diff options
| author | Mark H Weaver <mhw@netris.org> | 2018-02-11 04:05:07 -0500 |
|---|---|---|
| committer | Mark H Weaver <mhw@netris.org> | 2018-02-11 04:05:07 -0500 |
| commit | a7fb29866520d5661e0ac8e47957c91a2a43e11e (patch) | |
| tree | 50a169b022edbb31db49f09809d30dfe8597b862 /gnu/packages/patches | |
| parent | 6730d895d3992f37f35f5351332f51a4be2fda50 (diff) | |
| parent | 31c7002b466c6d09400a95bc15774f232b51ce0b (diff) | |
| download | gnu-guix-a7fb29866520d5661e0ac8e47957c91a2a43e11e.tar gnu-guix-a7fb29866520d5661e0ac8e47957c91a2a43e11e.tar.gz | |
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches')
| -rw-r--r-- | gnu/packages/patches/clementine-remove-crypto++-dependency.patch | 19 | ||||
| -rw-r--r-- | gnu/packages/patches/emacs-browse-at-remote-cgit-gnu.patch | 59 | ||||
| -rw-r--r-- | gnu/packages/patches/java-xerces-bootclasspath.patch | 38 | ||||
| -rw-r--r-- | gnu/packages/patches/java-xerces-build_dont_unzip.patch | 44 | ||||
| -rw-r--r-- | gnu/packages/patches/java-xerces-xjavac_taskdef.patch | 45 | ||||
| -rw-r--r-- | gnu/packages/patches/libtasn1-CVE-2018-6003.patch | 73 | ||||
| -rw-r--r-- | gnu/packages/patches/libtiff-CVE-2017-18013.patch | 45 | ||||
| -rw-r--r-- | gnu/packages/patches/libtiff-CVE-2017-9935.patch | 162 | ||||
| -rw-r--r-- | gnu/packages/patches/zziplib-CVE-2017-5974.patch | 28 | ||||
| -rw-r--r-- | gnu/packages/patches/zziplib-CVE-2017-5975.patch | 32 | ||||
| -rw-r--r-- | gnu/packages/patches/zziplib-CVE-2017-5976.patch | 61 | ||||
| -rw-r--r-- | gnu/packages/patches/zziplib-CVE-2017-5978.patch | 37 | ||||
| -rw-r--r-- | gnu/packages/patches/zziplib-CVE-2017-5979.patch | 19 | ||||
| -rw-r--r-- | gnu/packages/patches/zziplib-CVE-2017-5981.patch | 19 |
14 files changed, 485 insertions, 196 deletions
diff --git a/gnu/packages/patches/clementine-remove-crypto++-dependency.patch b/gnu/packages/patches/clementine-remove-crypto++-dependency.patch new file mode 100644 index 0000000000..e7cf80ddee --- /dev/null +++ b/gnu/packages/patches/clementine-remove-crypto++-dependency.patch @@ -0,0 +1,19 @@ +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 3202b8b..473ecb9 100755 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -279,14 +279,6 @@ optional_component(LIBPULSE ON "Pulse audio integration" + + optional_component(VISUALISATIONS ON "Visualisations") + +-if(NOT HAVE_SPOTIFY_BLOB AND NOT CRYPTOPP_FOUND) +- message(FATAL_ERROR "Either crypto++ must be available or the non-GPL Spotify " +- "code must be compiled in") +-elseif(CRYPTOPP_FOUND) +- set(HAVE_CRYPTOPP ON) +- set(HAVE_SPOTIFY_DOWNLOADER ON) +-endif() +- + # Find DBus if it's enabled + if (HAVE_DBUS) + find_package(Qt5 COMPONENTS DBus) diff --git a/gnu/packages/patches/emacs-browse-at-remote-cgit-gnu.patch b/gnu/packages/patches/emacs-browse-at-remote-cgit-gnu.patch new file mode 100644 index 0000000000..b90017fdb4 --- /dev/null +++ b/gnu/packages/patches/emacs-browse-at-remote-cgit-gnu.patch @@ -0,0 +1,59 @@ +Copyright © 2018 Oleg Pykhalov <go.wigust@gmail.com> + +This patch adds a support for Git repositories hosted on git.savannah.gnu.org. + +Upstream bug URL: + +https://github.com/rmuslimov/browse-at-remote/pull/46 + +From cd2ccdaef8b1d97337d790175f71cc3dbcfcff64 Mon Sep 17 00:00:00 2001 +From: Oleg Pykhalov <go.wigust@gmail.com> +Date: Fri, 26 Jan 2018 00:05:30 +0300 +Subject: [PATCH] Add support for repositories that are hosted on gnu cgit + +--- + browse-at-remote.el | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +diff --git a/browse-at-remote.el b/browse-at-remote.el +index 66967b3..e210d18 100644 +--- a/browse-at-remote.el ++++ b/browse-at-remote.el +@@ -44,7 +44,8 @@ + (defcustom browse-at-remote-remote-type-domains + '(("bitbucket.org" ."bitbucket") + ("github.com" . "github") +- ("gitlab.com" . "gitlab")) ++ ("gitlab.com" . "gitlab") ++ ("git.savannah.gnu.org" . "gnu")) + "Alist of domain patterns to remote types." + + :type '(alist :key-type (string :tag "Domain") +@@ -199,6 +200,24 @@ If HEAD is detached, return nil." + (if (fboundp formatter) + formatter nil))) + ++(defun browse-at-remote-gnu-format-url (repo-url) ++ "Get a gnu formatted URL." ++ (replace-regexp-in-string ++ (concat "https://" (car (rassoc "gnu" browse-at-remote-remote-type-domains)) ++ "/\\(git\\).*\\'") ++ "cgit" repo-url nil nil 1)) ++ ++(defun browse-at-remote--format-region-url-as-gnu (repo-url location filename &optional linestart lineend) ++ "URL formatter for gnu." ++ (let ((repo-url (browse-at-remote-gnu-format-url repo-url))) ++ (cond ++ (linestart (format "%s.git/tree/%s?h=%s#n%d" repo-url filename location linestart)) ++ (t (format "%s.git/tree/%s?h=%s" repo-url filename location))))) ++ ++(defun browse-at-remote--format-commit-url-as-gnu (repo-url commithash) ++ "Commit URL formatted for gnu" ++ (format "%s.git/commit/?id=%s" (browse-at-remote-gnu-format-url repo-url) commithash)) ++ + (defun browse-at-remote--format-region-url-as-github (repo-url location filename &optional linestart lineend) + "URL formatted for github." + (cond +-- +2.15.1 + diff --git a/gnu/packages/patches/java-xerces-bootclasspath.patch b/gnu/packages/patches/java-xerces-bootclasspath.patch new file mode 100644 index 0000000000..efaa548a62 --- /dev/null +++ b/gnu/packages/patches/java-xerces-bootclasspath.patch @@ -0,0 +1,38 @@ +Based on https://anonscm.debian.org/viewvc/pkg-java/trunk/libxerces2-java/debian/patches/03_bootclasspath.patch?revision=14509, adopted for guix + +--- xerces-2_11_0/build.xml.orig 2010-11-26 21:42:11.000000000 +0100 ++++ xerces-2_11_0/build.xml 2017-03-28 14:04:41.946606996 +0200 +@@ -290,13 +290,14 @@ + destdir="${build.dest}"
+ source="${javac.source}"
+ target="${javac.target}"
+- classpath="${build.dir}/classes:${tools.dir}/${jar.apis}:${tools.dir}/${jar.resolver}:${tools.dir}/${jar.serializer}"
++ classpath="${build.dir}/classes:${jar.jaxp}:${jar.apis-ext}:${jar.resolver}"
+ debug="${debug}" nowarn="true"
+ debuglevel="${debuglevel}"
+ deprecation="${deprecation}"
+ optimize="${optimize}"
+ includeAntRuntime="false"
+- includeJavaRuntime="false"
++ includeJavaRuntime="true"
++ bootclasspath="${jar.jaxp}:${jar.apis-ext}:${jar.resolver}"
+ excludes="org/xml/sax/**
+ javax/xml/**
+ org/w3c/dom/*
+@@ -1451,13 +1452,14 @@ + destdir="${build.dest}"
+ source="${javac.source}"
+ target="${javac.target}"
+- classpath="${build.dir}/classes:${tools.dir}/${jar.apis}:${tools.dir}/${jar.resolver}:${tools.dir}/${jar.serializer}"
++ classpath="${build.dir}/classes:${jar.jaxp}:${jar.apis-ext}:${jar.resolver}"
+ debug="${debug}"
+ debuglevel="${debuglevel}"
+ deprecation="${deprecation}"
+ optimize="${optimize}"
+ includeAntRuntime="false"
+- includeJavaRuntime="false"
++ includeJavaRuntime="true"
++ bootclasspath="${jar.jaxp}:${jar.apis-ext}:${jar.resolver}"
+ excludes="org/xml/sax/**
+ javax/xml/**
+ org/w3c/dom/*
diff --git a/gnu/packages/patches/java-xerces-build_dont_unzip.patch b/gnu/packages/patches/java-xerces-build_dont_unzip.patch new file mode 100644 index 0000000000..2ff5628865 --- /dev/null +++ b/gnu/packages/patches/java-xerces-build_dont_unzip.patch @@ -0,0 +1,44 @@ +Don't unzip the sources which were bundled originally. Guix strips them from +the source and uses pre-build packages. + +Taken from https://anonscm.debian.org/viewvc/pkg-java/trunk/libxerces2-java/debian/patches/02_build_dont_unzip.patch?revision=14507 + +Index: b/build.xml +=================================================================== +--- a/build.xml ++++ b/build.xml +@@ -247,7 +247,7 @@ + <copy file="${src.dir}/org/apache/xerces/impl/xpath/regex/message.properties"
