Dear maintainer of textproc/htmldoc, please check the htmldoc website; there have been security fixes. http://www.msweet.org/projects.php?Z1 Please submit an upgrade of your port to HTMLDOC version 1.8.28 as soon as reasonably possible. If you come across a CVE number for these fixes, please state it as well.
Maintainer of textproc/htmldoc, Please note that PR ports/186024 has just been submitted. If it contains a patch for an upgrade, an enhancement or a bug fix you agree on, reply to this email stating that you approve the patch and a committer will take care of it. The full text of the PR can be found at: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/186024 -- Edwin Groothuis via the GNATS Auto Assign Tool edwin@FreeBSD.org
State Changed From-To: open->feedback Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Responsible Changed From-To: freebsd-ports-bugs->mandree I'll take it.
Author: mandree Date: Wed Jan 29 20:18:52 2014 New Revision: 341774 URL: http://svnweb.freebsd.org/changeset/ports/341774 QAT: https://qat.redports.org/buildarchive/r341774/ Log: Upgrade to HTMLDOC 1.8.28, fixing security-relevant bugs. Support staging, and modernize LIB_DEPENDS. Tweak build environment to get proper detection of png/jpeg libs. Switch to using BZIP2 tarballs. PR: ports/186024 Approved by: jose@diasfernandes.pt (maintainer) Security: 6d08fa63-83bf-11e3-bdba-080027ef73ec Added: head/textproc/htmldoc/files/patch-htmldoc__http-private.h (contents, props changed) head/textproc/htmldoc/files/patch-htmldoc__http.c (contents, props changed) head/textproc/htmldoc/files/patch-htmldoc__image.cxx (contents, props changed) head/textproc/htmldoc/files/patch-htmldoc__ps-pdf.cxx (contents, props changed) Deleted: head/textproc/htmldoc/files/patch-image.cxx head/textproc/htmldoc/files/patch-openssl Modified: head/textproc/htmldoc/Makefile head/textproc/htmldoc/distinfo head/textproc/htmldoc/pkg-plist Modified: head/textproc/htmldoc/Makefile ============================================================================== --- head/textproc/htmldoc/Makefile Wed Jan 29 19:49:48 2014 (r341773) +++ head/textproc/htmldoc/Makefile Wed Jan 29 20:18:52 2014 (r341774) @@ -2,8 +2,7 @@ # $FreeBSD$ PORTNAME= htmldoc -PORTVERSION= 1.8.27 -PORTREVISION= 7 +PORTVERSION= 1.8.28 CATEGORIES= textproc MASTER_SITES= http://www.msweet.org/files/project1/ \ ${MASTER_SITE_EASYSW} 
@@ -13,25 +12,27 @@ DISTNAME= ${PORTNAME}-${PORTVERSION}-sou MAINTAINER= jose@diasfernandes.pt COMMENT= Converts HTML to PDF and/or PostScript -LIB_DEPENDS= jpeg:${PORTSDIR}/graphics/jpeg \ - png15:${PORTSDIR}/graphics/png +LICENSE= GPLv2 + +LIB_DEPENDS= libjpeg.so:${PORTSDIR}/graphics/jpeg \ + libpng15.so:${PORTSDIR}/graphics/png OPTIONS_DEFINE= HTMLDOCGUI HTMLDOCGUI_DESC= Build GUI front-end -# .bz2 file is available since Aug 2, but we don't want to -# start mirroring _in addition to_ the .gz variant. When the -# vendor's release is updated again, we should switch to .bz2 -#USE_BZIP2= yes +USE_BZIP2= yes GNU_CONFIGURE= yes -NO_STAGE= yes # Configure seems broken and ignores these ATM: -CONFIGURE_ARGS+=--enable-localjpeg --enable-localzlib --enable-localpng +CONFIGURE_ARGS+=--disable-localjpeg --disable-localzlib --disable-localpng WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION} EXCLUDE= png jpeg zlib htmldoc/md5* htmldoc/rc4* htmldoc/snprintf* EXTRACT_AFTER_ARGS=${EXCLUDE:S,^,--exclude ,} +INSTALL_TARGET= install \ + bindir=${STAGEDIR}${PREFIX}/bin \ + datadir=${STAGEDIR}${PREFIX}/share \ + mandir=${STAGEDIR}${MANPREFIX}/man +LDFLAGS+= -L${LOCALBASE}/lib -MAN1= htmldoc.1 post-patch: ${REINPLACE_CMD} -e 's,@JPEG@ @ZLIB@ @PNG@ ,,' ${WRKSRC}/Makefile.in ${REINPLACE_CMD} -e 's|@LDFLAGS@|-L${LOCALBASE}/lib @LDFLAGS@|' \ 
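Review bot: The comment `# Configure seems broken and ignores these ATM:` stays above `CONFIGURE_ARGS` even though the flags flip from `--enable-local*` to `--disable-local*`. If configure really ignores them, the bundled jpeg/zlib/png copies are kept out of the build by the `EXCLUDE` list and the `REINPLACE_CMD` edits, not by these arguments. I would reword it to name the authoritative mechanism, e.g. `# System jpeg/zlib/png are enforced by EXCLUDE and the post-patch/post-configure edits; configure may ignore these flags:`, because a silently linked bundled copy would not pick up library security fixes from ports. `-L${LOCALBASE}/lib` also appears to be added twice now, once via `LDFLAGS+=` and once via the `@LDFLAGS@` substitution in `post-patch`, whose body continues outside this hunk.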
@@ -40,13 +41,18 @@ post-patch: # Remove redundant code: ${REINPLACE_CMD} -Ee 's,(md5|snprintf|rc4)\.o,,g' \ ${WRKSRC}/htmldoc/Makefile + ${REINPLACE_CMD} -Ee 's,md5-private\.h,,;s,rc4\.h,,' \ + ${WRKSRC}/htmldoc/Dependencies post-configure: ${REINPLACE_CMD} -e \ 's|../png/libpng.a ../zlib/libz.a ../jpeg/libjpeg.a|-ljpeg -lpng -lz|' ${WRKSRC}/Makedefs -.include <bsd.port.pre.mk> +post-install: + ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/htmldoc + .include <bsd.port.options.mk> +.include <bsd.port.pre.mk> .if ${PORT_OPTIONS:MHTMLDOCGUI} LIB_DEPENDS+= fltk:${PORTSDIR}/x11-toolkits/fltk Modified: head/textproc/htmldoc/distinfo ============================================================================== --- head/textproc/htmldoc/distinfo Wed Jan 29 19:49:48 2014 (r341773) +++ head/textproc/htmldoc/distinfo Wed Jan 29 20:18:52 2014 (r341774) @@ -1,2 +1,2 @@ -SHA256 (htmldoc-1.8.27-source.tar.gz) = 64f6d9f40f00f9cc68df6508123e88ed30fef924881fd28dca45358ecd79d320 -SIZE (htmldoc-1.8.27-source.tar.gz) = 4462252 +SHA256 (htmldoc-1.8.28-source.tar.bz2) = 2a688bd820ad6f7bdebb274716102dafbf4d5fcfa20a5b8d87a56b030d184732 +SIZE (htmldoc-1.8.28-source.tar.bz2) = 4026568 Added: head/textproc/htmldoc/files/patch-htmldoc__http-private.h ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/textproc/htmldoc/files/patch-htmldoc__http-private.h Wed Jan 29 20:18:52 2014 (r341774) 
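Review bot: The HTMLDOCGUI branch at the end of this hunk still uses the old-style `LIB_DEPENDS+= fltk:${PORTSDIR}/x11-toolkits/fltk`, while the same commit converts the jpeg and png entries to the `libNAME.so:` form. For consistency with the stated "modernize LIB_DEPENDS" goal this should read `LIB_DEPENDS+= libfltk.so:${PORTSDIR}/x11-toolkits/fltk`. The `.if` block continues outside the hunk, so other lines in it may need the same check.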
@@ -0,0 +1,25 @@ +--- ./htmldoc/http-private.h.orig 2011-12-30 08:41:10.000000000 +0100 ++++ ./htmldoc/http-private.h 2014-01-28 04:47:41.000000000 +0100 +@@ -83,12 +83,12 @@ + # endif /* __sgi || (__APPLE__ && !_SOCKLEN_T) */ + + # include "http.h" +-# include "md5-private.h" + + # if defined HAVE_LIBSSL + # include <openssl/err.h> + # include <openssl/rand.h> + # include <openssl/ssl.h> ++# include <openssl/md5.h> + # elif defined HAVE_GNUTLS + # include <gnutls/gnutls.h> + # include <gnutls/x509.h> +@@ -276,7 +276,7 @@ + char buffer[HTTP_MAX_BUFFER]; + /* Buffer for incoming data */ + int auth_type; /* Authentication in use */ +- _cups_md5_state_t md5_state; /* MD5 state */ ++ MD5_CTX md5_state; /* MD5 state */ + char nonce[HTTP_MAX_VALUE]; + /* Nonce value */ + int nonce_count; /* Nonce count */ Added: head/textproc/htmldoc/files/patch-htmldoc__http.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/textproc/htmldoc/files/patch-htmldoc__http.c Wed Jan 29 20:18:52 2014 (r341774) @@ -0,0 +1,11 @@ +--- ./htmldoc/http.c.orig 2014-01-05 21:41:32.000000000 +0100 ++++ ./htmldoc/http.c 2014-01-28 04:47:07.000000000 +0100 +@@ -1228,6 +1228,8 @@ + * Using the current time is a dubious random seed, but on some systems + * it is the best we can do (on others, this seed isn't even used...) + */ ++#define CUPS_RAND() arc4random() ++#define CUPS_SRAND(v) arc4random_stir() + + CUPS_SRAND(time(NULL)); + Added: head/textproc/htmldoc/files/patch-htmldoc__image.cxx ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/textproc/htmldoc/files/patch-htmldoc__image.cxx Wed Jan 29 20:18:52 2014 (r341774) 
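Review bot: `# include <openssl/md5.h>` is added only inside the `# if defined HAVE_LIBSSL` branch of http-private.h, but the second inner hunk changes the struct member to `MD5_CTX md5_state;` unconditionally, and the `md5-private.h` include is removed for every configuration. A build that takes the `HAVE_GNUTLS` branch, or that has no TLS library, would then have no declaration of `MD5_CTX`. Either move the include above the `# if defined HAVE_LIBSSL` block, or add a comment stating that the port supports only the OpenSSL configuration. The struct definition starts and ends outside the hunk.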
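Review bot: In the http.c patch, `CUPS_RAND` and `CUPS_SRAND` are defined without a preceding `#undef`, directly before `CUPS_SRAND(time(NULL));`. If the source already defines these macros earlier (not visible in this hunk), this is a differing redefinition that the compiler will diagnose, and any use above this point keeps the old generator. I would add `#undef CUPS_RAND` and `#undef CUPS_SRAND` before the two defines, or patch the original definitions instead. The retained comment about the current time being a dubious seed no longer describes the code, since the new `CUPS_SRAND(v)` discards its argument. A line such as `/* FreeBSD: arc4random() is kernel-seeded; the time(NULL) argument is ignored */` would make that explicit. The enclosing function lies outside the hunk.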
@@ -0,0 +1,10 @@ +--- ./htmldoc/image.cxx.orig 2013-08-09 04:53:39.000000000 +0200 ++++ ./htmldoc/image.cxx 2014-01-28 04:47:41.000000000 +0100 +@@ -44,6 +44,7 @@ + } + + #include <png.h> /* Portable Network Graphics (PNG) definitions */ ++#include <pngpriv.h> + + + /* Added: head/textproc/htmldoc/files/patch-htmldoc__ps-pdf.cxx ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/textproc/htmldoc/files/patch-htmldoc__ps-pdf.cxx Wed Jan 29 20:18:52 2014 (r341774) 
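Review bot: `#include <pngpriv.h>` in image.cxx pulls in libpng's private header, which is not part of the public API and ties this file to the internal struct layout of one libpng release (the Makefile pins `libpng15.so`). The code that needs it is outside the hunk. If it only reads fields of the png structs, the public `png_get_*` accessors would remove that dependency and keep the port building when libpng is updated for security fixes. At minimum, add a comment beside the include naming what requires it, e.g. `/* needed for direct png struct access in FUNCTION_NAME (placeholder); replace with png_get_* accessors */`.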
@@ -0,0 +1,285 @@ +--- ./htmldoc/ps-pdf.cxx.orig 2014-01-06 04:42:43.000000000 +0100 ++++ ./htmldoc/ps-pdf.cxx 2014-01-28 04:47:41.000000000 +0100 +@@ -120,13 +120,9 @@ + + /*#define DEBUG*/ + #include "htmldoc.h" +-#include "md5-private.h" +-#define md5_append _cupsMD5Append +-#define md5_finish _cupsMD5Finish +-#define md5_init _cupsMD5Init + typedef unsigned char md5_byte_t; +-#define md5_state_t _cups_md5_state_t +-#include "rc4.h" ++#include <openssl/md5.h> ++#include <openssl/rc4.h> + #include <stdarg.h> + #include <ctype.h> + #include <time.h> +@@ -331,8 +327,8 @@ + static uchar comp_buffer[8192]; + static uchar encrypt_key[16]; + static int encrypt_len; +-static rc4_context_t encrypt_state; +-static md5_byte_t file_id[16]; ++static RC4_KEY encrypt_state; ++static unsigned char file_id[16]; + + + /* +@@ -10545,7 +10541,7 @@ + { + // Encrypt the colormap... + encrypt_init(); +- rc4_encrypt(&encrypt_state, cmap[0], cmap[0], ncolors * 3); ++ RC4(&encrypt_state, ncolors * 3, cmap[0], cmap[0]); + } + + fprintf(out, "/ColorSpace[/Indexed/DeviceRGB %d<", ncolors - 1); +@@ -11166,9 +11162,9 @@ + int font_desc[TYPE_MAX][STYLE_MAX]; + /* Font descriptor objects */ + char temp[1024]; /* Temporary string */ +- md5_state_t md5; /* MD5 state */ +- md5_byte_t digest[16]; /* MD5 digest value */ +- rc4_context_t rc4; /* RC4 context */ ++ MD5_CTX md5; /* MD5 state */ ++ unsigned char digest[16]; /* MD5 digest value */ ++ RC4_KEY rc4; /* RC4 context */ + uchar owner_pad[32], /* Padded owner password */ + owner_key[32], /* Owner key */ + user_pad[32], /* Padded user password */ +@@ -11568,10 +11564,10 @@ + * Compute the file ID... 
+ */ + +- md5_init(&md5); +- md5_append(&md5, (md5_byte_t *)OutputPath, sizeof(OutputPath)); +- md5_append(&md5, (md5_byte_t *)&doc_time, sizeof(doc_time)); +- md5_finish(&md5, file_id); ++ MD5_Init(&md5); ++ MD5_Update(&md5, (unsigned char *)OutputPath, sizeof(OutputPath)); ++ MD5_Update(&md5, (unsigned char *)&doc_time, sizeof(doc_time)); ++ MD5_Final(file_id, &md5); + + /* + * Setup encryption stuff as necessary... +@@ -11627,18 +11623,18 @@ + * Compute the owner key... + */ + +- md5_init(&md5); +- md5_append(&md5, owner_pad, 32); +- md5_finish(&md5, digest); ++ MD5_Init(&md5); ++ MD5_Update(&md5, owner_pad, 32); ++ MD5_Final(digest, &md5); + + if (encrypt_len > 5) + { + // MD5 the result 50 more times... + for (i = 0; i < 50; i ++) + { +- md5_init(&md5); +- md5_append(&md5, digest, 16); +- md5_finish(&md5, digest); ++ MD5_Init(&md5); ++ MD5_Update(&md5, digest, 16); ++ MD5_Final(digest, &md5); + } + + // Copy the padded user password... +@@ -11651,14 +11647,14 @@ + for (j = 0; j < encrypt_len; j ++) + encrypt_key[j] = digest[j] ^ i; + +- rc4_init(&rc4, encrypt_key, encrypt_len); +- rc4_encrypt(&rc4, owner_key, owner_key, 32); ++ RC4_set_key(&rc4, encrypt_len, encrypt_key); ++ RC4(&rc4, 32, owner_key, owner_key); + } + } + else + { +- rc4_init(&rc4, digest, encrypt_len); +- rc4_encrypt(&rc4, user_pad, owner_key, 32); ++ RC4_set_key(&rc4, encrypt_len, digest); ++ RC4(&rc4, 32, user_pad, owner_key); + } + + /* +@@ -11680,27 +11676,27 @@ + * Compute the encryption key... 
+ */ + +- md5_init(&md5); +- md5_append(&md5, user_pad, 32); +- md5_append(&md5, owner_key, 32); ++ MD5_Init(&md5); ++ MD5_Update(&md5, user_pad, 32); ++ MD5_Update(&md5, owner_key, 32); + + perm_bytes[0] = perm_value; + perm_bytes[1] = perm_value >> 8; + perm_bytes[2] = perm_value >> 16; + perm_bytes[3] = perm_value >> 24; + +- md5_append(&md5, perm_bytes, 4); +- md5_append(&md5, file_id, 16); +- md5_finish(&md5, digest); ++ MD5_Update(&md5, perm_bytes, 4); ++ MD5_Update(&md5, file_id, 16); ++ MD5_Final(digest, &md5); + + if (encrypt_len > 5) + { + // MD5 the result 50 times.. + for (i = 0; i < 50; i ++) + { +- md5_init(&md5); +- md5_append(&md5, digest, 16); +- md5_finish(&md5, digest); ++ MD5_Init(&md5); ++ MD5_Update(&md5, digest, 16); ++ MD5_Final(digest, &md5); + } + } + +@@ -11712,10 +11708,10 @@ + + if (encrypt_len > 5) + { +- md5_init(&md5); +- md5_append(&md5, pad, 32); +- md5_append(&md5, file_id, 16); +- md5_finish(&md5, user_key); ++ MD5_Init(&md5); ++ MD5_Update(&md5, pad, 32); ++ MD5_Update(&md5, file_id, 16); ++ MD5_Final(user_key, &md5); + + memset(user_key + 16, 0, 16); + +@@ -11726,14 +11722,14 @@ + for (j = 0; j < encrypt_len; j ++) + digest[j] = encrypt_key[j] ^ i; + +- rc4_init(&rc4, digest, encrypt_len); +- rc4_encrypt(&rc4, user_key, user_key, 16); ++ RC4_set_key(&rc4, encrypt_len, digest); ++ RC4(&rc4, 16, user_key, user_key); + } + } + else + { +- rc4_init(&rc4, encrypt_key, encrypt_len); +- rc4_encrypt(&rc4, pad, user_key, 32); ++ RC4_set_key(&rc4, encrypt_len, encrypt_key); ++ RC4(&rc4, 32, pad, user_key); + } + + /* +@@ -11920,7 +11916,7 @@ + else + bytes = len; + +- rc4_encrypt(&encrypt_state, s, news, bytes); ++ RC4(&encrypt_state, bytes, s, news); + + for (i = 0; i < bytes; i ++) + fprintf(out, "%02x", news[i]); +@@ -12585,7 +12581,7 @@ + unicode[0] = 0xfe; // Start with BOM + unicode[1] = 0xff; + +- rc4_encrypt(&encrypt_state, unicode, enicode, 2); ++ RC4(&encrypt_state, 2, unicode, enicode); + + fprintf(out, "%02x%02x", enicode[0], 
enicode[1]); + +@@ -12595,7 +12591,7 @@ + unicode[0] = ch >> 8; + unicode[1] = ch; + +- rc4_encrypt(&encrypt_state, unicode, enicode, 2); ++ RC4(&encrypt_state, 2, unicode, enicode); + + fprintf(out, "%02x%02x", enicode[0], enicode[1]); + } +@@ -12627,8 +12623,8 @@ + int i; /* Looping var */ + uchar data[21], /* Key data */ + *dataptr; /* Pointer to key data */ +- md5_state_t md5; /* MD5 state */ +- md5_byte_t digest[16]; /* MD5 digest value */ ++ MD5_CTX md5; /* MD5 state */ ++ unsigned char digest[16]; /* MD5 digest value */ + + + /* +@@ -12648,18 +12644,18 @@ + * Hash it... + */ + +- md5_init(&md5); +- md5_append(&md5, data, encrypt_len + 5); +- md5_finish(&md5, digest); ++ MD5_Init(&md5); ++ MD5_Update(&md5, data, encrypt_len + 5); ++ MD5_Final(digest, &md5); + + /* + * Initialize the RC4 context using the first N+5 bytes of the digest... + */ + + if (encrypt_len > 11) +- rc4_init(&encrypt_state, digest, 16); ++ RC4_set_key(&encrypt_state, 16, digest); + else +- rc4_init(&encrypt_state, digest, encrypt_len + 5); ++ RC4_set_key(&encrypt_state, encrypt_len + 5, digest); + } + + +@@ -12727,8 +12723,8 @@ + else + { + if (Encryption) +- rc4_encrypt(&encrypt_state, comp_buffer, comp_buffer, +- (uchar *)compressor.next_out - (uchar *)comp_buffer); ++ RC4(&encrypt_state, (uchar *)compressor.next_out - (uchar *)comp_buffer, ++ comp_buffer, comp_buffer); + + fwrite(comp_buffer, (uchar *)compressor.next_out - (uchar *)comp_buffer, + 1, out); +@@ -12751,8 +12747,8 @@ + else + { + if (Encryption) +- rc4_encrypt(&encrypt_state, comp_buffer, comp_buffer, +- (uchar *)compressor.next_out - (uchar *)comp_buffer); ++ RC4(&encrypt_state, (uchar *)compressor.next_out - (uchar *)comp_buffer, ++ comp_buffer, comp_buffer); + + fwrite(comp_buffer, (uchar *)compressor.next_out - (uchar *)comp_buffer, + 1, out); +@@ -12844,8 +12840,8 @@ + else + { + if (Encryption) +- rc4_encrypt(&encrypt_state, comp_buffer, comp_buffer, +- (uchar *)compressor.next_out - (uchar *)comp_buffer); ++ 
RC4(&encrypt_state, (uchar *)compressor.next_out - (uchar *)comp_buffer, ++ comp_buffer, comp_buffer); + + fwrite(comp_buffer, + (uchar *)compressor.next_out - (uchar *)comp_buffer, 1, out); +@@ -12878,7 +12874,7 @@ + if ((bytes = length - i) > (int)sizeof(newbuf)) + bytes = sizeof(newbuf); + +- rc4_encrypt(&encrypt_state, buf + i, newbuf, bytes); ++ RC4(&encrypt_state, bytes, buf + i, newbuf); + fwrite(newbuf, bytes, 1, out); + } + } Modified: head/textproc/htmldoc/pkg-plist ============================================================================== --- head/textproc/htmldoc/pkg-plist Wed Jan 29 19:49:48 2014 (r341773) +++ head/textproc/htmldoc/pkg-plist Wed Jan 29 20:18:52 2014 (r341774) @@ -1,4 +1,5 @@ bin/htmldoc +man/man1/htmldoc.1.gz %%DOCSDIR%%/help.html %%DOCSDIR%%/htmldoc.pdf %%DATADIR%%/fonts/Courier-Bold.afm _______________________________________________ svn-ports-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-ports-all To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
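Review bot: `#include <openssl/md5.h>` and `#include <openssl/rc4.h>` are added unconditionally at the top of ps-pdf.cxx, which makes libcrypto a hard build and link dependency. The Makefile hunks in this commit declare only jpeg and png in `LIB_DEPENDS` and show no OpenSSL knob, so if one is not already set outside those hunks it should be added to record the dependency and link the intended libcrypto. The argument reordering from `rc4_encrypt(ctx, in, out, len)` to `RC4(key, len, in, out)`, and from `rc4_init(ctx, key, len)` to `RC4_set_key(key, len, data)`, is consistent at every call site shown. The low-level `MD5_*` and `RC4` entry points are deprecated as of OpenSSL 3.0 and RC4 can be compiled out. A short comment near the includes saying they are used because the PDF encryption scheme implemented here is built on MD5 and RC4 would tell future maintainers that these are format requirements, not a free choice of primitive.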
State Changed From-To: feedback->closed Committed, with minor changes. Thanks!