OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /v/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src Date: 20-Dec-2007 10:18:10
Branch: HEAD Handle: 2007122009180900
Modified files:
openpkg-src/perl-tk perl-tk.patch perl-tk.spec
Log:
modifying package: perl-tk-5.10.0 20071219 -> 20071220
Summary:
Revision Changes Path
1.6 +19 -818 openpkg-src/perl-tk/perl-tk.patch
1.101 +2 -2 openpkg-src/perl-tk/perl-tk.spec
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/perl-tk/perl-tk.patch
============================================================================
$ cvs diff -u -r1.5 -r1.6 perl-tk.patch
--- openpkg-src/perl-tk/perl-tk.patch 4 Aug 2004 14:01:54 -0000 1.5
+++ openpkg-src/perl-tk/perl-tk.patch 20 Dec 2007 09:18:09 -0000 1.6
@@ -1,6 +1,23 @@
+Index: Tk-804.028/PNG/libpng/pngconf.h
+--- Tk-804.028/PNG/libpng/pngconf.h.orig 2007-05-05 20:38:41 +0200
++++ Tk-804.028/PNG/libpng/pngconf.h 2007-12-20 09:49:47 +0100
+@@ -310,13 +310,6 @@
+ # define PNG_SAVE_BSD_SOURCE
+ # undef _BSD_SOURCE
+ # endif
+-# ifdef _SETJMP_H
+- /* If you encounter a compiler error here, see the explanation
+- * near the end of INSTALL.
+- */
+- __png.h__ already includes setjmp.h;
+- __dont__ include it again.;
+-# endif
+ # endif /* __linux__ */
+
+ /* include setjmp.h for error handling */
Index: Tk-PNG-2.005/libpng/pngconf.h
---- Tk-PNG-2.005/libpng/pngconf.h.orig 2004-07-01 13:18:23 +0200
-+++ Tk-PNG-2.005/libpng/pngconf.h 2004-07-01 13:30:50 +0200
+--- Tk-PNG-2.005/libpng/pngconf.h.orig 2000-04-21 20:57:31 +0200
++++ Tk-PNG-2.005/libpng/pngconf.h 2007-12-20 09:48:54 +0100
@@ -119,10 +119,6 @@
#define _PNG_SAVE_BSD_SOURCE
#undef _BSD_SOURCE
@@ -12,819 +29,3 @@
#endif /* __linux__ */
/* include setjmp.h for error handling */
-Index: Tk-PNG-2.005/libpng/pngerror.c
---- Tk-PNG-2.005/libpng/pngerror.c.orig 2004-07-01 13:18:23 +0200
-+++ Tk-PNG-2.005/libpng/pngerror.c 2004-07-01 13:34:07 +0200
-@@ -82,10 +82,13 @@
- if (message == NULL)
- buffer[iout] = 0;
- else {
-+ png_size_t len;
-+ if ((len = png_strlen(error_message)) > 63)
-+ len = 63;
- buffer[iout++] = ':';
- buffer[iout++] = ' ';
-- png_memcpy(buffer+iout, message, 64);
-- buffer[iout+63] = 0;
-+ png_memcpy(buffer+iout, error_message, len);
-+ buffer[iout+len] = 0;
- }
- }
-
-Index: Tk-PNG-2.005/libpng/pngrtran.c
---- Tk-PNG-2.005/libpng/pngrtran.c.orig 2000-04-21 20:57:35 +0200
-+++ Tk-PNG-2.005/libpng/pngrtran.c 2004-07-01 13:18:23 +0200
-@@ -1783,8 +1783,8 @@
- /* This changes the data from GG to GGXX */
- if (flags & PNG_FLAG_FILLER_AFTER)
- {
-- png_bytep sp = row + (png_size_t)row_width;
-- png_bytep dp = sp + (png_size_t)row_width;
-+ png_bytep sp = row + (png_size_t)row_width * 2;
-+ png_bytep dp = sp + (png_size_t)row_width * 2;
- for (i = 1; i < row_width; i++)
- {
- *(--dp) = hi_filler;
-@@ -1801,8 +1801,8 @@
- /* This changes the data from GG to XXGG */
- else
- {
-- png_bytep sp = row + (png_size_t)row_width;
-- png_bytep dp = sp + (png_size_t)row_width;
-+ png_bytep sp = row + (png_size_t)row_width * 2;
-+ png_bytep dp = sp + (png_size_t)row_width * 2;
- for (i = 0; i < row_width; i++)
- {
- *(--dp) = *(--sp);
-@@ -1859,8 +1859,8 @@
- /* This changes the data from RRGGBB to RRGGBBXX */
- if (flags & PNG_FLAG_FILLER_AFTER)
- {
-- png_bytep sp = row + (png_size_t)row_width * 3;
-- png_bytep dp = sp + (png_size_t)row_width;
-+ png_bytep sp = row + (png_size_t)row_width * 6;
-+ png_bytep dp = sp + (png_size_t)row_width * 2;
- for (i = 1; i < row_width; i++)
- {
