Pullup ticket #4241 - requested by tez

graphics/librsvg: security patch

Revisions pulled up:
- graphics/librsvg/Makefile                                     1.74
- graphics/librsvg/distinfo                                     1.26
- graphics/librsvg/patches/patch-CVE-2013-1881                  1.1

---
   Module Name:    pkgsrc
   Committed By:   tez
   Date:           Thu Oct  3 13:39:13 UTC 2013

   Modified Files:
           pkgsrc/graphics/librsvg: Makefile distinfo
   Added Files:
           pkgsrc/graphics/librsvg/patches: patch-CVE-2013-1881

   Log Message:
   Fix for CVE-2013-1881 (SA55088)
   Modified (for portability) from
   https://git.gnome.org/browse/librsvg/patch/?id=f01aded72c38f0e18bc7ff67dee800e380251c8e

3 files changed, 170 insertions, 3 deletions

diff --git a/graphics/librsvg/Makefile b/graphics/librsvg/Makefile
index 1ae17496c0a..c7c839e11db 100644
--- a/graphics/librsvg/Makefile
+++ b/graphics/librsvg/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.72 2013/09/02 19:50:38 adam Exp $
+# $NetBSD: Makefile,v 1.72.2.1 2013/10/09 18:44:39 tron Exp $
 
 DISTNAME=	librsvg-2.36.4
-PKGREVISION=	5
+PKGREVISION=	6
 CATEGORIES=	graphics gnome
 MASTER_SITES=	${MASTER_SITE_GNOME:=sources/librsvg/2.36/}
 EXTRACT_SUFX=	.tar.xz
diff --git a/graphics/librsvg/distinfo b/graphics/librsvg/distinfo
index 5eedca8da8a..be24799642c 100644
--- a/graphics/librsvg/distinfo
+++ b/graphics/librsvg/distinfo
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.25 2012/10/19 18:33:07 drochner Exp $
+$NetBSD: distinfo,v 1.25.8.1 2013/10/09 18:44:39 tron Exp $
 
