media-gfx/autotrace: add a patch to fix CVE-2016-7392, wrt bug #613992

Package-Manager: Portage-2.3.3, Repoman-2.3.1
Signed-off-by: Agostino Sarubbo <ago@gentoo.org>

diff --git a/media-gfx/autotrace/autotrace-0.31.1-r8.ebuild b/media-gfx/autotrace/autotrace-0.31.1-r8.ebuild
new file mode 100644 (file)
index 0000000..685183f
--- /dev/null
+++ b/media-gfx/autotrace/autotrace-0.31.1-r8.ebuild
@@ -0,0 +1,63 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+inherit autotools eutils
+
+_dpatch=15
+
+DESCRIPTION="A program for converting bitmaps to vector graphics"
+HOMEPAGE="http://packages.qa.debian.org/a/autotrace.html http://autotrace.sourceforge.net/"
+SRC_URI="mirror://debian/pool/main/a/${PN}/${PN}_${PV}.orig.tar.gz
+       mirror://debian/pool/main/a/${PN}/${PN}_${PV}-${_dpatch}.diff.gz"
+
+LICENSE="GPL-2 LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86 ~amd64-fbsd ~x86-fbsd"
+IUSE="+imagemagick static-libs"
+
+RDEPEND="media-libs/libexif:=
+       media-libs/libpng:0=
+       >=media-libs/ming-0.4.2:=
+       >=media-gfx/pstoedit-3.50:=
+       imagemagick? ( >=media-gfx/imagemagick-6.6.2.5 )"
+DEPEND="${RDEPEND}
+       virtual/pkgconfig"
+
+DOCS=( AUTHORS ChangeLog NEWS README )
+
+src_prepare() {
+       epatch "${WORKDIR}"/${PN}_${PV}-${_dpatch}.diff
+
+       epatch \
+               "${FILESDIR}"/${P}-{m4,libpng14,pkgconfig}.patch \
+               "${FILESDIR}"/${P}-swf-output.patch \
+               "${FILESDIR}"/${P}-GetOnePixel.patch \
+               "${FILESDIR}"/${P}-libpng-1.5.patch
+
+       # Fix building on PowerPC with Altivec
+       epatch "${FILESDIR}"/${P}-bool.patch
+
+       # Addresses bug #466078
+       epatch "${FILESDIR}"/${P}-CVE-2013-1953.patch
+
+       # bug #613992
+       epatch "${FILESDIR}"/${P}-CVE-2016-7392.patch
+
+       sed -i -e 's:AM_CONFIG_HEADER:AC_CONFIG_HEADERS:' configure.in || die #468496
+
+       eautoreconf
+}
+
+src_configure() {
+       econf \
+               $(use_enable static-libs static) \
+               $(use_with imagemagick magick) \
+               --with-ming \
+               --with-pstoedit
+}
+
+src_install() {
+       default
+       prune_libtool_files --all
+}

diff --git a/media-gfx/autotrace/files/autotrace-0.31.1-CVE-2016-7392.patch b/media-gfx/autotrace/files/autotrace-0.31.1-CVE-2016-7392.patch
new file mode 100644 (file)
index 0000000..e3bb030
--- /dev/null
+++ b/media-gfx/autotrace/files/autotrace-0.31.1-CVE-2016-7392.patch
@@ -0,0 +1,15 @@
+Patch from debian to fix CVE-2016-7392
+https://blogs.gentoo.org/ago/2016/09/10/autotrace-heap-based-buffer-overflow-in-pstoedit_suffix_table_init-output-pstoedit-c/
+
+--- a/output-pstoedit.c
++++ b/output-pstoedit.c
+@@ -84,7 +84,7 @@
+       dd_tmp   = dd_start;
+       while (dd_tmp->symbolicname)
+       dd_tmp++;
+-      XMALLOC(pstoedit_suffix_table, sizeof(char *) * 2 * (dd_tmp - dd_start) + 1);
++      XMALLOC(pstoedit_suffix_table, sizeof(char *) * (2 * (dd_tmp - dd_start) + 1));
+ 
+ #if defined (OUTPUT_PSTOEDIT_DEBUG) && defined(__GNUC__)
+   fprintf(stderr, "OUTPUT PSTOEDIT BACKEND DEBUG(%s)\n", __FUNCTION__);
+