- *(--dp) = hi_filler;
-@@ -1881,8 +1881,8 @@
- /* This changes the data from RRGGBB to XXRRGGBB */
- else
- {
-- png_bytep sp = row + (png_size_t)row_width * 3;
-- png_bytep dp = sp + (png_size_t)row_width;
-+ png_bytep sp = row + (png_size_t)row_width * 6;
-+ png_bytep dp = sp + (png_size_t)row_width * 2;
- for (i = 0; i < row_width; i++)
- {
- *(--dp) = *(--sp);
-Index: Tk-804.027/PNG/libpng/pngconf.h
---- Tk-804.027/PNG/libpng/pngconf.h.orig 2003-11-29 12:39:30 +0100
-+++ Tk-804.027/PNG/libpng/pngconf.h 2004-07-01 13:36:23 +0200
-@@ -251,10 +251,6 @@
- # define PNG_SAVE_BSD_SOURCE
- # undef _BSD_SOURCE
- # endif
--# ifdef _SETJMP_H
-- __png.h__ already includes setjmp.h;
-- __dont__ include it again.;
--# endif
- # endif /* __linux__ */
-
- /* include setjmp.h for error handling */
-Index: Tk-804.027/PNG/libpng/pngerror.c
---- Tk-804.027/PNG/libpng/pngerror.c.orig 2003-11-29 12:39:30 +0100
-+++ Tk-804.027/PNG/libpng/pngerror.c 2004-07-01 13:36:23 +0200
-@@ -135,10 +135,13 @@
- buffer[iout] = 0;
- else
- {
-+ png_size_t len;
-+ if ((len = png_strlen(error_message)) > 63)
-+ len = 63;
- buffer[iout++] = ':';
- buffer[iout++] = ' ';
-- png_memcpy(buffer+iout, error_message, 64);
-- buffer[iout+63] = 0;
-+ png_memcpy(buffer+iout, error_message, len);
-+ buffer[iout+len] = 0;
- }
- }
-
-Index: Tk-804.027/PNG/libpng/pngrtran.c
---- Tk-804.027/PNG/libpng/pngrtran.c.orig 2003-11-29 12:39:31 +0100
-+++ Tk-804.027/PNG/libpng/pngrtran.c 2004-07-01 13:36:23 +0200
-@@ -1889,8 +1889,8 @@
- /* This changes the data from GG to GGXX */
- if (flags & PNG_FLAG_FILLER_AFTER)
- {
-- png_bytep sp = row + (png_size_t)row_width;
-- png_bytep dp = sp + (png_size_t)row_width;
-+ png_bytep sp = row + (png_size_t)row_width * 2;
-+ png_bytep dp = sp + (png_size_t)row_width * 2;
- for (i = 1; i < row_width; i++)
- {
- *(--dp) = hi_filler;
-@@ -1907,8 +1907,8 @@
- /* This changes the data from GG to XXGG */
- else
- {
-- png_bytep sp = row + (png_size_t)row_width;
-- png_bytep dp = sp + (png_size_t)row_width;
-+ png_bytep sp = row + (png_size_t)row_width * 2;
-+ png_bytep dp = sp + (png_size_t)row_width * 2;
- for (i = 0; i < row_width; i++)
- {
- *(--dp) = *(--sp);
-@@ -1965,8 +1965,8 @@
- /* This changes the data from RRGGBB to RRGGBBXX */
- if (flags & PNG_FLAG_FILLER_AFTER)
- {
-- png_bytep sp = row + (png_size_t)row_width * 3;
-- png_bytep dp = sp + (png_size_t)row_width;
-+ png_bytep sp = row + (png_size_t)row_width * 6;
-+ png_bytep dp = sp + (png_size_t)row_width * 2;
- for (i = 1; i < row_width; i++)
- {
- *(--dp) = hi_filler;
-@@ -1987,8 +1987,8 @@
- /* This changes the data from RRGGBB to XXRRGGBB */
- else
- {
-- png_bytep sp = row + (png_size_t)row_width * 3;
-- png_bytep dp = sp + (png_size_t)row_width;
-+ png_bytep sp = row + (png_size_t)row_width * 6;
-+ png_bytep dp = sp + (png_size_t)row_width * 2;
- for (i = 0; i < row_width; i++)
- {
- *(--dp) = *(--sp);
-
-http://www.graphicsmagick.org/libpng/beta/patches/INFO.txt
-
-> [Problems discovered and fixed by] Chris Evans
->
-> 1) Remotely exploitable stack-based buffer overrun in png_handle_tRNS
(pngrutil.c)
-> 2) Dangerous code in png_handle_sBIT (pngrutil.c)
-CAN-2004-0597
-
-> 3) Possible NULL-pointer crash in png_handle_iCCP (pngrutil.c)
-> this flaw is duplicated in multiple other locations.
-CAN-2004-0598
-
-> 4) Theoretical integer overflow in allocation in png_handle_sPLT
(pngrutil.c)
-> 5) Integer overflow in png_read_png (pngread.c)
-> 6) Integer overflows during progressive reading.
