From 6520ae16cd540b70c477ce9b140b666f09d4e286 Mon Sep 17 00:00:00 2001
From: tron
Date: Mon, 1 Dec 2014 22:47:13 +0000
Subject: Pullup ticket #4561 - requested by wiz graphics/graphviz: security patch Revisions pulled up: - graphics/graphviz/Makefile 1.146 via patch - graphics/graphviz/distinfo 1.53 - graphics/graphviz/patches/patch-lib_cgraph_scan.l 1.4 --- Module Name: pkgsrc Committed By: wiz Date: Mon Dec 1 08:45:04 UTC 2014 Modified Files: pkgsrc/graphics/graphviz: Makefile distinfo Added Files: pkgsrc/graphics/graphviz/patches: patch-lib_cgraph_scan.l Log Message: Fix format string vulnerability. >From upstream git. Bump PKGREVISION.
---
 graphics/graphviz/Makefile | 4 ++--
 graphics/graphviz/distinfo | 3 ++-
 graphics/graphviz/patches/patch-lib_cgraph_scan.l | 16 ++++++++++++++++
 3 files changed, 20 insertions(+), 3 deletions(-)
 create mode 100644 graphics/graphviz/patches/patch-lib_cgraph_scan.l
diff --git a/graphics/graphviz/Makefile b/graphics/graphviz/Makefile
index bcde20f5413..f83449e9ab5 100644
--- a/graphics/graphviz/Makefile
+++ b/graphics/graphviz/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.143 2014/05/29 23:36:38 wiz Exp $
+# $NetBSD: Makefile,v 1.143.4.1 2014/12/01 22:47:13 tron Exp $
 DISTNAME= graphviz-2.38.0
-PKGREVISION= 1
+PKGREVISION= 3
 CATEGORIES= graphics
 MASTER_SITES= http://www.graphviz.org/pub/graphviz/stable/SOURCES/
diff --git a/graphics/graphviz/distinfo b/graphics/graphviz/distinfo
index 8d78f0f8e8a..7c778742215 100644
--- a/graphics/graphviz/distinfo
+++ b/graphics/graphviz/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.52 2014/05/16 12:29:04 ryoon Exp $
+$NetBSD: distinfo,v 1.52.4.1 2014/12/01 22:47:13 tron Exp $
 SHA1 (graphviz-2.38.0.tar.gz) = 053c771278909160916ca5464a0a98ebf034c6ef
 RMD160 (graphviz-2.38.0.tar.gz) = a80c2fa6b9955444b2103a99167d7020b23e4c4e
@@ -7,4 +7,5 @@ SHA1 (patch-cmd_lefty_os_unix_io.c) = 48f91c79b97928b54ae24af59a9fea173f34dfe5
 SHA1 (patch-config_config__perl.pl) = 85d535282a819c1055386244f7b520387d0ddbb1
 SHA1 (patch-configure) = f772bedfac63c3b473ebae1621b72982a13fe5a3
 SHA1 (patch-configure.ac) = ec844ae85b6be9cf095ec800df6983b061d62b5d
+SHA1 (patch-lib_cgraph_scan.l) = 72cc178acb369007a4a672d20af196bb6b6df35b
 SHA1 (patch-lib_gvc_Makefile.in) = 985ffe3efb0e7f876ece14dc0d2a719ec06357e2
diff --git a/graphics/graphviz/patches/patch-lib_cgraph_scan.l b/graphics/graphviz/patches/patch-lib_cgraph_scan.l
new file mode 100644
index 00000000000..da2a5d47f43
--- /dev/null
+++ b/graphics/graphviz/patches/patch-lib_cgraph_scan.l
@@ -0,0 +1,16 @@
+$NetBSD: patch-lib_cgraph_scan.l,v 1.4.2.2 2014/12/01 22:47:13 tron Exp $
+
+Add format string.
+https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081
+
+--- lib/cgraph/scan.l.orig 2014-04-13 20:40:25.000000000 +0000
++++ lib/cgraph/scan.l
+@@ -149,7 +149,7 @@ static int chkNum(void) {
+ agxbput(&xb,buf);
+ agxbput(&xb,fname);
+ agxbput(&xb, " splits into two tokens\n");
+- agerr(AGWARN,agxbuse(&xb));
++ agerr(AGWARN,"%s", agxbuse(&xb));
+
+ agxbfree(&xb);
+ return 1;
--
cgit v1.2.3
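Review bot: The fix in the new patches/patch-lib_cgraph_scan.l section touches only the lex source lib/cgraph/scan.l, and nothing in the visible hunks shows that the package build regenerates the C scanner from it. If the graphviz-2.38.0 distfile ships a pre-generated scanner source, the old `agerr(AGWARN,agxbuse(&xb));` call could still be what gets compiled unless lex/flex is among the package's build tools, so that is worth confirming before the pullup is treated as closing the issue. The patch comment `Add format string.` would also serve later readers better as `Fix format string vulnerability in chkNum(): the warning text is assembled from buf and fname and must not be passed as the agerr() format.` The body of chkNum starts and ends outside the inner hunk, so any other agerr() calls in scan.l that pass an assembled buffer as the format cannot be checked from here.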