Upstream patch for CVE-2013-6629 and CVE-2013-6630.

Package-Manager: portage-2.2.7/cvs/Linux x86_64 Manifest-Sign-Key: 0x4868F14D
author: Samuli Suominen <ssuominen@gentoo.org> 2013-12-14 15:33:35 +0000
committer: Samuli Suominen <ssuominen@gentoo.org> 2013-12-14 15:33:35 +0000
commit: 6495aeaa029b5709e9daada4534719f1c4943464 (patch)
tree: 34dd70778510c9b591f0716ddf33c4aa64d1b833 /media-libs/libjpeg-turbo
parent: Test fixes in live ebuild; proxied commit for Nikoli, fixes bug #494242. (diff)
download: historical-6495aeaa029b5709e9daada4534719f1c4943464.tar.gz
historical-6495aeaa029b5709e9daada4534719f1c4943464.tar.bz2
historical-6495aeaa029b5709e9daada4534719f1c4943464.zip
4 files changed, 180 insertions, 17 deletions
diff --git a/media-libs/libjpeg-turbo/ChangeLog b/media-libs/libjpeg-turbo/ChangeLog
index 6b7ef1a1947b..a4e25144919e 100644
--- a/media-libs/libjpeg-turbo/ChangeLog
+++ b/media-libs/libjpeg-turbo/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for media-libs/libjpeg-turbo
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/libjpeg-turbo/ChangeLog,v 1.79 2013/08/18 13:28:24 ago Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-libs/libjpeg-turbo/ChangeLog,v 1.80 2013/12/14 15:33:31 ssuominen Exp $
+
+*libjpeg-turbo-1.3.0-r3 (14 Dec 2013)
+
+  14 Dec 2013; Samuli Suominen <ssuominen@gentoo.org>
+  +files/libjpeg-turbo-1.3.0-CVE-2013-6629-and-6630.patch,
+  +libjpeg-turbo-1.3.0-r3.ebuild:
+  Upstream patch for CVE-2013-6629 and CVE-2013-6630.
 
   18 Aug 2013; Agostino Sarubbo <ago@gentoo.org> libjpeg-turbo-1.3.0.ebuild:
   Stable for x86, wrt bug #479078
diff --git a/media-libs/libjpeg-turbo/Manifest b/media-libs/libjpeg-turbo/Manifest
index b568c2c43645..9d39ed892152 100644
--- a/media-libs/libjpeg-turbo/Manifest
+++ b/media-libs/libjpeg-turbo/Manifest
@@ -1,29 +1,25 @@
 -----BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA512
+Hash: SHA256
 
 AUX libjpeg-turbo-1.2.0-x32.patch 1240 SHA256 b12ab8fbef2cd8ceafd2e26e8fca375894275b7a60216fabf23f4f1342e73347 SHA512 0aa26467b7c0f583d945619f9b1ad9f200d6ae6cb5c904873a047d955de43c0bfefbf0d9f83cf26b3758f780b530cc35825b57a98856138642dcd29d73e24e91 WHIRLPOOL 67c84aec436f41f318149b264e5a198ad8b4d4bd19483f404dce60a59b237715a38fd5e6108d0c745ab90b6ca3688d2d75d7d23aecff06a649db34bff4d1be2d
+AUX libjpeg-turbo-1.3.0-CVE-2013-6629-and-6630.patch 1017 SHA256 7fe595af3a0518376e0a209c4732a8e2832c0caa4a937741300b3440575f66ab SHA512 ca01e4680267cfc79b8517c1ac55f15ef52b82299dad70b31eb18393be800fb524a12fe04048a63ad0f9881eaa7cefc879ad7f6bce04bb213ed0c4bfa6dd7040 WHIRLPOOL 3d7b95a7d0ed5cb263642e5e4cedfdaf0b74a516eae29b745e37763bd47b01ed2aac16d2ef6f9cd4d12fdb4691aea2afd3adb303024413ee2eec26df6ec5a3ed