-> 7) Other flaws. [integer overflows]
-CAN-2004-0599
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch03a-trns-chunk-overflow.txt
- Use to patch libpng-0.89 through 1.0.5. Does not work with libpng-0.88
and earlier.
- This fixes the most dangerous of the newly reported vulnerabilities
-
-diff -r -U 3 libpng-1.0.5/pngrutil.c libpng-1.0.5patch03a/pngrutil.c
---- Tk-PNG-2.005/libpng/pngrutil.c.orig Thu Oct 14 07:43:08 1999
-+++ Tk-PNG-2.005/libpng/pngrutil.c Fri Jul 23 22:41:02 2004
-@@ -754,7 +754,8 @@
- /* Should be an error, but we can cope with it */
- png_warning(png_ptr, "Missing PLTE before tRNS");
- }
-- else if (length > png_ptr->num_palette)
-+ if (length > (png_uint_32)png_ptr->num_palette ||
-+ length > 256)
- {
- png_warning(png_ptr, "Incorrect tRNS chunk length");
- png_crc_finish(png_ptr, length);
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch04a-get-uint-31.txt
- Use to patch libpng-1.0.5
- This patch defines PNG_UINT_31_MAX, PNG_UINT_32_MAX, PNG_SIZE_MAX,
- and png_get_uint_31(), which are needed by patches 05-08.
-
-diff -r -U 3 libpng-1.0.5/png.h libpng-1.0.5patch04a/png.h
---- Tk-PNG-2.005/libpng/png.h.orig Thu Oct 14 07:43:08 1999
-+++ Tk-PNG-2.005/libpng/png.h Fri Jul 23 22:02:58 2004
-@@ -510,7 +510,11 @@
- typedef png_info FAR * FAR * png_infopp;
-
- /* Maximum positive integer used in PNG is (2^31)-1 */
--#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL)
-+#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL)
-+#define PNG_UINT_32_MAX (~((png_uint_32)0))
-+#define PNG_SIZE_MAX (~((png_size_t)0))
-+/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */
-+#define PNG_MAX_UINT PNG_UINT_31_MAX
-
- /* These describe the color_type field in png_info. */
- /* color type masks */
-@@ -1839,6 +1843,8 @@
- PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf));
- PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf));
- #endif /* PNG_READ_BIG_ENDIAN_SUPPORTED */
-+PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr,
-+ png_bytep buf));
-
- /* Initialize png_ptr struct for reading, and allocate any other memory.
- * (old interface - NOT DLL EXPORTED).
-
-diff -r -U 3 libpng-1.0.5/pngrutil.c libpng-1.0.5patch04a/pngrutil.c
---- Tk-PNG-2.005/libpng/pngrutil.c.orig Thu Oct 14 07:43:08 1999
-+++ Tk-PNG-2.005/libpng/pngrutil.c Fri Jul 23 22:02:59 2004
-@@ -18,6 +18,14 @@
- #include "pngasmrd.h"
- #endif
-
-+png_uint_32 /* PRIVATE */
-+png_get_uint_31(png_structp png_ptr, png_bytep buf)
-+{
-+ png_uint_32 i = png_get_uint_32(buf);
-+ if (i > PNG_UINT_31_MAX)
-+ png_error(png_ptr, "PNG unsigned integer out of range.\n");
-+ return (i);
-+}
- #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED
- /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
- png_uint_32
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch05-pngpread-chunklength.txt
- Use to patch libpng-1.0.0 through 1.2.5
- Requires one of libpng-patch04*
-
-diff -r -U 3 libpng-1.2.5/pngpread.c libpng-1.2.5patch05/pngpread.c
---- Tk-PNG-2.005/libpng/pngpread.c.orig Thu Oct 3 06:32:28 2002
-+++ Tk-PNG-2.005/libpng/pngpread.c Fri Jul 23 18:57:39 2004
-@@ -208,7 +208,7 @@
- }
-
- png_push_fill_buffer(png_ptr, chunk_length, 4);
-- png_ptr->push_length = png_get_uint_32(chunk_length);
-+ png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length);
- png_reset_crc(png_ptr);
- png_crc_read(png_ptr, png_ptr->chunk_name, 4);
- png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
-@@ -591,6 +591,11 @@
- png_size_t new_max;
- png_bytep old_buffer;
-
-+ if (png_ptr->save_buffer_size > PNG_SIZE_MAX -
-+ (png_ptr->current_buffer_size + 256))
-+ {
-+ png_error(png_ptr, "Potential overflow of save_buffer");
-+ }
- new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size +
256;
- old_buffer = png_ptr->save_buffer;
- png_ptr->save_buffer = (png_bytep)png_malloc(png_ptr,
-@@ -637,8 +642,7 @@
- }
-
- png_push_fill_buffer(png_ptr, chunk_length, 4);
-- png_ptr->push_length = png_get_uint_32(chunk_length);
--
-+ png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length);
- png_reset_crc(png_ptr);
- png_crc_read(png_ptr, png_ptr->chunk_name, 4);
- png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch06a-pngread-chunklength.txt
- Use to patch libpng-1.0.0 through 1.0.12, 1.2.0, and 1.2.1.
