From 41ce1c58a67bd4279a1a8459f77382a76f6b2e5b Mon Sep 17 00:00:00 2001
From: J0WI <J0WI@users.noreply.github.com>
Date: Mon, 26 Feb 2024 00:33:28 +0100
Subject: [PATCH] main/giflib: security upgrade to 5.2.2

---
 main/giflib/APKBUILD                          | 20 ++++---
 main/giflib/CVE-2021-40633.patch              | 30 ++++++++++
 main/giflib/CVE-2022-28506.patch              | 15 -----
 .../correct-document-page-install.patch       | 58 +++++++++++++++++++
 .../giflib/dont-build-html-pages-images.patch | 18 ++++++
 .../giflib-restore-deprecated-functions.patch | 17 ------
 6 files changed, 119 insertions(+), 39 deletions(-)
 create mode 100644 main/giflib/CVE-2021-40633.patch
 delete mode 100644 main/giflib/CVE-2022-28506.patch
 create mode 100644 main/giflib/correct-document-page-install.patch
 create mode 100644 main/giflib/dont-build-html-pages-images.patch
 delete mode 100644 main/giflib/giflib-restore-deprecated-functions.patch

diff --git a/main/giflib/APKBUILD b/main/giflib/APKBUILD
index db186cb68187..4d5a4ffd7539 100644
--- a/main/giflib/APKBUILD
+++ b/main/giflib/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=giflib
-pkgver=5.2.1
-pkgrel=2
+pkgver=5.2.2
+pkgrel=0
 pkgdesc="A library for reading and writing GIF images"
 url="https://sourceforge.net/projects/giflib/"
 arch="all"
@@ -10,11 +10,16 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-utils"
 makedepends="xmlto"
 checkdepends="coreutils"
 source="https://downloads.sourceforge.net/sourceforge/giflib/giflib-$pkgver.tar.gz
-	CVE-2022-28506.patch
-	giflib-restore-deprecated-functions.patch
+	CVE-2021-40633.patch
+	correct-document-page-install.patch
+	dont-build-html-pages-images.patch
 	"
 
 # secfixes:
+#   5.2.2-r0:
+#     - CVE-2023-39742
+#     - CVE-2023-48161
+#     - CVE-2021-40633
 #   5.2.1-r2:
 #     - CVE-2022-28506
 
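Review bot: The `source=` list drops `CVE-2022-28506.patch` and `giflib-restore-deprecated-functions.patch`, and the commit message does not say why either is safe to remove. The removed CVE patch added a palette bounds check in DumpScreen2RGB (`if (GifRow[j] >= ColorMap->ColorCount)`). Before merging, confirm that the 5.2.2 tarball contains an equivalent check and say so in the commit description, otherwise the `5.2.1-r2` secfixes entry would describe a fix this build no longer carries. The other removed patch says it restores the deprecated GifQuantizeBuffer for packages such as libgdiplus, so dependents that may still link that symbol should be rebuilt and checked against this version.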
@@ -38,7 +43,8 @@ utils() {
 }
 
 sha512sums="
-4550e53c21cb1191a4581e363fc9d0610da53f7898ca8320f0d3ef6711e76bdda2609c2df15dc94c45e28bff8de441f1227ec2da7ea827cb3c0405af4faa4736  giflib-5.2.1.tar.gz
-1742eb5006628de4b4578fa4920b9ea849f4d340900f8acb1bf825d9d5041941770a2c21a2fadc467e8185696e9592d05486bfdcdd7102dba6f2eb18b5142410  CVE-2022-28506.patch
-fdc4a46e4a61e15e14ad712f164a3595902da700c3280ef3ec6fae345118c055eefb1eb73bb755078d0ea1f6112fa4a2b8edf9d918017e0bdf413497d15e1eaf  giflib-restore-deprecated-functions.patch
+0865ab2b1904fa14640c655fdb14bb54244ad18a66e358565c00287875d00912343f9be8bfac7658cc0146200d626f7ec9160d7a339f20ba3be6b9941d73975f  giflib-5.2.2.tar.gz
+33394cd01a5379ffadffa1a3c9ebd4fe2fddd3ea53fd3c713cc65b0ea0158d26aeb5148a9721c4892e944ef1a5694f54c23450118ab3b6f597e64eb6f3986731  CVE-2021-40633.patch
+6cb391eefc95f554ee83e89edf6fae365498597e370d684de5d020cb8f87f7bc3506afb30cbd36e9de2302d3301e33e044804c2d2a2c977d1bb7fa9e73f489cb  correct-document-page-install.patch
+aa32ccce78120a50f84c2dec644d10996a0fdb41335b47a1d71b45d14ffc9efd14e6aca3f2392dd6713e3c216c07736e94d21d661a90cfe4d57422eb08a1fbc2  dont-build-html-pages-images.patch
 "
diff --git a/main/giflib/CVE-2021-40633.patch b/main/giflib/CVE-2021-40633.patch
new file mode 100644
index 000000000000..9002088b67df
--- /dev/null
+++ b/main/giflib/CVE-2021-40633.patch
@@ -0,0 +1,30 @@
+From ccbc956432650734c91acb3fc88837f7b81267ff Mon Sep 17 00:00:00 2001
+From: "Eric S. Raymond" <esr@thyrsus.com>
+Date: Wed, 21 Feb 2024 18:55:00 -0500
+Subject: [PATCH] Clean up memory better at end of run (CVE-2021-40633)
+
+---
+ gif2rgb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/gif2rgb.c b/gif2rgb.c
+index d51226d..fc2e683 100644
+--- a/gif2rgb.c
++++ b/gif2rgb.c
+@@ -515,10 +515,13 @@ static void GIF2RGB(int NumFiles, char *FileName, bool OneFileFlag,
+ 	}
+ 
+ 	DumpScreen2RGB(OutFileName, OneFileFlag, ColorMap, ScreenBuffer,
+ 	               GifFile->SWidth, GifFile->SHeight);
+ 
++	for (i = 0; i < GifFile->SHeight; i++) {
++        	(void)free(ScreenBuffer[i]);
++	}
+ 	(void)free(ScreenBuffer);
+ 
+ 	{
+ 		int Error;
+ 		if (DGifCloseFile(GifFile, &Error) == GIF_ERROR) {
+-- 
+2.43.0
+
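Review bot: The new patch file keeps the upstream commit header but has no link to its origin, unlike the deleted CVE-2022-28506.patch, which opened with its merge-request URL. A leading line such as `Patch-Source: <upstream commit URL>` would let a later reviewer check the file against upstream. The added loop frees `ScreenBuffer[i]` for `GifFile->SHeight` rows, which is correct only if the allocation (outside this hunk) created exactly that many rows. It correctly runs before `DGifCloseFile`, since it reads `GifFile->SHeight`. The change is confined to gif2rgb.c, so the `CVE-2021-40633` secfixes entry presumably applies to the utility rather than to libgif itself.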
diff --git a/main/giflib/CVE-2022-28506.patch b/main/giflib/CVE-2022-28506.patch
deleted file mode 100644
index 7dbd669487d2..000000000000
--- a/main/giflib/CVE-2022-28506.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-https://sourceforge.net/p/giflib/code/merge-requests/12/
---- a/gif2rgb.c
-+++ b/gif2rgb.c
-@@ -294,6 +294,11 @@ static void DumpScreen2RGB(char *FileNam
-             GifRow = ScreenBuffer[i];
-             GifQprintf("\b\b\b\b%-4d", ScreenHeight - i);
-             for (j = 0, BufferP = Buffer; j < ScreenWidth; j++) {
-+                /* Check if color is within color palete */
-+                if (GifRow[j] >= ColorMap->ColorCount)
-+                {
-+                   GIF_EXIT(GifErrorString(D_GIF_ERR_IMAGE_DEFECT));
-+                }
-                 ColorMapEntry = &ColorMap->Colors[GifRow[j]];
-                 *BufferP++ = ColorMapEntry->Red;
-                 *BufferP++ = ColorMapEntry->Green;
diff --git a/main/giflib/correct-document-page-install.patch b/main/giflib/correct-document-page-install.patch
new file mode 100644
index 000000000000..4e10d86635e2
--- /dev/null
+++ b/main/giflib/correct-document-page-install.patch
@@ -0,0 +1,58 @@
+From 61f375082c80ee479eb8ff03189aea691a6a06aa Mon Sep 17 00:00:00 2001
+From: "Eric S. Raymond" <esr@thyrsus.com>
+Date: Wed, 21 Feb 2024 08:33:51 -0500
+Subject: [PATCH] Correct document page install.
+
+---
+ Makefile | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 87966a9..f4ecb24 100644
+--- a/Makefile
++++ b/Makefile
+@@ -61,19 +61,23 @@ UTILS = $(INSTALLABLE) \
+ 	gifsponge \
+ 	gifwedge
+ 
+ LDLIBS=libgif.a -lm
+ 
+-MANUAL_PAGES = \
++MANUAL_PAGES_1 = \
+ 	doc/gif2rgb.xml \
+ 	doc/gifbuild.xml \
+ 	doc/gifclrmp.xml \
+ 	doc/giffix.xml \
+-	doc/giflib.xml \
+ 	doc/giftext.xml \
+ 	doc/giftool.xml
+ 
++MANUAL_PAGES_7 = \
++	doc/giflib.xml
++
++MANUAL_PAGES = $(MANUAL_PAGES_1) $(MANUAL_PAGES_7)
++
+ SOEXTENSION	= so
+ LIBGIFSO	= libgif.$(SOEXTENSION)
+ LIBGIFSOMAJOR	= libgif.$(SOEXTENSION).$(LIBMAJOR)
+ LIBGIFSOVER	= libgif.$(SOEXTENSION).$(LIBVER)
+ LIBUTILSO	= libutil.$(SOEXTENSION)
+@@ -146,12 +150,13 @@ install-lib:
+ 	$(INSTALL) -m 644 libgif.a "$(DESTDIR)$(LIBDIR)/libgif.a"
+ 	$(INSTALL) -m 755 $(LIBGIFSO) "$(DESTDIR)$(LIBDIR)/$(LIBGIFSOVER)"
+ 	ln -sf $(LIBGIFSOVER) "$(DESTDIR)$(LIBDIR)/$(LIBGIFSOMAJOR)"
+ 	ln -sf $(LIBGIFSOMAJOR) "$(DESTDIR)$(LIBDIR)/$(LIBGIFSO)"
+ install-man:
+-	$(INSTALL) -d "$(DESTDIR)$(MANDIR)/man1"
+-	$(INSTALL) -m 644 $(MANUAL_PAGES) "$(DESTDIR)$(MANDIR)/man1"
++	$(INSTALL) -d "$(DESTDIR)$(MANDIR)/man1" "$(DESTDIR)$(MANDIR)/man7"
++	$(INSTALL) -m 644 $(MANUAL_PAGES_1:xml=1) "$(DESTDIR)$(MANDIR)/man1"
++	$(INSTALL) -m 644 $(MANUAL_PAGES_7:xml=7) "$(DESTDIR)$(MANDIR)/man7"
+ uninstall: uninstall-man uninstall-include uninstall-lib uninstall-bin
+ uninstall-bin:
+ 	cd "$(DESTDIR)$(BINDIR)" && rm -f $(INSTALLABLE)
+ uninstall-include:
+ 	rm -f "$(DESTDIR)$(INCDIR)/gif_lib.h"
+-- 
+2.43.0
+
diff --git a/main/giflib/dont-build-html-pages-images.patch b/main/giflib/dont-build-html-pages-images.patch
new file mode 100644
index 000000000000..7d4fe356dcf8
--- /dev/null
+++ b/main/giflib/dont-build-html-pages-images.patch
@@ -0,0 +1,18 @@
+Description: Don't build the site HTML pages images.
+  It saves us to have ImageMagick as a b-depend.
+Author: David Suárez <david.sephirot@gmail.com>
+Origin: vendor
+Last-Update: 2024-03-24
+Forwarded: not-needed
+
+--- a/doc/Makefile
++++ b/doc/Makefile
+@@ -46,7 +46,7 @@
+ 	convert $^ -resize 50x50 $@
+ 
+ # Philosophical choice: the website gets the internal manual pages
+-allhtml: $(XMLALL:.xml=.html) giflib-logo.gif
++allhtml: $(XMLALL:.xml=.html)
+ 
+ manpages: $(XMLMAN1:.xml=.1) $(XMLMAN7:.xml=.7) $(XMLINTERNAL:.xml=.1)
+ 
diff --git a/main/giflib/giflib-restore-deprecated-functions.patch b/main/giflib/giflib-restore-deprecated-functions.patch
deleted file mode 100644
index 770cb16d5ac2..000000000000
--- a/main/giflib/giflib-restore-deprecated-functions.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-Source: Gentoo, written by Gary Stein
-Upstream: No
-Reason: restores deprecated GifQuantizeBuffer which some packages (notably libgdiplus) still use
---- a/Makefile	2019-03-28 14:57:23.000000000 -0400
-+++ b/Makefile	2019-03-31 23:38:20.700603561 -0400
-@@ -67,8 +67,8 @@
- 
- $(UTILS):: libgif.a libutil.a
- 
--libgif.so: $(OBJECTS) $(HEADERS)
--	$(CC) $(CFLAGS) -shared $(LDFLAGS) -Wl,-soname -Wl,libgif.so.$(LIBMAJOR) -o libgif.so $(OBJECTS)
-+libgif.so: $(OBJECTS) $(HEADERS) $(UOBJECTS)
-+	$(CC) $(CFLAGS) -shared $(LDFLAGS) -Wl,-soname -Wl,libgif.so.$(LIBMAJOR) -o libgif.so $(OBJECTS) $(UOBJECTS)
- 
- libgif.a: $(OBJECTS) $(HEADERS)
- 	$(AR) rcs libgif.a $(OBJECTS)
-
-- 
GitLab