 DIST libjpeg-turbo-1.2.1.tar.gz 1755264 SHA256 cb3323f054a02cedad193bd0ca418d46934447f995d19e678ea64f78e4903770 SHA512 1ea3d2cfcc24ebe83b669417b86c59563781e74ef5358bf44fc380d4379bd200965aed7390cbfd269cac9f6abd21b3bcb156cb7f3deb5d0e9bfe0a07347d45f6 WHIRLPOOL 70e19e40c218e6ed9583ea5903a130db2fb18491c1c08da8a8989d6fcdf19bf846737ea1660d45107c03ee0a2b7406cefd5ee22533a839c49c2526acc4578d10
 DIST libjpeg-turbo-1.3.0.tar.gz 1361603 SHA256 2657008cfc08aadbaca065bd9f8964b8a2c0abd03e73da5b5f09c1216be31234 SHA512 4d34c3c5f2cdd70b2a3d1b55eeb4ce59cb3d4b8d22bb6d43c2ec844b7eb5685b55a9b1b46ad2bc5f2756b5f5535ccad032791c3b932af9c1efc502aa5e701053 WHIRLPOOL 13c1366b9bef87cab42c88f75d1ff7eddb4ea745e0056154f1f3fb27deedee077d662395bada3bd5c18d6f8bf744d0b1f3d465967d33b453ea2acc327a6f166f
 DIST libjpeg8_8d-1.debian.tar.gz 13676 SHA256 70ec6689b0ad85739802cf3ebbdcc12ea01e21edd8f931c614b25b44cf199057 SHA512 7def4f13524f0af3b9adf35a370027a18f43b9a635f56a17d5bb7883370db8b18b8a12737d0f0cb4b0287ccf8fb474eb5f754de6b398ffe7d522c54e5bf68040 WHIRLPOOL 94526c31d401eb14c9bf0f7115e13a27886ad58863e25d6653eba2b2f5ef260ec272368d2b9d9934bd75b1e5b5f1afc97230e540248efc24d6e85e5680399d27
 EBUILD libjpeg-turbo-1.2.1.ebuild 2889 SHA256 298967f7a84c7426d48e6ae9a4c1455c5d7f83a0119a74a21c0ce189593daa17 SHA512 840fb7c42ce77f77074571b5b999bc328ec0957680b1528d8177dee72ad33cdcd12087093f2b4d1e204f3cf5896706b43e906d70f71477659b5a4a42fe74e309 WHIRLPOOL a9b0908eaa1d63c077d2dca8a5116a1d9c7e5baf91edccdcd3fc88d3d8458b62f765a48ee4936708c3cf3b6e801cc09aedc50cfa0aa27bb952c2b27f32ce0e40
 EBUILD libjpeg-turbo-1.3.0-r2.ebuild 3124 SHA256 3c7be7d7f32ce5eb6999b39d5d109a587a758edcbc04fea6105c510178cb08f3 SHA512 57960019ebe9b87c3702b48903938db63481a1372ab15be8b52936f19c9ad0ee8258337f94539534626c1a6f1dd07d4c3ba57053770a0fa211d51f262cffed88 WHIRLPOOL cec6c5ce9ea6144fc287b9758af3d6101963b96b4dd234e567ecbef0ece122a4f1db02eea3201880d391fe9623a3232356196f33bebfb55e99c6fe9fd5a58154
+EBUILD libjpeg-turbo-1.3.0-r3.ebuild 3180 SHA256 26648f8d259695bae16f754c50bce60f20dd562c251c19e6676ede91f3243022 SHA512 040f89a94172626cadcb5d9e165bee280b66b17ca0267b8e6f2790251dc0355666eb095e239adf69d36697d4fa958333970dbf4d990e0d4466e3a53894bd83eb WHIRLPOOL f8ff83b693006591393ecbd77b489c9219b0919404ba13c0f9f938121bdee2e855e51d3b83a645fcf8e9d2dd83cb4d8c2dcd82ca381ec046d942683d101247d0
 EBUILD libjpeg-turbo-1.3.0.ebuild 2888 SHA256 56a0e6dd1f2ef02fecab64616ac2b1629000145a06e008eb1c90fd4154eaf9fa SHA512 a2dd9706c96a0c1a842b2488886c9a8083d94d41fddb6ea022aacfb04d8eb8de6628529081f615ffa65d5bb0172a21d630f1a30f15f5e7ff6bbc73be7e26e568 WHIRLPOOL 4c143b3669f4f7bcab3ff3e9af26783c7ff798d853da1f0512791cb6f31317c3ade98263c475947c35509378ac1d555ef2595e5e9d8fdd635b0f7a3d3fecb2d9