- Requires libpng-patch04-*
-
-diff -r -U 3 libpng-1.2.1/pngread.c libpng-1.2.1patch06a/pngread.c
---- Tk-PNG-2.005/libpng/pngread.c.orig Wed Dec 12 17:37:21 2001
-+++ Tk-PNG-2.005/libpng/pngread.c Fri Jul 23 20:15:23 2004
-@@ -365,7 +365,7 @@
- png_uint_32 length;
-
- png_read_data(png_ptr, chunk_length, 4);
-- length = png_get_uint_32(chunk_length);
-+ length = png_get_uint_31(png_ptr,chunk_length);
-
- png_reset_crc(png_ptr);
- png_crc_read(png_ptr, png_ptr->chunk_name, 4);
-@@ -654,7 +654,7 @@
- png_crc_finish(png_ptr, 0);
-
- png_read_data(png_ptr, chunk_length, 4);
-- png_ptr->idat_size = png_get_uint_32(chunk_length);
-+ png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length);
-
- png_reset_crc(png_ptr);
- png_crc_read(png_ptr, png_ptr->chunk_name, 4);
-@@ -927,7 +927,7 @@
- #endif /* PNG_GLOBAL_ARRAYS */
-
- png_read_data(png_ptr, chunk_length, 4);
-- length = png_get_uint_32(chunk_length);
-+ length = png_get_uint_31(png_ptr,chunk_length);
-
- png_reset_crc(png_ptr);
- png_crc_read(png_ptr, png_ptr->chunk_name, 4);
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch10-find-duplicate-chunk.txt
- Use to patch libpng-1.0.6 through 1.2.5 Does not work with libpng-1.0.5
and earlier.
- No security problem. The bugs are similar to the one fixed in patch
- 03, but the only effect is that libpng will fail to detect misplaced
- harmless duplicate chunks.
- This is a OpenPKG backport to 1.0.5
-
-diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch10/pngrutil.c
---- Tk-PNG-2.005/libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002
-+++ Tk-PNG-2.005/libpng/pngrutil.c Fri Jul 23 19:05:40 2004
-@@ -403,7 +407,7 @@
- /* Should be an error, but we can cope with it */
- png_warning(png_ptr, "Out of place gAMA chunk");
-
-- else if (info_ptr != NULL && info_ptr->valid & PNG_INFO_gAMA
-+ if (info_ptr != NULL && info_ptr->valid & PNG_INFO_gAMA
- #if defined(PNG_READ_sRGB_SUPPORTED)
- && !(info_ptr->valid & PNG_INFO_sRGB)
- #endif
-@@ -475,7 +479,7 @@
- /* Should be an error, but we can cope with it */
- png_warning(png_ptr, "Out of place sBIT chunk");
- }
-- else if (info_ptr != NULL && info_ptr->valid & PNG_INFO_sBIT)
-+ if (info_ptr != NULL && info_ptr->valid & PNG_INFO_sBIT)
- {
- png_warning(png_ptr, "Duplicate sBIT chunk");
- png_crc_finish(png_ptr, length);
-@@ -487,7 +491,7 @@
- else
- truelen = (png_size_t)png_ptr->channels;
-
-- if (length != truelen)
-+ if (length != truelen || length > 4)
- {
- png_warning(png_ptr, "Incorrect sBIT chunk length");
- png_crc_finish(png_ptr, length);
-@@ -539,7 +543,7 @@
- /* Should be an error, but we can cope with it */
- png_warning(png_ptr, "Missing PLTE before cHRM");
-
-- else if (info_ptr != NULL && info_ptr->valid & PNG_INFO_cHRM
-+ if (info_ptr != NULL && info_ptr->valid & PNG_INFO_cHRM
- #if defined(PNG_READ_sRGB_SUPPORTED)
- && !(info_ptr->valid & PNG_INFO_sRGB)
- #endif
-@@ -676,7 +680,7 @@
- /* Should be an error, but we can cope with it */
- png_warning(png_ptr, "Out of place sRGB chunk");
-
-- else if (info_ptr != NULL && info_ptr->valid & PNG_INFO_sRGB)
-+ if (info_ptr != NULL && info_ptr->valid & PNG_INFO_sRGB)
- {
- png_warning(png_ptr, "Duplicate sRGB chunk");
- png_crc_finish(png_ptr, length);
-
-This patch from Chris Evans avoids a host of security problems related
-to buffer overflows that might occur when processing very large images.
-It causes the reader to reject any images claiming to have more rows or
-columns the png format supports.
