Bug 112725 - [patch] [security] update graphics/png to 1.2.18
Summary: [patch] [security] update graphics/png to 1.2.18
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Andrey A. Chernov
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-05-17 02:30 UTC by Nick Barkas
Modified: 2007-05-21 12:30 UTC (History)
1 user (show)

See Also:

Attachments
png.patch (2.42 KB, patch)
2007-05-17 02:30 UTC, Nick Barkas 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Nick Barkas 2007-05-17 02:30:11 UTC 
Here is a patch to upgrade graphics/png to 1.2.18 so that the port will no
longer be affected by the following security vulnerability:
http://www.vuxml.org/freebsd/4cb9c513-03ef-11dc-a51d-0019b95d4f14.html

I am not certain my patch to files/patch-aa is correct. It had to be updated
slightly to apply properly, but since the upstream file was altered I don't know
if it does the right thing anymore. The patched patch removes a conditional that
will only be true on non-i386 machines, so I cannot properly test it (I don't 
have any non-i386 machines).

Maintainer has been CC'd.
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2007-05-17 02:30:22 UTC 
Responsible Changed
From-To: freebsd-ports-bugs->ache

Over to maintainer
Comment 2 Eygene Ryabinkin 2007-05-18 10:01:09 UTC 
Good day.

I happened to make the same patch, but for the 1.2.17: ports/112728.
That PR is outdated by the current one, but I have some questions
about the proposed patch.

Nick, it is very strange, but your patch does not compiles on my
i386 system: pnggccrd.c provokes errors
-----
pnggccrd.c: In function `png_squelch_warnings':
pnggccrd.c:362: error: assignment of read-only variable `_const4'
pnggccrd.c:363: error: assignment of read-only variable `_const6'
pnggccrd.c:364: error: assignment of read-only variable `_mask8_0'
pnggccrd.c:365: error: assignment of read-only variable `_mask16_1'
pnggccrd.c:366: error: assignment of read-only variable `_mask16_0'
pnggccrd.c:367: error: assignment of read-only variable `_mask24_2'
pnggccrd.c:368: error: assignment of read-only variable `_mask24_1'
pnggccrd.c:369: error: assignment of read-only variable `_mask24_0'
pnggccrd.c:370: error: assignment of read-only variable `_mask32_3'
pnggccrd.c:371: error: assignment of read-only variable `_mask32_2'
pnggccrd.c:372: error: assignment of read-only variable `_mask32_1'
pnggccrd.c:373: error: assignment of read-only variable `_mask32_0'
pnggccrd.c:374: error: assignment of read-only variable `_mask48_5'
pnggccrd.c:375: error: assignment of read-only variable `_mask48_4'
pnggccrd.c:376: error: assignment of read-only variable `_mask48_3'
pnggccrd.c:377: error: assignment of read-only variable `_mask48_2'
pnggccrd.c:378: error: assignment of read-only variable `_mask48_1'
pnggccrd.c:379: error: assignment of read-only variable `_mask48_0'
-----
And this holds even for 1.2.17: the variable qualifiers had been
changed to 'static const' since 1.2.16.  And since the
PNG_ASSEMBLER_CODE_SUPPORTED macro is defined by-default for i386,
the offending code will be compiled for i386.  I assume that you
had tried to rebuild the port on the i386 and it was successful?

The following patch cured the situation for me:

--- pnggccrd.c.orig	Fri May 18 10:18:53 2007
+++ pnggccrd.c	Fri May 18 10:20:06 2007
@@ -359,6 +359,7 @@
    _pctemp = _pctemp;
    _MMXLength = _MMXLength;
 #endif
+#if 0 /* Assignment to const's? Very strange... */
    _const4  = _const4;
    _const6  = _const6;
    _mask8_0  = _mask8_0;
@@ -377,6 +378,7 @@
    _mask48_2 = _mask48_2;
    _mask48_1 = _mask48_1;
    _mask48_0 = _mask48_0;
+#endif
 }
 #endif /* PNG_MMX_CODE_SUPPORTED */
 
As I understand, the only reason to have png_squelch_warnings was to
make compiler silent about unused variables, so patch will not harm
the port.

About the files/patch-aa alteration: it will drop disabling MMX
code for non-i386 architectures, but since the patch-ad enables
PNG_ASSEMBLER_CODE_SUPPORTED only for i386 and MMX code will be
included only if PNG_ASSEMBLER_CODE_SUPPORTED is true, then the
alteration seems to be safe.
-- 
Eygene
Comment 3 dfilter service freebsd_committer freebsd_triage 2007-05-21 12:21:18 UTC 
ache        2007-05-21 11:21:09 UTC

  FreeBSD ports repository

  Modified files:
    graphics/png         Makefile distinfo 
    graphics/png/files   patch-aa patch-ab patch-ad 
  Added files:
    graphics/png/files   patch-ae 
  Log:
  Update to 1.2.18
  
  PR:             112725
  Submitted by:   Nick Barkas <snb@threerings.net>
  Approved by:    portmgr (pav)
  Security:       VuXML ID 4cb9c513-03ef-11dc-a51d-0019b95d4f14
  
  Revision  Changes    Path
  1.80      +1 -1      ports/graphics/png/Makefile
  1.34      +3 -3      ports/graphics/png/distinfo
  1.29      +1 -1      ports/graphics/png/files/patch-aa
  1.7       +1 -1      ports/graphics/png/files/patch-ab
  1.2       +6 -6      ports/graphics/png/files/patch-ad
  1.1       +18 -0     ports/graphics/png/files/patch-ae (new)
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 4 Andrey A. Chernov freebsd_committer freebsd_triage 2007-05-21 12:22:31 UTC 
State Changed
From-To: open->closed

Committed