 SHA1 (librsvg-2.36.4.tar.xz) = 1e0152e6745bac9632207252c67dda2299010db4
 RMD160 (librsvg-2.36.4.tar.xz) = b9765edaccd7e40997a3a141e4d21c5a13f6f2a1
 Size (librsvg-2.36.4.tar.xz) = 513028 bytes
+SHA1 (patch-CVE-2013-1881) = 73e1d17960ce3e6da0bfd37ab5e4cd59326545ef
 SHA1 (patch-ab) = 44985e1c02f925769f394007f924b8d6ec8151d5
 SHA1 (patch-rsvg-io.c) = 1bcb7164dda065eb2e231818dd9c5df8b98e49a5
diff --git a/graphics/librsvg/patches/patch-CVE-2013-1881 b/graphics/librsvg/patches/patch-CVE-2013-1881
new file mode 100644
index 00000000000..84a5fb43403
--- /dev/null
+++ b/graphics/librsvg/patches/patch-CVE-2013-1881
@@ -0,0 +1,166 @@
+$NetBSD: patch-CVE-2013-1881,v 1.1.2.2 2013/10/09 18:44:39 tron Exp $
+
+from https://git.gnome.org/browse/librsvg/patch/?id=f01aded72c38f0e18bc7ff67dee800e380251c8e
+
+From f01aded72c38f0e18bc7ff67dee800e380251c8e Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe@gnome.org>
+Date: Mon, 11 Feb 2013 21:36:58 +0000
+Subject: io: Implement strict load policy
+
+Allow any file to load from data:, and any resource to load from other
+resources. Only allow file: to load other file: URIs from below the path
+of the base file. Any other loads are denied.
+
+Bug #691708.
+---
+diff --git a/rsvg-base.c b/rsvg-base.c
+index 1f88479..9d7c1ea 100644
+--- rsvg-base.c.orig	2013-10-03 07:33:50.579625000 -0500
++++ rsvg-base.c	2013-10-03 07:35:26.518496200 -0500
+@@ -25,6 +25,7 @@
+ */
+ 
+ #include "config.h"
++#define _GNU_SOURCE 1
+ 
+ #include "rsvg.h"
+ #include "rsvg-private.h"
+@@ -1001,6 +1002,7 @@
+ rsvg_handle_set_base_uri (RsvgHandle * handle, const char *base_uri)
+ {
+     gchar *uri;
++    GFile *file;
+ 
+     g_return_if_fail (handle != NULL);
+ 
+@@ -1012,11 +1014,10 @@
+     else
+         uri = rsvg_get_base_uri_from_filename (base_uri);
+ 
+-    if (uri) {
+-        if (handle->priv->base_uri)
+-            g_free (handle->priv->base_uri);
+-        handle->priv->base_uri = uri;
+-    }
++    file = g_file_new_for_uri (uri ? uri : "data:");
++    rsvg_handle_set_base_gfile (handle, file);
++    g_object_unref (file);
++    g_free (uri);
+ }
+ 
+ /**
+@@ -2146,12 +2147,79 @@
+                          const char *uri,
+                          GError **error)
+ {
+-    RsvgLoadPolicy policy = handle->priv->load_policy;
++    RsvgHandlePrivate *priv = handle->priv;
++    GFile *base;
++    char *path, *dir;
++    char *scheme = NULL, *cpath = NULL, *cdir = NULL;
++    char cpath_buffer[PATH_MAX], cdir_buffer[PATH_MAX];
+ 
+-    if (policy == RSVG_LOAD_POLICY_ALL_PERMISSIVE)
+-        return TRUE;
++    g_assert (handle->priv->load_policy == RSVG_LOAD_POLICY_STRICT);
++
++    scheme = g_uri_parse_scheme (uri);
++
++    /* Not a valid URI */
++    if (scheme == NULL)
++        goto deny;
++
++    /* Allow loads of data: from any location */
++    if (g_str_equal (scheme, "data"))
++        goto allow;
++
++    /* No base to compare to? */
++    if (priv->base_gfile == NULL)
++        goto deny;
++
++    /* Deny loads from differing URI schemes */
++    if (!g_file_has_uri_scheme (priv->base_gfile, scheme))
++        goto deny;
++
++    /* resource: is allowed to load anything from other resources */
++    if (g_str_equal (scheme, "resource"))
++        goto allow;
+ 
++    /* Non-file: isn't allowed to load anything */
++    if (!g_str_equal (scheme, "file"))
++        goto deny;
++
++    base = g_file_get_parent (priv->base_gfile);
++    if (base == NULL)
++        goto deny;
++
++    dir = g_file_get_path (base);
++    g_object_unref (base);
++
++    cdir = realpath (dir,cdir_buffer);
++    g_free (dir);
++    if (cdir == NULL)
++        goto deny;
++
++    path = g_filename_from_uri (uri, NULL, NULL);
++    if (path == NULL)
++        goto deny;
++
++    cpath = realpath (path, cpath_buffer);
++    g_free (path);
++
++    if (cpath == NULL)
++        goto deny;
++
++    /* Now check that @cpath is below @cdir */
++    if (!g_str_has_prefix (cpath, cdir) ||
++        cpath[strlen (cdir)] != G_DIR_SEPARATOR)
++        goto deny;
++
++    /* Allow load! */
++
++ allow:
++    g_free (scheme);
+     return TRUE;
++
++ deny:
++    g_free (scheme);
++
++    g_set_error (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED,
++                 "File may not link to URI \"%s\"", uri);
++    return FALSE;
+ }
+ 
+ guint8* 
+diff --git a/rsvg-io.c b/rsvg-io.c
+index 3d6c8b5..818d2ec 100644
+--- rsvg-io.c
++++ rsvg-io.c
+@@ -79,7 +79,7 @@ rsvg_acquire_data_data (const char *uri,
+     gboolean base64 = FALSE;
+ 
+     g_assert (out_len != NULL);
+-    g_assert (g_str_has_prefix (uri, "data:"));
++    g_assert (strncmp (uri, "data:", 5) == 0);
+ 
+     mime_type = NULL;
+     start = uri + 5;
+diff --git a/rsvg-private.h b/rsvg-private.h
+index 25283d4..1961eaf 100644
+--- rsvg-private.h
++++ rsvg-private.h
+@@ -123,10 +123,10 @@ struct RsvgSaxHandler {
+ };
+ 
+ typedef enum {
+-    RSVG_LOAD_POLICY_ALL_PERMISSIVE
++    RSVG_LOAD_POLICY_STRICT
+ } RsvgLoadPolicy;
+ 
+-#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_ALL_PERMISSIVE)
++#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_STRICT)
+ 
+ struct RsvgHandlePrivate {
+     RsvgHandleFlags flags;
+--
+cgit v0.9.2