-
-diff -ru libpng-1.2.5/png.h libpng-1.2.5.fix/png.h
---- Tk-PNG-2.005/libpng/png.h.orig 2002-10-03 12:32:26.000000000 +0100
-+++ Tk-PNG-2.005/libpng/png.h 2004-07-13 23:18:10.000000000 +0100
-@@ -835,6 +835,9 @@
- /* Maximum positive integer used in PNG is (2^31)-1 */
- #define PNG_MAX_UINT ((png_uint_32)0x7fffffffL)
-
-+/* Constraints on width, height, (2 ^ 24) - 1*/
-+#define PNG_MAX_DIMENSION 16777215
-+
- /* These describe the color_type field in png_info. */
- /* color type masks */
- #define PNG_COLOR_MASK_PALETTE 1
-diff -ru libpng-1.2.5/pngrutil.c libpng-1.2.5.fix/pngrutil.c
---- Tk-PNG-2.005/libpng/pngrutil.c.orig 2004-07-13 13:36:37.000000000
+0100
-+++ Tk-PNG-2.005/libpng/pngrutil.c 2004-07-13 23:43:02.000000000 +0100
-@@ -350,7 +350,11 @@
- png_crc_finish(png_ptr, 0);
-
- width = png_get_uint_32(buf);
-+ if (width > PNG_MAX_DIMENSION)
-+ png_error(png_ptr, "Width is too large");
- height = png_get_uint_32(buf + 4);
-+ if (height > PNG_MAX_DIMENSION)
-+ png_error(png_ptr, "Height is too large");
- bit_depth = buf[8];
- color_type = buf[9];
- compression_type = buf[10];
-@@ -675,7 +679,7 @@
- else
- truelen = (png_size_t)png_ptr->channels;
-
-- if (length != truelen)
-+ if (length != truelen || length > 4)
- {
- png_warning(png_ptr, "Incorrect sBIT chunk length");
- png_crc_finish(png_ptr, length);
-@@ -1400,7 +1405,7 @@
- void /* PRIVATE */
- png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
- {
-- int num, i;
-+ unsigned int num, i;
-
- png_debug(1, "in png_handle_hIST\n");
-
-@@ -946,14 +950,14 @@
- return;
- }
-
-- if (length != (png_uint_32)(2 * png_ptr->num_palette))
-+ num = length / 2 ;
-+ if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH)
- {
- png_warning(png_ptr, "Incorrect hIST chunk length");
- png_crc_finish(png_ptr, length);
- return;
- }
-
-- num = (int)length / 2 ;
- png_ptr->hist = (png_uint_16p)png_malloc(png_ptr,
- (png_uint_32)(num * sizeof (png_uint_16)));
- png_ptr->flags |= PNG_FLAG_FREE_HIST;
-@@ -2868,6 +2873,9 @@
- png_read_data(png_ptr, chunk_length, 4);
- png_ptr->idat_size = png_get_uint_32(chunk_length);
-
-+ if (png_ptr->idat_size > PNG_MAX_UINT)
-+ png_error(png_ptr, "Invalid chunk length.");
-+
- png_reset_crc(png_ptr);
- png_crc_read(png_ptr, png_ptr->chunk_name, 4);
- if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4))
-
-http://www.graphicsmagick.org/libpng/beta/patches/INFO.txt
-
-> [Problems discovered and fixed by] Chris Evans
->
-> 1) Remotely exploitable stack-based buffer overrun in png_handle_tRNS
(pngrutil.c)
-> 2) Dangerous code in png_handle_sBIT (pngrutil.c)
-CAN-2004-0597
-
-> 3) Possible NULL-pointer crash in png_handle_iCCP (pngrutil.c)
-> this flaw is duplicated in multiple other locations.
-CAN-2004-0598
-
-> 4) Theoretical integer overflow in allocation in png_handle_sPLT
(pngrutil.c)
-> 5) Integer overflow in png_read_png (pngread.c)
-> 6) Integer overflows during progressive reading.
-> 7) Other flaws. [integer overflows]
-CAN-2004-0599
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch03-trns-chunk-overflow.txt
- Use to patch libpng-1.0.9 through 1.2.5
- This fixes the most dangerous of the newly reported vulnerabilities
-
-diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch03/pngrutil.c
---- Tk-804.027/PNG/libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002
-+++ Tk-804.027/PNG/libpng/pngrutil.c Fri Jul 23 18:54:36 2004
-@@ -1241,7 +1241,8 @@
- /* Should be an error, but we can cope with it */
- png_warning(png_ptr, "Missing PLTE before tRNS");
- }
-- else if (length > (png_uint_32)png_ptr->num_palette)
-+ if (length > (png_uint_32)png_ptr->num_palette ||
-+ length > PNG_MAX_PALETTE_LENGTH)
- {
- png_warning(png_ptr, "Incorrect tRNS chunk length");
- png_crc_finish(png_ptr, length);
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch04-get-uint-31.txt
- Use to patch libpng-1.0.6 through 1.2.5
- This patch defines PNG_UINT_31_MAX, PNG_UINT_32_MAX, PNG_SIZE_MAX,
- and png_get_uint_31(), which are needed by patches 05-08.