+ tofile="${build.src}/org/apache/xerces/impl/xpath/regex/message_en.properties"/>
+
+- <!-- now deal with API's: -->
++ <!-- not needed for Debian
+ <unzip src="${src.apis.zip}" dest="${build.src}">
+ <patternset
+ includes="org/xml/sax/**
+@@ -270,6 +270,7 @@ + org/w3c/dom/xpath/**"
+ />
+ </unzip>
++ -->
+
+ <!-- substitute tokens as needed -->
+ <replace file="${build.dir}/src/org/apache/xerces/impl/Version.java"
+@@ -1232,7 +1233,7 @@ + <replace file="${build.dir}/src/org/apache/xerces/parsers/AbstractSAXParser.java"
+ token="return (fConfiguration instanceof XML11Configurable);" value="return false;"/>
+
+- <!-- now deal with API's: -->
++ <!-- not needed for Debian
+ <unzip src="${src.apis.zip}" dest="${build.src}">
+ <patternset
+ includes="org/xml/sax/**
+@@ -1255,7 +1256,7 @@ + org/w3c/dom/xpath/**"
+ />
+ </unzip>
+-
++ -->
+
+ <!-- substitute tokens as needed -->
+ <replace file="${build.dir}/src/org/apache/xerces/impl/Version.java"
diff --git a/gnu/packages/patches/java-xerces-xjavac_taskdef.patch b/gnu/packages/patches/java-xerces-xjavac_taskdef.patch new file mode 100644 index 0000000000..4f5d008c28 --- /dev/null +++ b/gnu/packages/patches/java-xerces-xjavac_taskdef.patch @@ -0,0 +1,45 @@ +This patch eliminates the need for providing "xjavac", which saves building a +package for the unmaintained "xerces-tools". + +Taken from https://anonscm.debian.org/viewvc/pkg-java/trunk/libxerces2-java/debian/patches/01_xjavac_taskdef.patch?revision=14507 + +Index: b/build.xml +=================================================================== +--- a/build.xml ++++ b/build.xml +@@ -39,7 +39,7 @@ + <property name="tools.dir" value="./tools"/>
+
+ <!-- enable compilation under JDK 1.4 and above -->
+- <taskdef name="xjavac" classname="org.apache.xerces.util.XJavac">
++ <taskdef name="xjavac" classname="org.apache.tools.ant.taskdefs.Javac">
+ <classpath>
+ <pathelement location="${tools.dir}/bin/xjavac.jar"/>
+ </classpath>
+@@ -291,7 +291,7 @@ + source="${javac.source}"
+ target="${javac.target}"
+ classpath="${build.dir}/classes:${tools.dir}/${jar.apis}:${tools.dir}/${jar.resolver}:${tools.dir}/${jar.serializer}"
+- debug="${debug}"
++ debug="${debug}" nowarn="true"
+ debuglevel="${debuglevel}"
+ deprecation="${deprecation}"
+ optimize="${optimize}"
+@@ -359,7 +359,7 @@ + source="${javac.source}"
+ target="${javac.target}"
+ classpath="${build.dir}/classes:${tools.dir}/${jar.apis}"
+- debug="${debug}"
++ debug="${debug}" nowarn="true"
+ debuglevel="${debuglevel}"
+ includeAntRuntime="false"
+ includeJavaRuntime="true"/>
+@@ -379,7 +379,7 @@ + source="${javac.source}"
+ target="${javac.target}"
+ classpath="${tools.dir}/${jar.apis}:${build.dir}/classes:./tools/junit.jar"
+- debug="${debug}"
++ debug="${debug}" nowarn="true"
+ debuglevel="${debuglevel}"
+ includeAntRuntime="false"
+ includeJavaRuntime="true"/>
