CVS commit: pkgsrc/graphics/libexif

["Leonardo Taccari" <leot%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   leot
Date:           Sat Oct 13 10:17:31 UTC 2018

Modified Files:
        pkgsrc/graphics/libexif: Makefile distinfo
Added Files:
        pkgsrc/graphics/libexif/patches: patch-libexif_exif-data.c

Log Message:
libexif: Add a patch from upstream to address CVE-2017-7544

Bump PKGREVISION


To generate a diff of this commit:
cvs rdiff -u -r1.43 -r1.44 pkgsrc/graphics/libexif/Makefile
cvs rdiff -u -r1.29 -r1.30 pkgsrc/graphics/libexif/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/graphics/libexif/patches/patch-libexif_exif-data.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/graphics/libexif/Makefile
diff -u pkgsrc/graphics/libexif/Makefile:1.43 pkgsrc/graphics/libexif/Makefile:1.44
--- pkgsrc/graphics/libexif/Makefile:1.43       Thu Oct  9 14:06:36 2014
+++ pkgsrc/graphics/libexif/Makefile    Sat Oct 13 10:17:30 2018
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.43 2014/10/09 14:06:36 wiz Exp $
+# $NetBSD: Makefile,v 1.44 2018/10/13 10:17:30 leot Exp $
 
 DISTNAME=      libexif-0.6.21
+PKGREVISION=   1
 CATEGORIES=    graphics
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=libexif/}
 EXTRACT_SUFX=  .tar.bz2

Index: pkgsrc/graphics/libexif/distinfo
diff -u pkgsrc/graphics/libexif/distinfo:1.29 pkgsrc/graphics/libexif/distinfo:1.30
--- pkgsrc/graphics/libexif/distinfo:1.29       Tue Nov  3 21:34:07 2015
+++ pkgsrc/graphics/libexif/distinfo    Sat Oct 13 10:17:30 2018
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.29 2015/11/03 21:34:07 agc Exp $
+$NetBSD: distinfo,v 1.30 2018/10/13 10:17:30 leot Exp $
 
 SHA1 (libexif-0.6.21.tar.bz2) = a52219b12dbc8d33fc096468591170fda71316c0
 RMD160 (libexif-0.6.21.tar.bz2) = 979f06096b7271d8713c1766e0ad5dfabb06c531
 SHA512 (libexif-0.6.21.tar.bz2) = 4e0fe2abe85d1c95b41cb3abe1f6333dc3a9eb69dba106a674a78d74a4d5b9c5a19647118fa1cc2d72b98a29853394f1519eda9e2889eb28d3be26b21c7cfc35
 Size (libexif-0.6.21.tar.bz2) = 1368435 bytes
+SHA1 (patch-libexif_exif-data.c) = 50934bfb6686d411f0277d6e0868596347f5b5a5

Added files:

Index: pkgsrc/graphics/libexif/patches/patch-libexif_exif-data.c
diff -u /dev/null pkgsrc/graphics/libexif/patches/patch-libexif_exif-data.c:1.1
--- /dev/null   Sat Oct 13 10:17:31 2018
+++ pkgsrc/graphics/libexif/patches/patch-libexif_exif-data.c   Sat Oct 13 10:17:30 2018
@@ -0,0 +1,29 @@
+$NetBSD: patch-libexif_exif-data.c,v 1.1 2018/10/13 10:17:30 leot Exp $
+
+Backport patch to fix CVE-2017-7544 from upstream commit id
+c39acd1692023b26290778a02a9232c873f9d71a:
+
+ <https://github.com/libexif/libexif/commit/c39acd1692023b26290778a02a9232c873f9d71a>
+
+On saving makernotes, make sure the makernote container tags has a type with 1
+byte components.
+
+Fixes (at least):
+ https://sourceforge.net/p/libexif/bugs/130
+ https://sourceforge.net/p/libexif/bugs/129
+
+--- libexif/exif-data.c.orig   2012-07-12 18:31:56.000000000 +0000
++++ libexif/exif-data.c
+@@ -255,6 +255,12 @@ exif_data_save_data_entry (ExifData *dat
+                       exif_mnote_data_set_offset (data->priv->md, *ds - 6);
+                       exif_mnote_data_save (data->priv->md, &e->data, &e->size);
+                       e->components = e->size;
++                      if (exif_format_get_size (e->format) != 1) {
++                              /* e->format is taken from input code,
++                               * but we need to make sure it is a 1 byte
++                               * entity due to the multiplication below. */
++                              e->format = EXIF_FORMAT_UNDEFINED;
++                      }
+               }
+       }
+