-MISC ChangeLog 11648 SHA256 c7e387cae7bb04931e061d9d5f564215e62e40225dd19bd602e0e15f58657b9d SHA512 d0f140aa4711054693473582c6e13a13849aa83274c421e4a77fca2eea148ed9117d366e1ee31a9c9d8a685481b619f3d5283bfff735fe7f25f600688768c7e3 WHIRLPOOL 720dea3a2ac85d915b286f80f6c3fb6bc3df7c81dfcbb9a4f8a8c1a13374c6b31633b44b74d01401c1572b3f4a1b9db93b3d5699bd54e0fd8b3d5f5cc97beede
+MISC ChangeLog 11895 SHA256 74ec14115d5ace20bcaa416d3babd88ad42c25ed68cec8396f496dc6d95fd52e SHA512 d30b28c0d58ec344502b97c02b0dbe59245d905d730abd2719f6ee0192306b515867443bddd2a283db8902182f8db0d47275d6900e9a5f8bd9aba6cd60ef3d88 WHIRLPOOL 0c3f0219489adabb7efe7d00bb0199725bac6922d6930c3619970b18ba9f40084a2d24a0cb86cbcd56265a2d267c31426d8069cf59dd1b8db67979c552dae482
 MISC metadata.xml 367 SHA256 6b8c81649360de8af20a434749d90a9ee689026f959c814e22dac83513c5b0d4 SHA512 0dc1a5f70e560471119207724bc0015d1ae6b80c7da5d2305479b681ae9dca487dc0a58b5db45cc033d3c12ec997902b1c42c664efbfdff8cf3e1570259d0835 WHIRLPOOL 5686f917bfedc7f73923a18e99e8fa64eadda2cbe476d8b6c527be83f283acad01e0fedb5d4c9deb1dbf4f21538b69b3446db3304af782fb76e4b009c6bd3822
 -----BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.20 (GNU/Linux)
+Version: GnuPG v2.0.22 (GNU/Linux)
 
-iQIcBAEBCgAGBQJSEMvzAAoJELp701BxlEWfVF8QAJ5R+Oyx3ABreCCoqXqvcehI
-pXnYsUOxNWPQFZexDjWj0kIfQwPPRAbPPFwQT1dVKbxas5rfWfp5h/gbS74mIsIX
-MYIl4w7NE6poQagocd3T6R0Z+aiyIT2ukc+RCFXIIPMptjE/N8/ezYpdUea5ug68
-FZMDMYh+hg42XFDRXwL95RgFc4BXG6uV1fLzLxsuv423cS1TWedwYxUM1FKdGJj4
-PlihrPKNOmaTryMzA313p8RchuSqcBluCgZSkCyPLTme6nc04BdyeEtDjhR7o6S2
-8MAwyahrgQKvU0znJDCXPvC4+WlkSSmKO2z3sT8t3FLG7Z5ZvcApO36F9wr4ROst
-PtaOg9k7gTWNhvKKugFxYV9z1m+aQqPBdZFbLvB3yy5emnpe1lXbRwwezQeJzUVW
-i9pwwGSiQ/EasM0fHAdEHBYlrS6UBxzolbU5IT3NxxiSEwoq4L5ElhCIk8xjE6Wu
-3YfsZtV3K5a7az3LvoxOSW6RxSnrZ6CT5d4eyWf4NNElfUtqRv7i81k946rnQcnn
-pDwXqx8DV9bibRyiQPjMbr2aMdS4+0jnMKAL5ab+j5OOPc9iIhgn7uGqfTyf9hZl
-D7Y5fqAWmRaZ++p4enHMAcMmptIyz8lksJL2mBgP4sAVig+uNUmMhBs+weMSwN+U
-SBD3ENGcMm4rU1pRldvd
-=i/m1
+iQEcBAEBCAAGBQJSrHpFAAoJEEdUh39IaPFNrRIIAKGMqymU20YorG6S7nGipZHP
+elHjGAW5eRtQy/FBY2O4Kc+kJFroFerW0w2d5O7uQkOCG+s/NFKJUeIPoepw8Ih8
+YN0H0yw5bAJ71xpJnRSESLKKUscTyH2mnMWT0TiuAoSJcb6szVqUXzBK+ZO+WKpX
+EVOOL9MuoJWyHKIWQlPBdMLxLW/69bdCKaPQgdrcxzoxS4S3oc7eGau9LeX+X/F9
+lH0IHro17Y3S3fY+O/2Tk/8/BpHsjDVIk1xRb9VguGxuI7jXm1+i7GX4oIJs7kOT
+8L0XMUEh7IvTXWNIKFJqZ0YLbt8MQ1MhAYOjHOhIP8x16qvXltd3QGccLK0kPuE=
+=nL+Q
 -----END PGP SIGNATURE-----
