[gentoo-commits] repo/gentoo:master commit in: media-libs/libextractor/, media-libs/libextractor/files/

public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed

From: "Andreas Sturmlechner" <asturm@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: media-libs/libextractor/, media-libs/libextractor/files/
Date: Sat, 29 Dec 2018 22:02:24 +0000 (UTC)	[thread overview]
Message-ID: <1546120921.10ca5198d87e67194880e4421dc4a3d348211008.asturm@gentoo> (raw)

commit:     10ca5198d87e67194880e4421dc4a3d348211008
Author:     Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
AuthorDate: Sat Dec 29 20:21:07 2018 +0000
Commit:     Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
CommitDate: Sat Dec 29 22:02:01 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=10ca5198

media-libs/libextractor: Fix CVE-2018-20430, CVE-2018-20431

Bug: https://bugs.gentoo.org/673742
Package-Manager: Portage-2.3.52, Repoman-2.3.12
Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org>

 .../files/libextractor-1.8-CVE-2018-20430.patch    |  49 +++++++++
 .../files/libextractor-1.8-CVE-2018-20431.patch    |  39 +++++++
 media-libs/libextractor/libextractor-1.8-r1.ebuild | 117 +++++++++++++++++++++
 3 files changed, 205 insertions(+)

diff --git a/media-libs/libextractor/files/libextractor-1.8-CVE-2018-20430.patch b/media-libs/libextractor/files/libextractor-1.8-CVE-2018-20430.patch
new file mode 100644
index 00000000000..d0b5968606b
--- /dev/null
+++ b/media-libs/libextractor/files/libextractor-1.8-CVE-2018-20430.patch
@@ -0,0 +1,49 @@
+From b405d707b36e0654900cba78e89f49779efea110 Mon Sep 17 00:00:00 2001
+From: Christian Grothoff <christian@grothoff.org>
+Date: Thu, 20 Dec 2018 22:47:53 +0100
+Subject: fix #5493 (out of bounds read)
+
+---
+ src/common/convert.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/common/convert.c b/src/common/convert.c
+index c0edf21..2be2108 100644
+--- a/src/common/convert.c
++++ b/src/common/convert.c
+@@ -36,8 +36,8 @@
+  *  string is returned.
+  */
+ char *
+-EXTRACTOR_common_convert_to_utf8 (const char *input, 
+-				  size_t len, 
++EXTRACTOR_common_convert_to_utf8 (const char *input,
++				  size_t len,
+ 				  const char *charset)
+ {
+ #if HAVE_ICONV
+@@ -52,7 +52,7 @@ EXTRACTOR_common_convert_to_utf8 (const char *input,
+   i = input;
+   cd = iconv_open ("UTF-8", charset);
+   if (cd == (iconv_t) - 1)
+-    return strdup (i);
++    return strndup (i, len);
+   if (len > 1024 * 1024)
+     {
+       iconv_close (cd);
+@@ -67,11 +67,11 @@ EXTRACTOR_common_convert_to_utf8 (const char *input,
+     }
+   itmp = tmp;
+   finSize = tmpSize;
+-  if (iconv (cd, (char **) &input, &len, &itmp, &finSize) == SIZE_MAX)
++  if (iconv (cd, (char **) &input, &len, &itmp, &finSize) == ((size_t) -1))
+     {
+       iconv_close (cd);
+       free (tmp);
+-      return strdup (i);
++      return strndup (i, len);
+     }
+   ret = malloc (tmpSize - finSize + 1);
+   if (ret == NULL)
+-- 
+cgit v1.1

diff --git a/media-libs/libextractor/files/libextractor-1.8-CVE-2018-20431.patch b/media-libs/libextractor/files/libextractor-1.8-CVE-2018-20431.patch
new file mode 100644
index 00000000000..2cd0448ba89
--- /dev/null
+++ b/media-libs/libextractor/files/libextractor-1.8-CVE-2018-20431.patch
@@ -0,0 +1,39 @@
+From 489c4a540bb2c4744471441425b8932b97a153e7 Mon Sep 17 00:00:00 2001
+From: Christian Grothoff <christian@grothoff.org>
+Date: Thu, 20 Dec 2018 23:02:28 +0100
+Subject: fix #5494
+
+---
+ ChangeLog                    | 3 ++-
+ src/plugins/ole2_extractor.c | 9 +++++++--
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/plugins/ole2_extractor.c b/src/plugins/ole2_extractor.c
+index 53fa1b9..a48b726 100644
+--- a/src/plugins/ole2_extractor.c
++++ b/src/plugins/ole2_extractor.c
+@@ -173,7 +173,7 @@ struct ProcContext
+   EXTRACTOR_MetaDataProcessor proc;
+ 
+   /**
+-   * Closure for 'proc'.
++   * Closure for @e proc.
+    */
+   void *proc_cls;
+ 
+@@ -213,7 +213,12 @@ process_metadata (gpointer key,
+ 
+   if (G_VALUE_TYPE(gval) == G_TYPE_STRING)
+     {
+-      contents = strdup (g_value_get_string (gval));
++      const char *gvals;
++
++      gvals = g_value_get_string (gval);
++      if (NULL == gvals)
++        return;
++      contents = strdup (gvals);
+     }
+   else
+     {
+-- 
+cgit v1.1

