authorLeonardo Arena <rnalrd@alpinelinux.org>2019-09-24 12:47:30 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2019-09-24 12:47:30 +0000
commit14226b276f668d5f0526a7c87e9d0d83b1e8da8e (patch)
treeabd560e43ad1867cd23b8adc801523e9f06d3c36
parentdce219bf646e039b45d81cec9e0f8016306c8bfd (diff)
main/poppler: security fix (CVE-2019-9959)
ref #10811
-rw-r--r--main/poppler/APKBUILD22
-rw-r--r--main/poppler/CVE-2019-9959.patch26
2 files changed, 38 insertions, 10 deletions
diff --git a/main/poppler/APKBUILD b/main/poppler/APKBUILD
index 95f69f97bd..597147d4c9 100644
--- a/main/poppler/APKBUILD
+++ b/main/poppler/APKBUILD
@@ -1,27 +1,27 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=poppler
pkgver=0.71.0
-pkgrel=0
+pkgrel=1
pkgdesc="PDF rendering library based on xpdf 3.0"
url="https://poppler.freedesktop.org/"
arch="all"
options="!check" # No test suite.
-license="GPL-2.0+"
+license="GPL-2.0-or-later"
depends=
depends_dev="cairo-dev glib-dev"
makedepends="$depends_dev cmake libjpeg-turbo-dev cairo-dev libxml2-dev
fontconfig-dev lcms2-dev gobject-introspection-dev
openjpeg-dev openjpeg-tools libpng-dev tiff-dev zlib-dev"
-subpackages="$pkgname-dev $pkgname-doc $pkgname-utils $pkgname-glib
+subpackages="$pkgname-dev $pkgname-doc $pkgname-utils $pkgname-glib"
+source="https://poppler.freedesktop.org/poppler-$pkgver.tar.xz
+ CVE-2019-9959.patch
"
-source="https://poppler.freedesktop.org/poppler-$pkgver.tar.xz"
-builddir="$srcdir/$pkgname-$pkgver/build"
prepare() {
local _linked_pkg=poppler-qt4
local _linked_apkbuild="$startdir"/../$_linked_pkg/APKBUILD
- mkdir -p "$builddir"
- cd "$builddir"
+ mkdir -p "$builddir/build"
+ cd "$builddir/build"
if [ -f "$_linked_apkbuild" ]; then
local _linked_ver=$( . "$_linked_apkbuild"; echo "$pkgver")
if [ "$_linked_ver" != "$pkgver" ]; then
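Review bot: No `# secfixes:` comment block is visible in the new lines 1–27, although this hunk adds CVE-2019-9959.patch to `source` and bumps `pkgrel` to 1. Alpine's security data is derived from that block, so without it tooling that consumes the data may keep reporting 0.71.0-r1 as affected. If the APKBUILD does not already carry one further down, add after `source=` the three comment lines `# secfixes:`, `#   0.71.0-r1:`, `#     - CVE-2019-9959`. prepare() continues past the end of this hunk.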
@@ -29,10 +29,11 @@ prepare() {
return 1
fi
fi
+ default_prepare
}
build() {
- cd "$builddir"
+ cd "$builddir/build"
# JPEG2000Stream.cc:20:10: fatal error: openjpeg.h: No such file
sed -e "/^#include/s/openjpeg\.h/openjpeg-2.3\/openjpeg.h/" -i ../poppler/JPEG2000Stream.cc
@@ -47,7 +48,7 @@ build() {
}
package() {
- cd "$builddir"
+ cd "$builddir/build"
make DESTDIR="$pkgdir" install
}
@@ -73,4 +74,5 @@ _cpp() {
"$subpkgdir"/usr/lib/
}
-sha512sums="8e0ce95e7b58c37761c36a20f1282e63373a9557bf9f746ce2936562f12648506043d9559cf816944aa238814fc1b3f3a3c0a6cb002fd214b067e399bcc6ab1e poppler-0.71.0.tar.xz"
+sha512sums="8e0ce95e7b58c37761c36a20f1282e63373a9557bf9f746ce2936562f12648506043d9559cf816944aa238814fc1b3f3a3c0a6cb002fd214b067e399bcc6ab1e poppler-0.71.0.tar.xz
+66ba4e941717a27bc2915cb7ea850617a7e05715c7597cbbc03eafccb5f533f5df57135f9f72108632f098d43ef0b843bd64cc593a08340243655bd0c033655a CVE-2019-9959.patch"
diff --git a/main/poppler/CVE-2019-9959.patch b/main/poppler/CVE-2019-9959.patch
new file mode 100644
index 0000000000..a7388fae74
--- /dev/null
+++ b/main/poppler/CVE-2019-9959.patch
@@ -0,0 +1,26 @@
+From 68ef84e5968a4249c2162b839ca6d7975048a557 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Mon, 15 Jul 2019 23:24:22 +0200
+Subject: [PATCH] JPXStream::init: ignore dict Length if clearly broken
+
+Fixes issue #805
+---
+ poppler/JPEG2000Stream.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/poppler/JPEG2000Stream.cc b/poppler/JPEG2000Stream.cc
+index 0eea3a2d..8e6902f4 100644
+--- a/poppler/JPEG2000Stream.cc
++++ b/poppler/JPEG2000Stream.cc
+@@ -219,7 +219,7 @@ void JPXStream::init()
+ }
+
+ int bufSize = BUFFER_INITIAL_SIZE;
+- if (oLen.isInt()) bufSize = oLen.getInt();
++ if (oLen.isInt() && oLen.getInt() > 0) bufSize = oLen.getInt();
+
+ bool indexed = false;
+ if (cspace.isArray() && cspace.arrayGetLength() > 0) {
+--
+2.22.0
+
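Review bot: The added guard `oLen.getInt() > 0` in JPXStream::init rejects only zero and negative Length values; any positive value taken from the document's stream dictionary still becomes `bufSize` unchecked. How bufSize is consumed lies outside the hunk, but if it sizes an allocation directly, a malformed file can still request a very large buffer. Consider treating Length as a hint with an upper bound too, e.g. `const int len = oLen.isInt() ? oLen.getInt() : 0;` followed by `if (len > 0 && len <= kMaxLengthHint) bufSize = len;`, where kMaxLengthHint is a placeholder and not an existing poppler constant; this also avoids calling getInt() twice. Because this file is a vendored upstream patch, the change belongs upstream rather than in this aport. init() starts and ends outside the hunk.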