Revision bump to address CVE-2007-635{1,2}. See security bug #202350.

Package-Manager: portage-2.1.4_rc9

6 files changed, 130 insertions, 8 deletions

diff --git a/media-libs/libexif/ChangeLog b/media-libs/libexif/ChangeLog
index 1fec6ade0d0f..8d17e3a61cf4 100644
--- a/media-libs/libexif/ChangeLog
+++ b/media-libs/libexif/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for media-libs/libexif
 # Copyright 2002-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/libexif/ChangeLog,v 1.88 2007/12/18 17:31:44 eradicator Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-libs/libexif/ChangeLog,v 1.89 2007/12/18 17:45:49 eradicator Exp $
+
+*libexif-0.6.16-r1 (18 Dec 2007)
+
+  18 Dec 2007; Jeremy Huddleston <eradicator@gentoo.org>
+  +files/libexif-CVE-2007-6351.patch, +files/libexif-CVE-2007-6352.patch,
+  +libexif-0.6.16-r1.ebuild:
+  Revision bump to address CVE-2007-635{1,2}.  See security bug #202350.
 
   18 Dec 2007; Jeremy Huddleston <eradicator@gentoo.org>
   libexif-0.6.16.ebuild:
diff --git a/media-libs/libexif/Manifest b/media-libs/libexif/Manifest
index 8b79def878ee..9cc6956211e2 100644
--- a/media-libs/libexif/Manifest
+++ b/media-libs/libexif/Manifest
@@ -5,15 +5,27 @@ AUX libexif-0.6.13-pkgconfig.patch 402 RMD160 269822b19acf52a1be773e64fcf72f5480
 MD5 8f89c1f64e76139750aa946f964de2eb files/libexif-0.6.13-pkgconfig.patch 402
 RMD160 269822b19acf52a1be773e64fcf72f5480155e89 files/libexif-0.6.13-pkgconfig.patch 402
 SHA256 9986246ab56eb294bd93eada0847f3141beed90f23f5711f4ff0f696f38f2def files/libexif-0.6.13-pkgconfig.patch 402
+AUX libexif-CVE-2007-6351.patch 405 RMD160 974706cbb2683f62b9da5a7307fac87dedab87df SHA1 02ec666c10de3c9f9fe540e679c58d1dd2650cc3 SHA256 0d01009cedb6e01f39072b0f4662fb51aeb71f52e5db6dea2e9aeebacc2f02f5
+MD5 cbefe8fb1bc3448065d27cca318de808 files/libexif-CVE-2007-6351.patch 405
+RMD160 974706cbb2683f62b9da5a7307fac87dedab87df files/libexif-CVE-2007-6351.patch 405
+SHA256 0d01009cedb6e01f39072b0f4662fb51aeb71f52e5db6dea2e9aeebacc2f02f5 files/libexif-CVE-2007-6351.patch 405
+AUX libexif-CVE-2007-6352.patch 691 RMD160 19ebfba5d7db6c152194f924bf68780e8d49b13d SHA1 9887067d4ce307cc535658cfaf1e8bc4a4985646 SHA256 6686731b147f789a8d1e36550175ff3ba2308f01b1656a734a753e01632692cc
+MD5 756bb22be45471c95b480eac5dca04f9 files/libexif-CVE-2007-6352.patch 691
+RMD160 19ebfba5d7db6c152194f924bf68780e8d49b13d files/libexif-CVE-2007-6352.patch 691
+SHA256 6686731b147f789a8d1e36550175ff3ba2308f01b1656a734a753e01632692cc files/libexif-CVE-2007-6352.patch 691
 DIST libexif-0.6.16.tar.bz2 691528 RMD160 3754861ad0550f9d77b0aa745dcb3d394ec658ed SHA1 4fea28a05496b3c7075ca5f619439340be534a3f SHA256 db6885d5e40e3a273ff8bb9708ab739c8ace3c5abdd75509eec8ea31a31aac43