diff --git a/media-libs/libjpeg-turbo/files/libjpeg-turbo-1.3.0-CVE-2013-6629-and-6630.patch b/media-libs/libjpeg-turbo/files/libjpeg-turbo-1.3.0-CVE-2013-6629-and-6630.patch
new file mode 100644
index 000000000000..46eefad1604f
--- /dev/null
+++ b/media-libs/libjpeg-turbo/files/libjpeg-turbo-1.3.0-CVE-2013-6629-and-6630.patch
@@ -0,0 +1,38 @@
+http://bugzilla.redhat.com/show_bug.cgi?id=1031734
+http://bugzilla.redhat.com/show_bug.cgi?id=1031749
+http://sourceforge.net/p/libjpeg-turbo/code/1090/
+
+--- jdmarker.c
++++ jdmarker.c
+@@ -304,7 +304,7 @@
+ /* Process a SOS marker */
+ {
+   INT32 length;
+-  int i, ci, n, c, cc;
++  int i, ci, n, c, cc, pi;
+   jpeg_component_info * compptr;
+   INPUT_VARS(cinfo);
+ 
+@@ -348,6 +348,13 @@
+     
+     TRACEMS3(cinfo, 1, JTRC_SOS_COMPONENT, cc,
+ 	     compptr->dc_tbl_no, compptr->ac_tbl_no);
++
++    /* This CSi (cc) should differ from the previous CSi */
++    for (pi = 0; pi < i; pi++) {
++      if (cinfo->cur_comp_info[pi] == compptr) {
++        ERREXIT1(cinfo, JERR_BAD_COMPONENT_ID, cc);
++      }
++    }
+   }
+ 
+   /* Collect the additional scan parameters Ss, Se, Ah/Al. */
+@@ -465,6 +472,8 @@
+     for (i = 0; i < count; i++)
+       INPUT_BYTE(cinfo, huffval[i], return FALSE);
+ 
++    MEMZERO(&huffval[count], (256 - count) * SIZEOF(UINT8));
++
+     length -= count;
+ 
+     if (index & 0x10) {		/* AC table definition */
diff --git a/media-libs/libjpeg-turbo/libjpeg-turbo-1.3.0-r3.ebuild b/media-libs/libjpeg-turbo/libjpeg-turbo-1.3.0-r3.ebuild
new file mode 100644
index 000000000000..b8d065be90ae
--- /dev/null
+++ b/media-libs/libjpeg-turbo/libjpeg-turbo-1.3.0-r3.ebuild
@@ -0,0 +1,122 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-libs/libjpeg-turbo/libjpeg-turbo-1.3.0-r3.ebuild,v 1.1 2013/12/14 15:33:31 ssuominen Exp $
+
+EAPI=5
+
+inherit autotools eutils java-pkg-opt-2 libtool toolchain-funcs multilib-minimal
+
+DESCRIPTION="MMX, SSE, and SSE2 SIMD accelerated JPEG library"
+HOMEPAGE="http://libjpeg-turbo.virtualgl.org/ http://sourceforge.net/projects/libjpeg-turbo/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz
+	mirror://debian/pool/main/libj/libjpeg8/libjpeg8_8d-1.debian.tar.gz"
+
+LICENSE="BSD IJG"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~x64-macos ~x86-macos"
+IUSE="java static-libs"
+
+ASM_DEPEND="|| ( dev-lang/nasm dev-lang/yasm )"
+COMMON_DEPEND="!media-libs/jpeg:0
+	!media-libs/jpeg:62
+	abi_x86_32? ( !<=app-emulation/emul-linux-x86-baselibs-20130224-r5
+		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)] )"
+RDEPEND="${COMMON_DEPEND}
+	java? ( >=virtual/jre-1.5 )"
+DEPEND="${COMMON_DEPEND}
+	amd64? ( ${ASM_DEPEND} )
+	x86? ( ${ASM_DEPEND} )
