From b4457b5c567f681d9e844f688d2672dcc1b3ce7b Mon Sep 17 00:00:00 2001
From: gutteridge
Date: Sat, 16 Jan 2021 00:25:33 +0000
Subject: dia: apply an upstream security fix

Fix endless loop on filenames with invalid encoding (CVE-2019-19451).
---
 graphics/dia/Makefile | 4 ++--
 graphics/dia/distinfo | 3 ++-
 graphics/dia/patches/patch-app_app__procs.c | 15 +++++++++++++++
 3 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 graphics/dia/patches/patch-app_app__procs.c

diff --git a/graphics/dia/Makefile b/graphics/dia/Makefile
index ee012014a06..c7aea996837 100644
--- a/graphics/dia/Makefile
+++ b/graphics/dia/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.111 2020/11/05 09:08:19 ryoon Exp $
+# $NetBSD: Makefile,v 1.112 2021/01/16 00:25:33 gutteridge Exp $
 
-PKGREVISION= 20
+PKGREVISION= 21
 .include "Makefile.common"
 .include "options.mk"
diff --git a/graphics/dia/distinfo b/graphics/dia/distinfo
index 062efa67236..44955761369 100644
--- a/graphics/dia/distinfo
+++ b/graphics/dia/distinfo
@@ -1,10 +1,11 @@
-$NetBSD: distinfo,v 1.35 2020/05/01 20:19:23 rillig Exp $
+$NetBSD: distinfo,v 1.36 2021/01/16 00:25:33 gutteridge Exp $
 
 SHA1 (dia-0.97.3.tar.xz) = 316393951daebd186ba387e1cd6e34160a458c39
 RMD160 (dia-0.97.3.tar.xz) = a984efa1663cc154f4394060af37fab146f99175
 SHA512 (dia-0.97.3.tar.xz) = 34298980be930b87cb4a636344e4cb2a7e43eedc00b0969a5e446cee9b74b616fdc8c798efcb9a5832b98741f2e20632a44037b2bcb436f59591d531ef441efa
 Size (dia-0.97.3.tar.xz) = 5548500 bytes
 SHA1 (patch-aa) = bad171ff4f379030f05c613b362e669a53d7f6da
+SHA1 (patch-app_app__procs.c) = 867ec641d96b30123e15af9faca09a9f66a60993
 SHA1 (patch-app_load_save.c) = 2956f9ad67b8270cd84a8421abbb676af29338f2
 SHA1 (patch-be) = fc6ba43fabefca18188ab0541f4be7f19d9726d6
 SHA1 (patch-ca) = 8737f3ff19244e2f87ffb571da21159bc2248648
diff --git a/graphics/dia/patches/patch-app_app__procs.c b/graphics/dia/patches/patch-app_app__procs.c
new file mode 100644
index 00000000000..17d51ba5b44
--- /dev/null
+++ b/graphics/dia/patches/patch-app_app__procs.c
@@ -0,0 +1,15 @@
+$NetBSD: patch-app_app__procs.c,v 1.1 2021/01/16 00:25:33 gutteridge Exp $
+
+Fix endless loop on filenames with invalid encoding (CVE-2019-19451)
+https://gitlab.gnome.org/GNOME/dia/issues/428
+
+--- app/app_procs.c.orig 2014-08-24 15:46:01.000000000 +0000
++++ app/app_procs.c
+@@ -801,6 +801,7 @@ app_init (int argc, char **argv)
+ 
+ if (!filename) {
+ g_print (_("Filename conversion failed: %s\n"), filenames[i]);
++ ++i;
+ continue;
+ }
+ 
-- 
cgit v1.2.3
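Review bot: The added `++i;` in app_init (inner hunk at app/app_procs.c line 801) repeats the loop's increment on the error path, so the loop apparently advances `i` only at the bottom of its body. The loop header and the rest of the body are outside the hunk, so any other `continue` in that loop should be checked for the same hang. A short comment on the new line would make the dependency explicit, e.g. `/* skip the unconvertible argument; a bare continue would retry it forever */`. The patch header cites the upstream issue but not the upstream commit the change was taken from; naming it there would make the fix easier to retire when the package is next updated.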