Bug 112725 - [patch] [security] update graphics/png to 1.2.18
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Andrey A. Chernov
Reported: 2007-05-17 02:30 UTC by Nick Barkas
Modified: 2007-05-21 12:30 UTC

Attachments
png.patch (2.42 KB, patch)
2007-05-17 02:30 UTC, Nick Barkas

Description Nick Barkas 2007-05-17 02:30:11 UTC
Here is a patch to upgrade graphics/png to 1.2.18 so that the port will no
longer be affected by the following security vulnerability:
http://www.vuxml.org/freebsd/4cb9c513-03ef-11dc-a51d-0019b95d4f14.html

I am not certain my patch to files/patch-aa is correct. It had to be updated
slightly to apply properly, but since the upstream file was altered I don't know
if it does the right thing anymore. The patched patch removes a conditional that
will only be true on non-i386 machines, so I cannot properly test it (I don't 
have any non-i386 machines).

Maintainer has been CC'd.
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2007-05-17 02:30:22 UTC
Responsible Changed
From-To: freebsd-ports-bugs->ache

Over to maintainer
Comment 2 Eygene Ryabinkin 2007-05-18 10:01:09 UTC
Good day.

I happened to make the same patch, but for the 1.2.17: ports/112728.
That PR is outdated by the current one, but I have some questions
about the proposed patch.

Nick, it is very strange, but your patch does not compile on my
i386 system: pnggccrd.c provokes errors
-----
pnggccrd.c: In function `png_squelch_warnings':
pnggccrd.c:362: error: assignment of read-only variable `_const4'
pnggccrd.c:363: error: assignment of read-only variable `_const6'
pnggccrd.c:364: error: assignment of read-only variable `_mask8_0'
pnggccrd.c:365: error: assignment of read-only variable `_mask16_1'
pnggccrd.c:366: error: assignment of read-only variable `_mask16_0'
pnggccrd.c:367: error: assignment of read-only variable `_mask24_2'
pnggccrd.c:368: error: assignment of read-only variable `_mask24_1'
pnggccrd.c:369: error: assignment of read-only variable `_mask24_0'
pnggccrd.c:370: error: assignment of read-only variable `_mask32_3'
pnggccrd.c:371: error: assignment of read-only variable `_mask32_2'
pnggccrd.c:372: error: assignment of read-only variable `_mask32_1'
pnggccrd.c:373: error: assignment of read-only variable `_mask32_0'
pnggccrd.c:374: error: assignment of read-only variable `_mask48_5'
pnggccrd.c:375: error: assignment of read-only variable `_mask48_4'
pnggccrd.c:376: error: assignment of read-only variable `_mask48_3'
pnggccrd.c:377: error: assignment of read-only variable `_mask48_2'
pnggccrd.c:378: error: assignment of read-only variable `_mask48_1'
pnggccrd.c:379: error: assignment of read-only variable `_mask48_0'
-----
And this holds even for 1.2.17: the variable qualifiers had been
changed to 'static const' since 1.2.16.  And since the
PNG_ASSEMBLER_CODE_SUPPORTED macro is defined by default for i386,
the offending code will be compiled for i386.  I assume that you
had tried to rebuild the port on the i386 and it was successful?

The following patch cured the situation for me:

--- pnggccrd.c.orig	Fri May 18 10:18:53 2007
+++ pnggccrd.c	Fri May 18 10:20:06 2007
@@ -359,6 +359,7 @@
    _pctemp = _pctemp;
    _MMXLength = _MMXLength;
 #endif
+#if 0 /* Assignment to const's? Very strange... */
    _const4  = _const4;
    _const6  = _const6;
    _mask8_0  = _mask8_0;
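Review bot: The `#if 0` added before `_const4  = _const4;` compiles the self-assignments out entirely, so these variables are no longer referenced in png_squelch_warnings and the warnings that the function's name says it squelches can come back. A cast such as `(void)_const4;` references a read-only variable without assigning to it and would keep the squelch. If the block stays disabled, the comment should give the reason (the compiler errors above report these as read-only variables) instead of "Very strange...".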
@@ -377,6 +378,7 @@
    _mask48_2 = _mask48_2;
    _mask48_1 = _mask48_1;
    _mask48_0 = _mask48_0;
+#endif
 }
 #endif /* PNG_MMX_CODE_SUPPORTED */
 
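Review bot: The added `#endif` after `_mask48_0 = _mask48_0;` carries no label, while the `#endif /* PNG_MMX_CODE_SUPPORTED */` two lines below it does, so the two closing directives are easy to misread. Mark it `#endif /* 0 */`, or delete the enclosed assignments outright rather than leaving them under `#if 0`, since the errors quoted above show they cannot compile against read-only variables.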
As I understand, the only reason to have png_squelch_warnings was to
make the compiler silent about unused variables, so the patch will not
harm the port.

About the files/patch-aa alteration: it will drop disabling MMX
code for non-i386 architectures, but since the patch-ad enables
PNG_ASSEMBLER_CODE_SUPPORTED only for i386 and MMX code will be
included only if PNG_ASSEMBLER_CODE_SUPPORTED is true, then the
alteration seems to be safe.
-- 
Eygene
Comment 3 dfilter service freebsd_committer freebsd_triage 2007-05-21 12:21:18 UTC
ache        2007-05-21 11:21:09 UTC

  FreeBSD ports repository

  Modified files:
    graphics/png         Makefile distinfo 
    graphics/png/files   patch-aa patch-ab patch-ad 
  Added files:
    graphics/png/files   patch-ae 
  Log:
  Update to 1.2.18
  
  PR:             112725
  Submitted by:   Nick Barkas <snb@threerings.net>
  Approved by:    portmgr (pav)
  Security:       VuXML ID 4cb9c513-03ef-11dc-a51d-0019b95d4f14
  
  Revision  Changes    Path
  1.80      +1 -1      ports/graphics/png/Makefile
  1.34      +3 -3      ports/graphics/png/distinfo
  1.29      +1 -1      ports/graphics/png/files/patch-aa
  1.7       +1 -1      ports/graphics/png/files/patch-ab
  1.2       +6 -6      ports/graphics/png/files/patch-ad
  1.1       +18 -0     ports/graphics/png/files/patch-ae (new)
Comment 4 Andrey A. Chernov freebsd_committer freebsd_triage 2007-05-21 12:22:31 UTC
State Changed
From-To: open->closed

Committed