main/libexif: security upgrade to 0.6.22

fixes #11539

main/libexif: security upgrade to 0.6.22
fixes #11539
cc9c8ab4 · Leo · Natanael Copa · 19e97437 · cc9c8ab4 · 19e97437
Commit cc9c8ab4 authored May 19, 2020 by Leo Committed by Natanael Copa May 19, 2020
--- a/main/libexif/APKBUILD
+++ b/main/libexif/APKBUILD
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libexif
-pkgver=0.6.21
-pkgrel=3
+pkgver=0.6.22
+pkgrel=0
 pkgdesc="A library to parse an EXIF file and read the data from those tags"
 url="https://sourceforge.net/projects/libexif"
 arch="all"
-license="LGPL-2.0+"
+license="LGPL-2.0-or-later"
 subpackages="$pkgname-dev $pkgname-doc"
-depends=
-makedepends=
-source="https://downloads.sf.net/sourceforge/$pkgname/$pkgname-$pkgver.tar.bz2
-	CVE-2017-7544.patch
-	"
+source="https://github.com/libexif/libexif/releases/download/libexif-${pkgver//./_}-release/libexif-$pkgver.tar.xz"

 # secfixes:
+#   0.6.22-r0:
+#     - CVE-2018-20030
+#     - CVE-2020-13114
+#     - CVE-2020-13113
+#     - CVE-2020-13112
+#     - CVE-2020-0093
+#     - CVE-2019-9278
+#     - CVE-2020-12767
+#     - CVE-2016-6328
 #   0.6.21-r3:
 #     - CVE-2017-7544
+#   0.6.21-r0:
+#     - CVE-2012-2812
+#     - CVE-2012-2813
+#     - CVE-2012-2814
+#     - CVE-2012-2836
+#     - CVE-2012-2837
+#     - CVE-2012-2840
+#     - CVE-2012-2841
+#     - CVE-2012-2845
+#   0.6.19-r0:
+#     - CVE-2009-3895

 prepare() {
-	cd "$builddir"
-	update_config_sub
 	default_prepare
+
+	# The tarballs upstream provides uses /usr/bin/sh instead of /bin/sh
+	# most likely as a result of a poor usrmerge
+	grep -l '^#!/usr/bin/sh' -r . | xargs sed -i 's|^#!/usr/bin/sh|#!/bin/sh|g'
 }

 build() {
-	cd "$builddir"
 	./configure \
 		--build=$CBUILD \
 		--host=$CHOST \
@@ -33,13 +50,10 @@ build() {
 }

 check() {
-	cd "$builddir"
 	make check
 }

 package() {
-	cd "$builddir"
 	make DESTDIR="$pkgdir" install
 }
-sha512sums="4e0fe2abe85d1c95b41cb3abe1f6333dc3a9eb69dba106a674a78d74a4d5b9c5a19647118fa1cc2d72b98a29853394f1519eda9e2889eb28d3be26b21c7cfc35  libexif-0.6.21.tar.bz2
-5475c9e0f4a05448a571077d24d545cfaa0a7b15978345e92440107770077158b994fc0c785a81bb95ad6b409929c4c516c6e002cd65c9d35eb0e91161750e48  CVE-2017-7544.patch"
+sha512sums="0a9e7bf0258ed98a794b667d45e8fc65299101a2a2d2e39c358715b20b003beff258782f0736cd5b53978428a2f878a989f303bee249a978850a065f33c534af  libexif-0.6.22.tar.xz"
--- a/main/libexif/CVE-2017-7544.patch
+++ b/main/libexif/CVE-2017-7544.patch
-Index: libexif/exif-data.c
-===================================================================
-RCS file: /cvsroot/libexif/libexif/libexif/exif-data.c,v
-retrieving revision 1.131
-diff -u -r1.131 exif-data.c
--- a/libexif/exif-data.c	12 Jul 2012 17:28:26 -0000	1.131
-+++ b/libexif/exif-data.c	25 Jul 2017 21:34:06 -0000
-@@ -255,6 +255,12 @@
- 			exif_mnote_data_set_offset (data->priv->md, *ds - 6);
- 			exif_mnote_data_save (data->priv->md, &e->data, &e->size);
- 			e->components = e->size;
-+			if (exif_format_get_size (e->format) != 1) {
-+				/* e->format is taken from input code,
-+				 * but we need to make sure it is a 1 byte
-+				 * entity due to the multiplication below. */
-+				e->format = EXIF_FORMAT_UNDEFINED;
-+			}
- 		}
- 	}
-