From 2b7ea32be5a67728a4b9ff5a4e8e980a52e2c6c9 Mon Sep 17 00:00:00 2001 From: prlw1 Date: Tue, 10 Dec 2013 00:25:18 +0000 Subject: Rerevert librsvg update to 2.40.1 --- graphics/librsvg/Makefile | 13 +-- graphics/librsvg/distinfo | 13 +-- graphics/librsvg/patches/patch-CVE-2013-1881 | 166 --------------------------- graphics/librsvg/patches/patch-ab | 4 +- graphics/librsvg/patches/patch-rsvg-base.c | 28 +++++ graphics/librsvg/patches/patch-rsvg-io.c | 17 --- 6 files changed, 43 insertions(+), 198 deletions(-) delete mode 100644 graphics/librsvg/patches/patch-CVE-2013-1881 create mode 100644 graphics/librsvg/patches/patch-rsvg-base.c delete mode 100644 graphics/librsvg/patches/patch-rsvg-io.c (limited to 'graphics/librsvg') diff --git a/graphics/librsvg/Makefile b/graphics/librsvg/Makefile index a057e598114..f0199ce53ac 100644 --- a/graphics/librsvg/Makefile +++ b/graphics/librsvg/Makefile @@ -1,14 +1,13 @@ -# $NetBSD: Makefile,v 1.77 2013/12/08 18:21:00 prlw1 Exp $ +# $NetBSD: Makefile,v 1.78 2013/12/10 00:25:18 prlw1 Exp $ -DISTNAME= librsvg-2.36.4 -PKGREVISION= 7 +DISTNAME= librsvg-2.40.1 CATEGORIES= graphics gnome -MASTER_SITES= ${MASTER_SITE_GNOME:=sources/librsvg/2.36/} +MASTER_SITES= ${MASTER_SITE_GNOME:=sources/librsvg/${PKGVERSION_NOREV:R}/} EXTRACT_SUFX= .tar.xz MAINTAINER= pkgsrc-users@NetBSD.org -HOMEPAGE= http://live.gnome.org/LibRsvg -COMMENT= SVG library for GNOME2 +HOMEPAGE= https://wiki.gnome.org/LibRsvg +COMMENT= SVG library for GNOME LICENSE= gnu-lgpl-v2 CONFLICTS+= librsvg2-gtk-[0-9]* librsvg2-[0-9]* @@ -18,7 +17,7 @@ USE_LIBTOOL= yes USE_TOOLS+= pkg-config USE_LANGUAGES+= c c++ GNU_CONFIGURE= yes -CONFIGURE_ARGS+= --disable-gtk-theme --disable-tools +CONFIGURE_ARGS+= --disable-tools CONFIGURE_ARGS+= --disable-introspection CONFIGURE_ARGS+= --enable-Bsymbolic=auto diff --git a/graphics/librsvg/distinfo b/graphics/librsvg/distinfo index eb5e8c48d3b..dd0f5994d16 100644 --- a/graphics/librsvg/distinfo +++ b/graphics/librsvg/distinfo 
@@ -1,8 +1,7 @@
-$NetBSD: distinfo,v 1.28 2013/12/08 18:21:00 prlw1 Exp $
+$NetBSD: distinfo,v 1.29 2013/12/10 00:25:18 prlw1 Exp $
 
-SHA1 (librsvg-2.36.4.tar.xz) = 1e0152e6745bac9632207252c67dda2299010db4
-RMD160 (librsvg-2.36.4.tar.xz) = b9765edaccd7e40997a3a141e4d21c5a13f6f2a1
-Size (librsvg-2.36.4.tar.xz) = 513028 bytes
-SHA1 (patch-CVE-2013-1881) = 73e1d17960ce3e6da0bfd37ab5e4cd59326545ef
-SHA1 (patch-ab) = 44985e1c02f925769f394007f924b8d6ec8151d5
-SHA1 (patch-rsvg-io.c) = 1bcb7164dda065eb2e231818dd9c5df8b98e49a5
+SHA1 (librsvg-2.40.1.tar.xz) = abbfed10433b26e88f18fe62a9b84d48fc00b9e1
+RMD160 (librsvg-2.40.1.tar.xz) = 6e0212214c7acc6d570d1dbb196bde3678e84525
+Size (librsvg-2.40.1.tar.xz) = 505664 bytes
+SHA1 (patch-ab) = 684e885aec9af2cfeff9e9708e3be9e158bba3f9
+SHA1 (patch-rsvg-base.c) = ab9c0651dac03bc1e3fcd93242bf42a73616084f
diff --git a/graphics/librsvg/patches/patch-CVE-2013-1881 b/graphics/librsvg/patches/patch-CVE-2013-1881
deleted file mode 100644
index f7af19f3237..00000000000
--- a/graphics/librsvg/patches/patch-CVE-2013-1881
+++ /dev/null
@@ -1,166 +0,0 @@
-$NetBSD: patch-CVE-2013-1881,v 1.1 2013/10/03 13:39:12 tez Exp $
-
-from https://git.gnome.org/browse/librsvg/patch/?id=f01aded72c38f0e18bc7ff67dee800e380251c8e
-
-From f01aded72c38f0e18bc7ff67dee800e380251c8e Mon Sep 17 00:00:00 2001
-From: Christian Persch
-Date: Mon, 11 Feb 2013 21:36:58 +0000
-Subject: io: Implement strict load policy
-
-Allow any file to load from data:, and any resource to load from other
-resources. Only allow file: to load other file: URIs from below the path
-of the base file. Any other loads are denied.
-
-Bug #691708.
----
-diff --git a/rsvg-base.c b/rsvg-base.c
-index 1f88479..9d7c1ea 100644
---- rsvg-base.c.orig 2013-10-03 07:33:50.579625000 -0500
-+++ rsvg-base.c 2013-10-03 07:35:26.518496200 -0500
-@@ -25,6 +25,7 @@
- */
-
- #include "config.h"
-+#define _GNU_SOURCE 1
-
- #include "rsvg.h"
- #include "rsvg-private.h"
-@@ -1001,6 +1002,7 @@
- rsvg_handle_set_base_uri (RsvgHandle * handle, const char *base_uri)
- {
- gchar *uri;
-+ GFile *file;
-
- g_return_if_fail (handle != NULL);
-
-@@ -1012,11 +1014,10 @@
- else
- uri = rsvg_get_base_uri_from_filename (base_uri);
-
-- if (uri) {
-- if (handle->priv->base_uri)
-- g_free (handle->priv->base_uri);
-- handle->priv->base_uri = uri;
-- }
-+ file = g_file_new_for_uri (uri ? uri : "data:");
-+ rsvg_handle_set_base_gfile (handle, file);
-+ g_object_unref (file);
-+ g_free (uri);
- }
-
- /**
-@@ -2146,12 +2147,79 @@
- const char *uri,
- GError **error)
- {
-- RsvgLoadPolicy policy = handle->priv->load_policy;
-+ RsvgHandlePrivate *priv = handle->priv;
-+ GFile *base;
-+ char *path, *dir;
-+ char *scheme = NULL, *cpath = NULL, *cdir = NULL;
-+ char cpath_buffer[PATH_MAX], cdir_buffer[PATH_MAX];
-
-- if (policy == RSVG_LOAD_POLICY_ALL_PERMISSIVE)
-- return TRUE;
-+ g_assert (handle->priv->load_policy == RSVG_LOAD_POLICY_STRICT);
-+
-+ scheme = g_uri_parse_scheme (uri);
-+
-+ /* Not a valid URI */
-+ if (scheme == NULL)
-+ goto deny;
-+
-+ /* Allow loads of data: from any location */
-+ if (g_str_equal (scheme, "data"))
-+ goto allow;
-+
-+ /* No base to compare to? */
-+ if (priv->base_gfile == NULL)
-+ goto deny;
-+
-+ /* Deny loads from differing URI schemes */
-+ if (!g_file_has_uri_scheme (priv->base_gfile, scheme))
-+ goto deny;
-+
-+ /* resource: is allowed to load anything from other resources */
-+ if (g_str_equal (scheme, "resource"))
-+ goto allow;
-
-+ /* Non-file: isn't allowed to load anything */
-+ if (!g_str_equal (scheme, "file"))
-+ goto deny;
-+
-+ base = g_file_get_parent (priv->base_gfile);
-+ if (base == NULL)
-+ goto deny;
-+
-+ dir = g_file_get_path (base);
-+ g_object_unref (base);
-+
-+ cdir = realpath (dir,cdir_buffer);
-+ g_free (dir);
-+ if (cdir == NULL)
-+ goto deny;
-+
-+ path = g_filename_from_uri (uri, NULL, NULL);
-+ if (path == NULL)
-+ goto deny;
-+
-+ cpath = realpath (path, cpath_buffer);
-+ g_free (path);
-+
-+ if (cpath == NULL)
-+ goto deny;
-+
-+ /* Now check that @cpath is below @cdir */
-+ if (!g_str_has_prefix (cpath, cdir) ||
-+ cpath[strlen (cdir)] != G_DIR_SEPARATOR)
-+ goto deny;
-+
-+ /* Allow load! */
-+
-+ allow:
-+ g_free (scheme);
- return TRUE;
-+
-+ deny:
-+ g_free (scheme);
-+
-+ g_set_error (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED,
-+ "File may not link to URI \"%s\"", uri);
-+ return FALSE;
- }
-
- guint8*
-diff --git a/rsvg-io.c b/rsvg-io.c
-index 3d6c8b5..818d2ec 100644
---- rsvg-io.c
-+++ rsvg-io.c
-@@ -79,7 +79,7 @@ rsvg_acquire_data_data (const char *uri,
- gboolean base64 = FALSE;
-
- g_assert (out_len != NULL);
-- g_assert (g_str_has_prefix (uri, "data:"));
-+ g_assert (strncmp (uri, "data:", 5) == 0);
-
- mime_type = NULL;
- start = uri + 5;
-diff --git a/rsvg-private.h b/rsvg-private.h
-index 25283d4..1961eaf 100644
---- rsvg-private.h
-+++ rsvg-private.h
-@@ -123,10 +123,10 @@ struct RsvgSaxHandler {
- };
-
- typedef enum {
-- RSVG_LOAD_POLICY_ALL_PERMISSIVE
-+ RSVG_LOAD_POLICY_STRICT
- } RsvgLoadPolicy;
-
--#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_ALL_PERMISSIVE)
-+#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_STRICT)
-
- struct RsvgHandlePrivate {
- RsvgHandleFlags flags;
---
-cgit v0.9.2
diff --git a/graphics/librsvg/patches/patch-ab b/graphics/librsvg/patches/patch-ab
index f3eaa36a0b3..c16398004e4 100644
--- a/graphics/librsvg/patches/patch-ab
+++ b/graphics/librsvg/patches/patch-ab
@@ -1,4 +1,6 @@
-$NetBSD: patch-ab,v 1.9 2012/04/30 14:17:12 drochner Exp $
+$NetBSD: patch-ab,v 1.10 2013/12/10 00:25:18 prlw1 Exp $
+
+Allow gdk-pixbuf2/loaders.mk to do its thing.
 
 --- gdk-pixbuf-loader/Makefile.in.orig 2012-04-16 17:07:37.000000000 +0000
 +++ gdk-pixbuf-loader/Makefile.in
diff --git a/graphics/librsvg/patches/patch-rsvg-base.c b/graphics/librsvg/patches/patch-rsvg-base.c
new file mode 100644
index 00000000000..85baae02928
--- /dev/null
+++ b/graphics/librsvg/patches/patch-rsvg-base.c
@@ -0,0 +1,28 @@
+$NetBSD: patch-rsvg-base.c,v 1.1 2013/12/10 00:25:18 prlw1 Exp $
+
+Allow rsvg to built on other systems than just Linux.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=710163
+Finally committed as 02cb1983
+--- rsvg-base.c.orig 2013-05-11 09:19:07.000000000 +0000
++++ rsvg-base.c
+@@ -2190,8 +2190,7 @@ _rsvg_handle_allow_load (RsvgHandle *han
+ dir = g_file_get_path (base);
+ g_object_unref (base);
+
+- /* FIXME portability */
+- cdir = canonicalize_file_name (dir);
++ cdir = realpath (dir, NULL);
+ g_free (dir);
+ if (cdir == NULL)
+ goto deny;
+@@ -2200,8 +2199,7 @@ _rsvg_handle_allow_load (RsvgHandle *han
+ if (path == NULL)
+ goto deny;
+
+- /* FIXME portability */
+- cpath = canonicalize_file_name (path);
++ cpath = realpath (path, NULL);
+ g_free (path);
+
+ if (cpath == NULL)
diff --git a/graphics/librsvg/patches/patch-rsvg-io.c b/graphics/librsvg/patches/patch-rsvg-io.c
deleted file mode 100644
index b0cb78ce7a2..00000000000
--- a/graphics/librsvg/patches/patch-rsvg-io.c
+++ /dev/null
@@ -1,17 +0,0 @@
-$NetBSD: patch-rsvg-io.c,v 1.1 2012/07/08 23:03:17 wiz Exp $
-
-rsvg_get_file_path is an externally visible function.
-Fixes NetBSD-5.1/amd64 build.
-Patch from Matthew Dempsky in
-https://bugzilla.gnome.org/show_bug.cgi?id=677661
-
---- rsvg-io.c.orig 2012-03-26 12:25:08.000000000 +0000
-+++ rsvg-io.c
-@@ -24,6 +24,7 @@
-
- #include "rsvg-io.h"
- #include "rsvg-private.h"
-+#include "rsvg-image.h"
-
- #include
-
--
cgit v1.2.3
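Review bot: The two replacement lines in the new patch-rsvg-base.c, `cdir = realpath (dir, NULL);` and `cpath = realpath (path, NULL);`, rely on realpath() allocating its result when the second argument is NULL, which POSIX only specifies from the 2008 edition on; on older systems the call may fail or behave in an implementation-defined way. Both calls are in `_rsvg_handle_allow_load`, apparently the same path check that the deleted patch-CVE-2013-1881 carried, and the `NULL` tests that follow go to `deny`, so the likely effect on such a platform is that every file: reference is refused rather than that the check is skipped. The returned buffers are heap-allocated and the function continues outside both inner hunks, so it should be confirmed there that `cdir` and `cpath` are released on the allow and deny paths. I would record this in the patch header, e.g. `realpath(x, NULL) needs POSIX.1-2008; the result is malloc()ed and must be freed.`, and correct the wording `Allow rsvg to built` to `Allow rsvg to be built`.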