-
-diff -r -U 3 libpng-1.2.5/png.h libpng-1.2.5patch04/png.h
---- Tk-804.027/PNG/libpng/png.h.orig Thu Oct 3 06:32:26 2002
-+++ Tk-804.027/PNG/libpng/png.h Fri Jul 23 18:56:27 2004
-@@ -833,7 +833,11 @@
- typedef png_info FAR * FAR * png_infopp;
-
- /* Maximum positive integer used in PNG is (2^31)-1 */
--#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL)
-+#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL)
-+#define PNG_UINT_32_MAX (~((png_uint_32)0))
-+#define PNG_SIZE_MAX (~((png_size_t)0))
-+/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */
-+#define PNG_MAX_UINT PNG_UINT_31_MAX
-
- /* These describe the color_type field in png_info. */
- /* color type masks */
-@@ -2655,6 +2659,8 @@
- PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf));
- PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf));
- #endif /* !PNG_READ_BIG_ENDIAN_SUPPORTED */
-+PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr,
-+ png_bytep buf));
-
- /* Initialize png_ptr struct for reading, and allocate any other memory.
- * (old interface - DEPRECATED - use png_create_read_struct instead).
-diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch04/pngrutil.c
---- Tk-804.027/PNG/libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002
-+++ Tk-804.027/PNG/libpng/pngrutil.c Fri Jul 23 18:56:27 2004
-@@ -38,6 +38,14 @@
- # endif
- #endif
-
-+png_uint_32 /* PRIVATE */
-+png_get_uint_31(png_structp png_ptr, png_bytep buf)
-+{
-+ png_uint_32 i = png_get_uint_32(buf);
-+ if (i > PNG_UINT_31_MAX)
-+ png_error(png_ptr, "PNG unsigned integer out of range.\n");
-+ return (i);
-+}
- #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED
- /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
- png_uint_32 /* PRIVATE */
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch05-pngpread-chunklength.txt
- Use to patch libpng-1.0.0 through 1.2.5
- Requires one of libpng-patch04*
-
-diff -r -U 3 libpng-1.2.5/pngpread.c libpng-1.2.5patch05/pngpread.c
---- Tk-804.027/PNG/libpng/pngpread.c.orig Thu Oct 3 06:32:28 2002
-+++ Tk-804.027/PNG/libpng/pngpread.c Fri Jul 23 18:57:39 2004
-@@ -208,7 +208,7 @@
- }
-
- png_push_fill_buffer(png_ptr, chunk_length, 4);
-- png_ptr->push_length = png_get_uint_32(chunk_length);
-+ png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length);
- png_reset_crc(png_ptr);
- png_crc_read(png_ptr, png_ptr->chunk_name, 4);
- png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
-@@ -591,6 +591,11 @@
- png_size_t new_max;
- png_bytep old_buffer;
-
-+ if (png_ptr->save_buffer_size > PNG_SIZE_MAX -
-+ (png_ptr->current_buffer_size + 256))
-+ {
-+ png_error(png_ptr, "Potential overflow of save_buffer");
-+ }
- new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size +
256;
- old_buffer = png_ptr->save_buffer;
- png_ptr->save_buffer = (png_bytep)png_malloc(png_ptr,
-@@ -637,8 +642,7 @@
- }
-
- png_push_fill_buffer(png_ptr, chunk_length, 4);
-- png_ptr->push_length = png_get_uint_32(chunk_length);
--
-+ png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length);
- png_reset_crc(png_ptr);
- png_crc_read(png_ptr, png_ptr->chunk_name, 4);
- png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch06-pngread-chunklength.txt
- Use to patch libpng-1.0.13 through 1.0.15 and 1.2.2 through 1.2.5.
- Requires libpng-patch04-*
-
-diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch06/pngread.c
---- Tk-804.027/PNG/libpng/pngread.c.orig Thu Oct 3 06:32:29 2002
-+++ Tk-804.027/PNG/libpng/pngread.c Fri Jul 23 18:59:57 2004
-@@ -384,7 +384,7 @@
- png_uint_32 length;
-
- png_read_data(png_ptr, chunk_length, 4);
-- length = png_get_uint_32(chunk_length);
-+ length = png_get_uint_31(png_ptr,chunk_length);
-
- png_reset_crc(png_ptr);
- png_crc_read(png_ptr, png_ptr->chunk_name, 4);
-@@ -392,9 +392,6 @@
- png_debug2(0, "Reading %s chunk, length=%lu.\n", png_ptr->chunk_name,
- length);
-
-- if (length > PNG_MAX_UINT)
-- png_error(png_ptr, "Invalid chunk length.");
--
- /* This should be a binary subdivision search or a hash for
- * matching the chunk name rather than a linear search.
