authorspz <spz>2014-09-07 09:37:46 +0000
committerspz <spz>2014-09-07 09:37:46 +0000
commit682f6bb1d44089d519c2a221866c4e4cacad3667 (patch)
treea8f93312136012b56de0dda91b7c3ea050a23339 /graphics/py-imaging
parente12aef9f313b1461ccab2623e9958d22ec46cd39 (diff)
Icns DOS fix -- CVE-2014-3589
from https://github.com/python-pillow/Pillow/commit/205e056f8f9b06ed7b925cf8aa0874bc4aaf8a7d
Diffstat (limited to 'graphics/py-imaging')
-rw-r--r--graphics/py-imaging/Makefile4
-rw-r--r--graphics/py-imaging/distinfo3
-rw-r--r--graphics/py-imaging/patches/patch-PIL_IcnsImagePlugin.py16
3 files changed, 20 insertions, 3 deletions
diff --git a/graphics/py-imaging/Makefile b/graphics/py-imaging/Makefile
index fca2e6e1331..4fc4d27d22d 100644
--- a/graphics/py-imaging/Makefile
+++ b/graphics/py-imaging/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.49 2014/05/15 06:23:05 spz Exp $
+# $NetBSD: Makefile,v 1.50 2014/09/07 09:37:46 spz Exp $
DISTNAME= Imaging-1.1.7
PKGNAME= ${PYPKGPREFIX}-imaging-1.1.7
-PKGREVISION= 8
+PKGREVISION= 9
CATEGORIES= graphics python
MASTER_SITES= http://effbot.org/media/downloads/
diff --git a/graphics/py-imaging/distinfo b/graphics/py-imaging/distinfo
index 3b1e7179033..85f099c29bf 100644
--- a/graphics/py-imaging/distinfo
+++ b/graphics/py-imaging/distinfo
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.16 2014/05/15 06:23:05 spz Exp $
+$NetBSD: distinfo,v 1.17 2014/09/07 09:37:46 spz Exp $
SHA1 (python/Imaging-1.1.7.tar.gz) = 76c37504251171fda8da8e63ecb8bc42a69a5c81
RMD160 (python/Imaging-1.1.7.tar.gz) = 9af570fe100e250a4860314341fe3e6d695d7fde
Size (python/Imaging-1.1.7.tar.gz) = 498749 bytes
SHA1 (patch-PIL_EpsImagePlugin.py) = fbeb7b6091a3011363197c68be999280ba7282aa
+SHA1 (patch-PIL_IcnsImagePlugin.py) = 04d5ff3c666413178071eea2512162d6954bfc01
SHA1 (patch-PIL_Image.py) = 871994b3c8823c90ae23e6248762e403192e33fc
SHA1 (patch-PIL_IptcImagePlugin.py) = bb809394b8c6f6e5b79aa1c90f429c3362e812e3
SHA1 (patch-PIL_JpegImagePlugin.py) = d4fd6d5d60ea011def2e42460d7faa2e0f47b65e
diff --git a/graphics/py-imaging/patches/patch-PIL_IcnsImagePlugin.py b/graphics/py-imaging/patches/patch-PIL_IcnsImagePlugin.py
new file mode 100644
index 00000000000..b725262ffa5
--- /dev/null
+++ b/graphics/py-imaging/patches/patch-PIL_IcnsImagePlugin.py
@@ -0,0 +1,16 @@
+$NetBSD: patch-PIL_IcnsImagePlugin.py,v 1.1 2014/09/07 09:37:46 spz Exp $
+
+Icns DOS fix -- CVE-2014-3589
+from https://github.com/python-pillow/Pillow/commit/205e056f8f9b06ed7b925cf8aa0874bc4aaf8a7d
+
+--- PIL/IcnsImagePlugin.py.orig 2009-11-01 00:44:11.000000000 +0000
++++ PIL/IcnsImagePlugin.py
+@@ -115,6 +115,8 @@ class IcnsFile:
+ i = HEADERSIZE
+ while i < filesize:
+ sig, blocksize = nextheader(fobj)
++ if blocksize <= 0:
++ raise SyntaxError('invalid block header')
+ i = i + HEADERSIZE
+ blocksize = blocksize - HEADERSIZE
+ dct[sig] = (i, blocksize)
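Review bot: The added guard `if blocksize <= 0:` still accepts sizes from 1 to HEADERSIZE-1, so the following `blocksize = blocksize - HEADERSIZE` produces a negative payload length that is then stored in `dct[sig]`. The value comes straight from the file via `nextheader(fobj)`, so it is untrusted input; comparing against the header size instead, `if blocksize < HEADERSIZE:`, would reject every block that cannot contain its own header. The rest of the loop body lies outside this hunk, so how a negative length is later used for seeking or reading cannot be confirmed from here. The visible lines also do not check that a block fits within the remaining `filesize`, which would be worth validating in the same place.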