diff options
author | rhatto <rhatto@18ef50b8-d735-4ccd-97c1-689132df3dd9> | 2009-01-13 14:34:52 +0000 |
---|---|---|
committer | rhatto <rhatto@18ef50b8-d735-4ccd-97c1-689132df3dd9> | 2009-01-13 14:34:52 +0000 |
commit | b67d2844ae6ce5b2407866d3eef4e272c5947de1 (patch) | |
tree | f27c9418527ca8fbcdad8bd2e7817a1a001fca7e /media/gfx/jhead | |
parent | 92ca76634ba31cf3b7c93934b519e6447028ba61 (diff) | |
download | mkbuilds-b67d2844ae6ce5b2407866d3eef4e272c5947de1.tar.gz mkbuilds-b67d2844ae6ce5b2407866d3eef4e272c5947de1.tar.bz2 |
jhead: adding patch to fix GLSA 200901-02
git-svn-id: svn+slack://slack.fluxo.info/var/svn/mkbuilds@359 18ef50b8-d735-4ccd-97c1-689132df3dd9
Diffstat (limited to 'media/gfx/jhead')
-rw-r--r-- | media/gfx/jhead/Manifest | 5 | ||||
-rw-r--r-- | media/gfx/jhead/jhead-2.84.diff | 122 | ||||
-rw-r--r-- | media/gfx/jhead/jhead.mkbuild | 2 |
3 files changed, 126 insertions, 3 deletions
diff --git a/media/gfx/jhead/Manifest b/media/gfx/jhead/Manifest index a002276..eef1fd4 100644 --- a/media/gfx/jhead/Manifest +++ b/media/gfx/jhead/Manifest @@ -1,3 +1,4 @@ DIST jhead-2.84.tar.gz 64159 MD5 3e009f8e8a6a077d4a966d14b8797038 SHA1 63251c63a7d88e4f7b00f287ebc7b1095c2422f6 SHA256 c4811e7672703e09831bc931eac129a003a5949c43298ad8c6bba10e04797294 SHA512 11110fcc32a1463dda55bf4efa6f24122660312352e7cff3c78613cdd0f9d1651eee4dd06ea9569f79a9eb9a023a76bc7387ab80e0ec20546e50f4e63667b728 RMD160 018b75450d7a1e1c2018fd05b2c3c25f70cd8669 -MKBUILD jhead.mkbuild 2850 MD5 ec35eddec7605c6364eed96b1eba7ed9 SHA1 9f6bf28489b8aa101d58d513cfd0404ef2f3140d SHA256 70615d0bdbbee15f35808e0fccd4bc2f01a4f8e644ab8b015aa4012e7452190c SHA512 9d2f90f9bbabe3986dbc2f4d4e46f164c7a21ed2fb1da8adb4c773db71b4a1581864fe0cfb41a7ca44ac068719fa201b57feedab9a688db83d60e69fbdb4c8a6 RMD160 28116d69d734da5973b38c6d53d6a53801088d1b -SLACKBUILD jhead.SlackBuild 6322 MD5 ee0e06362f301c5dafdfe4aff779b684 SHA1 fa8430525ab4f1feef7f7333c609e5d287702b65 SHA256 254d674c994ac9b72ececad63a7b2a955533ed359f332797db89a588ddbbceb8 SHA512 44fbdab621e65c7569be0e3a8134c845acf46e09c00af9ce09f0dec7fe9216343f699b1266526a939e0ed1c5832687830add211c788064a87f9f3346ca18c619 RMD160 ccd8463f0360af1f878e916fdf4dce847aec4666 +MKBUILD jhead.mkbuild 2850 MD5 330ae5992ddf62ce30c2dd525e550365 RMD160 ad3a9d82b58398aa133ab35a4bb5a981ad892d35 SHA1 d24735fc18f8660f541ee5538fa25e76a2b303cf SHA256 1018a09afbf5f132eb9a787e3346d0a2e5d2eb7e219cef451dc063f80d8357be SHA512 a572e2636035e8d4eff15fdc38439f00aa15c6b5d22749716728cc69885b2b2eee43bbb88fae39f30c15825dfb2aff18ecb7c128243f05ffcf2164d451dc26ff +PATCH jhead-2.84.diff 4346 MD5 4d59c419285eb61c6d399c99c9d56bad RMD160 3312ba98eb1743d059cc96ced9ef58df8ecbfe38 SHA1 bf70d638464cf8df84c715e0933f708cc066b804 SHA256 dd7a611a9ac66687d7386e880d8319b9cc4a7175e3f5fec961b596ffc137d458 SHA512 6465eed64f02581926bc87d132cd5eedeebfc043add6f8f25b18c2d954d8c6a34f541fbea246f121f0be84a5d0217f00a7ff015c15fffa9bbff914e74ad232cd +SLACKBUILD jhead.SlackBuild 7302 MD5 5fdaab5eca79a52cf9c9fbd2abc1bd9e RMD160 5a965b5e8ce77cee97c8da91b48e819c156b43ef SHA1 245838a86dce04f003c1192f22148942a7aeb7aa SHA256 3497f4174a90eab11a06937c25f40f281269c6d7d6d6eae60c11a94f8857418c SHA512 70d868b2aa29e20778d2789e15821475671777f0ec0397034a7e481e8ea5727b31887df6ea0115ff8008b42c32c19b4dabe4318cd8a9ede19f0358a22c9e5610 diff --git a/media/gfx/jhead/jhead-2.84.diff b/media/gfx/jhead/jhead-2.84.diff new file mode 100644 index 0000000..4ed8ff5 --- /dev/null +++ b/media/gfx/jhead/jhead-2.84.diff @@ -0,0 +1,122 @@ +this patch fixes gentoo bug #243238 (CVE-2008-{4640,4641}) + +diff -ru jhead-2.84.orig/jhead.c jhead-2.84/jhead.c +--- jhead-2.84.orig/jhead.c 2008-10-04 18:10:35.000000000 +0200 ++++ jhead-2.84/jhead.c 2008-11-28 18:51:52.000000000 +0100 +@@ -295,44 +295,88 @@ + + + //-------------------------------------------------------------------------- ++// Escape an argument such that it is interpreted literally by the shell ++// (returns the number of written characters) ++//-------------------------------------------------------------------------- ++static int shellescape(char* to, const char* from) ++{ ++ int i, j; ++ i = j = 0; ++ ++ // Enclosing characters in double quotes preserves the literal value of ++ // all characters within the quotes, with the exception of $, `, and \. ++ to[j++] = '"'; ++ while(from[i]) ++ { ++#ifdef _WIN32 ++ // Under WIN32, there isn't really anything dangerous you can do with ++ // escape characters, plus windows users aren't as sercurity paranoid. ++ // Hence, no need to do fancy escaping. ++ to[j++] = from[i++]; ++#else ++ switch(from[i]) { ++ case '"': ++ case '$': ++ case '`': ++ case '\\': ++ to[j++] = '\\'; ++ default: ++ to[j++] = from[i++]; ++ } ++#endif ++ if (j >= PATH_MAX) ErrFatal("max path exceeded"); ++ } ++ to[j++] = '"'; ++ return j; ++} ++ ++ ++//-------------------------------------------------------------------------- + // Apply the specified command to the JPEG file. + //-------------------------------------------------------------------------- + static void DoCommand(const char * FileName, int ShowIt) + { + int a,e; +- char ExecString[PATH_MAX*2]; +- char TempName[PATH_MAX+1]; ++ char ExecString[PATH_MAX*3]; ++ char TempName[PATH_MAX+10]; + int TempUsed = FALSE; + + e = 0; + +- // Make a temporary file in the destination directory by changing last char. +- strcpy(TempName, FileName); +- a = strlen(TempName)-1; +- TempName[a] = (char)(TempName[a] == 't' ? 'z' : 't'); ++ // Generate an unused temporary file name in the destination directory ++ // (a is the number of characters to copy from FileName) ++ a = strlen(FileName)-1; ++ while(a > 0 && FileName[a-1] != '/') a--; ++ memcpy(TempName, FileName, a); ++ strcpy(TempName+a, "XXXXXX"); ++ mkstemp(TempName); ++ if(!TempName[0]) { ++ ErrFatal("Cannot find available temporary file name"); ++ } ++ ++ + + // Build the exec string. &i and &o in the exec string get replaced by input and output files. + for (a=0;;a++){ + if (ApplyCommand[a] == '&'){ + if (ApplyCommand[a+1] == 'i'){ + // Input file. +- e += sprintf(ExecString+e, "\"%s\"",FileName); ++ e += shellescape(ExecString+e, FileName); + a += 1; + continue; + } + if (ApplyCommand[a+1] == 'o'){ + // Needs an output file distinct from the input file. +- e += sprintf(ExecString+e, "\"%s\"",TempName); ++ e += shellescape(ExecString+e, TempName); + a += 1; + TempUsed = TRUE; +- unlink(TempName);// Remove any pre-existing temp file + continue; + } + } + ExecString[e++] = ApplyCommand[a]; + if (ApplyCommand[a] == 0) break; + } +- ++ShowIt = 1; + if (ShowIt) printf("Cmd:%s\n",ExecString); + + errno = 0; +@@ -638,7 +682,7 @@ + ErrFatal("Orientation screwup"); + } + +- sprintf(RotateCommand, "jpegtran -%s -outfile &o &i", Argument); ++ sprintf(RotateCommand, "jpegtran -trim -%s -outfile &o &i", Argument); + ApplyCommand = RotateCommand; + DoCommand(FileName, FALSE); + ApplyCommand = NULL; +@@ -657,7 +701,7 @@ + strcpy(ThumbTempName_out, FileName); + strcat(ThumbTempName_out, ".tho"); + SaveThumbnail(ThumbTempName_in); +- sprintf(RotateCommand,"jpegtran -%s -outfile \"%s\" \"%s\"", ++ sprintf(RotateCommand,"jpegtran -trim -%s -outfile \"%s\" \"%s\"", + Argument, ThumbTempName_out, ThumbTempName_in); + + if (system(RotateCommand) == 0){ diff --git a/media/gfx/jhead/jhead.mkbuild b/media/gfx/jhead/jhead.mkbuild index 153ab57..d8cf43b 100644 --- a/media/gfx/jhead/jhead.mkbuild +++ b/media/gfx/jhead/jhead.mkbuild @@ -64,7 +64,7 @@ off: md5sum_download_and_check_1 off: gpg_signature_check on: manifest_check on: untar_source -off: patch_source + on: patch_source off: configure on: make_package on: install_package |