- */
-@@ -673,10 +670,7 @@
- png_crc_finish(png_ptr, 0);
-
- png_read_data(png_ptr, chunk_length, 4);
-- png_ptr->idat_size = png_get_uint_32(chunk_length);
--
-- if (png_ptr->idat_size > PNG_MAX_UINT)
-- png_error(png_ptr, "Invalid chunk length.");
-+ png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length);
-
- png_reset_crc(png_ptr);
- png_crc_read(png_ptr, png_ptr->chunk_name, 4);
-@@ -946,15 +940,12 @@
- #endif /* PNG_GLOBAL_ARRAYS */
-
- png_read_data(png_ptr, chunk_length, 4);
-- length = png_get_uint_32(chunk_length);
-+ length = png_get_uint_31(png_ptr,chunk_length);
-
- png_reset_crc(png_ptr);
- png_crc_read(png_ptr, png_ptr->chunk_name, 4);
-
- png_debug1(0, "Reading %s chunk.\n", png_ptr->chunk_name);
--
-- if (length > PNG_MAX_UINT)
-- png_error(png_ptr, "Invalid chunk length.");
-
- if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4))
- png_handle_IHDR(png_ptr, info_ptr, length);
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch07-png-read-png-overflow.txt
- Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't
implement png_read_png().
- Requires libpng-patch04-*
-
-diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch07/pngread.c
---- Tk-804.027/PNG/libpng/pngread.c.orig Thu Oct 3 06:32:29 2002
-+++ Tk-804.027/PNG/libpng/pngread.c Fri Jul 23 19:01:39 2004
-@@ -1299,6 +1299,9 @@
- */
- png_read_info(png_ptr, info_ptr);
-
-+ if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep))
-+ png_error(png_ptr,"Image is too high to process with png_read_png()");
-+
- /* -------------- image transformations start here ------------------- */
-
- #if defined(PNG_READ_16_TO_8_SUPPORTED)
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch08-splt-buffer-overflow.txt
- Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't
implement png_read_png().
- Requires libpng-patch04-*
-
-The "sPLT chunk too long" check from Matthias Clasen (RedHat libpng package
maintainer)
-
-diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch08/pngrutil.c
---- Tk-804.027/PNG/libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002
-+++ Tk-804.027/PNG/libpng/pngrutil.c Fri Jul 23 19:02:48 2004
-@@ -1154,8 +1154,18 @@
- }
-
- new_palette.nentries = data_length / entry_size;
-- new_palette.entries = (png_sPLT_entryp)png_malloc(
-+ if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry))
-+ {
-+ png_warning(png_ptr, "sPLT chunk too long");
-+ return;
-+ }
-+ new_palette.entries = (png_sPLT_entryp)png_malloc_warn(
- png_ptr, new_palette.nentries * sizeof(png_sPLT_entry));
-+ if (new_palette.entries == NULL)
-+ {
-+ png_warning(png_ptr, "sPLT chunk requires too much memory");
-+ return;
-+ }
-
- #ifndef PNG_NO_POINTER_INDEXING
- for (i = 0; i < new_palette.nentries; i++)
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch09-null-iccp-profile.txt
- Use to patch libpng-1.0.9 through 1.2.5. Does not work with
libpng-1.0.6-1.0.8.
- Libpng-1.0.5 and earlier didn't implement iCCP chunk reading.
-
-diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch09/pngrutil.c
---- Tk-804.027/PNG/libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002
-+++ Tk-804.027/PNG/libpng/pngrutil.c Fri Jul 23 19:04:28 2004
-@@ -977,8 +977,7 @@
- png_bytep pC;
- png_charp profile;
- png_uint_32 skip = 0;
-- png_uint_32 profile_size = 0;
-- png_uint_32 profile_length = 0;
-+ png_uint_32 profile_size, profile_length;
- png_size_t slength, prefix_length, data_length;
-
- png_debug(1, "in png_handle_iCCP\n");
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch10-find-duplicate-chunk.txt
- Use to patch libpng-1.0.6 through 1.2.5 Does not work with libpng-1.0.5
and earlier.
- No security problem. The bugs are similar to the one fixed in patch
- 03, but the only effect is that libpng will fail to detect misplaced
- harmless duplicate chunks.
-
-diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch10/pngrutil.c
---- Tk-804.027/PNG/libpng/pngrutil.c.orig Thu Oct 3 06:32:30 2002
-+++ Tk-804.027/PNG/libpng/pngrutil.c Fri Jul 23 19:05:40 2004
-@@ -579,7 +579,7 @@
- /* Should be an error, but we can cope with it */
- png_warning(png_ptr, "Out of place gAMA chunk");
-
-- else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
-+ if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
- #if defined(PNG_READ_sRGB_SUPPORTED)
- && !(info_ptr->valid & PNG_INFO_sRGB)
- #endif
-@@ -660,7 +660,7 @@
- /* Should be an error, but we can cope with it */
- png_warning(png_ptr, "Out of place sBIT chunk");
- }
-- else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
-+ if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
- {
- png_warning(png_ptr, "Duplicate sBIT chunk");
- png_crc_finish(png_ptr, length);
-@@ -729,7 +729,7 @@
- /* Should be an error, but we can cope with it */
- png_warning(png_ptr, "Missing PLTE before cHRM");
-
-- else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
-+ if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
- #if defined(PNG_READ_sRGB_SUPPORTED)
- && !(info_ptr->valid & PNG_INFO_sRGB)
- #endif
-@@ -891,7 +891,7 @@
- /* Should be an error, but we can cope with it */
- png_warning(png_ptr, "Out of place sRGB chunk");
-
-- else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
-+ if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
- {
- png_warning(png_ptr, "Duplicate sRGB chunk");
- png_crc_finish(png_ptr, length);
-@@ -995,7 +995,7 @@
- /* Should be an error, but we can cope with it */
- png_warning(png_ptr, "Out of place iCCP chunk");
-
-- else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
-+ if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
- {
- png_warning(png_ptr, "Duplicate iCCP chunk");
- png_crc_finish(png_ptr, length);
-
-This patch from Chris Evans avoids a host of security problems related
-to buffer overflows that might occur when processing very large images.