+EBUILD libexif-0.6.16-r1.ebuild 1972 RMD160 4e899376971a904d4e8b08ace7ef9dc41b956cf4 SHA1 5baeb81ba06a74d336e9918f9e81e1c0e56eae67 SHA256 9ee10f6177a19181a890fe6abffc026795989bbe9f54b2bfe4c4a7583cd4514d
+MD5 511978075bad91bb0f2ae635ce0153cd libexif-0.6.16-r1.ebuild 1972
+RMD160 4e899376971a904d4e8b08ace7ef9dc41b956cf4 libexif-0.6.16-r1.ebuild 1972
+SHA256 9ee10f6177a19181a890fe6abffc026795989bbe9f54b2bfe4c4a7583cd4514d libexif-0.6.16-r1.ebuild 1972
 EBUILD libexif-0.6.16.ebuild 1862 RMD160 5addd1174d21923102871d491a2c915c707b2f7f SHA1 d650b4377cdc4b8e806dea78e4871a752512e7a4 SHA256 9a696b46e21f7b0c05c2414eee81e4f0e64b14b74f8fd895ac5977add9ec95cf
 MD5 627c4f35cc31437169a0566ef315038c libexif-0.6.16.ebuild 1862
 RMD160 5addd1174d21923102871d491a2c915c707b2f7f libexif-0.6.16.ebuild 1862
 SHA256 9a696b46e21f7b0c05c2414eee81e4f0e64b14b74f8fd895ac5977add9ec95cf libexif-0.6.16.ebuild 1862
-MISC ChangeLog 13478 RMD160 41ce0884c04210329e105d685d2f3714df1bbda6 SHA1 be5ff4fe0b7d673df4f709e9c61b16851199bdf5 SHA256 6dbccbe98470a64cf8dd3341fa33d85e721765547b2652a9c8c66801670a668b
-MD5 ea48260dd80b567e3fbc0de295dace31 ChangeLog 13478
-RMD160 41ce0884c04210329e105d685d2f3714df1bbda6 ChangeLog 13478
-SHA256 6dbccbe98470a64cf8dd3341fa33d85e721765547b2652a9c8c66801670a668b ChangeLog 13478
+MISC ChangeLog 13746 RMD160 99f304678c26aedab20b59b11e5b2bb0b0f805c7 SHA1 dcecaeb50ab08437bd155d608b945a8a4dc30413 SHA256 86db46bfae149b09369a3e706635295c5f59a4e3a31741a0eb655bb829d54d67
+MD5 2b6342989fe7ec0364d90bcc6e762c47 ChangeLog 13746
+RMD160 99f304678c26aedab20b59b11e5b2bb0b0f805c7 ChangeLog 13746
+SHA256 86db46bfae149b09369a3e706635295c5f59a4e3a31741a0eb655bb829d54d67 ChangeLog 13746
 MISC metadata.xml 259 RMD160 d1f5ea37202987c54db9697175a55e5609386654 SHA1 d7234631415b27fa166f13d440f0ea6e4d3f1044 SHA256 14f1bab6a31d434eda6319b2783239e50179d75501edb6e255bb6c3e665418cf
 MD5 c1e212329f9083e2405b16dd382d6632 metadata.xml 259
 RMD160 d1f5ea37202987c54db9697175a55e5609386654 metadata.xml 259
@@ -21,10 +33,13 @@ SHA256 14f1bab6a31d434eda6319b2783239e50179d75501edb6e255bb6c3e665418cf metadata
 MD5 cbe066c942ac8df06bf42bd6bedc4635 files/digest-libexif-0.6.16 247
 RMD160 d2ae52af1ee097f728b0de47f137cf65cf2536db files/digest-libexif-0.6.16 247
 SHA256 ff9030e7ca48bd5e3e933689330393b8792e367c41dff53f07f74c248fb29c3f files/digest-libexif-0.6.16 247
+MD5 cbe066c942ac8df06bf42bd6bedc4635 files/digest-libexif-0.6.16-r1 247
+RMD160 d2ae52af1ee097f728b0de47f137cf65cf2536db files/digest-libexif-0.6.16-r1 247
+SHA256 ff9030e7ca48bd5e3e933689330393b8792e367c41dff53f07f74c248fb29c3f files/digest-libexif-0.6.16-r1 247
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.7 (GNU/Linux)
 
