head 1.2;
access;
symbols
 pkgsrc-2017Q3:1.1.0.2;
locks; strict;
comment @# @;

1.2
date 2017.12.18.15.06.34; author leot; state dead;
branches;
next 1.1;
commitid piDUW6ZgHXgvUnjA;

1.1
date 2017.10.25.11.00.03; author leot; state Exp;
branches
 1.1.2.1;
next ;
commitid mSGpjiZUP4KyhqcA;

1.1.2.1
date 2017.10.25.11.00.03; author bsiegert; state dead;
branches;
next 1.1.2.2;
commitid 7DS2pPV5fZPCeKdA;

1.1.2.2
date 2017.11.04.17.48.30; author bsiegert; state Exp;
branches;
next ;
commitid 7DS2pPV5fZPCeKdA;

desc
@@

1.2
log
@mupdf: Update print/mupdf to 1.12.0

pkgsrc changes:
- Add support for the `opengl' option via graphics/glut and remove the `glfw'
  option to follow upstream changes. Adjust options.mk and buildlink3.mk
  accordingly.
- Add patches/patch-platform_gl_gl-app.h to not force freeglut GLUT
  implementation to every non-APPLE platform (glut also works!) and adjust
  the glut.h include.
- Add a commented out lcms2 bl3 inclusion entry, lcms2>=2.9 is needed (due to
  "lcms2art.h" et al. inclusion, so disable it for now)
- Explain the OPJ_STATIC comment in patches/patch-source_fitz_load-jpx.c a bit
  more in depth...
  ...this will hopefully save some time to debug opj_* undefined symbols when
  trying to link libmupdf and accidentally omitting the
  patches/patch-source_fitz_load-jpx.c hunk (for extra debugging stories fun,
  if OPJ_STATIC is defined some opj_* symbols are defined while others are not
  defined, making the debugging of that problem more naughty!).
- Inject HAVE_{CURL,GLUT} variables via MAKE_ENV in options.mk to avoid
  depending on www/curl and graphics/glut (yes, that's a bit kludgy but
  unfortunately mupdf doesn't have a configure and so there isn't a more
  sensible way to do it). This is needed to avoid building mupdf-gl for native
  X.org where the glut.pc pkg-config file is available at build time. Also
  adjust patches/patch-ab accordingly.
- Remove patches/patch-CVE*, they are no longer needed (all applied in 1.12.0) - Bump BUILDLINK_API_DEPENDS.mupdf to 1.12.0 (there were several API changes from 1.11 to 1.12.0) and remove the now redundant and no longer needed BUILDLINK_ABI_DEPENDS.mupdf. Changes: List of changes in MuPDF 1.12.0 * Color management: * LCMS2 library for color management. * CMYK rendering with overprint simulation. * Spot color rendering. * Transparency rendering fixes. * Structured text output improvements: * Reworked structured text API. * Faster text searching. * Highlight and copy text by selecting lines instead of by area. * New semantic XHTML output format. * New layout preserving HTML output format. * Features and improvements: * Improved non-AA rendering with new scan converter. * Improved LARGEFILE support. * Improved TIFF support. * Improved documentation. * PCLm output. * PSD output. * New "mutool trace" tool. * New "mutool sign" tool (work in progress). * Text redaction (work in progress). * Lots of bug fixes. @ text @$NetBSD: patch-CVE-2017-14685,v 1.1 2017/10/25 11:00:03 leot Exp $ Fix 698539: Don't use xps font if it could not be loaded. (AKA CVE-2017-14685) xps_load_links_in_glyphs did not cope with font loading failures. From upstream commit ab1a420613dec93c686acbee2c165274e922f82a --- source/xps/xps-link.c.orig +++ source/xps/xps-link.c @@@@ -91,6 +91,8 @@@@ xps_load_links_in_glyphs(fz_context *ctx, xps_document *doc, const fz_matrix *ct bidi_level = atoi(bidi_level_att); font = xps_lookup_font(ctx, doc, base_uri, font_uri_att, style_att); + if (!font) + return; text = xps_parse_glyphs_imp(ctx, doc, &local_ctm, font, fz_atof(font_size_att), fz_atof(origin_x_att), fz_atof(origin_y_att), is_sideways, bidi_level, indices_att, unicode_att); @ 1.1 log @mupdf: backport patches to fix several possible security issues Backport patches from upstream to address CVE-2017-14685, CVE-2017-14686, CVE-2017-14687, CVE-2017-15369 and CVE-2017-15587. 
These will not be needed for the next mupdf stable release. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-CVE-2017-14685 was added on branch pkgsrc-2017Q3 on 2017-11-04 17:48:30 +0000 @ text @d1 20 @ 1.1.2.2 log @Pullup ticket #5595 - requested by sevan print/mupdf: security fix Revisions pulled up: - print/mupdf/Makefile 1.54 - print/mupdf/distinfo 1.38 - print/mupdf/patches/patch-CVE-2017-14685 1.1 - print/mupdf/patches/patch-CVE-2017-14686 1.1 - print/mupdf/patches/patch-CVE-2017-14687 1.1 - print/mupdf/patches/patch-CVE-2017-15369 1.1 - print/mupdf/patches/patch-CVE-2017-15587 1.1 --- Module Name: pkgsrc Committed By: leot Date: Wed Oct 25 11:00:03 UTC 2017 Modified Files: pkgsrc/print/mupdf: Makefile distinfo Added Files: pkgsrc/print/mupdf/patches: patch-CVE-2017-14685 patch-CVE-2017-14686 patch-CVE-2017-14687 patch-CVE-2017-15369 patch-CVE-2017-15587 Log Message: mupdf: backport patches to fix several possible security issues Backport patches from upstream to address CVE-2017-14685, CVE-2017-14686, CVE-2017-14687, CVE-2017-15369 and CVE-2017-15587. These will not be needed for the next mupdf stable release. Bump PKGREVISION. @ text @a0 20 $NetBSD: patch-CVE-2017-14685,v 1.1 2017/10/25 11:00:03 leot Exp $ Fix 698539: Don't use xps font if it could not be loaded. (AKA CVE-2017-14685) xps_load_links_in_glyphs did not cope with font loading failures. From upstream commit ab1a420613dec93c686acbee2c165274e922f82a --- source/xps/xps-link.c.orig +++ source/xps/xps-link.c @@@@ -91,6 +91,8 @@@@ xps_load_links_in_glyphs(fz_context *ctx, xps_document *doc, const fz_matrix *ct bidi_level = atoi(bidi_level_att); font = xps_lookup_font(ctx, doc, base_uri, font_uri_att, style_att); + if (!font) + return; text = xps_parse_glyphs_imp(ctx, doc, &local_ctm, font, fz_atof(font_size_att), fz_atof(origin_x_att), fz_atof(origin_y_att), is_sideways, bidi_level, indices_att, unicode_att); @
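Review bot: The new `if (!font) return;` after the `xps_lookup_font` call in `xps_load_links_in_glyphs` leaves the function silently, so a glyphs element whose font failed to load simply loses its links with no trace for whoever debugs the document later. If `xps_lookup_font` does not already report the failure, a warning at this point would help. The hunk also does not show whether anything acquired earlier in the function needs releasing before this early exit; it is worth checking that against upstream commit ab1a420613dec93c686acbee2c165274e922f82a. The patch header itself is well documented (bug 698539, the CVE id and the upstream commit are all recorded), which makes the backport easy to audit and to drop once 1.12.0 lands.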