diff --git a/media-libs/libextractor/libextractor-1.8-r1.ebuild b/media-libs/libextractor/libextractor-1.8-r1.ebuild
new file mode 100644
index 00000000000..45171230791
--- /dev/null
+++ b/media-libs/libextractor/libextractor-1.8-r1.ebuild
@@ -0,0 +1,117 @@
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+DESCRIPTION="Library to extract metadata from files of arbitrary type"
+HOMEPAGE="https://www.gnu.org/software/libextractor/"
+SRC_URI="mirror://gnu/${PN}/${P}.tar.gz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86"
+IUSE="apparmor +archive +bzip2 ffmpeg flac gif gsf gstreamer gtk jpeg +magic midi mp4 mpeg tidy tiff vorbis +zlib" # test
+
+RESTRICT="test"
+
+DEPEND="
+	app-text/iso-codes
+	dev-libs/glib:2
+	<media-gfx/exiv2-0.27:=
+	sys-devel/libtool
+	virtual/libiconv
+	virtual/libintl
+	apparmor? ( sys-libs/libapparmor )
+	archive? ( app-arch/libarchive:= )
+	bzip2? ( app-arch/bzip2 )
+	ffmpeg? ( virtual/ffmpeg )
+	flac? (
+		media-libs/flac
+		media-libs/libogg
+	)
+	gif? ( media-libs/giflib:= )
+	gsf? ( gnome-extra/libgsf:= )
+	gstreamer? (
+		media-libs/gstreamer:1.0
+		media-libs/gst-plugins-base:1.0
+	)
+	gtk? ( x11-libs/gtk+:3 )
+	jpeg? ( virtual/jpeg:0 )
+	magic? ( sys-apps/file )
+	midi? ( media-libs/libsmf )
+	mp4? ( media-libs/libmp4v2:0 )
+	mpeg? ( media-libs/libmpeg2 )
+	tidy? ( app-text/tidy-html5 )
+	tiff? ( media-libs/tiff:0 )
+	vorbis? (
+		media-libs/libogg
+		media-libs/libvorbis
+	)
+	zlib? ( sys-libs/zlib )
+"
+BDEPEND="
+	sys-devel/gettext
+	virtual/pkgconfig
+"
+# test? ( app-forensics/zzuf )
+RDEPEND="${DEPEND}
+	!sci-biology/glimmer
+"
+
+PATCHES=( "${FILESDIR}"/${P}-CVE-2018-2043{0,1}.patch )
+
+src_prepare() {
+	default
+
+	# m4/ax_create_pkgconfig_info.m4 is passing environment LDFLAGS to Libs:
+	sed -i \
+		-e '/^ax_create_pkgconfig_ldflags=/s:$LDFLAGS ::' \
+		-e 's:tidy/tidy.h:tidy.h:' \
+		-e 's:tidy/tidybuffio.h:buffio.h:' \
+		configure src/plugins/html_extractor.c || die
+
+	if ! use tidy; then
+		sed -i -e 's:tidy.h:dIsAbLe&:' configure || die
+	fi
+}
+
+src_configure() {
+	e_ac_cv() {
+		export ac_cv_"$@"
+	}
+
+	e_ac_cv {lib_rpm_rpmReadPackageFile,prog_HAVE_ZZUF}=no
+
+	e_ac_cv header_FLAC_all_h=$(usex flac)
+	e_ac_cv lib_FLAC_FLAC__stream_decoder_init_stream=$(usex flac)
+	e_ac_cv lib_FLAC_FLAC__stream_decoder_init_ogg_stream=$(usex flac)
+
+	e_ac_cv header_sys_apparmor_h=$(usex apparmor)
+	e_ac_cv header_archive_h=$(usex archive)
+	e_ac_cv header_bzlib_h=$(usex bzip2)
+	e_ac_cv header_gif_lib_h=$(usex gif)
+	e_ac_cv header_jpeglib_h=$(usex jpeg)
+	e_ac_cv header_magic_h=$(usex magic)
+	e_ac_cv header_mpeg2dec_mpeg2_h=$(usex mpeg)
+	e_ac_cv header_tiffio_h=$(usex tiff)
+	e_ac_cv header_vorbis_vorbisfile_h=$(usex vorbis)
+	e_ac_cv header_zlib_h=$(usex zlib)
+	e_ac_cv lib_mp4v2_MP4ReadProvider=$(usex mp4)
+	e_ac_cv lib_smf_smf_load_from_memory=$(usex midi)
+
+	local myeconfargs=(
+		--disable-static
+		--enable-experimental
+		--enable-glib
+		--disable-gsf-gnome
+		$(use_enable ffmpeg)
+		$(use_enable gsf)
+		$(use_with gstreamer)
+	)
+	econf "${myeconfargs[@]}"
+}
+
+src_install() {
+	default
+	find "${ED}" -name '*.la' -delete || die
+}

next             reply	other threads:[~2018-12-29 22:02 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-12-29 22:02 Andreas Sturmlechner [this message]
  -- strict thread matches above, loose matches on Subject: below --
2018-12-29 23:52 [gentoo-commits] repo/gentoo:master commit in: media-libs/libextractor/, media-libs/libextractor/files/ Andreas Sturmlechner
2018-11-09 18:54 Andreas Sturmlechner
2018-10-21 12:20 Pacho Ramos
2018-10-20 20:46 Pacho Ramos
2018-09-16 11:42 Andreas Sturmlechner

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:d0b5968606 dfblob:2cd0448ba8 dfblob:4517123079 )
 OR (
bs:"[gentoo-commits] repo/gentoo:master commit in: media-libs/libextractor/, media-libs/libextractor/files/" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1546120921.10ca5198d87e67194880e4421dc4a3d348211008.asturm@gentoo \
    --to=asturm@gentoo.org \
    --cc=gentoo-commits@lists.gentoo.org \
    --cc=gentoo-dev@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox