main/giflib: security upgrade to 5.2.2

41ce1c58 · J0WI · Natanael Copa · 0da374af · 41ce1c58 · 41ce1c58
Commit 41ce1c58 authored 1 year ago by J0WI Committed by Natanael Copa 1 year ago
--- a/main/giflib/APKBUILD
+++ b/main/giflib/APKBUILD
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=giflib
-pkgver=5.2.1
+pkgver=5.2.2
-pkgrel=2
+pkgrel=0
 pkgdesc="A library for reading and writing GIF images"
 url="https://sourceforge.net/projects/giflib/"
 arch="all"
@@ -10,11 +10,16 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-utils"
 makedepends="xmlto"
 checkdepends="coreutils"
 source="https://downloads.sourceforge.net/sourceforge/giflib/giflib-$pkgver.tar.gz
-	CVE-2022-28506.patch
+	CVE-2021-40633.patch
-	giflib-restore-deprecated-functions.patch
+	correct-document-page-install.patch
+	dont-build-html-pages-images.patch
 	"
 # secfixes:
+#   5.2.2-r0:
+#     - CVE-2023-39742
+#     - CVE-2023-48161
+#     - CVE-2021-40633
 #   5.2.1-r2:
 #     - CVE-2022-28506
@@ -38,7 +43,8 @@ utils() {
 }
 sha512sums="
-4550e53c21cb1191a4581e363fc9d0610da53f7898ca8320f0d3ef6711e76bdda2609c2df15dc94c45e28bff8de441f1227ec2da7ea827cb3c0405af4faa4736  giflib-5.2.1.tar.gz
+0865ab2b1904fa14640c655fdb14bb54244ad18a66e358565c00287875d00912343f9be8bfac7658cc0146200d626f7ec9160d7a339f20ba3be6b9941d73975f  giflib-5.2.2.tar.gz
-1742eb5006628de4b4578fa4920b9ea849f4d340900f8acb1bf825d9d5041941770a2c21a2fadc467e8185696e9592d05486bfdcdd7102dba6f2eb18b5142410  CVE-2022-28506.patch
+33394cd01a5379ffadffa1a3c9ebd4fe2fddd3ea53fd3c713cc65b0ea0158d26aeb5148a9721c4892e944ef1a5694f54c23450118ab3b6f597e64eb6f3986731  CVE-2021-40633.patch
-fdc4a46e4a61e15e14ad712f164a3595902da700c3280ef3ec6fae345118c055eefb1eb73bb755078d0ea1f6112fa4a2b8edf9d918017e0bdf413497d15e1eaf  giflib-restore-deprecated-functions.patch
+6cb391eefc95f554ee83e89edf6fae365498597e370d684de5d020cb8f87f7bc3506afb30cbd36e9de2302d3301e33e044804c2d2a2c977d1bb7fa9e73f489cb  correct-document-page-install.patch
+aa32ccce78120a50f84c2dec644d10996a0fdb41335b47a1d71b45d14ffc9efd14e6aca3f2392dd6713e3c216c07736e94d21d661a90cfe4d57422eb08a1fbc2  dont-build-html-pages-images.patch
 "
--- a/main/giflib/CVE-2021-40633.patch
+++ b/main/giflib/CVE-2021-40633.patch
+From ccbc956432650734c91acb3fc88837f7b81267ff Mon Sep 17 00:00:00 2001
+From: "Eric S. Raymond" <esr@thyrsus.com>
+Date: Wed, 21 Feb 2024 18:55:00 -0500
+Subject: [PATCH] Clean up memory better at end of run (CVE-2021-40633)
+---
+ gif2rgb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/gif2rgb.c b/gif2rgb.c
+index d51226d..fc2e683 100644
+--- a/gif2rgb.c
+++ b/gif2rgb.c
+@@ -515,10 +515,13 @@ static void GIF2RGB(int NumFiles, char *FileName, bool OneFileFlag,
+ 	}
+ 	DumpScreen2RGB(OutFileName, OneFileFlag, ColorMap, ScreenBuffer,
+ 	               GifFile->SWidth, GifFile->SHeight);
+	for (i = 0; i < GifFile->SHeight; i++) {
+        	(void)free(ScreenBuffer[i]);
+	}
+ 	(void)free(ScreenBuffer);
+ 	{
+ 		int Error;
+ 		if (DGifCloseFile(GifFile, &Error) == GIF_ERROR) {
+-- 
+2.43.0
--- a/main/giflib/CVE-2022-28506.patch
+++ b/main/giflib/CVE-2022-28506.patch
-https://sourceforge.net/p/giflib/code/merge-requests/12/
--- a/gif2rgb.c
-+++ b/gif2rgb.c
-@@ -294,6 +294,11 @@ static void DumpScreen2RGB(char *FileNam
-             GifRow = ScreenBuffer[i];
-             GifQprintf("\b\b\b\b%-4d", ScreenHeight - i);
-             for (j = 0, BufferP = Buffer; j < ScreenWidth; j++) {
-+                /* Check if color is within color palete */
-+                if (GifRow[j] >= ColorMap->ColorCount)
-+                {
-+                   GIF_EXIT(GifErrorString(D_GIF_ERR_IMAGE_DEFECT));
-+                }
-                 ColorMapEntry = &ColorMap->Colors[GifRow[j]];
-                 *BufferP++ = ColorMapEntry->Red;
-                 *BufferP++ = ColorMapEntry->Green;
--- a/main/giflib/correct-document-page-install.patch
+++ b/main/giflib/correct-document-page-install.patch
+From 61f375082c80ee479eb8ff03189aea691a6a06aa Mon Sep 17 00:00:00 2001
+From: "Eric S. Raymond" <esr@thyrsus.com>
+Date: Wed, 21 Feb 2024 08:33:51 -0500
+Subject: [PATCH] Correct document page install.
+---
+ Makefile | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+diff --git a/Makefile b/Makefile
+index 87966a9..f4ecb24 100644
+--- a/Makefile
+++ b/Makefile
+@@ -61,19 +61,23 @@ UTILS = $(INSTALLABLE) \
+ 	gifsponge \
+ 	gifwedge
+ LDLIBS=libgif.a -lm
+-MANUAL_PAGES = \
+MANUAL_PAGES_1 = \
+ 	doc/gif2rgb.xml \
+ 	doc/gifbuild.xml \
+ 	doc/gifclrmp.xml \
+ 	doc/giffix.xml \
+-	doc/giflib.xml \
+ 	doc/giftext.xml \
+ 	doc/giftool.xml
+MANUAL_PAGES_7 = \
+	doc/giflib.xml
+
+MANUAL_PAGES = $(MANUAL_PAGES_1) $(MANUAL_PAGES_7)
+
+ SOEXTENSION	= so
+ LIBGIFSO	= libgif.$(SOEXTENSION)
+ LIBGIFSOMAJOR	= libgif.$(SOEXTENSION).$(LIBMAJOR)
+ LIBGIFSOVER	= libgif.$(SOEXTENSION).$(LIBVER)
+ LIBUTILSO	= libutil.$(SOEXTENSION)
+@@ -146,12 +150,13 @@ install-lib:
+ 	$(INSTALL) -m 644 libgif.a "$(DESTDIR)$(LIBDIR)/libgif.a"
+ 	$(INSTALL) -m 755 $(LIBGIFSO) "$(DESTDIR)$(LIBDIR)/$(LIBGIFSOVER)"
+ 	ln -sf $(LIBGIFSOVER) "$(DESTDIR)$(LIBDIR)/$(LIBGIFSOMAJOR)"
+ 	ln -sf $(LIBGIFSOMAJOR) "$(DESTDIR)$(LIBDIR)/$(LIBGIFSO)"
+ install-man:
+-	$(INSTALL) -d "$(DESTDIR)$(MANDIR)/man1"
+-	$(INSTALL) -m 644 $(MANUAL_PAGES) "$(DESTDIR)$(MANDIR)/man1"
+	$(INSTALL) -d "$(DESTDIR)$(MANDIR)/man1" "$(DESTDIR)$(MANDIR)/man7"
+	$(INSTALL) -m 644 $(MANUAL_PAGES_1:xml=1) "$(DESTDIR)$(MANDIR)/man1"
+	$(INSTALL) -m 644 $(MANUAL_PAGES_7:xml=7) "$(DESTDIR)$(MANDIR)/man7"
+ uninstall: uninstall-man uninstall-include uninstall-lib uninstall-bin
+ uninstall-bin:
+ 	cd "$(DESTDIR)$(BINDIR)" && rm -f $(INSTALLABLE)
+ uninstall-include:
+ 	rm -f "$(DESTDIR)$(INCDIR)/gif_lib.h"
+-- 
+2.43.0
--- a/main/giflib/dont-build-html-pages-images.patch
+++ b/main/giflib/dont-build-html-pages-images.patch
+Description: Don't build the site HTML pages images.
+  It saves us to have ImageMagick as a b-depend.
+Author: David Suárez <david.sephirot@gmail.com>
+Origin: vendor
+Last-Update: 2024-03-24
+Forwarded: not-needed
+--- a/doc/Makefile
+++ b/doc/Makefile
+@@ -46,7 +46,7 @@
+ 	convert $^ -resize 50x50 $@
+ # Philosophical choice: the website gets the internal manual pages
+-allhtml: $(XMLALL:.xml=.html) giflib-logo.gif
+allhtml: $(XMLALL:.xml=.html)
+ manpages: $(XMLMAN1:.xml=.1) $(XMLMAN7:.xml=.7) $(XMLINTERNAL:.xml=.1)
--- a/main/giflib/giflib-restore-deprecated-functions.patch
+++ b/main/giflib/giflib-restore-deprecated-functions.patch
-Source: Gentoo, written by Gary Stein
-Upstream: No
-Reason: restores deprecated GifQuantizeBuffer which some packages (notably libgdiplus) still use
--- a/Makefile	2019-03-28 14:57:23.000000000 -0400
-+++ b/Makefile	2019-03-31 23:38:20.700603561 -0400
-@@ -67,8 +67,8 @@
- $(UTILS):: libgif.a libutil.a
-libgif.so: $(OBJECTS) $(HEADERS)
-	$(CC) $(CFLAGS) -shared $(LDFLAGS) -Wl,-soname -Wl,libgif.so.$(LIBMAJOR) -o libgif.so $(OBJECTS)
-+libgif.so: $(OBJECTS) $(HEADERS) $(UOBJECTS)
-+	$(CC) $(CFLAGS) -shared $(LDFLAGS) -Wl,-soname -Wl,libgif.so.$(LIBMAJOR) -o libgif.so $(OBJECTS) $(UOBJECTS)
- libgif.a: $(OBJECTS) $(HEADERS)
- 	$(AR) rcs libgif.a $(OBJECTS)