+	amd64-fbsd? ( ${ASM_DEPEND} )
+	x86-fbsd? ( ${ASM_DEPEND} )
+	amd64-linux? ( ${ASM_DEPEND} )
+	x86-linux? ( ${ASM_DEPEND} )
+	x64-macos? ( ${ASM_DEPEND} )
+	java? ( >=virtual/jdk-1.5 )"
+
+MULTILIB_WRAPPED_HEADERS=( /usr/include/jconfig.h )
+
+src_prepare() {
+	epatch "${FILESDIR}"/${PN}-1.2.0-x32.patch #420239
+	epatch "${FILESDIR}"/${P}-CVE-2013-6629-and-6630.patch
+
+	if [[ -x ./configure ]]; then
+		elibtoolize
+	else
+		eautoreconf
+	fi
+
+	epunt_cxx #424689
+
+	java-pkg-opt-2_src_prepare
+}
+
+multilib_src_configure() {
+	local myconf=()
+	if multilib_is_native_abi; then
+		myconf+=( $(use_with java) )
+		if use java; then
+			export JAVACFLAGS="$(java-pkg_javac-args)"
+			export JNI_CFLAGS="$(java-pkg_get-jni-cflags)"
+		fi
+	else
+		myconf+=( --without-java )
+	fi
+	[[ ${ABI} == "x32" ]] && myconf+=( --without-simd ) #420239
+
+	ECONF_SOURCE=${S} \
+	econf \
+		$(use_enable static-libs static) \
+		--with-mem-srcdst \
+		"${myconf[@]}"
+}
+
+multilib_src_compile() {
+	local _java_makeopts
+	use java && _java_makeopts="-j1"
+	emake ${_java_makeopts}
+
+	if multilib_is_native_abi; then
+		pushd ../debian/extra >/dev/null
+		emake CC="$(tc-getCC)" CFLAGS="${LDFLAGS} ${CFLAGS}"
+		popd >/dev/null
+	fi
+}
+
+multilib_src_test() {
+	emake test
+}
+
+multilib_src_install() {
+	emake \
+		DESTDIR="${D}" \
+		docdir="${EPREFIX}"/usr/share/doc/${PF} \
+		exampledir="${EPREFIX}"/usr/share/doc/${PF} \
+		install
+
+	if multilib_is_native_abi; then
+		pushd "${WORKDIR}"/debian/extra >/dev/null
+		emake \
+			DESTDIR="${D}" prefix="${EPREFIX}"/usr \
+			INSTALL="install -m755" INSTALLDIR="install -d -m755" \
+			install
+		popd >/dev/null
+
+		if use java; then
+			rm -rf "${ED}"/usr/classes
+			java-pkg_dojar java/turbojpeg.jar
+		fi
+	fi
+}
+
+multilib_src_install_all() {
+	prune_libtool_files
+
+	insinto /usr/share/doc/${PF}/html
+	doins -r "${S}"/doc/html/*
+	newdoc "${WORKDIR}"/debian/changelog changelog.debian
+	if use java; then
+		insinto /usr/share/doc/${PF}/html/java
+		doins -r "${S}"/java/doc/*
+		newdoc "${S}"/java/README README.java
+	fi
+}
author	Samuli Suominen <ssuominen@gentoo.org>	2013-12-14 15:33:35 +0000
committer	Samuli Suominen <ssuominen@gentoo.org>	2013-12-14 15:33:35 +0000
commit	6495aeaa029b5709e9daada4534719f1c4943464 (patch)
tree	34dd70778510c9b591f0716ddf33c4aa64d1b833 /media-libs/libjpeg-turbo
parent	Test fixes in live ebuild; proxied commit for Nikoli, fixes bug #494242. (diff)
download	historical-6495aeaa029b5709e9daada4534719f1c4943464.tar.gz historical-6495aeaa029b5709e9daada4534719f1c4943464.tar.bz2 historical-6495aeaa029b5709e9daada4534719f1c4943464.zip