author | tron <tron> | 2013-10-09 18:44:39 +0000 |
---|---|---|
committer | tron <tron> | 2013-10-09 18:44:39 +0000 |
commit | 33067de16659d463ae8e29d2262ec3f6143c4fc6 (patch) | |
tree | e22a9866e137527973e3129fcd60e2bdb0d25cf1 | |
parent | 33ef1487336dafb582d06874a2d7b3d087843efe (diff) | |
download | pkgsrc-33067de16659d463ae8e29d2262ec3f6143c4fc6.tar.gz |
Pullup ticket #4241 - requested by tez
graphics/librsvg: security patch
Revisions pulled up:
- graphics/librsvg/Makefile 1.74
- graphics/librsvg/distinfo 1.26
- graphics/librsvg/patches/patch-CVE-2013-1881 1.1
---
Module Name: pkgsrc
Committed By: tez
Date: Thu Oct 3 13:39:13 UTC 2013
Modified Files:
pkgsrc/graphics/librsvg: Makefile distinfo
Added Files:
pkgsrc/graphics/librsvg/patches: patch-CVE-2013-1881
Log Message:
Fix for CVE-2013-1881 (SA55088)
Modified (for portability) from
https://git.gnome.org/browse/librsvg/patch/?id=f01aded72c38f0e18bc7ff67dee800e380251c8e
-rw-r--r-- | graphics/librsvg/Makefile | 4 | ||||
-rw-r--r-- | graphics/librsvg/distinfo | 3 | ||||
-rw-r--r-- | graphics/librsvg/patches/patch-CVE-2013-1881 | 166 |
3 files changed, 170 insertions, 3 deletions
diff --git a/graphics/librsvg/Makefile b/graphics/librsvg/Makefile
index 1ae17496c0a..c7c839e11db 100644
--- a/graphics/librsvg/Makefile
+++ b/graphics/librsvg/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.72 2013/09/02 19:50:38 adam Exp $
+# $NetBSD: Makefile,v 1.72.2.1 2013/10/09 18:44:39 tron Exp $
 
 DISTNAME= librsvg-2.36.4
-PKGREVISION= 5
+PKGREVISION= 6
 CATEGORIES= graphics gnome
 MASTER_SITES= ${MASTER_SITE_GNOME:=sources/librsvg/2.36/}
 EXTRACT_SUFX= .tar.xz
diff --git a/graphics/librsvg/distinfo b/graphics/librsvg/distinfo
index 5eedca8da8a..be24799642c 100644
--- a/graphics/librsvg/distinfo
+++ b/graphics/librsvg/distinfo
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.25 2012/10/19 18:33:07 drochner Exp $
+$NetBSD: distinfo,v 1.25.8.1 2013/10/09 18:44:39 tron Exp $
 
 SHA1 (librsvg-2.36.4.tar.xz) = 1e0152e6745bac9632207252c67dda2299010db4
 RMD160 (librsvg-2.36.4.tar.xz) = b9765edaccd7e40997a3a141e4d21c5a13f6f2a1
 Size (librsvg-2.36.4.tar.xz) = 513028 bytes
+SHA1 (patch-CVE-2013-1881) = 73e1d17960ce3e6da0bfd37ab5e4cd59326545ef
 SHA1 (patch-ab) = 44985e1c02f925769f394007f924b8d6ec8151d5
 SHA1 (patch-rsvg-io.c) = 1bcb7164dda065eb2e231818dd9c5df8b98e49a5
diff --git a/graphics/librsvg/patches/patch-CVE-2013-1881 b/graphics/librsvg/patches/patch-CVE-2013-1881
new file mode 100644
index 00000000000..84a5fb43403
--- /dev/null
+++ b/graphics/librsvg/patches/patch-CVE-2013-1881
@@ -0,0 +1,166 @@
+$NetBSD: patch-CVE-2013-1881,v 1.1.2.2 2013/10/09 18:44:39 tron Exp $
+
+from https://git.gnome.org/browse/librsvg/patch/?id=f01aded72c38f0e18bc7ff67dee800e380251c8e
+
+From f01aded72c38f0e18bc7ff67dee800e380251c8e Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe@gnome.org>
+Date: Mon, 11 Feb 2013 21:36:58 +0000
+Subject: io: Implement strict load policy
+
+Allow any file to load from data:, and any resource to load from other
+resources. Only allow file: to load other file: URIs from below the path
+of the base file. Any other loads are denied.
+
+Bug #691708.
+---
+diff --git a/rsvg-base.c b/rsvg-base.c
+index 1f88479..9d7c1ea 100644
+--- rsvg-base.c.orig 2013-10-03 07:33:50.579625000 -0500
++++ rsvg-base.c 2013-10-03 07:35:26.518496200 -0500
+@@ -25,6 +25,7 @@
+ */
+
+ #include "config.h"
++#define _GNU_SOURCE 1
+
+ #include "rsvg.h"
+ #include "rsvg-private.h"
+@@ -1001,6 +1002,7 @@
+ rsvg_handle_set_base_uri (RsvgHandle * handle, const char *base_uri)
+ {
+ gchar *uri;
++ GFile *file;
+
+ g_return_if_fail (handle != NULL);
+
+@@ -1012,11 +1014,10 @@
+ else
+ uri = rsvg_get_base_uri_from_filename (base_uri);
+
+- if (uri) {
+- if (handle->priv->base_uri)
+- g_free (handle->priv->base_uri);
+- handle->priv->base_uri = uri;
+- }
++ file = g_file_new_for_uri (uri ? uri : "data:");
++ rsvg_handle_set_base_gfile (handle, file);
++ g_object_unref (file);
++ g_free (uri);
+ }
+
+ /**
+@@ -2146,12 +2147,79 @@
+ const char *uri,
+ GError **error)
+ {
+- RsvgLoadPolicy policy = handle->priv->load_policy;
++ RsvgHandlePrivate *priv = handle->priv;
++ GFile *base;
++ char *path, *dir;
++ char *scheme = NULL, *cpath = NULL, *cdir = NULL;
++ char cpath_buffer[PATH_MAX], cdir_buffer[PATH_MAX];
+
+- if (policy == RSVG_LOAD_POLICY_ALL_PERMISSIVE)
+- return TRUE;
++ g_assert (handle->priv->load_policy == RSVG_LOAD_POLICY_STRICT);
++
++ scheme = g_uri_parse_scheme (uri);
++
++ /* Not a valid URI */
++ if (scheme == NULL)
++ goto deny;
++
++ /* Allow loads of data: from any location */
++ if (g_str_equal (scheme, "data"))
++ goto allow;
++
++ /* No base to compare to? */
++ if (priv->base_gfile == NULL)
++ goto deny;
++
++ /* Deny loads from differing URI schemes */
++ if (!g_file_has_uri_scheme (priv->base_gfile, scheme))
++ goto deny;
++
++ /* resource: is allowed to load anything from other resources */
++ if (g_str_equal (scheme, "resource"))
++ goto allow;
+
++ /* Non-file: isn't allowed to load anything */
++ if (!g_str_equal (scheme, "file"))
++ goto deny;
++
++ base = g_file_get_parent (priv->base_gfile);
++ if (base == NULL)
++ goto deny;
++
++ dir = g_file_get_path (base);
++ g_object_unref (base);
++
++ cdir = realpath (dir,cdir_buffer);
++ g_free (dir);
++ if (cdir == NULL)
++ goto deny;
++
++ path = g_filename_from_uri (uri, NULL, NULL);
++ if (path == NULL)
++ goto deny;
++
++ cpath = realpath (path, cpath_buffer);
++ g_free (path);
++
++ if (cpath == NULL)
++ goto deny;
++
++ /* Now check that @cpath is below @cdir */
++ if (!g_str_has_prefix (cpath, cdir) ||
++ cpath[strlen (cdir)] != G_DIR_SEPARATOR)
++ goto deny;
++
++ /* Allow load! */
++
++ allow:
++ g_free (scheme);
+ return TRUE;
++
++ deny:
++ g_free (scheme);
++
++ g_set_error (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED,
++ "File may not link to URI \"%s\"", uri);
++ return FALSE;
+ }
+
+ guint8*
+diff --git a/rsvg-io.c b/rsvg-io.c
+index 3d6c8b5..818d2ec 100644
+--- rsvg-io.c
++++ rsvg-io.c
+@@ -79,7 +79,7 @@ rsvg_acquire_data_data (const char *uri,
+ gboolean base64 = FALSE;
+
+ g_assert (out_len != NULL);
+- g_assert (g_str_has_prefix (uri, "data:"));
++ g_assert (strncmp (uri, "data:", 5) == 0);
+
+ mime_type = NULL;
+ start = uri + 5;
+diff --git a/rsvg-private.h b/rsvg-private.h
+index 25283d4..1961eaf 100644
+--- rsvg-private.h
++++ rsvg-private.h
+@@ -123,10 +123,10 @@ struct RsvgSaxHandler {
+ };
+
+ typedef enum {
+- RSVG_LOAD_POLICY_ALL_PERMISSIVE
++ RSVG_LOAD_POLICY_STRICT
+ } RsvgLoadPolicy;
+
+-#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_ALL_PERMISSIVE)
++#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_STRICT)
+
+ struct RsvgHandlePrivate {
+ RsvgHandleFlags flags;
+--
+cgit v0.9.2 |
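Review bot: In the `file:` branch of the rewritten load-policy check in rsvg-base.c, the containment test runs on the `realpath()` results but the function only returns TRUE, so the code that later opens `uri` (outside this hunk) presumably resolves the path a second time; a path component that changes between the two resolutions is not covered, and that limit deserves a comment above the prefix test such as `/* Checked against the path as it resolves now; the later open re-resolves uri. */`. The test `cpath[strlen (cdir)] != G_DIR_SEPARATOR` also denies every sibling when the base file sits directly in the root directory, because `cdir` is then the separator itself; this fails closed, but a one-line comment saying so would stop a later edit from relaxing it to a bare prefix match. `cpath_buffer[PATH_MAX]` and `cdir_buffer[PATH_MAX]` depend on `PATH_MAX` being defined, and no `<limits.h>` include is visible in the hunk, so that should be confirmed on each target platform. The function's signature and the file's include list start outside the hunk.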