diff --git a/gnu/packages/patches/libtasn1-CVE-2018-6003.patch b/gnu/packages/patches/libtasn1-CVE-2018-6003.patch new file mode 100644 index 0000000000..3e6140518d --- /dev/null +++ b/gnu/packages/patches/libtasn1-CVE-2018-6003.patch @@ -0,0 +1,73 @@ +Fix CVE-2018-6003: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6003 +https://lists.gnu.org/archive/html/help-libtasn1/2018-01/msg00000.html + +Patch copied from upstream source repository: + +https://gitlab.com/gnutls/libtasn1/commit/c593ae84cfcde8fea45787e53950e0ac71e9ca97 + +From c593ae84cfcde8fea45787e53950e0ac71e9ca97 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos <nmav@redhat.com> +Date: Thu, 4 Jan 2018 10:52:05 +0100 +Subject: [PATCH] _asn1_decode_simple_ber: restrict the levels of recursion to 3 + +On indefinite string decoding, setting a maximum level of recursions +protects the BER decoder from a stack exhaustion due to large amounts +of recursion. + +Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> +--- + lib/decoding.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/lib/decoding.c b/lib/decoding.c +index 2240b09..0ee35d3 100644 +--- a/lib/decoding.c ++++ b/lib/decoding.c +@@ -45,6 +45,13 @@ + + #define DECODE_FLAG_HAVE_TAG 1 + #define DECODE_FLAG_INDEFINITE (1<<1) ++/* On indefinite string decoding, allow this maximum levels ++ * of recursion. Allowing infinite recursion, makes the BER ++ * decoder susceptible to stack exhaustion due to that recursion. ++ */ ++#define DECODE_FLAG_LEVEL1 (1<<2) ++#define DECODE_FLAG_LEVEL2 (1<<3) ++#define DECODE_FLAG_LEVEL3 (1<<4) + + #define DECR_LEN(l, s) do { \ + l -= s; \ +@@ -2216,7 +2223,8 @@ _asn1_decode_simple_ber (unsigned int etype, const unsigned char *der, + } + + /* indefinite constructed */ +- if (((dflags & DECODE_FLAG_INDEFINITE) || class == ASN1_CLASS_STRUCTURED) && ETYPE_IS_STRING(etype)) ++ if ((((dflags & DECODE_FLAG_INDEFINITE) || class == ASN1_CLASS_STRUCTURED) && ETYPE_IS_STRING(etype)) && ++ !(dflags & DECODE_FLAG_LEVEL3)) + { + len_len = 1; + +@@ -2236,8 +2244,17 @@ _asn1_decode_simple_ber (unsigned int etype, const unsigned char *der, + do + { + unsigned tmp_len; ++ unsigned flags = DECODE_FLAG_HAVE_TAG; ++ ++ if (dflags & DECODE_FLAG_LEVEL1) ++ flags |= DECODE_FLAG_LEVEL2; ++ else if (dflags & DECODE_FLAG_LEVEL2) ++ flags |= DECODE_FLAG_LEVEL3; ++ else ++ flags |= DECODE_FLAG_LEVEL1; + +- result = asn1_decode_simple_ber(etype, p, der_len, &out, &out_len, &tmp_len); ++ result = _asn1_decode_simple_ber(etype, p, der_len, &out, &out_len, &tmp_len, ++ flags); + if (result != ASN1_SUCCESS) + { + warn(); +-- +libgit2 0.26.0 + diff --git a/gnu/packages/patches/libtiff-CVE-2017-18013.patch b/gnu/packages/patches/libtiff-CVE-2017-18013.patch new file mode 100644 index 0000000000..ba03c83847 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2017-18013.patch @@ -0,0 +1,45 @@ +Fix CVE-2017-18013: + +http://bugzilla.maptools.org/show_bug.cgi?id=2770 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18013 + +Patch copied from upstream source repository: + +https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01 + +From c6f41df7b581402dfba3c19a1e3df4454c551a01 Mon Sep 17 00:00:00 2001 +From: Even Rouault <even.rouault@spatialys.com> +Date: Sun, 31 Dec 2017 15:09:41 +0100 +Subject: [PATCH] libtiff/tif_print.c: TIFFPrintDirectory(): fix null pointer + dereference on corrupted file. Fixes + http://bugzilla.maptools.org/show_bug.cgi?id=2770 + +--- + libtiff/tif_print.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_print.c b/libtiff/tif_print.c +index 9959d353..8deceb2b 100644 +--- a/libtiff/tif_print.c ++++ b/libtiff/tif_print.c +@@ -665,13 +665,13 @@ TIFFPrintDirectory(TIFF* tif, FILE* fd, long flags) + #if defined(__WIN32__) && (defined(_MSC_VER) || defined(__MINGW32__)) + fprintf(fd, " %3lu: [%8I64u, %8I64u]\n", + (unsigned long) s, +- (unsigned __int64) td->td_stripoffset[s], +- (unsigned __int64) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned __int64) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned __int64) td->td_stripbytecount[s] : 0); + #else + fprintf(fd, " %3lu: [%8llu, %8llu]\n", + (unsigned long) s, +- (unsigned long