[UPDATE] graphics/libsixel -> 1.8.3 security fixes


trondd-2
Upstream beat us to it.  Release 1.8.3 fixes the previously submitted CVEs
plus several others I wasn't aware of and some bonus GitHub issues.

Also they packaged the tarball containing a different directory than
previously.  Fixed with WRKDIST.



Security fix for CVE-2018-19757 (#79), NULL pointer dereference problem,
reported by @nluedtke and fixed by @knok (#91, #94).

Security fix for CVE-2018-19762 (#81), heap-based buffer overflow problem,
reported by @nluedtke and fixed by @knok (#92).

Security fix for CVE-2018-19756 (#80), heap-based buffer over-read problem,
reported by @nluedtke and fixed by @knok (#93).

Security fix for CVE-2018-19763 (#82), heap-based buffer over-read problem,
reported by @nluedtke and fixed by @knok (#95).

Security fix for CVE-2018-19761, illegal address access,
fixed by @knok (#96).

Security fix for CVE-2018-19759, heap-based buffer over-read problem,
fixed by @knok (#98).

Security fix for CVE-2018-3753 (#83), infinite loop problem,
reported by @cool-tomato and fixed by @knok (#99).

Security fix for CVE-2018-19759 (#102),
heap-based buffer over-read that will cause a denial of service.
reported and fixed by @YourButterfly. (#106)

Security fix for CVE-2019-19635 (#103), heap-based buffer overflow,
reported and fixed by @YourButterfly. (#106)

Security fix for CVE-2019-19636 (#104) and CVE-2019-19637 (#105),
integer overflow problem. reported and fixed by @YourButterfly. (#106)

gif loader: check LZW code size (Issue #75), Thanks to @HongxuChen.

core: Fix a global-buffer-overflow problem (Issue #72), Thanks to @fgeek.

core: Fix unexpected hangs/performance issues (Issue #76),
Thanks to @HongxuChen.


Tim.

Index: Makefile
===================================================================
RCS file: /cvs/ports/graphics/libsixel/Makefile,v
retrieving revision 1.5
diff -u -p -r1.5 Makefile
--- Makefile 12 Jul 2019 20:47:02 -0000 1.5
+++ Makefile 15 Dec 2019 04:08:01 -0000
@@ -2,7 +2,7 @@
 
 COMMENT = encoder/decoder implementation for DEC SIXEL graphics
 
-V = 1.8.2
+V = 1.8.3
 DISTNAME = libsixel-$V
 
 SHARED_LIBS += sixel 1.0 # 1.6
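Review bot: SHARED_LIBS stays at `sixel 1.0` across the V bump from 1.8.2 to 1.8.3, and nothing in the submission records that the exported symbols were compared between the two releases. Given the number of loader and core fixes listed for this release, state in the commit message that the ABI was checked and no bump is needed, or bump the minor if symbols were added.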
@@ -30,5 +30,7 @@ CONFIGURE_ARGS += --disable-python \
 
 # Requires Python
 NO_TEST = Yes
+
+WRKDIST = ${WRKDIR}/sixel-$V
 
 .include <bsd.port.mk>
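Review bot: the new WRKDIST line hard-codes `sixel-$V` while DISTNAME is `libsixel-$V`, and there is no comment saying why the two differ. Add a one-line comment above it noting that the upstream 1.8.3 tarball extracts to a differently named top-level directory, so the override can be dropped if upstream goes back to the old naming. NO_TEST = Yes also remains, so none of the fixed parsing paths are exercised by the port's test target.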
Index: distinfo
===================================================================
RCS file: /cvs/ports/graphics/libsixel/distinfo,v
retrieving revision 1.3
diff -u -p -r1.3 distinfo
--- distinfo 24 Jul 2018 12:18:01 -0000 1.3
+++ distinfo 15 Dec 2019 04:08:01 -0000
@@ -1,2 +1,2 @@
-SHA256 (libsixel-1.8.2.tar.gz) = xGTSpvzzXp5rrRh2cp6FOoufar/pfZ40h8m/rEXPKl8=
-SIZE (libsixel-1.8.2.tar.gz) = 4778776
+SHA256 (libsixel-1.8.3.tar.gz) = 2uThBUQN+OWBkpSIgb5WSEV0bmuncRUkIFi0sWPfH3Y=
+SIZE (libsixel-1.8.3.tar.gz) = 641789
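Review bot: the SIZE line drops from 4778776 to 641789 bytes under the same distfile naming scheme, which is a large enough change to call out explicitly. Confirm the SHA256 against a copy of the tarball fetched independently from the upstream release, and mention the repackaging in the commit message so the size difference is not mistaken for a truncated or substituted distfile.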
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/graphics/libsixel/pkg/PLIST,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 PLIST
--- pkg/PLIST 16 Apr 2017 15:58:31 -0000 1.1.1.1
+++ pkg/PLIST 15 Dec 2019 04:08:01 -0000
@@ -3,7 +3,7 @@
 bin/libsixel-config
 @bin bin/sixel2png
 include/sixel.h
-lib/libsixel.a
+@static-lib lib/libsixel.a
 lib/libsixel.la
 @lib lib/libsixel.so.${LIBsixel_VERSION}
 lib/pkgconfig/libsixel.pc
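Review bot: the switch of lib/libsixel.a to `@static-lib` is unrelated to the 1.8.3 bump and is not mentioned in the submission. Say in the commit message that the PLIST was regenerated, so the annotation change is not read as part of the security fix.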


Re: [UPDATE] graphics/libsixel -> 1.8.3 security fixes

Frederic Cambus
On Sat, Dec 14, 2019 at 11:18:16PM -0500, trondd wrote:
> Upstream beat us to it.  Release 1.8.3 fixes the previously submitted CVEs
> plus several others I wasn't aware of and some bonus GitHub issues.

This makes it much easier :) Committed, thanks!