From b854481c8fcbaab5f7a8d4c698ad673b3239da15 Mon Sep 17 00:00:00 2001
From: Tim Yamin
Date: Thu, 5 Aug 2004 10:02:19 +0000
Subject: Security bump for bug #59424.

---
 media-libs/libpng/ChangeLog | 8 +-
 media-libs/libpng/Manifest | 11 +-
 media-libs/libpng/files/digest-libpng-1.2.5-r8 | 1 +
 media-libs/libpng/files/libpng-1.2.5-security.diff | 269 +++++++++++++++++++++
 media-libs/libpng/libpng-1.2.5-r8.ebuild | 64 +++++
 5 files changed, 348 insertions(+), 5 deletions(-)
 create mode 100644 media-libs/libpng/files/digest-libpng-1.2.5-r8
 create mode 100644 media-libs/libpng/files/libpng-1.2.5-security.diff
 create mode 100644 media-libs/libpng/libpng-1.2.5-r8.ebuild

(limited to 'media-libs/libpng')

diff --git a/media-libs/libpng/ChangeLog b/media-libs/libpng/ChangeLog
index 9c5612e013ed..4a3274426771 100644
--- a/media-libs/libpng/ChangeLog
+++ b/media-libs/libpng/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for media-libs/libpng
 # Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/libpng/ChangeLog,v 1.42 2004/07/07 14:37:03 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-libs/libpng/ChangeLog,v 1.43 2004/08/05 10:02:19 plasmaroo Exp $
+
+*libpng-1.2.5-r8 (05 Aug 2004)
+
+ 05 Aug 2004; +libpng-1.2.5-r8.ebuild,
+ +files/libpng-1.2.5-security.diff:
+ Security bump for bug #59424.
 
 *libpng-1.2.5-r7 (07 Jul 2004)
 
diff --git a/media-libs/libpng/Manifest b/media-libs/libpng/Manifest
index 46de76c331fe..9f27f90be940 100644
--- a/media-libs/libpng/Manifest
+++ b/media-libs/libpng/Manifest
@@ -1,8 +1,11 @@
-MD5 e66ae1d0c3cd402badd8e16ae2f1e5e0 ChangeLog 7912
-MD5 d1beee5aaa5daf6100554a7afee08ed9 libpng-1.2.5-r7.ebuild 1813
+MD5 07e5f3118c5c8fce92cbdb2d284f23c2 ChangeLog 8080
 MD5 c3f6e4decd490e5d6e65ab197228ec66 libpng-1.0.15-r2.ebuild 1845
+MD5 bbc69af4c7bb4f0924abf23a6c977b21 libpng-1.2.5-r8.ebuild 1792
+MD5 d1beee5aaa5daf6100554a7afee08ed9 libpng-1.2.5-r7.ebuild 1813
 MD5 82c75412d0c6a4a86704a7a4545ee502 files/digest-libpng-1.2.5-r7 65
-MD5 7443cfcd027ad293e56ec7bed76ee21c files/macos.patch 589
+MD5 82c75412d0c6a4a86704a7a4545ee502 files/digest-libpng-1.2.5-r8 65
+MD5 0f74a3acf75488cf44f857e870379d0d files/digest-libpng-1.0.15-r2 66
 MD5 41148c3ecb7b1ff7b2e1e57f4663db1a files/libpng-1.0.15-gentoo.diff 2413
+MD5 d1cb64b64c0652863c89a3eb1f7c5f66 files/libpng-1.2.5-security.diff 10114
 MD5 b664d38f024a7b21f299727e4aa76d2e files/libpng-1.2.5-gentoo.diff 3470
-MD5 0f74a3acf75488cf44f857e870379d0d files/digest-libpng-1.0.15-r2 66
+MD5 7443cfcd027ad293e56ec7bed76ee21c files/macos.patch 589
diff --git a/media-libs/libpng/files/digest-libpng-1.2.5-r8 b/media-libs/libpng/files/digest-libpng-1.2.5-r8
new file mode 100644
index 000000000000..794c1d47d26f
--- /dev/null
+++ b/media-libs/libpng/files/digest-libpng-1.2.5-r8
@@ -0,0 +1 @@
+MD5 3fc28af730f12ace49b14568de4ad934 libpng-1.2.5.tar.bz2 378030
diff --git a/media-libs/libpng/files/libpng-1.2.5-security.diff b/media-libs/libpng/files/libpng-1.2.5-security.diff
new file mode 100644
index 000000000000..3cc329bc8cfa
--- /dev/null
+++ b/media-libs/libpng/files/libpng-1.2.5-security.diff
@@ -0,0 +1,269 @@
+diff -r -U 3 libpng-1.2.5/png.h libpng-1.2.5p/png.h
+--- libpng-1.2.5/png.h Thu Oct 3 06:32:26 2002
++++ libpng-1.2.5p/png.h Tue Aug 3 21:45:21 2004
+@@ -833,7 +833,11 @@
+ typedef png_info FAR * FAR * png_infopp;
+ 
+ /* Maximum positive integer used in PNG is (2^31)-1 */
+-#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL)
++#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL)
++#define PNG_UINT_32_MAX (~((png_uint_32)0))
++#define PNG_SIZE_MAX (~((png_size_t)0))
++/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */
++#define PNG_MAX_UINT PNG_UINT_31_MAX
+ 
+ /* These describe the color_type field in png_info. */
+ /* color type masks */
+@@ -2655,6 +2659,8 @@
+ PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf));
+ PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf));
+ #endif /* !PNG_READ_BIG_ENDIAN_SUPPORTED */
++PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr,
++ png_bytep buf));
+ 
+ /* Initialize png_ptr struct for reading, and allocate any other memory.
+ * (old interface - DEPRECATED - use png_create_read_struct instead).
+diff -r -U 3 libpng-1.2.5/pngconf.h libpng-1.2.5p/pngconf.h
+--- libpng-1.2.5/pngconf.h Thu Oct 3 06:32:27 2002
++++ libpng-1.2.5p/pngconf.h Tue Aug 3 21:45:29 2004
+@@ -663,6 +663,13 @@
+ #endif
+ #endif /* PNG_1_0_X */
+ 
++#ifndef PNG_USER_WIDTH_MAX
++# define PNG_USER_WIDTH_MAX 1000000L
++#endif
++#ifndef PNG_USER_HEIGHT_MAX
++# define PNG_USER_HEIGHT_MAX 1000000L
++#endif
++
+ /* These are currently experimental features, define them if you want */
+ 
+ /* very little testing */
+@@ -1280,6 +1287,7 @@
+ # define CVT_PTR(ptr) (png_far_to_near(png_ptr,ptr,CHECK))
+ # define CVT_PTR_NOCHECK(ptr) (png_far_to_near(png_ptr,ptr,NOCHECK))
+ # define png_strcpy _fstrcpy
++# define png_strncpy _fstrncpy /* Added to v 1.2.6 */
+ # define png_strlen _fstrlen
+ # define png_memcmp _fmemcmp /* SJT: added */
+ # define png_memcpy _fmemcpy
+@@ -1288,6 +1296,7 @@
+ # define CVT_PTR(ptr) (ptr)
+ # define CVT_PTR_NOCHECK(ptr) (ptr)
+ # define png_strcpy strcpy
++# define png_strncpy strncpy /* Added to v 1.2.6 */
+ # define png_strlen strlen
+ # define png_memcmp memcmp /* SJT: added */
+ # define png_memcpy memcpy
+diff -r -U 3 libpng-1.2.5/pngpread.c libpng-1.2.5p/pngpread.c
+--- libpng-1.2.5/pngpread.c Thu Oct 3 06:32:28 2002
++++ libpng-1.2.5p/pngpread.c Tue Aug 3 21:45:22 2004
+@@ -208,7 +208,7 @@
+ }
+ 
+ png_push_fill_buffer(png_ptr, chunk_length, 4);
+- png_ptr->push_length = png_get_uint_32(chunk_length);
++ png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length);
+ png_reset_crc(png_ptr);
+ png_crc_read(png_ptr, png_ptr->chunk_name, 4);
+ png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
+@@ -591,6 +591,11 @@
+ png_size_t new_max;
+ png_bytep old_buffer;
+ 
++ if (png_ptr->save_buffer_size > PNG_SIZE_MAX -
++ (png_ptr->current_buffer_size + 256))
++ {
++ png_error(png_ptr, "Potential overflow of save_buffer");
++ }
+ new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256;
+ old_buffer = png_ptr->save_buffer;
+ png_ptr->save_buffer = (png_bytep)png_malloc(png_ptr,
+@@ -637,8 +642,7 @@
+ }
+ 
+ png_push_fill_buffer(png_ptr, chunk_length, 4);
+- png_ptr->push_length = png_get_uint_32(chunk_length);
+-
++ png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length);
+ png_reset_crc(png_ptr);
+ png_crc_read(png_ptr, png_ptr->chunk_name, 4);
+ png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
+diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5p/pngread.c
+--- libpng-1.2.5/pngread.c Thu Oct 3 06:32:29 2002
++++ libpng-1.2.5p/pngread.c Tue Aug 3 21:45:22 2004
+@@ -384,7 +384,7 @@
+ png_uint_32 length;
+ 
+ png_read_data(png_ptr, chunk_length, 4);
+- length = png_get_uint_32(chunk_length);
++ length = png_get_uint_31(png_ptr,chunk_length);
+ 
+ png_reset_crc(png_ptr);
+ png_crc_read(png_ptr, png_ptr->chunk_name, 4);
+@@ -392,9 +392,6 @@
+ png_debug2(0, "Reading %s chunk, length=%lu.\n", png_ptr->chunk_name,
+ length);
+ 
+- if (length > PNG_MAX_UINT)
+- png_error(png_ptr, "Invalid chunk length.");
+-
+ /* This should be a binary subdivision search or a hash for
+ * matching the chunk name rather than a linear search.
+ */
+@@ -673,10 +670,7 @@
+ png_crc_finish(png_ptr, 0);
+ 
+ png_read_data(png_ptr, chunk_length, 4);
+- png_ptr->idat_size = png_get_uint_32(chunk_length);
+-
+- if (png_ptr->idat_size > PNG_MAX_UINT)
+- png_error(png_ptr, "Invalid chunk length.");
++ png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length);
+ 
+ png_reset_crc(png_ptr);
+ png_crc_read(png_ptr, png_ptr->chunk_name, 4);
+@@ -946,16 +940,13 @@
+ #endif /* PNG_GLOBAL_ARRAYS */
+ 
+ png_read_data(png_ptr, chunk_length, 4);
+- length = png_get_uint_32(chunk_length);
++ length = png_get_uint_31(png_ptr,chunk_length);
+ 
+ png_reset_crc(png_ptr);
+ png_crc_read(png_ptr, png_ptr->chunk_name, 4);
+ 
+ png_debug1(0, "Reading %s chunk.\n", png_ptr->chunk_name);
+ 
+- if (length > PNG_MAX_UINT)
+- png_error(png_ptr, "Invalid chunk length.");
+-
+ if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4))
+ png_handle_IHDR(png_ptr, info_ptr, length);
+ else if (!png_memcmp(png_ptr->chunk_name, png_IEND, 4))
+@@ -1298,6 +1289,9 @@
+ * PNG file before the first IDAT (image data chunk).
+ */
+ png_read_info(png_ptr, info_ptr);
++
++ if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep))
++ png_error(png_ptr,"Image is too high to process with png_read_png()");
+ 
+ /* -------------- image transformations start here ------------------- */
+ 
+diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5p/pngrutil.c
+--- libpng-1.2.5/pngrutil.c Thu Oct 3 06:32:30 2002
++++ libpng-1.2.5p/pngrutil.c Tue Aug 3 21:45:22 2004
+@@ -38,6 +38,14 @@
+ # endif
+ #endif
+ 
++png_uint_32 /* PRIVATE */
++png_get_uint_31(png_structp png_ptr, png_bytep buf)
++{
++ png_uint_32 i = png_get_uint_32(buf);
++ if (i > PNG_UINT_31_MAX)
++ png_error(png_ptr, "PNG unsigned integer out of range.\n");
++ return (i);
++}
+ #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED
+ /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
+ png_uint_32 /* PRIVATE */
+@@ -579,7 +587,7 @@
+ /* Should be an error, but we can cope with it */
+ png_warning(png_ptr, "Out of place gAMA chunk");
+ 
+- else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
++ if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
+ #if defined(PNG_READ_sRGB_SUPPORTED)
+ && !(info_ptr->valid & PNG_INFO_sRGB)
+ #endif
+@@ -660,7 +668,7 @@
+ /* Should be an error, but we can cope with it */
+ png_warning(png_ptr, "Out of place sBIT chunk");
+ }
+- else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
++ if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
+ {
+ png_warning(png_ptr, "Duplicate sBIT chunk");
+ png_crc_finish(png_ptr, length);
+@@ -729,7 +737,7 @@
+ /* Should be an error, but we can cope with it */
+ png_warning(png_ptr, "Missing PLTE before cHRM");
+ 
+- else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
++ if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
+ #if defined(PNG_READ_sRGB_SUPPORTED)
+ && !(info_ptr->valid & PNG_INFO_sRGB)
+ #endif
+@@ -891,7 +899,7 @@
+ /* Should be an error, but we can cope with it */
+ png_warning(png_ptr, "Out of place sRGB chunk");
+ 
+- else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
++ if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
+ {
+ png_warning(png_ptr, "Duplicate sRGB chunk");
+ png_crc_finish(png_ptr, length);
+@@ -977,8 +985,7 @@
+ png_bytep pC;
+ png_charp profile;
+ png_uint_32 skip = 0;
+- png_uint_32 profile_size = 0;
+- png_uint_32 profile_length = 0;
++ png_uint_32 profile_size, profile_length;
+ png_size_t slength, prefix_length, data_length;
+ 
+ png_debug(1, "in png_handle_iCCP\n");
+@@ -995,7 +1002,7 @@
+ /* Should be an error, but we can cope with it */
+ png_warning(png_ptr, "Out of place iCCP chunk");
+ 
+- else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
++ if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
+ {
+ png_warning(png_ptr, "Duplicate iCCP chunk");
+ png_crc_finish(png_ptr, length);
+@@ -1154,8 +1161,18 @@
+ }
+ 
+ new_palette.nentries = data_length / entry_size;
+- new_palette.entries = (png_sPLT_entryp)png_malloc(
++ if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry))
++ {
++ png_warning(png_ptr, "sPLT chunk too long");
++ return;
++ }
++ new_palette.entries = (png_sPLT_entryp)png_malloc_warn(
+ png_ptr, new_palette.nentries * sizeof(png_sPLT_entry));
++ if (new_palette.entries == NULL)
++ {
++ png_warning(png_ptr, "sPLT chunk requires too much memory");
++ return;
++ }
+ 
+ #ifndef PNG_NO_POINTER_INDEXING
+ for (i = 0; i < new_palette.nentries; i++)
+@@ -1241,7 +1258,8 @@
+ /* Should be an error, but we can cope with it */
+ png_warning(png_ptr, "Missing PLTE before tRNS");
+ }
+- else if (length > (png_uint_32)png_ptr->num_palette)
++ if (length > (png_uint_32)png_ptr->num_palette ||
++ length > PNG_MAX_PALETTE_LENGTH)
+ {
+ png_warning(png_ptr, "Incorrect tRNS chunk length");
+ png_crc_finish(png_ptr, length);
+diff -r -U 3 libpng-1.2.5/pngset.c libpng-1.2.5p/pngset.c
+--- libpng-1.2.5/pngset.c Thu Oct 3 06:32:30 2002
++++ libpng-1.2.5p/pngset.c Tue Aug 3 21:45:29 2004
+@@ -253,6 +253,8 @@
+ png_error(png_ptr, "Image width or height is zero in IHDR");
+ if (width > PNG_MAX_UINT || height > PNG_MAX_UINT)
+ png_error(png_ptr, "Invalid image size in IHDR");
++ if (width > PNG_USER_WIDTH_MAX || height > PNG_USER_HEIGHT_MAX)
++ png_error(png_ptr, "image size exceeds user limits in IHDR");
+ 
+ /* check other values */
+ if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
diff --git a/media-libs/libpng/libpng-1.2.5-r8.ebuild b/media-libs/libpng/libpng-1.2.5-r8.ebuild
new file mode 100644
index 000000000000..0b726de920c2
--- /dev/null
+++ b/media-libs/libpng/libpng-1.2.5-r8.ebuild
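Review bot: The new guard in the pngpread.c hunk at `@@ -591,6 +591,11 @@` can itself wrap, because `png_ptr->current_buffer_size + 256` is evaluated before it is subtracted from `PNG_SIZE_MAX`; a `current_buffer_size` within 256 of the maximum slips past the check and `new_max` still overflows. Testing each term separately closes that, e.g. `if (png_ptr->current_buffer_size > PNG_SIZE_MAX - 256 || png_ptr->save_buffer_size > PNG_SIZE_MAX - 256 - png_ptr->current_buffer_size)`. In the pngrutil.c hunk at `@@ -977,8 +985,7 @@` the `= 0` initialisers on `profile_size` and `profile_length` are dropped; the rest of `png_handle_iCCP` is outside the hunk, so it cannot be confirmed here that every path assigns them before use, and keeping the initialisers costs nothing. The two new `return;` paths in the sPLT hunk at `@@ -1154,8 +1161,18 @@` should also be checked against the part of the function that is not shown, in case a chunk buffer allocated earlier is still held at that point and needs to be released first.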
@@ -0,0 +1,64 @@
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-libs/libpng/libpng-1.2.5-r8.ebuild,v 1.1 2004/08/05 10:02:19 plasmaroo Exp $
+
+inherit flag-o-matic eutils gcc
+
+DESCRIPTION="Portable Network Graphics library"
+HOMEPAGE="http://www.libpng.org/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2"
+
+LICENSE="as-is"
+SLOT="1.2"
+KEYWORDS="x86"
+IUSE=""
+
+DEPEND="sys-libs/zlib"
+
+src_unpack() {
+ unpack ${A}
+ cd ${S}
+
+ epatch ${FILESDIR}/${P}-gentoo.diff
+ epatch ${FILESDIR}/${P}-security.diff
+ use macos && epatch ${FILESDIR}/macos.patch # implements strnlen
+
+ [ "`gcc-version`" == "3.2" ] && replace-cpu-flags i586 k6 k6-2 k6-3
+ [ "`gcc-version`" == "3.3" ] && replace-cpu-flags i586 k6 k6-2 k6-3
+
+ sed \
+ -e "s:ZLIBLIB=.*:ZLIBLIB=/usr/lib:" \
+ -e "s:ZLIBINC=.*:ZLIBINC=/usr/include:" \
+ -e "s:-O3:${CFLAGS}:" \
+ -e "s:prefix=/usr/local:prefix=/usr:" \
+ -e "s:OBJSDLL = :OBJSDLL = -lz -lm :" \
+ scripts/makefile.linux > Makefile
+
+ if use macos; then
+ einfo "Patching the source for Mac OS X / Darwin compatibility"
+ sed \
+ -e "s:ZLIBLIB=.*:ZLIBLIB=/usr/lib:" \
+ -e "s:ZLIBINC=.*:ZLIBINC=/usr/include:" \
+ -e "s:-O3:${CFLAGS}:" \
+ -e "s:prefix=/usr/local:prefix=/usr:" \
+ scripts/makefile.darwin > Makefile
+ fi
+}
+
+src_compile() {
+ emake CC="$(gcc-getCC)" CXX="$(gcc-getCXX)" || die "Make failed"
+}
+
+src_install() {
+ dodir /usr/{include,lib}
+ dodir /usr/share/man
+ einstall MANPATH=${D}/usr/share/man || die "Failed to install"
+
+ doman libpng.3 libpngpf.3 png.5
+ dodoc ANNOUNCE CHANGES KNOWNBUG README TODO Y2KINFO
+}
+
+pkg_postinst() {
+ # the libpng authors really screwed around between 1.2.1 and 1.2.3
+ [ -f ${ROOT}/usr/lib/libpng.so.3.1.2.1 ] && rm ${ROOT}/usr/lib/libpng.so.3.1.2.1
+}
-- cgit v1.2.3-65-gdbad
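Review bot: `cd ${S}` and both `sed … > Makefile` runs in `src_unpack` are unchecked and unquoted, so a failed `cd` runs the patch step from the wrong directory and a failed `sed` leaves a truncated Makefile behind; `cd "${S}" || die "cd failed"` and `|| die "sed failed"` after each redirect make the security revision fail loudly instead. `IUSE=""` is empty although `use macos` is tested twice, so the flag should be declared as `IUSE="macos"`. `KEYWORDS="x86"` delivers the fix to x86 only; the keywords of the earlier revisions are not visible here, but if other architectures carry r7 they stay on the unpatched build until this list is extended.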