/files/CVE-2007-6353.diff
@@ -0,0 +1,89 @@
+Index: exiv2-0.13/src/exif.cpp
+===================================================================
+--- exiv2-0.13.orig/src/exif.cpp
++++ exiv2-0.13/src/exif.cpp
+@@ -215,10 +215,12 @@ namespace Exiv2 {
+ ExifData::const_iterator sizes;
+ ExifKey key("Exif.Thumbnail.StripByteCounts");
+ sizes = exifData.findKey(key);
+- if (sizes == exifData.end()) return 2;
++ if (sizes == exifData.end()) return 1;
+
+- long totalSize = 0;
++ uint32_t totalSize = 0;
+ for (long i = 0; i < sizes->count(); ++i) {
++ uint32_t size = sizes->toLong(i);
++ if (size > 0xffffffff - totalSize) return 1;
+ totalSize += sizes->toLong(i);
+ }
+ DataBuf stripsBuf(totalSize);
+@@ -228,21 +230,23 @@ namespace Exiv2 {
+ ExifData::iterator stripOffsets;
+ key = ExifKey("Exif.Thumbnail.StripOffsets");
+ stripOffsets = exifData.findKey(key);
+- if (stripOffsets == exifData.end()) return 2;
+- if (stripOffsets->count() != sizes->count()) return 2;
++ if (stripOffsets == exifData.end()) return 1;
++ if (stripOffsets->count() != sizes->count()) return 1;
+
+ std::ostringstream os; // for the strip offsets
+- long currentOffset = 0;
+- long firstOffset = stripOffsets->toLong(0);
+- long lastOffset = 0;
+- long lastSize = 0;
++ uint32_t currentOffset = 0;
++ uint32_t firstOffset = stripOffsets->toLong(0);
++ uint32_t lastOffset = 0;
++ uint32_t lastSize = 0;
+ for (long i = 0; i < stripOffsets->count(); ++i) {
+- long offset = stripOffsets->toLong(i);
++ uint32_t offset = stripOffsets->toLong(i);
+ lastOffset = offset;
+- long size = sizes->toLong(i);
++ uint32_t size = sizes->toLong(i);
+ lastSize = size;
+- if (len < offset + size) return 1;
+-
++ if ( size > 0xffffffff - offset
++ || static_cast<uint32_t>(len) < offset + size) {
++ return 2;
++ }
+ memcpy(stripsBuf.pData_ + currentOffset, buf + offset, size);
+ os << currentOffset << " ";
+ currentOffset += size;
+@@ -303,12 +307,15 @@ namespace Exiv2 {
+ ExifKey key("Exif.Thumbnail.JPEGInterchangeFormat");
+ ExifData::iterator format = exifData.findKey(key);
+ if (format == exifData.end()) return 1;
+- long offset = format->toLong();
++ uint32_t offset = format->toLong();
+ key = ExifKey("Exif.Thumbnail.JPEGInterchangeFormatLength");
+ ExifData::const_iterator length = exifData.findKey(key);
+ if (length == exifData.end()) return 1;
+- long size = length->toLong();
+- if (len < offset + size) return 2;
++ uint32_t size = length->toLong();
++ if ( size > 0xffffffff - offset
++ || static_cast<uint32_t>(len) < offset + size) {
++ return 2;
++ }
+ format->setDataArea(buf + offset, size);
+ format->setValue("0");
+ if (pIfd1) {
+@@ -595,8 +602,14 @@ namespace Exiv2 {
+ if (pIopIfd_) add(pIopIfd_->begin(), pIopIfd_->end(), byteOrder());
+ if (pGpsIfd_) add(pGpsIfd_->begin(), pGpsIfd_->end(), byteOrder());
+ if (pIfd1_) add(pIfd1_->begin(), pIfd1_->end(), byteOrder());
+- // Read the thumbnail (but don't worry whether it was successful or not)
+- readThumbnail();
++ // Finally, read the thumbnail
++ rc = readThumbnail();
++ if (0 < rc) {
++#ifndef SUPPRESS_WARNINGS
++ std::cerr << "Warning: Failed to read thumbnail, rc = "
++ << rc << "\n";
++#endif
++ }
+
+ return 0;
+ } // ExifData::load
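Review bot: In the first exif.cpp hunk, `totalSize` is only kept from wrapping past 0xffffffff; it is never compared with `len` before `DataBuf stripsBuf(totalSize)`, so metadata alone can still request an allocation of nearly 4 GiB. If DataBuf takes a signed `long` (its constructor is not visible here), a value above LONG_MAX would also turn negative on 32-bit builds. A guard after the loop, `if (totalSize > static_cast<uint32_t>(len)) return 1;`, would tie the allocation to the size of the input buffer, assuming strips are not expected to overlap. The loop body should also add the value it just checked, `totalSize += size;`, instead of calling `sizes->toLong(i)` a second time. The enclosing functions start and end outside these hunks, so how `lastOffset`, `lastSize` and `firstOffset` are used afterwards cannot be checked from here.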
diff --git a/media-gfx/exiv2/files/digest-exiv2-0.13-r1 b/media-gfx/exiv2/files/digest-exiv2-0.13-r1
new file mode 100644
index 000000000000..d722949efd95
--- /dev/null
+++ b/media-gfx/exiv2/files/digest-exiv2-0.13-r1
@@ -0,0 +1,3 @@
+MD5 492d476e3130ac27983d93e5595d81e8 exiv2-0.13.tar.gz 2841724
+RMD160 e06de2dfeb6941b1fd501bff258763f2f13f98b9 exiv2-0.13.tar.gz 2841724
+SHA256 f1d38ed31bdb54f6c5c80f7cd6765025cac535883b24e630f5bbe5c63e5cff75 exiv2-0.13.tar.gz 2841724
diff --git a/media-gfx/exiv2/files/digest-exiv2-0.15-r1 b/media-gfx/exiv2/files/digest-exiv2-0.15-r1
new file mode 100644
index 000000000000..fbd92cb1983e
--- /dev/null
+++ b/media-gfx/exiv2/files/digest-exiv2-0.15-r1
@@ -0,0 +1,3 @@
+MD5 bb18d19e1d6fb255dadda456cadec00e exiv2-0.15.tar.gz 1133249
+RMD160 b879bcbe8255ae83af7d1cfadb84b01dbc5e97f2 exiv2-0.15.tar.gz 1133249
+SHA256 b72d82e9117308063471993f3832e58064c0599dec3df2bf2a7ce54450984a3e exiv2-0.15.tar.gz 1133249