Re: UPDATE: graphics/gd

2017-05-10 Thread Rafael Sadowski
On Wed May 10, 2017 at 09:45:19AM +0100, Stuart Henderson wrote:
> On 2017/05/09 21:14, Rafael Sadowski wrote:
> > multimedia/gstreamer1/ (tested but there is no gd)
> 
> ha, my search matched "graphics/gd" against "graphics/gdk-pixbuf2".
> 
> > Index: Makefile
> > Index: Makefile
> > Index: Makefile
> ...
> 
> I'm not going to run patch 14 times, please send a diff done
> from /usr/ports :)

I'm sorry, new diff below:

Index: cad/pcb/Makefile
===
RCS file: /cvs/ports/cad/pcb/Makefile,v
retrieving revision 1.33
diff -u -p -u -p -r1.33 Makefile
--- cad/pcb/Makefile18 May 2015 11:29:37 -  1.33
+++ cad/pcb/Makefile10 May 2017 11:43:08 -
@@ -3,7 +3,7 @@
 COMMENT=   printed circuit board layout tool
 DISTNAME=  pcb-20110918
 CATEGORIES=cad
-REVISION=  6
+REVISION=  7
 
 HOMEPAGE=  http://pcb.gpleda.org/
 
@@ -15,7 +15,7 @@ WANTLIB += Xi Xinerama Xmu Xrandr Xrende
 WANTLIB += fontconfig freetype gd gdk-x11-2.0 gdk_pixbuf-2.0
 WANTLIB += gdkglext-x11-1.0 gio-2.0 glib-2.0 gmodule-2.0 gobject-2.0
 WANTLIB += gtk-x11-2.0 gtkglext-x11-1.0 jpeg m pango-1.0 pangocairo-1.0
-WANTLIB += pangoft2-1.0 pangox-1.0 png pthread tiff vpx z
+WANTLIB += pangoft2-1.0 pangox-1.0 png pthread tiff webp z
 
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=pcb/}
 
Index: converters/libpst/Makefile
===
RCS file: /cvs/ports/converters/libpst/Makefile,v
retrieving revision 1.48
diff -u -p -u -p -r1.48 Makefile
--- converters/libpst/Makefile  10 Apr 2017 11:45:24 -  1.48
+++ converters/libpst/Makefile  10 May 2017 11:43:08 -
@@ -11,6 +11,7 @@ SHARED_LIBS +=  pst  3.0
 
 PKGNAME-main=  ${DISTNAME}
 PKGNAME-python=py-${DISTNAME}
+REVISION-main= 0
 
 CATEGORIES=converters mail
 
@@ -26,7 +27,7 @@ cWANTLIB += m pthread ${LIBCXX}
 WANTLIB-main += ${cWANTLIB} iconv intl 
 WANTLIB-main += bz2 c expat ffi fontconfig freetype gd gio-2.0
 WANTLIB-main += glib-2.0 gmodule-2.0 gobject-2.0 gsf-1 jpeg pcre png
-WANTLIB-main += pthread-stubs tiff vpx xml2 z m pthread ${LIBCXX} lzma
+WANTLIB-main += pthread-stubs tiff webp xml2 z m pthread ${LIBCXX} lzma
 
 WANTLIB-python += ${cWANTLIB} iconv
 WANTLIB-python += pst util boost_python
Index: devel/cvsgraph/Makefile
===
RCS file: /cvs/ports/devel/cvsgraph/Makefile,v
retrieving revision 1.21
diff -u -p -u -p -r1.21 Makefile
--- devel/cvsgraph/Makefile 13 Sep 2016 14:40:29 -  1.21
+++ devel/cvsgraph/Makefile 10 May 2017 11:43:10 -
@@ -5,11 +5,12 @@ COMMENT=  graphical representation of CV
 DISTNAME=  cvsgraph-1.7.0
 CATEGORIES=devel
 HOMEPAGE=  http://www.akhphd.au.dk/~bertho/cvsgraph
+REVISION=  0
 
 # GPLv2+
 PERMIT_PACKAGE_CDROM=  Yes
 
-WANTLIB += c fontconfig freetype gd iconv jpeg m png pthread tiff vpx
+WANTLIB += c fontconfig freetype gd iconv jpeg m png pthread tiff webp
 WANTLIB += z
 
 MASTER_SITES=  ${HOMEPAGE}/release/
Index: graphics/gd/Makefile
===
RCS file: /cvs/ports/graphics/gd/Makefile,v
retrieving revision 1.70
diff -u -p -u -p -r1.70 Makefile
--- graphics/gd/Makefile10 Apr 2017 11:46:20 -  1.70
+++ graphics/gd/Makefile10 May 2017 11:43:22 -
@@ -2,12 +2,11 @@
 
 COMMENT=   library for dynamic creation of images
 
-V= 2.1.1
-REVISION=  3
+V= 2.2.4
 DISTNAME=  libgd-$V
 PKGNAME=   gd-$V
 
-SHARED_LIBS += gd   21.1 # 3.0
+SHARED_LIBS += gd   22.0 # 3.0
 
 CATEGORIES=graphics
 
@@ -16,17 +15,17 @@ HOMEPAGE=   http://www.libgd.org/
 PERMIT_PACKAGE_CDROM=  Yes
 
 WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread
-WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z
+WANTLIB += pthread-stubs ${LIBCXX} tiff webp z
 
-MASTER_SITES=  https://bitbucket.org/libgd/gd-libgd/downloads/
+MASTER_SITES=  https://github.com/libgd/libgd/releases/download/${PKGNAME}/
 
 CONFIGURE_STYLE= gnu
 CONFIGURE_ARGS+= --without-xpm
 
 LIB_DEPENDS=   converters/libiconv \
graphics/jpeg \
+   graphics/libwebp \
graphics/png \
-   graphics/tiff \
-   multimedia/libvpx
+   graphics/tiff
 
 .include 
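Review bot: The new MASTER_SITES line builds the download path from `${PKGNAME}`, which works only because the package name `gd-$V` presumably matches the upstream release tag. Writing the version variable into the URL directly, `MASTER_SITES=  https://github.com/libgd/libgd/releases/download/gd-$V/`, keeps the distfile location correct if PKGNAME is ever renamed or gains a suffix. The same line appears in the 7 May and 29 April versions of this hunk further down the page. The SHA256 and SIZE entries in distinfo still pin the tarball contents, so this concerns fetch robustness rather than integrity.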
Index: graphics/gd/distinfo
===
RCS file: /cvs/ports/graphics/gd/distinfo,v
retrieving revision 1.8
diff -u -p -u -p -r1.8 distinfo
--- graphics/gd/distinfo14 Nov 2015 12:41:53 -  1.8
+++ graphics/gd/distinfo10 May 2017 11:43:22 -
@@ -1,2 +1,2 @@
-SHA256 (libgd-2.1.1.tar.gz) = z0e85aTExtx3uo0DSdHuyc7/d+2G8UskmgeAt/GFVMU=
-SIZE (libgd-2.1.1.tar.gz) = 2390586
+SHA256 (libgd-2.2.4.tar.gz) = 

Re: UPDATE: graphics/gd

2017-05-10 Thread Stuart Henderson
On 2017/05/09 21:14, Rafael Sadowski wrote:
> multimedia/gstreamer1/ (tested but there is no gd)

ha, my search matched "graphics/gd" against "graphics/gdk-pixbuf2".

> Index: Makefile
> Index: Makefile
> Index: Makefile
...

I'm not going to run patch 14 times, please send a diff done
from /usr/ports :)



Re: UPDATE: graphics/gd

2017-05-09 Thread Rafael Sadowski
On Sun May 07, 2017 at 10:14:55PM +0100, Stuart Henderson wrote:
> On 2017/05/07 22:37, Rafael Sadowski wrote:
> > On Sun Apr 30, 2017 at 12:08:47PM +0100, Stuart Henderson wrote:
> > > On 2017/04/29 23:14, Rafael Sadowski wrote:
> > > > is there any good reason to not update libgd? Here are eight good
> > > > reasons for a update:
> > > 
> > > No reason not to update it. Quite a few things depend on it though,
> > > so testing is a bit annoying, which might explain why it's old.
> > > 
> > > > -WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread
> > > > -WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z
> > > > +#WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread
> > > > +#WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z
> > > 
> > > er?
> > > 
> > > >  LIB_DEPENDS=   converters/libiconv \
> > > > graphics/jpeg \
> > > > graphics/png \
> > > > -   graphics/tiff \
> > > > -   multimedia/libvpx
> > > > +   graphics/tiff
> > > 
> > > Need to make sure that dropping libvpx doesn't cause problems in
> > > dependent ports.
> > > 
> > > Didn't they change from libvpx to libwebp rather than dropping webp
> > > support completely?
> > 
> > Please find an new diff with libwebp support from Brad Smith.
> > 
> > The following ports are affected (diff see below):
> > 
> > cad/pcb
> > graphics/libgphoto2
> > net/amule
> > net/rtg
> > print/texlive/base
> > sysutils/modlogan
> > www/analog
> > 
> > Unaffected:
> > 
> > emulators/fceux
> > mail/rspamd
> > math/plplot
> > net/mldonkey
> > net/nagios/nagios
> > sysutils/nut
> > www/rt
> > www/webalizer
> 
> These lists don't match the diff; www/analog isn't in the diff,
> net/mldonkey is in the diff but listed as unaffected, and
> math/graphviz is in the diff but not listed above at all.

Everything too rash! Now, with more structure!

> 
> (For a commit which touches ports all over the tree, you should
> list the directories on the command line rather than letting cvs
> iterate over the whole lot, so you want the list to be correct :)

ACK;

> 
> Apart from the extra whitespace in the WANTLIB line for graphviz,
> what's in the diff looks correct, but there are some other ports
> which I think may be affected too - are you sure that you don't
> need changes for libpst, cvsgraph, eduke32, mscgen, p5-GD,
> gnuplot, gstreamer1-plugins-good?

Now, hopefully complete.

Affected:

net/amule/
devel/cvsgraph/
math/gnuplot/
math/graphviz/
graphics/libgphoto2/
converters/libpst/
net/mldonkey/
sysutils/modlogan/
graphics/mscgen/
graphics/p5-GD/
cad/pcb/
net/rtg/
print/texlive/base

Unaffected:

emulators/fceux/
games/eduke32/
graphics/ansilove/
graphics/fswebcam/
graphics/luagd/
graphics/py-gd/
mail/rspamd/
math/plplot/
multimedia/gstreamer1/ (tested but there is no gd)
net/icinga/core
net/nagios/nagios
net/pfstat/
net/vnstat
sysutils/apcupsd/
sysutils/nut/
www/analog/
www/nginx/
www/rt/
www/sarg/
www/webalizer


Index: Makefile
===
RCS file: /cvs/ports/net/amule/Makefile,v
retrieving revision 1.58
diff -u -p -u -p -r1.58 Makefile
--- Makefile10 Apr 2017 11:46:23 -  1.58
+++ Makefile7 May 2017 19:44:56 -
@@ -6,7 +6,7 @@ COMMENT-daemon =stand-alone daemon/cmdli
 
 V =2.3.2
 DISTNAME = aMule-$V
-REVISION = 1
+REVISION = 2
 CATEGORIES =   net
 
 HOMEPAGE = http://www.amule.org/
@@ -52,7 +52,7 @@ RUN_DEPENDS-main =${RUN_DEPENDS} \
 commonWANTLIB =c ixml m pthread ${LIBCXX} threadutil upnp \
wx_base wx_base_net z
 WANTLIB-main = ${WANTLIB} ${commonWANTLIB} \
-   GeoIP X11 cryptopp fontconfig tiff vpx \
+   GeoIP X11 cryptopp fontconfig tiff webp \
freetype gd jpeg png wx_gtk2_adv wx_gtk2_core
 WANTLIB-daemon =   ${WANTLIB} ${commonWANTLIB} \
cryptopp readline termcap
Index: Makefile
===
RCS file: /cvs/ports/devel/cvsgraph/Makefile,v
retrieving revision 1.21
diff -u -p -u -p -r1.21 Makefile
--- Makefile13 Sep 2016 14:40:29 -  1.21
+++ Makefile8 May 2017 19:57:24 -
@@ -5,11 +5,12 @@ COMMENT=  graphical representation of CV
 DISTNAME=  cvsgraph-1.7.0
 CATEGORIES=devel
 HOMEPAGE=  http://www.akhphd.au.dk/~bertho/cvsgraph
+REVISION=  0
 
 # GPLv2+
 PERMIT_PACKAGE_CDROM=  Yes
 
-WANTLIB += c fontconfig freetype gd iconv jpeg m png pthread tiff vpx
+WANTLIB += c fontconfig freetype gd iconv jpeg m png pthread tiff webp
 WANTLIB += z
 
 MASTER_SITES=  ${HOMEPAGE}/release/
Index: Makefile
===
RCS file: /home/cvs/ports/graphics/gd/Makefile,v
retrieving revision 1.70
diff -u -p -u -p -r1.70 Makefile
--- Makefile10 Apr 2017 11:46:20 -  1.70

Re: UPDATE: graphics/gd

2017-05-07 Thread Stuart Henderson
On 2017/05/07 22:37, Rafael Sadowski wrote:
> On Sun Apr 30, 2017 at 12:08:47PM +0100, Stuart Henderson wrote:
> > On 2017/04/29 23:14, Rafael Sadowski wrote:
> > > is there any good reason to not update libgd? Here are eight good
> > > reasons for a update:
> > 
> > No reason not to update it. Quite a few things depend on it though,
> > so testing is a bit annoying, which might explain why it's old.
> > 
> > > -WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread
> > > -WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z
> > > +#WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread
> > > +#WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z
> > 
> > er?
> > 
> > >  LIB_DEPENDS= converters/libiconv \
> > >   graphics/jpeg \
> > >   graphics/png \
> > > - graphics/tiff \
> > > - multimedia/libvpx
> > > + graphics/tiff
> > 
> > Need to make sure that dropping libvpx doesn't cause problems in
> > dependent ports.
> > 
> > Didn't they change from libvpx to libwebp rather than dropping webp
> > support completely?
> 
> Please find an new diff with libwebp support from Brad Smith.
> 
> The following ports are affected (diff see below):
> 
> cad/pcb
> graphics/libgphoto2
> net/amule
> net/rtg
> print/texlive/base
> sysutils/modlogan
> www/analog
> 
> Unaffected:
> 
> emulators/fceux
> mail/rspamd
> math/plplot
> net/mldonkey
> net/nagios/nagios
> sysutils/nut
> www/rt
> www/webalizer

These lists don't match the diff; www/analog isn't in the diff,
net/mldonkey is in the diff but listed as unaffected, and
math/graphviz is in the diff but not listed above at all.

(For a commit which touches ports all over the tree, you should
list the directories on the command line rather than letting cvs
iterate over the whole lot, so you want the list to be correct :)

Apart from the extra whitespace in the WANTLIB line for graphviz,
what's in the diff looks correct, but there are some other ports
which I think may be affected too - are you sure that you don't
need changes for libpst, cvsgraph, eduke32, mscgen, p5-GD,
gnuplot, gstreamer1-plugins-good?



Re: UPDATE: graphics/gd

2017-05-07 Thread Rafael Sadowski
On Sun Apr 30, 2017 at 12:08:47PM +0100, Stuart Henderson wrote:
> On 2017/04/29 23:14, Rafael Sadowski wrote:
> > is there any good reason to not update libgd? Here are eight good
> > reasons for a update:
> 
> No reason not to update it. Quite a few things depend on it though,
> so testing is a bit annoying, which might explain why it's old.
> 
> > -WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread
> > -WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z
> > +#WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread
> > +#WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z
> 
> er?
> 
> >  LIB_DEPENDS=   converters/libiconv \
> > graphics/jpeg \
> > graphics/png \
> > -   graphics/tiff \
> > -   multimedia/libvpx
> > +   graphics/tiff
> 
> Need to make sure that dropping libvpx doesn't cause problems in
> dependent ports.
> 
> Didn't they change from libvpx to libwebp rather than dropping webp
> support completely?

Please find a new diff with libwebp support from Brad Smith.

The following ports are affected (diff see below):

cad/pcb
graphics/libgphoto2
net/amule
net/rtg
print/texlive/base
sysutils/modlogan
www/analog

Unaffected:

emulators/fceux
mail/rspamd
math/plplot
net/mldonkey
net/nagios/nagios
sysutils/nut
www/rt
www/webalizer

OK? Comments?

Best regards,

Rafael Sadowski


Index: cad/pcb/Makefile
===
RCS file: /cvs/ports/cad/pcb/Makefile,v
retrieving revision 1.33
diff -u -p -u -p -r1.33 Makefile
--- cad/pcb/Makefile18 May 2015 11:29:37 -  1.33
+++ cad/pcb/Makefile7 May 2017 20:29:20 -
@@ -3,7 +3,7 @@
 COMMENT=   printed circuit board layout tool
 DISTNAME=  pcb-20110918
 CATEGORIES=cad
-REVISION=  6
+REVISION=  7
 
 HOMEPAGE=  http://pcb.gpleda.org/
 
@@ -15,7 +15,7 @@ WANTLIB += Xi Xinerama Xmu Xrandr Xrende
 WANTLIB += fontconfig freetype gd gdk-x11-2.0 gdk_pixbuf-2.0
 WANTLIB += gdkglext-x11-1.0 gio-2.0 glib-2.0 gmodule-2.0 gobject-2.0
 WANTLIB += gtk-x11-2.0 gtkglext-x11-1.0 jpeg m pango-1.0 pangocairo-1.0
-WANTLIB += pangoft2-1.0 pangox-1.0 png pthread tiff vpx z
+WANTLIB += pangoft2-1.0 pangox-1.0 png pthread tiff webp z
 
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=pcb/}
 
Index: graphics/gd/Makefile
===
RCS file: /cvs/ports/graphics/gd/Makefile,v
retrieving revision 1.70
diff -u -p -u -p -r1.70 Makefile
--- graphics/gd/Makefile10 Apr 2017 11:46:20 -  1.70
+++ graphics/gd/Makefile7 May 2017 20:29:34 -
@@ -2,12 +2,11 @@
 
 COMMENT=   library for dynamic creation of images
 
-V= 2.1.1
-REVISION=  3
+V= 2.2.4
 DISTNAME=  libgd-$V
 PKGNAME=   gd-$V
 
-SHARED_LIBS += gd   21.1 # 3.0
+SHARED_LIBS += gd   22.0 # 3.0
 
 CATEGORIES=graphics
 
@@ -16,17 +15,17 @@ HOMEPAGE=   http://www.libgd.org/
 PERMIT_PACKAGE_CDROM=  Yes
 
 WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread
-WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z
+WANTLIB += pthread-stubs ${LIBCXX} tiff webp z
 
-MASTER_SITES=  https://bitbucket.org/libgd/gd-libgd/downloads/
+MASTER_SITES=  https://github.com/libgd/libgd/releases/download/${PKGNAME}/
 
 CONFIGURE_STYLE= gnu
 CONFIGURE_ARGS+= --without-xpm
 
 LIB_DEPENDS=   converters/libiconv \
graphics/jpeg \
+   graphics/libwebp \
graphics/png \
-   graphics/tiff \
-   multimedia/libvpx
+   graphics/tiff
 
 .include 
Index: graphics/gd/distinfo
===
RCS file: /cvs/ports/graphics/gd/distinfo,v
retrieving revision 1.8
diff -u -p -u -p -r1.8 distinfo
--- graphics/gd/distinfo14 Nov 2015 12:41:53 -  1.8
+++ graphics/gd/distinfo7 May 2017 20:29:34 -
@@ -1,2 +1,2 @@
-SHA256 (libgd-2.1.1.tar.gz) = z0e85aTExtx3uo0DSdHuyc7/d+2G8UskmgeAt/GFVMU=
-SIZE (libgd-2.1.1.tar.gz) = 2390586
+SHA256 (libgd-2.2.4.tar.gz) = SHplCqYUIX7QirG9GqXSgvnTec/ZXHVq7QtDQGOBvmU=
+SIZE (libgd-2.2.4.tar.gz) = 3013928
Index: graphics/gd/patches/patch-src_gd_crop_c
===
RCS file: graphics/gd/patches/patch-src_gd_crop_c
diff -N graphics/gd/patches/patch-src_gd_crop_c
--- graphics/gd/patches/patch-src_gd_crop_c 30 Jun 2016 13:27:42 -  
1.1
+++ /dev/null   1 Jan 1970 00:00:00 -
@@ -1,19 +0,0 @@
-$OpenBSD: patch-src_gd_crop_c,v 1.1 2016/06/30 13:27:42 jasper Exp $
-
-CVE-2016-6128
-https://bugs.php.net/bug.php?id=72494 
-https://github.com/libgd/libgd/compare/3fe0a7128bac5000fdcfab888bd2a75ec0c9447d...fd623025505e87bba7ec8555eeb72dae4fb0afd
-
 src/gd_crop.c.orig Thu Jun 30 15:23:49 2016
-+++ src/gd_crop.c  Thu Jun 30 15:24:14 2016
-@@ -136,6 +136,10 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePt
- 

Re: UPDATE: graphics/gd

2017-04-30 Thread Stuart Henderson
On 2017/04/29 23:14, Rafael Sadowski wrote:
> is there any good reason to not update libgd? Here are eight good
> reasons for a update:

No reason not to update it. Quite a few things depend on it though,
so testing is a bit annoying, which might explain why it's old.

> -WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread
> -WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z
> +#WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread
> +#WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z

er?

>  LIB_DEPENDS= converters/libiconv \
>   graphics/jpeg \
>   graphics/png \
> - graphics/tiff \
> - multimedia/libvpx
> + graphics/tiff

Need to make sure that dropping libvpx doesn't cause problems in
dependent ports.

Didn't they change from libvpx to libwebp rather than dropping webp
support completely?



UPDATE: graphics/gd

2017-04-29 Thread Rafael Sadowski
Hi ports@,

is there any good reason to not update libgd? Here are eight good
reasons for an update:

- gdImageCreate() doesn't check for oversized images and as such is prone
  to DoS vulnerabilities. (CVE-2016-9317)
- double-free in gdImageWebPtr() (CVE-2016-6912)
- potential unsigned underflow in gd_interpolation.c (CVE-2016-10166)
- DOS vulnerability in gdImageCreateFromGd2Ctx() (CVE-2016-10167)
- Signed Integer Overflow gd_io.c (CVE-2016-10168)
- Integer Overflow in gdImagePaletteToTrueColor() resulting in heap
  overflow (CVE-2016-5767)
- #215 Stack overflow with gdImageFillToBorder (CVE-2015-8874,
  CVE-2016-9933)
- NULL Pointer Dereference at _gdScaleVert
Test result from 2.1.1 on amd64:


1 of 93 tests failed
Please report to https://bitbucket.org/libgd/gd-libgd/issues


and from the new one:

tsuite summary for GD 2.2.4

# TOTAL: 153
# # PASS:  150
# # SKIP:  0
# # XFAIL: 0
# # FAIL:  3
# # XPASS: 0
# # ERROR: 0
# 

Best regards,

Rafael Sadowski


Index: Makefile
===
RCS file: /cvs/ports/graphics/gd/Makefile,v
retrieving revision 1.70
diff -u -p -u -p -r1.70 Makefile
--- Makefile10 Apr 2017 11:46:20 -  1.70
+++ Makefile29 Apr 2017 21:04:18 -
@@ -2,12 +2,11 @@
 
 COMMENT=   library for dynamic creation of images
 
-V= 2.1.1
-REVISION=  3
+V= 2.2.4
 DISTNAME=  libgd-$V
 PKGNAME=   gd-$V
 
-SHARED_LIBS += gd   21.1 # 3.0
+SHARED_LIBS += gd   22.0 # 3.0
 
 CATEGORIES=graphics
 
@@ -15,10 +14,10 @@ HOMEPAGE=   http://www.libgd.org/
 
 PERMIT_PACKAGE_CDROM=  Yes
 
-WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread
-WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z
+#WANTLIB += c expat fontconfig freetype iconv jpeg m png pthread
+#WANTLIB += pthread-stubs ${LIBCXX} tiff vpx z
 
-MASTER_SITES=  https://bitbucket.org/libgd/gd-libgd/downloads/
+MASTER_SITES=  https://github.com/libgd/libgd/releases/download/${PKGNAME}/
 
 CONFIGURE_STYLE= gnu
 CONFIGURE_ARGS+= --without-xpm
@@ -26,7 +25,6 @@ CONFIGURE_ARGS+= --without-xpm
 LIB_DEPENDS=   converters/libiconv \
graphics/jpeg \
graphics/png \
-   graphics/tiff \
-   multimedia/libvpx
+   graphics/tiff
 
 .include 
Index: distinfo
===
RCS file: /cvs/ports/graphics/gd/distinfo,v
retrieving revision 1.8
diff -u -p -u -p -r1.8 distinfo
--- distinfo14 Nov 2015 12:41:53 -  1.8
+++ distinfo29 Apr 2017 21:04:18 -
@@ -1,2 +1,2 @@
-SHA256 (libgd-2.1.1.tar.gz) = z0e85aTExtx3uo0DSdHuyc7/d+2G8UskmgeAt/GFVMU=
-SIZE (libgd-2.1.1.tar.gz) = 2390586
+SHA256 (libgd-2.2.4.tar.gz) = SHplCqYUIX7QirG9GqXSgvnTec/ZXHVq7QtDQGOBvmU=
+SIZE (libgd-2.2.4.tar.gz) = 3013928
Index: patches/patch-src_gd_crop_c
===
RCS file: patches/patch-src_gd_crop_c
diff -N patches/patch-src_gd_crop_c
--- patches/patch-src_gd_crop_c 30 Jun 2016 13:27:42 -  1.1
+++ /dev/null   1 Jan 1970 00:00:00 -
@@ -1,19 +0,0 @@
-$OpenBSD: patch-src_gd_crop_c,v 1.1 2016/06/30 13:27:42 jasper Exp $
-
-CVE-2016-6128
-https://bugs.php.net/bug.php?id=72494 
-https://github.com/libgd/libgd/compare/3fe0a7128bac5000fdcfab888bd2a75ec0c9447d...fd623025505e87bba7ec8555eeb72dae4fb0afd
-
 src/gd_crop.c.orig Thu Jun 30 15:23:49 2016
-+++ src/gd_crop.c  Thu Jun 30 15:24:14 2016
-@@ -136,6 +136,10 @@ BGD_DECLARE(gdImagePtr) gdImageCropThreshold(gdImagePt
-   return NULL;
-   }
- 
-+  if (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im)) {
-+  return NULL;
-+  }
-+  
-   /* TODO: Add gdImageGetRowPtr and works with ptr at the row level
-* for the true color and palette images
-* new formats will simply work with ptr
Index: patches/patch-src_gd_gd2_c
===
RCS file: patches/patch-src_gd_gd2_c
diff -N patches/patch-src_gd_gd2_c
--- patches/patch-src_gd_gd2_c  9 May 2016 06:29:18 -   1.1
+++ /dev/null   1 Jan 1970 00:00:00 -
@@ -1,15 +0,0 @@
-$OpenBSD: patch-src_gd_gd2_c,v 1.1 2016/05/09 06:29:18 ajacoutot Exp $
-
-gd2: handle corrupt images better (CVE-2016-3074)
-
 src/gd_gd2.c.orig  Sun May  8 23:50:58 2016
-+++ src/gd_gd2.c   Sun May  8 23:52:14 2016
-@@ -167,6 +167,8 @@ _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
-   if (gdGetInt ([i].size, in) != 1) {
-   goto fail2;
-   };
-+  if (cidx[i].offset < 0 || cidx[i].size < 0)

UPDATE: graphics/gd

2015-11-14 Thread Rafael Sadowski
Hi @ports,

simple libgd update to 2.1.1. The CVE-2014-9709 patch is no longer necessary.
Tested on amd64: "All 93 tests passed".

Cheers, Rafael


Index: Makefile
===
RCS file: /cvs/ports/graphics/gd/Makefile,v
retrieving revision 1.62
diff -u -p -u -p -r1.62 Makefile
--- Makefile17 Aug 2015 19:52:39 -  1.62
+++ Makefile14 Nov 2015 12:19:52 -
@@ -2,10 +2,9 @@
 
 COMMENT=   library for dynamic creation of images
 
-V= 2.1.0
+V= 2.1.1
 DISTNAME=  libgd-$V
 PKGNAME=   gd-$V
-REVISION=  2
 
 SHARED_LIBS=   gd  21.0
 
Index: distinfo
===
RCS file: /cvs/ports/graphics/gd/distinfo,v
retrieving revision 1.7
diff -u -p -u -p -r1.7 distinfo
--- distinfo17 Mar 2014 23:20:57 -  1.7
+++ distinfo14 Nov 2015 12:19:52 -
@@ -1,2 +1,2 @@
-SHA256 (libgd-2.1.0.tar.gz) = PO72nVRUo5LoeTrpC18NYy3T4gh5wShWqh0dPQY6Ucg=
-SIZE (libgd-2.1.0.tar.gz) = 2330322
+SHA256 (libgd-2.1.1.tar.gz) = z0e85aTExtx3uo0DSdHuyc7/d+2G8UskmgeAt/GFVMU=
+SIZE (libgd-2.1.1.tar.gz) = 2390586
Index: patches/patch-src_gd_gif_in_c
===
RCS file: patches/patch-src_gd_gif_in_c
diff -N patches/patch-src_gd_gif_in_c
--- patches/patch-src_gd_gif_in_c   26 Mar 2015 09:16:31 -  1.1
+++ /dev/null   1 Jan 1970 00:00:00 -
@@ -1,32 +0,0 @@
-$OpenBSD: patch-src_gd_gif_in_c,v 1.1 2015/03/26 09:16:31 jasper Exp $
-
-Security fix for CVE-2014-9709, gd: buffer read overflow in gd_gif_in.c
-
 src/gd_gif_in.c.orig   Thu Mar 26 10:07:17 2015
-+++ src/gd_gif_in.cThu Mar 26 10:08:35 2015
-@@ -75,8 +75,10 @@ static struct {
- 
- #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
- 
-+#define CSD_BUF_SIZE 280
-+
- typedef struct {
--  unsigned char buf[280];
-+  unsigned char buf[CSD_BUF_SIZE];
-   int curbit;
-   int lastbit;
-   int done;
-@@ -410,7 +412,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_
- 
-   ret = 0;
-   for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) {
--  ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
-+  if (i < CSD_BUF_SIZE * 8) {
-+  ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
-+  } else {
-+  ret = -1;
-+  break;
-+  }
-   }
- 
-   scd->curbit += code_size;



Re: UPDATE: graphics/gd

2015-11-14 Thread Stuart Henderson
I'll take care of this. There are also API additions so it needs
a SHARED_LIBS bump.


On 2015/11/14 14:20, Rafael Sadowski wrote:
> Hi @ports,
> 
> simple libgd update to 2.1.1. CVE-2014-9709 patch is not more necessary.
> Tested on amd64: "All 93 tests passed".
> 
> Cheers, Rafael
> 
> 
> Index: Makefile
> ===
> RCS file: /cvs/ports/graphics/gd/Makefile,v
> retrieving revision 1.62
> diff -u -p -u -p -r1.62 Makefile
> --- Makefile  17 Aug 2015 19:52:39 -  1.62
> +++ Makefile  14 Nov 2015 12:19:52 -
> @@ -2,10 +2,9 @@
>  
>  COMMENT= library for dynamic creation of images
>  
> -V=   2.1.0
> +V=   2.1.1
>  DISTNAME=libgd-$V
>  PKGNAME= gd-$V
> -REVISION=2
>  
>  SHARED_LIBS= gd  21.0
>  
> Index: distinfo
> ===
> RCS file: /cvs/ports/graphics/gd/distinfo,v
> retrieving revision 1.7
> diff -u -p -u -p -r1.7 distinfo
> --- distinfo  17 Mar 2014 23:20:57 -  1.7
> +++ distinfo  14 Nov 2015 12:19:52 -
> @@ -1,2 +1,2 @@
> -SHA256 (libgd-2.1.0.tar.gz) = PO72nVRUo5LoeTrpC18NYy3T4gh5wShWqh0dPQY6Ucg=
> -SIZE (libgd-2.1.0.tar.gz) = 2330322
> +SHA256 (libgd-2.1.1.tar.gz) = z0e85aTExtx3uo0DSdHuyc7/d+2G8UskmgeAt/GFVMU=
> +SIZE (libgd-2.1.1.tar.gz) = 2390586
> Index: patches/patch-src_gd_gif_in_c
> ===
> RCS file: patches/patch-src_gd_gif_in_c
> diff -N patches/patch-src_gd_gif_in_c
> --- patches/patch-src_gd_gif_in_c 26 Mar 2015 09:16:31 -  1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -
> @@ -1,32 +0,0 @@
> -$OpenBSD: patch-src_gd_gif_in_c,v 1.1 2015/03/26 09:16:31 jasper Exp $
> -
> -Security fix for CVE-2014-9709, gd: buffer read overflow in gd_gif_in.c
> -
>  src/gd_gif_in.c.orig Thu Mar 26 10:07:17 2015
> -+++ src/gd_gif_in.c  Thu Mar 26 10:08:35 2015
> -@@ -75,8 +75,10 @@ static struct {
> - 
> - #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
> - 
> -+#define CSD_BUF_SIZE 280
> -+
> - typedef struct {
> --unsigned char buf[280];
> -+unsigned char buf[CSD_BUF_SIZE];
> - int curbit;
> - int lastbit;
> - int done;
> -@@ -410,7 +412,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_
> - 
> - ret = 0;
> - for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) {
> --ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
> -+if (i < CSD_BUF_SIZE * 8) {
> -+ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
> -+} else {
> -+ret = -1;
> -+break;
> -+}
> - }
> - 
> - scd->curbit += code_size;
> 



UPDATE: graphics/gd

2007-06-26 Thread steven mestdagh
see http://www.libgd.org/ReleaseNote020035

please test.

Index: Makefile
===
RCS file: /cvs/ports/graphics/gd/Makefile,v
retrieving revision 1.49
diff -u -r1.49 Makefile
--- Makefile31 May 2007 18:32:06 -  1.49
+++ Makefile26 Jun 2007 06:26:26 -
@@ -2,9 +2,8 @@
 
 COMMENT=   library for dynamic creation of images
 
-DISTNAME=  gd-2.0.34
-PKGNAME=   ${DISTNAME}p1
-SHARED_LIBS=   gd  20.34
+DISTNAME=  gd-2.0.35
+SHARED_LIBS=   gd  20.35
 CATEGORIES=graphics
 MASTER_SITES=  ${HOMEPAGE}releases/
 
Index: distinfo
===
RCS file: /cvs/ports/graphics/gd/distinfo,v
retrieving revision 1.5
diff -u -r1.5 distinfo
--- distinfo5 Apr 2007 16:19:55 -   1.5
+++ distinfo26 Jun 2007 06:26:26 -
@@ -1,5 +1,5 @@
-MD5 (gd-2.0.34.tar.gz) = OgLd5CvpKlES/iO0H1RDKw==
-RMD160 (gd-2.0.34.tar.gz) = FefcFHYtf5M2oAve/1hD5lAqvXo=
-SHA1 (gd-2.0.34.tar.gz) = 2QA3b2sC1dKeZ20PG3IuPBIoOyw=
-SHA256 (gd-2.0.34.tar.gz) = bn87r6U/x/7h3ps/VAWF8vMMZdEXQURH1FzxFpn2T5I=
-SIZE (gd-2.0.34.tar.gz) = 1273059
+MD5 (gd-2.0.35.tar.gz) = mCljRI3DbyDLebbpum/e3g==
+RMD160 (gd-2.0.35.tar.gz) = SuN7VjvsriYwjeG7xIm4zudo3K0=
+SHA1 (gd-2.0.35.tar.gz) = 73+7JQ9Ba6twz9pvdyg2JLg8AdU=
+SHA256 (gd-2.0.35.tar.gz) = u9FrnCaDd6rqnDwtZMXBEExTYA5AkPIi17s4k4w9fVI=
+SIZE (gd-2.0.35.tar.gz) = 1345700
Index: patches/patch-configure
===
RCS file: /cvs/ports/graphics/gd/patches/patch-configure,v
retrieving revision 1.3
diff -u -r1.3 patch-configure
--- patches/patch-configure 17 Feb 2007 16:30:11 -  1.3
+++ patches/patch-configure 26 Jun 2007 06:26:26 -
@@ -1,7 +1,7 @@
 $OpenBSD: patch-configure,v 1.3 2007/02/17 16:30:11 bernd Exp $
 configure.orig Wed Feb  7 10:59:57 2007
-+++ configure  Wed Feb  7 11:01:33 2007
-@@ -23162,7 +23162,7 @@ if test `eval echo '${'$as_ac_Header'}'`
+--- configure.orig Mon Apr 23 16:57:52 2007
 configure  Tue Jun 26 08:11:35 2007
+@@ -22322,7 +22322,7 @@ if test `eval echo '${'$as_ac_Header'}'` = yes; then
cat confdefs.h _ACEOF
  #define `echo HAVE_$ac_header | $as_tr_cpp` 1
  _ACEOF
@@ -10,25 +10,25 @@
  else
CPPFLAGS=$_cppflags
  fi
-@@ -24254,7 +24254,7 @@ eval echo \\$as_me:$LINENO: $ac_try_ec
-   ac_status=$?
-   echo $as_me:$LINENO: \$? = $ac_status 5
-   (exit $ac_status); }; }; then
+@@ -23262,7 +23262,7 @@ eval echo \\$as_me:$LINENO: $ac_try_echo\) 5
+test ! -s conftest.err
+}  test -s conftest$ac_exeext 
+$as_test_x conftest$ac_exeext; then
 -  acx_pthread_ok=yes
 +  acx_pthread_ok=no
  else
echo $as_me: failed program was: 5
  sed 's/^/| /' conftest.$ac_ext 5
-@@ -24452,7 +24452,7 @@ eval echo \\$as_me:$LINENO: $ac_try_ec
-   ac_status=$?
-   echo $as_me:$LINENO: \$? = $ac_status 5
-   (exit $ac_status); }; }; then
+@@ -23444,7 +23444,7 @@ eval echo \\$as_me:$LINENO: $ac_try_echo\) 5
+test ! -s conftest.err
+}  test -s conftest$ac_exeext 
+$as_test_x conftest$ac_exeext; then
 -  acx_pthread_ok=yes
 +  acx_pthread_ok=no
  else
echo $as_me: failed program was: 5
  sed 's/^/| /' conftest.$ac_ext 5
-@@ -25472,7 +25472,7 @@ FFLAGS!$FFLAGS$ac_delim
+@@ -24461,7 +24461,7 @@ FFLAGS!$FFLAGS$ac_delim
  ac_ct_F77!$ac_ct_F77$ac_delim
  LIBTOOL!$LIBTOOL$ac_delim
  XMKMF!$XMKMF$ac_delim
Index: patches/patch-gd_png_c
===
RCS file: patches/patch-gd_png_c
diff -N patches/patch-gd_png_c
--- patches/patch-gd_png_c  31 May 2007 18:32:06 -  1.1
+++ /dev/null   1 Jan 1970 00:00:00 -
@@ -1,16 +0,0 @@
-$OpenBSD: patch-gd_png_c,v 1.1 2007/05/31 18:32:06 rui Exp $
 gd_png.c.orig  Thu May 31 16:03:54 2007
-+++ gd_png.c   Thu May 31 16:05:09 2007
-@@ -81,7 +81,11 @@ gdPngErrorHandler (png_structp png_ptr, png_const_char
- static void
- gdPngReadData (png_structp png_ptr, png_bytep data, png_size_t length)
- {
--  gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
-+  int check;
-+  check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr));
-+  if (check != length) {
-+png_error(png_ptr, Read Error: truncated data);
-+  }
- }
- 
- static void