-iD8DBQFHaAR5jC1Anjf1NmMRAjtdAJ4/38yFv0AcE59Jd9F42RaEj7NGrgCeP96Q
-OWMgctR5kTR0aUlRBvz4BW4=
-=D0vX
+iD8DBQFHaAdYjC1Anjf1NmMRAl98AJ0QL+hElOuhl8tzM3SlsjIrZ/tWPACeMaN4
+1lFVyOaIPEVdIgdodbdGGkU=
+=IIsS
 -----END PGP SIGNATURE-----
diff --git a/media-libs/libexif/files/digest-libexif-0.6.16-r1 b/media-libs/libexif/files/digest-libexif-0.6.16-r1
new file mode 100644
index 000000000000..03112b7a85fd
--- /dev/null
+++ b/media-libs/libexif/files/digest-libexif-0.6.16-r1
@@ -0,0 +1,3 @@
+MD5 deee153b1ded5a944ea05d041d959eca libexif-0.6.16.tar.bz2 691528
+RMD160 3754861ad0550f9d77b0aa745dcb3d394ec658ed libexif-0.6.16.tar.bz2 691528
+SHA256 db6885d5e40e3a273ff8bb9708ab739c8ace3c5abdd75509eec8ea31a31aac43 libexif-0.6.16.tar.bz2 691528
diff --git a/media-libs/libexif/files/libexif-CVE-2007-6351.patch b/media-libs/libexif/files/libexif-CVE-2007-6351.patch
new file mode 100644
index 000000000000..eecf7e37151b
--- /dev/null
+++ b/media-libs/libexif/files/libexif-CVE-2007-6351.patch
@@ -0,0 +1,13 @@
+Index: libexif-0.6.16/libexif/exif-loader.c
+===================================================================
+--- libexif-0.6.16.orig/libexif/exif-loader.c
++++ libexif-0.6.16/libexif/exif-loader.c
+@@ -176,6 +176,8 @@ exif_loader_write (ExifLoader *eld, unsi
+ 		break;
+ 	}
+ 
++	if (!len)
++		return 1;
+ 	exif_log (eld->log, EXIF_LOG_CODE_DEBUG, "ExifLoader",
+ 		  "Scanning %i byte(s) of data...", len);
+ 
diff --git a/media-libs/libexif/files/libexif-CVE-2007-6352.patch b/media-libs/libexif/files/libexif-CVE-2007-6352.patch
new file mode 100644
index 000000000000..c6d53cee91d9
--- /dev/null
+++ b/media-libs/libexif/files/libexif-CVE-2007-6352.patch
@@ -0,0 +1,17 @@
+Index: libexif-0.6.16/libexif/exif-data.c
+===================================================================
+--- libexif-0.6.16.orig/libexif/exif-data.c
++++ libexif-0.6.16/libexif/exif-data.c
+@@ -288,10 +288,9 @@ static void
+ exif_data_load_data_thumbnail (ExifData *data, const unsigned char *d,
+ 			       unsigned int ds, ExifLong offset, ExifLong size)
+ {
+-	if (ds < offset + size) {
++	if ((ds < offset + size) || (offset < 0) || (offset > ds)) {
+ 		exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData",
+-			  "Bogus thumbnail offset and size: %i < %i + %i.",
+-			  (int) ds, (int) offset, (int) size);
++			  "Bogus thumbnail offset and size.");
+ 		return;
+ 	}
+ 	if (data->data) 
diff --git a/media-libs/libexif/libexif-0.6.16-r1.ebuild b/media-libs/libexif/libexif-0.6.16-r1.ebuild
new file mode 100644
index 000000000000..8777c70fadc2
--- /dev/null
+++ b/media-libs/libexif/libexif-0.6.16-r1.ebuild
@@ -0,0 +1,67 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-libs/libexif/libexif-0.6.16-r1.ebuild,v 1.1 2007/12/18 17:45:49 eradicator Exp $
+
+inherit eutils libtool
+
+DESCRIPTION="Library for parsing, editing, and saving EXIF data"
+HOMEPAGE="http://libexif.sourceforge.net/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
+IUSE="doc nls"
+
+DEPEND="dev-util/pkgconfig
+	doc? ( app-doc/doxygen )
+	nls? ( sys-devel/gettext )"
+
+RDEPEND="nls? ( virtual/libintl )"
+
+src_unpack() {
+	unpack ${A}
+
+	cd "${S}"
+	epatch "${FILESDIR}/${PN}-0.6.13-pkgconfig.patch"
+	epatch "${FILESDIR}/${PN}-CVE-2007-6351.patch"
+	epatch "${FILESDIR}/${PN}-CVE-2007-6352.patch"
+
+	# We do this for sane .so versioning on FreeBSD
+	elibtoolize
+}
+
+src_compile() {
+	local my_conf="--with-doc-dir=/usr/share/doc/${PF}"
+	use nls || my_conf="${my_conf} --without-libintl-prefix"
+	econf $(use_enable nls) $(use_enable doc docs) \
+		--with-pic --disable-rpath ${my_conf} || die
+	emake || die
+}
+
+src_install() {
+	dodir /usr/$(get_libdir)
+	dodir /usr/include/libexif
+	use nls && dodir /usr/share/locale
+	use doc && dodir /usr/share/doc/${PF}
+	dodir /usr/$(get_libdir)/pkgconfig
+
+	make DESTDIR="${D}" install || die
+
+	dodoc ChangeLog README
+
+	# installs a blank directory for whatever broken reason
+	use nls || rm -rf "${D}usr/share/locale"
+}
+
+pkg_postinst() {
+	if has_version '<media-libs/libexif-0.6.13-r2'; then
+		elog "If you are upgrading from a version of libexif older than 0.6.13-r2,"
+		elog "you will need to do the following to rebuild dependencies:"
+		elog "# revdep-rebuild --soname libexif.so.9"
+		elog "# revdep-rebuild --soname libexif.so.10"
+		elog ""
+		elog "Note, it is actually safe to create a symlink from libexif.so.10 to"
+		elog "libexif.so.12 if you need to during the update."
+	fi
+}