-It causes the reader to reject any images claiming to have more rows or
-columns the png format supports.
-
-diff -ru libpng-1.2.5/png.h libpng-1.2.5.fix/png.h
---- Tk-804.027/PNG/libpng/png.h.orig 2002-10-03 12:32:26.000000000 +0100
-+++ Tk-804.027/PNG/libpng/png.h 2004-07-13 23:18:10.000000000 +0100
-@@ -835,6 +835,9 @@
- /* Maximum positive integer used in PNG is (2^31)-1 */
- #define PNG_MAX_UINT ((png_uint_32)0x7fffffffL)
-
-+/* Constraints on width, height, (2 ^ 24) - 1*/
-+#define PNG_MAX_DIMENSION 16777215
-+
- /* These describe the color_type field in png_info. */
- /* color type masks */
- #define PNG_COLOR_MASK_PALETTE 1
-diff -ru libpng-1.2.5/pngrutil.c libpng-1.2.5.fix/pngrutil.c
---- Tk-804.027/PNG/libpng/pngrutil.c.orig 2004-07-13 13:36:37.000000000
+0100
-+++ Tk-804.027/PNG/libpng/pngrutil.c 2004-07-13 23:43:02.000000000 +0100
-@@ -350,7 +350,11 @@
- png_crc_finish(png_ptr, 0);
-
- width = png_get_uint_32(buf);
-+ if (width > PNG_MAX_DIMENSION)
-+ png_error(png_ptr, "Width is too large");
- height = png_get_uint_32(buf + 4);
-+ if (height > PNG_MAX_DIMENSION)
-+ png_error(png_ptr, "Height is too large");
- bit_depth = buf[8];
- color_type = buf[9];
- compression_type = buf[10];
-@@ -675,7 +679,7 @@
- else
- truelen = (png_size_t)png_ptr->channels;
-
-- if (length != truelen)
-+ if (length != truelen || length > 4)
- {
- png_warning(png_ptr, "Incorrect sBIT chunk length");
- png_crc_finish(png_ptr, length);
-@@ -1400,7 +1405,7 @@
- void /* PRIVATE */
- png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
- {
-- int num, i;
-+ unsigned int num, i;
- png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
-
- png_debug(1, "in png_handle_hIST\n");
-@@ -1426,8 +1431,8 @@
- return;
- }
-
-- num = (int)length / 2 ;
-- if (num != png_ptr->num_palette)
-+ num = length / 2 ;
-+ if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH)
- {
- png_warning(png_ptr, "Incorrect hIST chunk length");
- png_crc_finish(png_ptr, length);
-@@ -2868,6 +2873,9 @@
- png_read_data(png_ptr, chunk_length, 4);
- png_ptr->idat_size = png_get_uint_32(chunk_length);
-
-+ if (png_ptr->idat_size > PNG_MAX_UINT)
-+ png_error(png_ptr, "Invalid chunk length.");
-+
- png_reset_crc(png_ptr);
- png_crc_read(png_ptr, png_ptr->chunk_name, 4);
- if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4))
-
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/perl-tk/perl-tk.spec
============================================================================
$ cvs diff -u -r1.100 -r1.101 perl-tk.spec
--- openpkg-src/perl-tk/perl-tk.spec 19 Dec 2007 13:51:08 -0000 1.100
+++ openpkg-src/perl-tk/perl-tk.spec 20 Dec 2007 09:18:09 -0000 1.101
@@ -24,7 +24,7 @@
# versions of individual parts
%define V_perl 5.10.0
-%define V_tk 804.027
+%define V_tk 804.028
%define V_tk_tiff 0.10
%define V_tk_jpeg 2.014
%define V_tk_png 2.005
@@ -66,7 +66,7 @@
Group: Perl
License: GPL/Artistic
Version: %{V_perl}
-Release: 20071219
+Release: 20071220
# list of sources
Source0: http://www.cpan.org/modules/by-module/Tk/Tk-%{V_tk}.tar.gz
@@ .
______________________________________________________________________
OpenPKG http://openpkg.org
CVS Repository Commit List [email protected]