long) td->td_stripoffset[s], +- (unsigned long long) td->td_stripbytecount[s]); ++ td->td_stripoffset ? (unsigned long long) td->td_stripoffset[s] : 0, ++ td->td_stripbytecount ? (unsigned long long) td->td_stripbytecount[s] : 0); + #endif + } + } +-- +2.16.1 + diff --git a/gnu/packages/patches/libtiff-CVE-2017-9935.patch b/gnu/packages/patches/libtiff-CVE-2017-9935.patch new file mode 100644 index 0000000000..5685d81f68 --- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2017-9935.patch @@ -0,0 +1,162 @@ +Fix CVE-2017-9935 + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9935 +http://bugzilla.maptools.org/show_bug.cgi?id=2704 + +Patch copied from upstream source repository: + +https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940 + +From 3dd8f6a357981a4090f126ab9025056c938b6940 Mon Sep 17 00:00:00 2001 +From: Brian May <brian@linuxpenguins.xyz> +Date: Thu, 7 Dec 2017 07:46:47 +1100 +Subject: [PATCH] tiff2pdf: Fix CVE-2017-9935 + +Fix for http://bugzilla.maptools.org/show_bug.cgi?id=2704 + +This vulnerability - at least for the supplied test case - is because we +assume that a tiff will only have one transfer function that is the same +for all pages. This is not required by the TIFF standards. + +We than read the transfer function for every page. Depending on the +transfer function, we allocate either 2 or 4 bytes to the XREF buffer. +We allocate this memory after we read in the transfer function for the +page. + +For the first exploit - POC1, this file has 3 pages. For the first page +we allocate 2 extra extra XREF entries. Then for the next page 2 more +entries. Then for the last page the transfer function changes and we +allocate 4 more entries. + +When we read the file into memory, we assume we have 4 bytes extra for +each and every page (as per the last transfer function we read). Which +is not correct, we only have 2 bytes extra for the first 2 pages. As a +result, we end up writing past the end of the buffer. + +There are also some related issues that this also fixes. For example, +TIFFGetField can return uninitalized pointer values, and the logic to +detect a N=3 vs N=1 transfer function seemed rather strange. + +It is also strange that we declare the transfer functions to be of type +float, when the standard says they are unsigned 16 bit values. This is +fixed in another patch. + +This patch will check to ensure that the N value for every transfer +function is the same for every page. If this changes, we abort with an +error. In theory, we should perhaps check that the transfer function +itself is identical for every page, however we don't do that due to the +confusion of the type of the data in the transfer function. +--- + libtiff/tif_dir.c | 3 +++ + tools/tiff2pdf.c | 65 +++++++++++++++++++++++++++++++++++++------------------ + 2 files changed, 47 insertions(+), 21 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index 2ccaf448..cbf2b693 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -1065,6 +1065,9 @@ _TIFFVGetField(TIFF* tif, uint32 tag, va_list ap) + if (td->td_samplesperpixel - td->td_extrasamples > 1) { + *va_arg(ap, uint16**) = td->td_transferfunction[1]; + *va_arg(ap, uint16**) = td->td_transferfunction[2]; ++ } else { ++ *va_arg(ap, uint16**) = NULL; ++ *va_arg(ap, uint16**) = NULL; + } + break; + case TIFFTAG_REFERENCEBLACKWHITE: +diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c +index d1a9b095..c3ec0746 100644 +--- a/tools/tiff2pdf.c ++++ b/tools/tiff2pdf.c +@@ -1047,6 +1047,8 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + uint16 pagen=0; + uint16 paged=0; + uint16 xuint16=0; ++ uint16 tiff_transferfunctioncount=0; ++ float* tiff_transferfunction[3]; + + directorycount=TIFFNumberOfDirectories(input); + t2p->tiff_pages = (T2P_PAGE*) _TIFFmalloc(TIFFSafeMultiply(tmsize_t,directorycount,sizeof(T2P_PAGE))); +@@ -1147,26 +1149,48 @@ void t2p_read_tiff_init(T2P* t2p, TIFF* input){ + } + #endif + if (TIFFGetField(input, TIFFTAG_TRANSFERFUNCTION, +- &(t2p->tiff_transferfunction[0]), +- &(t2p->tiff_transferfunction[1]), +- &(t2p->tiff_transferfunction[2]))) { +- if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { +- t2p->tiff_transferfunctioncount = 3; +- t2p->tiff_pages[i].page_extra += 4; +- t2p->pdf_xrefcount += 4; +- } else { +- t2p->tiff_transferfunctioncount = 1; +- t2p->tiff_pages[i].page_extra += 2; +- t2p->pdf_xrefcount += 2; +- } +- if(t2p->pdf_minorversion < 2) +- t2p->pdf_minorversion = 2; ++ &(tiff_transferfunction[0]), ++ &(tiff_transferfunction[1]), ++ &(tiff_transferfunction[2]))) { ++ ++ if((tiff_transferfunction[1] != (float*) NULL) && ++ (tiff_transferfunction[2] != (float*) NULL) ++ ) { ++ tiff_transferfunctioncount=3; ++ } else { ++ tiff_transferfunctioncount=1; ++ } + } else { +- t2p->tiff_transferfunctioncount=0; ++ tiff_transferfunctioncount=0; + } ++ ++ if (i > 0){ ++ if (tiff_transferfunctioncount != t2p->tiff_transferfunctioncount){ ++ TIFFError( ++ TIFF2PDF_MODULE, ++ "Different transfer function on page %d", ++ i); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ return; ++ } ++ } ++ ++ t2p->tiff_transferfunctioncount = tiff_transferfunctioncount; ++ t2p->tiff_transferfunction[0] = tiff_transferfunction[0]; ++ t2p->tiff_transferfunction[1] = tiff_transferfunction[1]; ++ t2p->tiff_transferfunction[2] = tiff_transferfunction[2]; ++ if(tiff_transferfunctioncount == 3){ ++ t2p->tiff_pages[i].page_extra += 4; ++ t2p->pdf_xrefcount += 4; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } else if (tiff_transferfunctioncount == 1){ ++ t2p->tiff_pages[i].page_extra += 2; ++ t2p->pdf_xrefcount += 2; ++ if(t2p->pdf_minorversion < 2) ++ t2p->pdf_minorversion = 2; ++ } ++ + if( TIFFGetField( + input, + TIFFTAG_ICCPROFILE, +@@ -1828,9 +1852,8 @@ void t2p_read_tiff_data(T2P* t2p, TIFF* input){ + &(t2p->tiff_transferfunction[1]), + &(t2p->tiff_transferfunction[2]))) { + if((t2p->tiff_transferfunction[1] != (float*) NULL) && +- (t2p->tiff_transferfunction[2] != (float*) NULL) && +- (t2p->tiff_transferfunction[1] != +- t2p->tiff_transferfunction[0])) { ++ (t2p->tiff_transferfunction[2] != (float*) NULL) ++ ) { + t2p->tiff_transferfunctioncount=3; + } else { + t2p->tiff_transferfunctioncount=1; +-- +2.16.1 + diff --git a/gnu/packages/patches/zziplib-CVE-2017-5974.patch b/gnu/packages/patches/zziplib-CVE-2017-5974.patch deleted file mode 100644 index 9ae02103e7..0000000000 --- a/gnu/packages/patches/zziplib-CVE-2017-5974.patch +++ /dev/null @@ -1,28 +0,0 @@ -Fix CVE-2017-5974: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5974 - -Patch copied from Debian. - -Index: zziplib-0.13.62/zzip/memdisk.c -=================================================================== ---- zziplib-0.13.62.orig/zzip/memdisk.c -+++ zziplib-0.13.62/zzip/memdisk.c -@@ -216,12 +216,12 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI - /* override sizes/offsets with zip64 values for largefile support */ - zzip_extra_zip64 *block = (zzip_extra_zip64 *) - zzip_mem_entry_extra_block(item, ZZIP_EXTRA_zip64); -- if (block) -+ if (block && ZZIP_GET16(block->z_datasize) >= (8 + 8 + 8 + 4)) - { -- item->zz_usize = __zzip_get64(block->z_usize); -- item->zz_csize = __zzip_get64(block->z_csize); -- item->zz_offset = __zzip_get64(block->z_offset); -- item->zz_diskstart = __zzip_get32(block->z_diskstart); -+ item->zz_usize = ZZIP_GET64(block->z_usize); -+ item->zz_csize = ZZIP_GET64(block->z_csize); -+ item->zz_offset = ZZIP_GET64(block->z_offset); -+ item->zz_diskstart = ZZIP_GET32(block->z_diskstart); - } - } - /* NOTE: diff --git a/gnu/packages/patches/zziplib-CVE-2017-5975.patch b/gnu/packages/patches/zziplib-CVE-2017-5975.patch deleted file mode 100644 index fad174b056..0000000000 --- a/gnu/packages/patches/zziplib-CVE-2017-5975.patch +++ /dev/null @@ -1,32 +0,0 @@ -Fix CVE-2017-5975: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5975 - -Patch copied from Debian. - -Index: zziplib-0.13.62/zzip/memdisk.c -=================================================================== ---- zziplib-0.13.62.orig/zzip/memdisk.c -+++ zziplib-0.13.62/zzip/memdisk.c -@@ -173,6 +173,8 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI - return 0; /* errno=ENOMEM; */ - ___ struct zzip_file_header *header = - zzip_disk_entry_to_file_header(disk, entry); -+ if (!header) -+ { free(item); return 0; } - /* there is a number of duplicated information in the file header - * or the disk entry block. Theoretically some part may be missing - * that exists in the other, ... but we will prefer the disk entry. -Index: zziplib-0.13.62/zzip/mmapped.c -=================================================================== ---- zziplib-0.13.62.orig/zzip/mmapped.c -+++ zziplib-0.13.62/zzip/mmapped.c -@@ -289,6 +289,8 @@ zzip_disk_entry_to_file_header(ZZIP_DISK - (disk->buffer + zzip_disk_entry_fileoffset(entry)); - if (disk->buffer > file_header || file_header >= disk->endbuf) - return 0; -+ if (ZZIP_GET32(file_header) != ZZIP_FILE_HEADER_MAGIC) -+ return 0; - return (struct zzip_file_header *) file_header; - } - diff --git a/gnu/packages/patches/zziplib-CVE-2017-5976.patch b/gnu/packages/patches/zziplib-CVE-2017-5976.patch deleted file mode 100644 index 17fc30e302..0000000000 --- a/gnu/packages/patches/zziplib-CVE-2017-5976.patch +++ /dev/null @@ -1,61 +0,0 @@ -Fix CVE-2017-5976: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5976 - -Patch copied from Debian. - -Index: zziplib-0.13.62/zzip/memdisk.c -=================================================================== ---- zziplib-0.13.62.orig/zzip/memdisk.c -+++ zziplib-0.13.62/zzip/memdisk.c -@@ -201,6 +201,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI - { - void *mem = malloc(ext1 + 2); - item->zz_ext[1] = mem; -+ item->zz_extlen[1] = ext1 + 2; - memcpy(mem, ptr1, ext1); - ((char *) (mem))[ext1 + 0] = 0; - ((char *) (mem))[ext1 + 1] = 0; -@@ -209,6 +210,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI - { - void *mem = malloc(ext2 + 2); - item->zz_ext[2] = mem; -+ item->zz_extlen[2] = ext2 + 2; - memcpy(mem, ptr2, ext2); - ((char *) (mem))[ext2 + 0] = 0; - ((char *) (mem))[ext2 + 1] = 0; -@@ -245,8 +247,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR - while (1) - { - ZZIP_EXTRA_BLOCK *ext = entry->zz_ext[i]; -- if (ext) -+ if (ext && (entry->zz_extlen[i] >= zzip_extra_block_headerlength)) - { -+ char *endblock = (char *)ext + entry->zz_extlen[i]; -+ - while (*(short *) (ext->z_datatype)) - { - if (datatype == zzip_extra_block_get_datatype(ext)) -@@ -257,6 +261,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR - e += zzip_extra_block_headerlength; - e += zzip_extra_block_get_datasize(ext); - ext = (void *) e; -+ if (e >= endblock) -+ { -+ break; -+ } - ____; - } - } -Index: zziplib-0.13.62/zzip/memdisk.h -=================================================================== ---- zziplib-0.13.62.orig/zzip/memdisk.h -+++ zziplib-0.13.62/zzip/memdisk.h -@@ -66,6 +66,7 @@ struct _zzip_mem_entry { - int zz_filetype; /* (from "z_filetype") */ - char* zz_comment; /* zero-terminated (from "comment") */ - ZZIP_EXTRA_BLOCK* zz_ext[3]; /* terminated by null in z_datatype */ -+ int zz_extlen[3]; /* length of zz_ext[i] in bytes */ - }; /* the extra blocks are NOT converted */ - - #define _zzip_mem_disk_findfirst(_d_) ((_d_)->list) diff --git a/gnu/packages/patches/zziplib-CVE-2017-5978.patch b/gnu/packages/patches/zziplib-CVE-2017-5978.patch deleted file mode 100644 index 452b14f804..0000000000 --- a/gnu/packages/patches/zziplib-CVE-2017-5978.patch +++ /dev/null @@ -1,37 +0,0 @@ -Fix CVE-2017-5978: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5978 - -Patch copied from Debian. - -Index: zziplib-0.13.62/zzip/memdisk.c -=================================================================== ---- zziplib-0.13.62.orig/zzip/memdisk.c -+++ zziplib-0.13.62/zzip/memdisk.c -@@ -180,7 +180,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI - * that exists in the other, ... but we will prefer the disk entry. - */ - item->zz_comment = zzip_disk_entry_strdup_comment(disk, entry); -- item->zz_name = zzip_disk_entry_strdup_name(disk, entry); -+ item->zz_name = zzip_disk_entry_strdup_name(disk, entry) ?: strdup(""); - item->zz_data = zzip_file_header_to_data(header); - item->zz_flags = zzip_disk_entry_get_flags(entry); - item->zz_compr = zzip_disk_entry_get_compr(entry); -@@ -197,7 +197,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI - int /* */ ext2 = zzip_file_header_get_extras(header); - char *_zzip_restrict ptr2 = zzip_file_header_to_extras(header); - -- if (ext1) -+ if (ext1 && ((ptr1 + ext1) < disk->endbuf)) - { - void *mem = malloc(ext1 + 2); - item->zz_ext[1] = mem; -@@ -206,7 +206,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI - ((char *) (mem))[ext1 + 0] = 0; - ((char *) (mem))[ext1 + 1] = 0; - } -- if (ext2) -+ if (ext2 && ((ptr2 + ext2) < disk->endbuf)) - { - void *mem = malloc(ext2 + 2); - item->zz_ext[2] = mem; diff --git a/gnu/packages/patches/zziplib-CVE-2017-5979.patch b/gnu/packages/patches/zziplib-CVE-2017-5979.patch deleted file mode 100644 index b38f50b172..0000000000 --- a/gnu/packages/patches/zziplib-CVE-2017-5979.patch +++ /dev/null @@ -1,19 +0,0 @@ -Fix CVE-2017-5979: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5979 - -Patch copied from Debian. - -Index: zziplib-0.13.62/zzip/fseeko.c -=================================================================== ---- zziplib-0.13.62.orig/zzip/fseeko.c -+++ zziplib-0.13.62/zzip/fseeko.c -@@ -255,7 +255,7 @@ zzip_entry_findfirst(FILE * disk) - return 0; - /* we read out chunks of 8 KiB in the hope to match disk granularity */ - ___ zzip_off_t pagesize = PAGESIZE; /* getpagesize() */ -- ___ ZZIP_ENTRY *entry = malloc(sizeof(*entry)); -+ ___ ZZIP_ENTRY *entry = calloc(1, sizeof(*entry)); - if (! entry) - return 0; - ___ unsigned char *buffer = malloc(pagesize); diff --git a/gnu/packages/patches/zziplib-CVE-2017-5981.patch b/gnu/packages/patches/zziplib-CVE-2017-5981.patch deleted file mode 100644 index ed82cb3b91..0000000000 --- a/gnu/packages/patches/zziplib-CVE-2017-5981.patch +++ /dev/null @@ -1,19 +0,0 @@ -Fix CVE-2017-5981: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5981 - -Patch copied from Debian. -Index: zziplib-0.13.62/zzip/fseeko.c -=================================================================== ---- zziplib-0.13.62.orig/zzip/fseeko.c -+++ zziplib-0.13.62/zzip/fseeko.c -@@ -311,7 +311,8 @@ zzip_entry_findfirst(FILE * disk) - } else - continue; - -- assert(0 <= root && root < mapsize); -+ if (root < 0 || root >= mapsize) -+ goto error; - if (fseeko(disk, root, SEEK_SET) == -1) - goto error; - if (fread(disk_(entry), 1, sizeof(*disk_(entry)), disk) |