pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/print/ghostscript Add patch for the security vulnerabi...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/ac8d0d9c3918
branches:  trunk
changeset: 557392:ac8d0d9c3918
user:      tron <tron%pkgsrc.org@localhost>
date:      Tue Apr 14 19:32:54 2009 +0000

description:
Add patch for the security vulnerability reported in CVE-2009-0196
taken from Redhat's Bugzilla.

diffstat:

 print/ghostscript/Makefile         |   4 ++--
 print/ghostscript/distinfo         |   3 ++-
 print/ghostscript/patches/patch-aa |  24 ++++++++++++++++++++++++
 3 files changed, 28 insertions(+), 3 deletions(-)

diffs (55 lines):

diff -r 4c9eac3ec216 -r ac8d0d9c3918 print/ghostscript/Makefile
--- a/print/ghostscript/Makefile        Tue Apr 14 19:24:30 2009 +0000
+++ b/print/ghostscript/Makefile        Tue Apr 14 19:32:54 2009 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.60 2009/03/25 10:42:13 drochner Exp $
+# $NetBSD: Makefile,v 1.61 2009/04/14 19:32:54 tron Exp $
 
 DISTNAME=      ghostscript-8.64
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    print
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=ghostscript/}
 EXTRACT_SUFX=  .tar.bz2
diff -r 4c9eac3ec216 -r ac8d0d9c3918 print/ghostscript/distinfo
--- a/print/ghostscript/distinfo        Tue Apr 14 19:24:30 2009 +0000
+++ b/print/ghostscript/distinfo        Tue Apr 14 19:32:54 2009 +0000
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.22 2009/03/25 10:42:13 drochner Exp $
+$NetBSD: distinfo,v 1.23 2009/04/14 19:32:54 tron Exp $
 
 SHA1 (ghostscript-8.64.tar.bz2) = 4c2a6e04145428d35da73fbc4db9c66a75e336e0
 RMD160 (ghostscript-8.64.tar.bz2) = 565134dcfe1e823b435c3761461c5eb394bd633c
 Size (ghostscript-8.64.tar.bz2) = 16921504 bytes
+SHA1 (patch-aa) = 31d077502dba343c5834e5ee9fdb42102ef47668
 SHA1 (patch-ab) = 7a98cad37f94394f172bdac23f5dd73fb1f08006
 SHA1 (patch-ad) = 8b3b743b2d6405ea35bfb16970942ecd55702401
 SHA1 (patch-ae) = 50335e72adebe95ab0cb5873d1c6dd00e971579a
diff -r 4c9eac3ec216 -r ac8d0d9c3918 print/ghostscript/patches/patch-aa
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/print/ghostscript/patches/patch-aa        Tue Apr 14 19:32:54 2009 +0000
@@ -0,0 +1,24 @@
+$NetBSD: patch-aa,v 1.4 2009/04/14 19:32:54 tron Exp $
+
+Patch for CVE-2009-0196 taken from Redhat's Bugzilla:
+
+https://bugzilla.redhat.com/attachment.cgi?id=337747
+
+--- jbig2dec/jbig2_symbol_dict.c.orig  2007-12-11 08:29:58.000000000 +0000
++++ jbig2dec/jbig2_symbol_dict.c       2009-04-14 20:19:01.000000000 +0100
+@@ -699,6 +699,15 @@
+         exrunlength = params->SDNUMEXSYMS;
+       else
+         code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
++      if (exrunlength > params->SDNUMEXSYMS - j) {
++        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
++          "runlength too large in export symbol table (%d > %d - %d)\n",
++          exrunlength, params->SDNUMEXSYMS, j);
++        jbig2_sd_release(ctx, SDEXSYMS);
++        /* skip to the cleanup code and return SDEXSYMS = NULL */
++        SDEXSYMS = NULL;
++        break;
++      }
+       for(k = 0; k < exrunlength; k++)
+         if (exflag) {
+           SDEXSYMS->glyphs[j++] = (i < m) ? 
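Review bot: The new bound check `if (exrunlength > params->SDNUMEXSYMS - j)` uses exrunlength without first testing `code`, the value returned by `jbig2_arith_int_decode(IAEX, as, &exrunlength)` on the line just above it, so in the visible lines a failed decode is compared as if it had produced a valid run length. Test `code` before the comparison and send a failure down the same error path. The check is also an upper bound only: the message prints all three values with %d, and if the comparison is in fact signed, a negative exrunlength passes it, so reject `exrunlength < 0` explicitly rather than relying on the `k < exrunlength` loop not running. The declarations are outside this hunk, so confirm that `params->SDNUMEXSYMS - j` cannot wrap if either operand is unsigned, that the %d conversions match the real types, and that the code reached after `break` tolerates `SDEXSYMS == NULL` as the added comment assumes.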


