diff options
Diffstat (limited to 'source/l/libcroco')
| -rw-r--r-- | source/l/libcroco/898e3a8c8c03.patch | 58 | ||||
| -rwxr-xr-x | source/l/libcroco/libcroco.SlackBuild | 35 | ||||
| -rw-r--r-- | source/l/libcroco/slack-desc | 2 |
3 files changed, 85 insertions, 10 deletions
diff --git a/source/l/libcroco/898e3a8c8c03.patch b/source/l/libcroco/898e3a8c8c03.patch new file mode 100644 index 00000000..b669339c --- /dev/null +++ b/source/l/libcroco/898e3a8c8c03.patch @@ -0,0 +1,58 @@ +From 898e3a8c8c0314d2e6b106809a8e3e93cf9d4394 Mon Sep 17 00:00:00 2001 +From: Ignacio Casal Quinteiro <qignacio@amazon.com> +Date: Sun, 16 Apr 2017 13:13:43 +0200 +Subject: input: check end of input before reading a byte + +When reading bytes we weren't check that the index wasn't +out of bound and this could produce an invalid read which +could deal to a security bug. +--- + src/cr-input.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/cr-input.c b/src/cr-input.c +index 49000b1..3b63a88 100644 +--- a/src/cr-input.c ++++ b/src/cr-input.c +@@ -256,7 +256,7 @@ cr_input_new_from_uri (const gchar * a_file_uri, enum CREncoding a_enc) + *we should free buf here because it's own by CRInput. + *(see the last parameter of cr_input_new_from_buf(). + */ +- buf = NULL ; ++ buf = NULL; + } + + cleanup: +@@ -404,6 +404,8 @@ cr_input_get_nb_bytes_left (CRInput const * a_this) + enum CRStatus + cr_input_read_byte (CRInput * a_this, guchar * a_byte) + { ++ gulong nb_bytes_left = 0; ++ + g_return_val_if_fail (a_this && PRIVATE (a_this) + && a_byte, CR_BAD_PARAM_ERROR); + +@@ -413,6 +415,12 @@ cr_input_read_byte (CRInput * a_this, guchar * a_byte) + if (PRIVATE (a_this)->end_of_input == TRUE) + return CR_END_OF_INPUT_ERROR; + ++ nb_bytes_left = cr_input_get_nb_bytes_left (a_this); ++ ++ if (nb_bytes_left < 1) { ++ return CR_END_OF_INPUT_ERROR; ++ } ++ + *a_byte = PRIVATE (a_this)->in_buf[PRIVATE (a_this)->next_byte_index]; + + if (PRIVATE (a_this)->nb_bytes - +@@ -477,7 +485,6 @@ cr_input_read_char (CRInput * a_this, guint32 * a_char) + if (*a_char == '\n') { + PRIVATE (a_this)->end_of_line = TRUE; + } +- + } + + return status; +-- +cgit v0.12 + diff --git a/source/l/libcroco/libcroco.SlackBuild b/source/l/libcroco/libcroco.SlackBuild index d5a1fcba..bd02392c 100755 --- a/source/l/libcroco/libcroco.SlackBuild +++ b/source/l/libcroco/libcroco.SlackBuild @@ -1,8 +1,8 @@ -#!/bin/sh +#!/bin/bash # Slackware build script for libcroco -# Copyright 2012,2013,2015 Robby Workman, Tuscaloosa, Alabama, USA +# Copyright 2012, 2013, 2015 Robby Workman, Tuscaloosa, Alabama, USA # All rights reserved. # # Redistribution and use of this script, with or without modification, is @@ -22,9 +22,11 @@ # OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +cd $(dirname $0) ; CWD=$(pwd) + PKGNAM=libcroco VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-1} +BUILD=${BUILD:-2} if [ -z "$ARCH" ]; then case "$( uname -m )" in @@ -34,7 +36,16 @@ if [ -z "$ARCH" ]; then esac fi -CWD=$(pwd) +# If the variable PRINT_PACKAGE_NAME is set, then this script will report what +# the name of the created package would be, and then exit. This information +# could be useful to other scripts. +if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then + echo "$PKGNAM-$VERSION-$ARCH-$BUILD.txz" + exit 0 +fi + +NUMJOBS=${NUMJOBS:-" -j7 "} + TMP=${TMP:-/tmp} PKG=$TMP/package-$PKGNAM @@ -58,8 +69,8 @@ rm -rf $PKG mkdir -p $TMP $PKG cd $TMP rm -rf $PKGNAM-$VERSION -tar xvf $CWD/$PKGNAM-$VERSION.tar.xz -cd $PKGNAM-$VERSION +tar xvf $CWD/$PKGNAM-$VERSION.tar.xz || exit 1 +cd $PKGNAM-$VERSION || exit 1 chown -R root:root . find . \ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \ @@ -67,6 +78,9 @@ find . \ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ -exec chmod 644 {} \; +# https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/ +patch -p1 --verbose < $CWD/898e3a8c8c03.patch || exit 1 + CFLAGS="$SLKCFLAGS" \ CXXFLAGS="$SLKCFLAGS" \ ./configure \ @@ -76,10 +90,13 @@ CXXFLAGS="$SLKCFLAGS" \ --localstatedir=/var \ --mandir=/usr/man \ --docdir=/usr/doc/$PKGNAM-$VERSION \ - --build=$ARCH-slackware-linux + --build=$ARCH-slackware-linux || exit 1 + +make $NUMJOBS || make || exit 1 +make install DESTDIR=$PKG || exit 1 -make -make install DESTDIR=$PKG +# Don't ship .la files: +rm -f $PKG/{,usr/}lib${LIBDIRSUFFIX}/*.la find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | \ grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true diff --git a/source/l/libcroco/slack-desc b/source/l/libcroco/slack-desc index eabe8cfd..0e0ad8ca 100644 --- a/source/l/libcroco/slack-desc +++ b/source/l/libcroco/slack-desc @@ -2,7 +2,7 @@ # The "handy ruler" below makes it easier to edit a package description. # Line up the first '|' above the ':' following the base package name, and # the '|' on the right side marks the last column you can put a character in. -# You must make exactly 11 lines for the formatting to be correct. It's also +# You must make exactly 11 lines for the formatting to be correct. It's also # customary to leave one space after the ':' except on otherwise blank lines. |-----handy-ruler------------------------------------------------------| |