* [gentoo-commits] repo/gentoo:master commit in: media-gfx/autotrace/, media-gfx/autotrace/files/
@ 2017-04-04 7:25 Agostino Sarubbo
From: Agostino Sarubbo @ 2017-04-04 7:25 UTC (permalink / raw
To: gentoo-commits
commit: 2fcc7c830301a4ae876393e6ca0e1f74b7deca9f
Author: Agostino Sarubbo <ago <AT> gentoo <DOT> org>
AuthorDate: Tue Apr 4 07:24:52 2017 +0000
Commit: Agostino Sarubbo <ago <AT> gentoo <DOT> org>
CommitDate: Tue Apr 4 07:24:52 2017 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2fcc7c83
media-gfx/autotrace: add a patch to fix CVE-2016-7392, wrt bug #613992
Package-Manager: Portage-2.3.3, Repoman-2.3.1
Signed-off-by: Agostino Sarubbo <ago <AT> gentoo.org>
media-gfx/autotrace/autotrace-0.31.1-r8.ebuild | 63 ++++++++++++++++++++++
.../files/autotrace-0.31.1-CVE-2016-7392.patch | 15 ++++++
2 files changed, 78 insertions(+)
diff --git a/media-gfx/autotrace/autotrace-0.31.1-r8.ebuild b/media-gfx/autotrace/autotrace-0.31.1-r8.ebuild
new file mode 100644
index 00000000000..685183f2c27
--- /dev/null
+++ b/media-gfx/autotrace/autotrace-0.31.1-r8.ebuild
@@ -0,0 +1,63 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+inherit autotools eutils
+
+_dpatch=15
+
+DESCRIPTION="A program for converting bitmaps to vector graphics"
+HOMEPAGE="http://packages.qa.debian.org/a/autotrace.html http://autotrace.sourceforge.net/"
+SRC_URI="mirror://debian/pool/main/a/${PN}/${PN}_${PV}.orig.tar.gz
+ mirror://debian/pool/main/a/${PN}/${PN}_${PV}-${_dpatch}.diff.gz"
+
+LICENSE="GPL-2 LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86 ~amd64-fbsd ~x86-fbsd"
+IUSE="+imagemagick static-libs"
+
+RDEPEND="media-libs/libexif:=
+ media-libs/libpng:0=
+ >=media-libs/ming-0.4.2:=
+ >=media-gfx/pstoedit-3.50:=
+ imagemagick? ( >=media-gfx/imagemagick-6.6.2.5 )"
+DEPEND="${RDEPEND}
+ virtual/pkgconfig"
+
+DOCS=( AUTHORS ChangeLog NEWS README )
+
+src_prepare() {
+ epatch "${WORKDIR}"/${PN}_${PV}-${_dpatch}.diff
+
+ epatch \
+ "${FILESDIR}"/${P}-{m4,libpng14,pkgconfig}.patch \
+ "${FILESDIR}"/${P}-swf-output.patch \
+ "${FILESDIR}"/${P}-GetOnePixel.patch \
+ "${FILESDIR}"/${P}-libpng-1.5.patch
+
+ # Fix building on PowerPC with Altivec
+ epatch "${FILESDIR}"/${P}-bool.patch
+
+ # Addresses bug #466078
+ epatch "${FILESDIR}"/${P}-CVE-2013-1953.patch
+
+ # bug #613992
+ epatch "${FILESDIR}"/${P}-CVE-2016-7392.patch
+
+ sed -i -e 's:AM_CONFIG_HEADER:AC_CONFIG_HEADERS:' configure.in || die #468496
+
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ $(use_enable static-libs static) \
+ $(use_with imagemagick magick) \
+ --with-ming \
+ --with-pstoedit
+}
+
+src_install() {
+ default
+ prune_libtool_files --all
+}
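Review bot: The comment above the last `epatch` call in `src_prepare` reads only `# bug #613992`, so the ebuild does not say which defect the patch closes unless the reader opens the bug tracker. I would write `# CVE-2016-7392: heap overflow in pstoedit_suffix_table_init (output-pstoedit.c), bug #613992`, which matches what the patch header links to. Every entry in KEYWORDS is `~arch`, so users on stable keywords presumably stay on an unpatched revision until this one is stabilised; whether an older revision remains in the tree is not visible from this hunk.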
diff --git a/media-gfx/autotrace/files/autotrace-0.31.1-CVE-2016-7392.patch b/media-gfx/autotrace/files/autotrace-0.31.1-CVE-2016-7392.patch
new file mode 100644
index 00000000000..e3bb0303cb8
--- /dev/null
+++ b/media-gfx/autotrace/files/autotrace-0.31.1-CVE-2016-7392.patch
@@ -0,0 +1,15 @@
+Patch from debian to fix CVE-2016-7392
+https://blogs.gentoo.org/ago/2016/09/10/autotrace-heap-based-buffer-overflow-in-pstoedit_suffix_table_init-output-pstoedit-c/
+
+--- a/output-pstoedit.c
++++ b/output-pstoedit.c
+@@ -84,7 +84,7 @@
+ dd_tmp = dd_start;
+ while (dd_tmp->symbolicname)
+ dd_tmp++;
+- XMALLOC(pstoedit_suffix_table, sizeof(char *) * 2 * (dd_tmp - dd_start) + 1);
++ XMALLOC(pstoedit_suffix_table, sizeof(char *) * (2 * (dd_tmp - dd_start) + 1));
+
+ #if defined (OUTPUT_PSTOEDIT_DEBUG) && defined(__GNUC__)
+ fprintf(stderr, "OUTPUT PSTOEDIT BACKEND DEBUG(%s)\n", __FUNCTION__);
+
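Review bot: The patch header says only "Patch from debian" and links a blog post, so the file records neither the root cause nor where the Debian patch came from. The removed expression `sizeof(char *) * 2 * (dd_tmp - dd_start) + 1` added one byte, not one pointer slot, after the 2*n entries; a header line such as `Allocate 2*n+1 pointer slots; the old size added a single byte instead of one slot.` plus a reference to the Debian patch would make that auditable. The size is still an unchecked multiplication, which is probably harmless because the count comes from the driver list walked just above. That, and how XMALLOC behaves on failure, cannot be confirmed here because the enclosing function starts and ends outside the hunk.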