pkgsrc-WIP-changes archive


FlightCrew: fix CVE-2019-13032, fix build with boost-1.89



Module Name:	pkgsrc-wip
Committed By:	kikadf <kikadf.01%gmail.com@localhost>
Pushed By:	kikadf
Date:		Sat Oct 4 14:53:14 2025 +0200
Changeset:	aab0a64b08227be94cc2f286028a39677b100206

Modified Files:
	FlightCrew/Makefile
	FlightCrew/distinfo
Added Files:
	FlightCrew/patches/patch-src_FlightCrew_Framework_ValidateEpub.cpp

Log Message:
FlightCrew: fix CVE-2019-13032, fix build with boost-1.89

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=aab0a64b08227be94cc2f286028a39677b100206

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 FlightCrew/Makefile                                |  4 +-
 FlightCrew/distinfo                                |  1 +
 ...patch-src_FlightCrew_Framework_ValidateEpub.cpp | 46 ++++++++++++++++++++++
 3 files changed, 49 insertions(+), 2 deletions(-)

diffs:
diff --git a/FlightCrew/Makefile b/FlightCrew/Makefile
index b9c5ebc05e..5aa250499b 100644
--- a/FlightCrew/Makefile
+++ b/FlightCrew/Makefile
@@ -2,7 +2,7 @@
 
 DISTNAME=	FlightCrew-0.7.2-Code
 PKGNAME=	${DISTNAME:S/-Code//}
-PKGREVISION=	60
+PKGREVISION=	61
 CATEGORIES=	textproc
 MASTER_SITES=	http://flightcrew.googlecode.com/files/
 EXTRACT_SUFX=	.zip
@@ -31,7 +31,7 @@ SUBST_FILES.cr+=	src/utf8-cpp/utf8/core.h
 SUBST_FILTER_CMD.cr=	${TR} -d '\r'
 SUBST_NOOP_OK.cr=	yes
 
-BUILDLINK_TRANSFORM+=	l:BoostParts:boost_date_time:boost_filesystem:boost_regex:boost_system:boost_thread:boost_program_options
+BUILDLINK_TRANSFORM+=	l:BoostParts:boost_date_time:boost_filesystem:boost_regex:boost_thread:boost_program_options
 BUILDLINK_TRANSFORM+=	l:Xerces:xerces-c
 BUILDLINK_TRANSFORM+=	l:zlib:z
 
diff --git a/FlightCrew/distinfo b/FlightCrew/distinfo
index 8148600dd2..c5179e7692 100644
--- a/FlightCrew/distinfo
+++ b/FlightCrew/distinfo
@@ -5,6 +5,7 @@ SHA512 (FlightCrew-0.7.2-Code.zip) = 6933cd85bab0300ee2258106225cbf23474516c4993
 Size (FlightCrew-0.7.2-Code.zip) = 7794710 bytes
 SHA1 (patch-CMakeLists.txt) = 8423ab7b53fad354e04fdfd159b070a8f8bf61f9
 SHA1 (patch-src_FlightCrew_CMakeLists.txt) = 2c60cb722bb7613f007f2e3a644f1d9f8509f8ba
+SHA1 (patch-src_FlightCrew_Framework_ValidateEpub.cpp) = a8f78da3bef54ec2382e264b67b0910373799181
 SHA1 (patch-src_FlightCrew_Validators_Opf_ReachabilityAnalysis.cpp) = 53fbd6e1b1b9a11739f16383406f10ddaa253293
 SHA1 (patch-src_FlightCrew_Validators_SaxSchemaValidator.cpp) = 65b6fe9e04d4567449dd36039999d14bee1e7e61
 SHA1 (patch-src_FlightCrew_tests_CMakeLists.txt) = 934296b4cd2425d30d5e4926dfd8f835a5284953
diff --git a/FlightCrew/patches/patch-src_FlightCrew_Framework_ValidateEpub.cpp b/FlightCrew/patches/patch-src_FlightCrew_Framework_ValidateEpub.cpp
new file mode 100644
index 0000000000..7920b1c944
--- /dev/null
+++ b/FlightCrew/patches/patch-src_FlightCrew_Framework_ValidateEpub.cpp
@@ -0,0 +1,46 @@
+$NetBSD$
+
+* Fix CVE-2019-13032 with upstream commits:
+  https://github.com/Sigil-Ebook/flightcrew/commit/c75c100218ed5c0e7652947051e28b54a75212ae
+  https://github.com/Sigil-Ebook/flightcrew/commit/b4f4a70f604ddcb4e8e343aa0e690764fc46d780
+
+--- src/FlightCrew/Framework/ValidateEpub.cpp.orig	2025-10-04 12:04:47.334261964 +0000
++++ src/FlightCrew/Framework/ValidateEpub.cpp
+@@ -118,10 +118,15 @@ fs::path GetRelativePathToNcx( const xc:
+         std::string href       = fromX( item->getAttribute( toX( "href" )       ) );
+         std::string media_type = fromX( item->getAttribute( toX( "media-type" ) ) );
+ 
+-        if ( xc::XMLUri::isValidURI( true, toX( href ) ) &&
+-             media_type == NCX_MIME )
+-        {
+-            return Util::Utf8PathToBoostPath( Util::UrlDecode( href ) );  
++        // prevent segfault here that would result as toX() will return null when 
++        // passed and empty string
++        if (!href.empty()) {
++
++             if ( xc::XMLUri::isValidURI( true, toX( href ) ) &&
++                  media_type == NCX_MIME )
++             {
++                 return Util::Utf8PathToBoostPath( Util::UrlDecode( href ) );  
++             }
+         }
+     }
+ 
+@@ -141,10 +146,13 @@ std::vector< fs::path > GetRelativePaths
+         std::string href       = fromX( item->getAttribute( toX( "href" )       ) );
+         std::string media_type = fromX( item->getAttribute( toX( "media-type" ) ) );
+ 
+-        if ( xc::XMLUri::isValidURI( true, toX( href ) ) &&
+-             ( media_type == XHTML_MIME || media_type == OEB_DOC_MIME ) )
+-        {                    
+-            paths.push_back( Util::Utf8PathToBoostPath( Util::UrlDecode( href ) ) );
++        if (!href.empty()) {
++
++             if ( xc::XMLUri::isValidURI( true, toX( href ) ) &&
++                  ( media_type == XHTML_MIME || media_type == OEB_DOC_MIME ) )
++             {
++                  paths.push_back( Util::Utf8PathToBoostPath( Util::UrlDecode( href ) ) );
++             }
+         }
+     }
+ 
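Review bot: The two `if (!href.empty())` guards close the crash only at these two call sites, in GetRelativePathToNcx and GetRelativePathsToXhtmlDocuments. Per the added comment, the root cause is that `toX()` returns null for an empty string, so any other caller that passes `toX()` an attribute value read from an untrusted EPUB would presumably still hit the same null dereference; it is worth grepping the tree for that pattern or hardening `toX()` itself. The explanatory comment sits only on the first guard and contains a typo ("passed and empty string"); I would put `// toX() returns null for an empty string; skip the item instead of passing null to isValidURI()` above both guards. The nested `if` could also be folded into the existing condition as `if ( !href.empty() && xc::XMLUri::isValidURI( true, toX( href ) ) &&`, which relies on short-circuit evaluation and avoids re-indenting the body, although staying byte-identical to the referenced upstream commits is a fair reason to keep it as is. Both function bodies start and end outside the embedded hunks, so how the returned paths are used afterwards is not visible here.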

