head 1.2;
access;
symbols pkgsrc-2017Q3:1.1.0.2;
locks; strict;
comment @# @;

1.2
date 2017.12.18.15.06.34; author leot; state dead;
branches;
next 1.1;
commitid piDUW6ZgHXgvUnjA;

1.1
date 2017.10.25.11.00.03; author leot; state Exp;
branches 1.1.2.1;
next ;
commitid mSGpjiZUP4KyhqcA;

1.1.2.1
date 2017.10.25.11.00.03; author bsiegert; state dead;
branches;
next 1.1.2.2;
commitid 7DS2pPV5fZPCeKdA;

1.1.2.2
date 2017.11.04.17.48.30; author bsiegert; state Exp;
branches;
next ;
commitid 7DS2pPV5fZPCeKdA;

desc
@@

1.2
log
@mupdf: Update print/mupdf to 1.12.0

pkgsrc changes:
- Add support for the `opengl' option via graphics/glut and remove the `glfw' option to follow upstream changes. Adjust options.mk and buildlink3.mk accordingly.
- Add patches/patch-platform_gl_gl-app.h to not force freeglut GLUT implementation to every non-APPLE platform (glut also works!) and adjust the glut.h include.
- Add a commented out lcms2 bl3 inclusion entry, lcms2>=2.9 is needed (due to "lcms2art.h" et al. inclusion, so disable it for now)
- Explain the OPJ_STATIC comment in patches/patch-source_fitz_load-jpx.c a bit more in depth... ...this will hopefully save some time to debug opj_* undefined symbols when trying to link libmupdf and accidentally omitting the patches/patch-source_fitz_load-jpx.c hunk (for extra debugging stories fun, if OPJ_STATIC is defined some opj_* symbols are defined while others are not defined, making the debugging of that problem more naughty!).
- Inject HAVE_{CURL,GLUT} variables via MAKE_ENV in options.mk to avoid depending on www/curl and graphics/glut (yes, that's a bit kludgy but unfortunately mupdf doesn't have a configure and so there isn't a more sensible way to do it). This is needed to avoid building mupdf-gl for native X.org where the glut.pc pkg-config file is available at build time. Also adjust patches/patch-ab accordingly.
- Remove patches/patch-CVE*, they are no longer needed (all applied in 1.12.0) - Bump BUILDLINK_API_DEPENDS.mupdf to 1.12.0 (there were several API changes from 1.11 to 1.12.0) and remove the now redundant and no longer needed BUILDLINK_ABI_DEPENDS.mupdf. Changes: List of changes in MuPDF 1.12.0 * Color management: * LCMS2 library for color management. * CMYK rendering with overprint simulation. * Spot color rendering. * Transparency rendering fixes. * Structured text output improvements: * Reworked structured text API. * Faster text searching. * Highlight and copy text by selecting lines instead of by area. * New semantic XHTML output format. * New layout preserving HTML output format. * Features and improvements: * Improved non-AA rendering with new scan converter. * Improved LARGEFILE support. * Improved TIFF support. * Improved documentation. * PCLm output. * PSD output. * New "mutool trace" tool. * New "mutool sign" tool (work in progress). * Text redaction (work in progress). * Lots of bug fixes. @ text @$NetBSD: patch-CVE-2017-14686,v 1.1 2017/10/25 11:00:03 leot Exp $ Fix bug 698540: Check name, comment and meta size field signs. (AKA CVE-2017-14686) From upstream commit 0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1 --- source/fitz/unzip.c.orig +++ source/fitz/unzip.c @@@@ -141,6 +141,9 @@@@ static void read_zip_dir_imp(fz_context *ctx, fz_zip_archive *zip, int start_off (void) fz_read_int32_le(ctx, file); /* ext file atts */ offset = fz_read_int32_le(ctx, file); + if (namesize < 0 || metasize < 0 || commentsize < 0) + fz_throw(ctx, FZ_ERROR_GENERIC, "invalid size in zip entry"); + name = fz_malloc(ctx, namesize + 1); n = fz_read(ctx, file, (unsigned char*)name, namesize); if (n < (size_t)namesize) @ 1.1 log @mupdf: backport patches to fix several possible security issues Backport patches from upstream to address CVE-2017-14685, CVE-2017-14686, CVE-2017-14687, CVE-2017-15369 and CVE-2017-15587. These will not be needed for the next mupdf stable release. 
Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-CVE-2017-14686 was added on branch pkgsrc-2017Q3 on 2017-11-04 17:48:30 +0000 @ text @d1 19 @ 1.1.2.2 log @Pullup ticket #5595 - requested by sevan print/mupdf: security fix Revisions pulled up: - print/mupdf/Makefile 1.54 - print/mupdf/distinfo 1.38 - print/mupdf/patches/patch-CVE-2017-14685 1.1 - print/mupdf/patches/patch-CVE-2017-14686 1.1 - print/mupdf/patches/patch-CVE-2017-14687 1.1 - print/mupdf/patches/patch-CVE-2017-15369 1.1 - print/mupdf/patches/patch-CVE-2017-15587 1.1 --- Module Name: pkgsrc Committed By: leot Date: Wed Oct 25 11:00:03 UTC 2017 Modified Files: pkgsrc/print/mupdf: Makefile distinfo Added Files: pkgsrc/print/mupdf/patches: patch-CVE-2017-14685 patch-CVE-2017-14686 patch-CVE-2017-14687 patch-CVE-2017-15369 patch-CVE-2017-15587 Log Message: mupdf: backport patches to fix several possible security issues Backport patches from upstream to address CVE-2017-14685, CVE-2017-14686, CVE-2017-14687, CVE-2017-15369 and CVE-2017-15587. These will not be needed for the next mupdf stable release. Bump PKGREVISION. @ text @a0 19 $NetBSD: patch-CVE-2017-14686,v 1.1 2017/10/25 11:00:03 leot Exp $ Fix bug 698540: Check name, comment and meta size field signs. (AKA CVE-2017-14686) From upstream commit 0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1 --- source/fitz/unzip.c.orig +++ source/fitz/unzip.c @@@@ -141,6 +141,9 @@@@ static void read_zip_dir_imp(fz_context *ctx, fz_zip_archive *zip, int start_off (void) fz_read_int32_le(ctx, file); /* ext file atts */ offset = fz_read_int32_le(ctx, file); + if (namesize < 0 || metasize < 0 || commentsize < 0) + fz_throw(ctx, FZ_ERROR_GENERIC, "invalid size in zip entry"); + name = fz_malloc(ctx, namesize + 1); n = fz_read(ctx, file, (unsigned char*)name, namesize); if (n < (size_t)namesize) @
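Review bot: the new sign check in read_zip_dir_imp covers namesize, metasize and commentsize but leaves out offset, which is read with fz_read_int32_le on the line directly above it. If offset is a signed int like the three size fields, a negative value still passes this point, so either add "offset < 0" to the condition or confirm that offset is validated where it is used, outside the lines shown here. The placement before "name = fz_malloc(ctx, namesize + 1);" is correct and should stay there, because the existing "n < (size_t)namesize" comparison only runs after the allocation and the fz_read call have already used namesize. The message "invalid size in zip entry" does not say which of the three fields was rejected; naming the field would make reports about malformed archives easier to triage. A one-line comment above the check stating that these fields come straight from the archive and are untrusted would also help the next reader.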