authorMarkus Meier <maekke@gentoo.org>2015-05-22 21:28:55 +0000
committerMarkus Meier <maekke@gentoo.org>2015-05-22 21:28:55 +0000
commite18a9c0b2018f240b7196f738ee8e7934f90951b (patch)
treebad096a760a40f4b17441faefa371dd59f6cde3c /media-gfx
parentfix DEPEND by Nikoli, bug #543314 (diff)
bump for security bug #549344
Package-Manager: portage-2.2.19/cvs/Linux x86_64 Manifest-Sign-Key: 0x072AD062
Diffstat (limited to 'media-gfx')
-rw-r--r--media-gfx/ufraw/ChangeLog8
-rw-r--r--media-gfx/ufraw/Manifest10
-rw-r--r--media-gfx/ufraw/files/ufraw-0.21-CVE-2015-3885.patch52
-rw-r--r--media-gfx/ufraw/ufraw-0.21-r1.ebuild81
4 files changed, 146 insertions, 5 deletions
diff --git a/media-gfx/ufraw/ChangeLog b/media-gfx/ufraw/ChangeLog
index f1fbf0002a27..71e0df047142 100644
--- a/media-gfx/ufraw/ChangeLog
+++ b/media-gfx/ufraw/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for media-gfx/ufraw
# Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-gfx/ufraw/ChangeLog,v 1.133 2015/05/21 19:52:08 maekke Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-gfx/ufraw/ChangeLog,v 1.134 2015/05/22 21:28:52 maekke Exp $
+
+*ufraw-0.21-r1 (22 May 2015)
+
+ 22 May 2015; Markus Meier <maekke@gentoo.org> +ufraw-0.21-r1.ebuild,
+ +files/ufraw-0.21-CVE-2015-3885.patch:
+ bump for security bug #549344
*ufraw-0.21 (21 May 2015)
diff --git a/media-gfx/ufraw/Manifest b/media-gfx/ufraw/Manifest
index 19990da650c2..0f769f6c1c0c 100644
--- a/media-gfx/ufraw/Manifest
+++ b/media-gfx/ufraw/Manifest
@@ -3,16 +3,18 @@ Hash: SHA256
AUX ufraw-0.17-cfitsio-automagic.patch 933 SHA256 d489abaa6da90a46f4b3b23e2e5400c1eeb7d2e5532835df4d5ad244167e7d18 SHA512 84aadb7dc41927a26ac37a801e136628380e79f032f87a925e737ec76c349c96c410750234f4870fe2fa61680085472a028e47c13cf01b2bd7fc7a55dad6de1b WHIRLPOOL 7815f44171243408468347a6acdadbda239931b2f2a810e4f0a8e98023506d9761e73f3db137aad7930dd5814f7ffcc2c670cf572d50caf394e88d85cafef03b
AUX ufraw-0.20-gimp.patch 943 SHA256 8d1f64085455655b8a3e99d40403e2a3c7c40d633406e8b5f8f5ee1e717d23e4 SHA512 225d87467ba0ccf7a8c4a985c62ef94d89cb51166f37c2abc616bf280730aa1a214989a91a9e8a4bb3173413640dc1b2f8de410e4897e60dccc332e7a9536e29 WHIRLPOOL d16b677b0a0c54e65deb68a0427b5a65b3d8f428f4c3cb5e83b712a14eb260505acf487305eb9b83a39fb9375935cd7e3d137d4b990d83b9f6e501575c2f74b4
+AUX ufraw-0.21-CVE-2015-3885.patch 1598 SHA256 97c1e29455bf1dabdb7a0e92bbca3b87ed8cfbd2f5f98c597e121c44d4320178 SHA512 128e1b35d7f2024964bfb303f8130aa2028f08b4146be91c4f8869678dae7c91158755c8b0260233ab8aa268cf1589e1bb9a57c262689da5fd4772c74dbddf8a WHIRLPOOL 9c6609aef43b6632ad4e0db5c5a72d8650085d73ea3a52a1584766dfb75675a49aaa69d6fc109721104a873f25337e4b545bd1570d19a0e0141ffd088115b2d4
DIST ufraw-0.20.tar.gz 1086969 SHA256 6dcd30f73238f56641ec87ae07807a6ebeab141a1a481aafe3ddab6f3db8a1e0 SHA512 d18ecc257f9d88c77fca0e7a8641ee1e78abd28e73c34bd98def2d0dbd65f8fbaa677deca34ac4ed3ce7775764b6baca2896a023d690573057e4659de6dc3b1a WHIRLPOOL fedecf66ef22bdffe667408ac0b8106ec99ee2a1dd29fab53877229ec375bdeab37cc6fe942d7e3ef2c3de38a5770eaf4f49c44367ca1677acfda13bb4c85a1d
DIST ufraw-0.21.tar.gz 1016298 SHA256 2a6a1bcc633bdc8e15615cf726befcd7f27ab00e7c2a518469a24e1a96964d87 SHA512 e1fbfcf7b6f15089d51626a3e2d3dc694aa79edfc0bdfe4a8be6f684d4a31a91c56502942174c0708de91413fe907acb5d2fa2ad9d1a5404eb66b14764909ae9 WHIRLPOOL 84e96894f9ecc9d3a81f96f7c58165e095553b9bab69343754c8a89ef18480f751745cb48e8846ea5db26d1077ace4104ef18d0c0546b2b54439819b81ee3a7c
EBUILD ufraw-0.20-r1.ebuild 1884 SHA256 4b8b98e07982e1f9996e04667a9fc483e3c05fafc1d954e713ad170036315578 SHA512 f8767f44e376eecfc7be9285cf26ae344de39f03b597816c0f617da74e766aac2bbe7730a02136343ab75b96d348991be882fab49428bf31e3dcc86f6faef167 WHIRLPOOL cc4a4bd974b17d2a132bc8ef6560488cecf2ac136476eb823035a15aae700f7cbb4a3c210f598152cb965cffb5c051c40001cf5bc35816d9253b526f9ae005e6
+EBUILD ufraw-0.21-r1.ebuild 1864 SHA256 5dc0a1c26764a0a1733e0b12b3f3462b2a8ba70161c183253009c12062ba3790 SHA512 84070fda93177f63134152aa698ebebe7b032d2837d595c4c52ed936a5d5463c19012892fdfb26cc13e3936549173d580c4b2c588dbe29f164cc32b946f4e97a WHIRLPOOL 86f21c7ddbb46def88fb25e94de4399b68670bb666701f7c040b3cb7ca5f6e4914f383dc2dd01b56d61387d1c285f6dbce138158b78e4c6ac8cc5dcd9c4a7dc2
EBUILD ufraw-0.21.ebuild 1814 SHA256 4b5f4a7b6e9e921071171d0f7ed0cf51c40d99536675df2aff278b8796ba1e72 SHA512 fac8a1f78510370f8de9cede387cf63d354b57bd47dfcf230197d53cc560f493d086935ba9b2432fe1eb8b5b4d48c83f033a595575a8bf0bcd8beb500495ca5f WHIRLPOOL 71e5ce37201de1e8c16a1b2583d975c28c4c3579facda674654a1d0dbed07d546b1f057908abc85294a5dc9a394b6408e3421ff7de4fcb2482319a4d8eeae062
-MISC ChangeLog 16964 SHA256 0b0205315852753bb6d86da9af6d31c4cdcac3fb73060d570f79399f53017e83 SHA512 48cbb57b2743a44b6e44160203e9d230ec201ee3dc7b07e097020aae0dd4fe4df87ba8ec1bb7b79e223587cc5bb0e2024f39643d641d3b41aa4ea93415c3d08a WHIRLPOOL 8ea7d1c8343a57145ec64fc421bb4e22d86e8981484499c4f2f820b4cb12f3dd21e53e1f10ca1fd0e289ade13ccc4ac5a4392f63afb54e69cfe320660af0ec5d
+MISC ChangeLog 17139 SHA256 fa4279e059cb0418cb1b4e374877e65b0d9cc2c761291e87bedd597cccf49f13 SHA512 4a47a1928b55756c8784885ff00a9708d33a4f0a0e25d3c1d347d9ff72b13c24dac52a47ec13ce7b38ba362a285c55be601755cb3095a779a48173e1a9f1b801 WHIRLPOOL 8b655af5fcceb903ff822f1d1c12d08f8b6085d0dd063ccc6f3b5038f8bb00e3ad49872c6130037f688c87034ea506e87d9402d80da0e3e303e66b490c976359
MISC metadata.xml 437 SHA256 101562af2e68f9ce05d05494d48c03aaae046560eab55d6c5d472ae85fe3e4bc SHA512 be7071c107a374d39fc92eab5b1b0ca0be19dc3ec847241e7bc56acadca27d0bbd803beaaf4a40f12e44d581642d5338a65dfa7d37f78a3d75bc756ad6782446 WHIRLPOOL cab4d10b64bc1fbb4c2c72ba3d63b0ea46033bcd371472401e703304d1e6b76dfa8934e02192047b388b772da2af2dddc343067e225a1bd882943321524a3f3c
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-iEYEAREIAAYFAlVeN3EACgkQkKaRLQcq0GLlMgCfWDsy+eitHnP0iVSPJSaT0Cgw
-SQcAniIFcdfyHI7Oqqt/ZTfvCvTPYNjl
-=mgJf
+iEYEAREIAAYFAlVfn5UACgkQkKaRLQcq0GLungCfTpBmLRn9ou5UnIBnm48qDvcH
+ZNoAoLEVQ43EuTv5wyYAfb4ufHvj5aid
+=O5/R
-----END PGP SIGNATURE-----
diff --git a/media-gfx/ufraw/files/ufraw-0.21-CVE-2015-3885.patch b/media-gfx/ufraw/files/ufraw-0.21-CVE-2015-3885.patch
new file mode 100644
index 000000000000..c17c66c41ab7
--- /dev/null
+++ b/media-gfx/ufraw/files/ufraw-0.21-CVE-2015-3885.patch
@@ -0,0 +1,52 @@
+From 6b4ff65c6fc1a88eaa7bfc1ee5a25413d171b5f7 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils@redhat.com>
+Date: Thu, 21 May 2015 13:47:29 +0200
+Subject: [PATCH] patch: CVE-2015-3885
+
+Squashed commit of the following:
+
+commit 8f2a2348638f74e059069d98a6329fcc656ae4b5
+Author: Nils Philippsen <nils@redhat.com>
+Date: Tue May 19 11:36:57 2015 +0200
+
+ CVE-2015-3885: avoid overflowing array
+
+ When reading raw image files containing lossless JPEG data, headers
+ could be manipulated to make the signed int variable 'len' negative
+ which specifies how much actual data follows. Interpreted as unsigned,
+ this could lead to reading file data past the 64k boundary of the array
+ used for storing it. To avoid that, make 'len' unsigned short, and bail
+ out early if its value would become invalid (i.e. <= 0).
+---
+ dcraw.cc | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/dcraw.cc b/dcraw.cc
+index 75ea121..d9f96ff 100644
+--- a/dcraw.cc
++++ b/dcraw.cc
+@@ -934,7 +934,8 @@ struct jhead {
+
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+- int c, tag, len;
++ int c, tag;
++ ushort len;
+ uchar data[0x10000];
+ const uchar *dp;
+
+@@ -945,8 +946,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ do {
+ fread (data, 2, 2, ifp);
+ tag = data[0] << 8 | data[1];
+- len = (data[2] << 8 | data[3]) - 2;
+- if (tag <= 0xff00) return 0;
++ len = (data[2] << 8 | data[3]);
++ if (tag <= 0xff00 || len <= 2) return 0;
++ len -= 2;
+ fread (data, 1, len, ifp);
+ switch (tag) {
+ case 0xffc3:
+--
+2.4.1
+
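Review bot: Neither `fread` in the patched loop of `ljpeg_start` has its return value checked, so on a truncated file `tag` and `len` are computed from whatever the uninitialised stack buffer `data` holds, and the `switch` then parses stale bytes. Making `len` a `ushort` and rejecting `len <= 2` does keep the second read inside the 64k array, but the reads themselves should fail closed: `if (fread (data, 2, 2, ifp) != 2) return 0;` and `if (fread (data, 1, len, ifp) != len) return 0;`. The `len <= 2` test also rejects a segment with an empty payload, which the old code read as zero bytes and carried on from; a short comment saying this is intended would help. The function body continues outside the hunk, so whether the `case` arms check `len` before indexing `data` cannot be confirmed from here.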
diff --git a/media-gfx/ufraw/ufraw-0.21-r1.ebuild b/media-gfx/ufraw/ufraw-0.21-r1.ebuild
new file mode 100644
index 000000000000..a38f2670fe53
--- /dev/null
+++ b/media-gfx/ufraw/ufraw-0.21-r1.ebuild
@@ -0,0 +1,81 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-gfx/ufraw/ufraw-0.21-r1.ebuild,v 1.1 2015/05/22 21:28:52 maekke Exp $
+
+EAPI=5
+inherit autotools eutils fdo-mime gnome2-utils toolchain-funcs
+
+DESCRIPTION="RAW Image format viewer and GIMP plugin"
+HOMEPAGE="http://ufraw.sourceforge.net/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-freebsd ~amd64-linux ~x86-linux ~x64-solaris ~x86-solaris"
+IUSE="contrast fits gimp gnome gtk openmp timezone"
+
+REQUIRED_USE="gimp? ( gtk )"
+
+RDEPEND="
+ dev-libs/glib:2=
+ >=media-gfx/exiv2-0.11:0=
+ media-libs/lcms:2=
+ >=media-libs/lensfun-0.2.5:=
+ media-libs/libpng:0=
+ media-libs/tiff:0=
+ virtual/jpeg:0=
+ fits? ( sci-libs/cfitsio:0= )
+ gnome? ( >=gnome-base/gconf-2 )
+ gtk? ( >=x11-libs/gtk+-2.6:2
+ >=media-gfx/gtkimageview-1.5 )
+ gimp? ( >=media-gfx/gimp-2 )
+"
+DEPEND="${RDEPEND}
+ virtual/pkgconfig"
+
+src_prepare() {
+ epatch "${FILESDIR}"/${PN}-0.17-cfitsio-automagic.patch
+ epatch "${FILESDIR}"/${P}-CVE-2015-3885.patch
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ $(use_enable contrast) \
+ $(use_with fits cfitsio) \
+ $(use_with gimp) \
+ $(use_enable gnome mime) \
+ $(use_with gtk) \
+ $(use_enable openmp) \
+ $(use_enable timezone dst-correction)
+}
+
+src_compile() {
+ emake AR="$(tc-getAR)"
+}
+
+src_install() {
+ emake DESTDIR="${D}" schemasdir=/etc/gconf/schemas install
+ dodoc README TODO
+}
+
+pkg_preinst() {
+ if use gnome; then
+ gnome2_gconf_savelist
+ fi
+}
+
+pkg_postinst() {
+ if use gnome; then
+ fdo-mime_mime_database_update
+ fdo-mime_desktop_database_update
+ gnome2_gconf_install
+ fi
+}
+
+pkg_postrm() {
+ if use gnome; then
+ fdo-mime_desktop_database_update
+ fdo-mime_mime_database_update
+ fi
+}
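Review bot: The `epatch "${FILESDIR}"/${P}-CVE-2015-3885.patch` line in `src_prepare` has no comment tying it to the security bug, so a later version bump that copies this ebuild gives no hint whether the patch is still needed. A one-line comment above it, e.g. `# CVE-2015-3885 (bug #549344): bound 'len' in dcraw.cc ljpeg_start; re-check on version bump`, would keep that context next to the code. Because the patch name is built from `${P}`, the reference also stops resolving as soon as the version changes, which the comment could mention.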