Security fix:

"Matthias Clasen has reported a vulnerability in libexif, which can be
exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an infinite recursion in the
"exif_data_load_data_content()" function and can be exploited to
cause a stack overflow when parsing a specially crafted image.

Successful exploitation may crash an application linked against the
vulnerable library."

Bump PKGREVISION.  Patch from:
http://sourceforge.net/tracker/index.php?func=detail&aid=1196787&group_id=12272&atid=112272

4 files changed, 77 insertions, 4 deletions

diff --git a/graphics/libexif/Makefile b/graphics/libexif/Makefile
index 1e90d265881..45c2a858802 100644
--- a/graphics/libexif/Makefile
+++ b/graphics/libexif/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.24 2005/04/20 12:40:40 adam Exp $
+# $NetBSD: Makefile,v 1.25 2005/05/13 11:57:59 salo Exp $
 
 DISTNAME=	libexif-0.6.12
+PKGREVISION=	1
 CATEGORIES=	graphics
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=libexif/}
 EXTRACT_SUFX=	.tar.bz2
diff --git a/graphics/libexif/buildlink3.mk b/graphics/libexif/buildlink3.mk
index 56200d3412f..7ff01d4d2a4 100644
--- a/graphics/libexif/buildlink3.mk
+++ b/graphics/libexif/buildlink3.mk
@@ -1,4 +1,4 @@
-# $NetBSD: buildlink3.mk,v 1.6 2005/03/10 22:21:56 salo Exp $
+# $NetBSD: buildlink3.mk,v 1.7 2005/05/13 11:57:59 salo Exp $
 
 BUILDLINK_DEPTH:=	${BUILDLINK_DEPTH}+
 LIBEXIF_BUILDLINK3_MK:=	${LIBEXIF_BUILDLINK3_MK}+
@@ -12,7 +12,7 @@ BUILDLINK_PACKAGES+=	libexif
 
 .if !empty(LIBEXIF_BUILDLINK3_MK:M+)
 BUILDLINK_DEPENDS.libexif+=	libexif>=0.6.11
-BUILDLINK_RECOMMENDED.libexif+=	libexif>=0.6.11nb1
+BUILDLINK_RECOMMENDED.libexif+=	libexif>=0.6.12nb1
 BUILDLINK_PKGSRCDIR.libexif?=	../../graphics/libexif
 .endif	# LIBEXIF_BUILDLINK3_MK
 
diff --git a/graphics/libexif/distinfo b/graphics/libexif/distinfo
index b66ba9c41e1..7b14cffce0a 100644
--- a/graphics/libexif/distinfo
+++ b/graphics/libexif/distinfo
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.14 2005/05/09 13:21:16 minskim Exp $
+$NetBSD: distinfo,v 1.15 2005/05/13 11:57:59 salo Exp $
 
 SHA1 (libexif-0.6.12.tar.bz2) = 5d2c5976521e179d41ff8908b678b14f2e8e690b
 RMD160 (libexif-0.6.12.tar.bz2) = 24cfdb7663f0566f2907987e5dbc472c21b583d9
 Size (libexif-0.6.12.tar.bz2) = 378650 bytes
 SHA1 (patch-aa) = e32ab9cad1720f0b4d6178240e78193a97c4c876
 SHA1 (patch-ab) = 973ca09fc059d74e3221bba12e6e8f4630db20bb
+SHA1 (patch-ac) = 5c61cb1135b7254f0cd01127929a1bdea1de1053
diff --git a/graphics/libexif/patches/patch-ac b/graphics/libexif/patches/patch-ac
new file mode 100644
index 00000000000..2c65330f534
--- /dev/null
+++ b/graphics/libexif/patches/patch-ac
@@ -0,0 +1,71 @@
+$NetBSD: patch-ac,v 1.1 2005/05/13 11:57:59 salo Exp $
+
+--- libexif/exif-data.c.orig	2005-03-13 03:27:13.000000000 +0100
++++ libexif/exif-data.c	2005-05-13 13:48:13.000000000 +0200
+@@ -284,9 +284,10 @@
+ }
+ 
+ static void
+-exif_data_load_data_content (ExifData *data, ExifContent *ifd,
++exif_data_load_data_content_recurse (ExifData *data, ExifContent *ifd,
+ 			     const unsigned char *d,
+-			     unsigned int ds, unsigned int offset)
++				     unsigned int ds, unsigned int offset,
++				     unsigned int level)
+ {
+ 	ExifLong o, thumbnail_offset = 0, thumbnail_length = 0;
+ 	ExifShort n;
+@@ -296,6 +297,13 @@
+ 
+ 	if (!data || !data->priv) return;
+ 
++	if (level > 150)
++	  {
++	    exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, "ExifData",
++		      "Deep recursion in exif_data_load_data_content");
++	    return 0;
++	  }
++
+ 	/* Read the number of entries */
+ 	if (offset >= ds - 1) return;
+ 	n = exif_get_short (d + offset, data->priv->order);
+@@ -320,18 +328,18 @@
+ 			switch (tag) {
+ 			case EXIF_TAG_EXIF_IFD_POINTER:
+ 				CHECK_REC (EXIF_IFD_EXIF);
+-				exif_data_load_data_content (data,
+-					data->ifd[EXIF_IFD_EXIF], d, ds, o);
++				exif_data_load_data_content_recurse (data,
++					data->ifd[EXIF_IFD_EXIF], d, ds, o, level + 1);
+ 				break;
+ 			case EXIF_TAG_GPS_INFO_IFD_POINTER:
+ 				CHECK_REC (EXIF_IFD_GPS);
+-				exif_data_load_data_content (data,
+-					data->ifd[EXIF_IFD_GPS], d, ds, o);
++				exif_data_load_data_content_recurse (data,
++					data->ifd[EXIF_IFD_GPS], d, ds, o, level + 1);
+ 				break;
+ 			case EXIF_TAG_INTEROPERABILITY_IFD_POINTER:
+ 				CHECK_REC (EXIF_IFD_INTEROPERABILITY);
+-				exif_data_load_data_content (data,
+-					data->ifd[EXIF_IFD_INTEROPERABILITY], d, ds, o);
++				exif_data_load_data_content_recurse (data,
++					data->ifd[EXIF_IFD_INTEROPERABILITY], d, ds, o, level + 1);
+ 				break;
+ 			case EXIF_TAG_JPEG_INTERCHANGE_FORMAT:
+ 				thumbnail_offset = o;
+@@ -373,6 +381,14 @@
+ }
+ 
+ static void
++exif_data_load_data_content (ExifData *data, ExifContent *ifd,
++			     const unsigned char *d,
++			     unsigned int ds, unsigned int offset)
++{
++  exif_data_load_data_content_recurse (data, ifd, d, ds, offset, 0);
++}
++
++static void
+ exif_data_save_data_content (ExifData *data, ExifContent *ifd,
+ 			     unsigned char **d, unsigned int *ds,
+ 			     unsigned int offset)