authorMarkus Meier <maekke@gentoo.org>2015-05-22 23:26:08 +0200
committerMarkus Meier <maekke@gentoo.org>2015-05-22 23:26:08 +0200
commit10c78dfcaf9b66ae5275805df90a4d0cbe11cd7e (patch)
tree3b7f6c2b90688fbeecfeaa3b16136d64c4ea8239
parentfix DEPEND by Nikoli, bug #543314 (diff)
bump for security bug #549344
Package-Manager: portage-2.2.19 Manifest-Sign-Key: 072AD062
-rw-r--r--media-gfx/ufraw/Manifest8
-rw-r--r--media-gfx/ufraw/files/ufraw-0.21-CVE-2015-3885.patch52
-rw-r--r--media-gfx/ufraw/ufraw-0.21-r1.ebuild81
3 files changed, 138 insertions, 3 deletions
diff --git a/media-gfx/ufraw/Manifest b/media-gfx/ufraw/Manifest
index 4399cc4..4fe7b97 100644
--- a/media-gfx/ufraw/Manifest
+++ b/media-gfx/ufraw/Manifest
@@ -3,16 +3,18 @@ Hash: SHA256
AUX ufraw-0.17-cfitsio-automagic.patch 933 SHA256 d489abaa6da90a46f4b3b23e2e5400c1eeb7d2e5532835df4d5ad244167e7d18 SHA512 84aadb7dc41927a26ac37a801e136628380e79f032f87a925e737ec76c349c96c410750234f4870fe2fa61680085472a028e47c13cf01b2bd7fc7a55dad6de1b WHIRLPOOL 7815f44171243408468347a6acdadbda239931b2f2a810e4f0a8e98023506d9761e73f3db137aad7930dd5814f7ffcc2c670cf572d50caf394e88d85cafef03b
AUX ufraw-0.20-gimp.patch 943 SHA256 8d1f64085455655b8a3e99d40403e2a3c7c40d633406e8b5f8f5ee1e717d23e4 SHA512 225d87467ba0ccf7a8c4a985c62ef94d89cb51166f37c2abc616bf280730aa1a214989a91a9e8a4bb3173413640dc1b2f8de410e4897e60dccc332e7a9536e29 WHIRLPOOL d16b677b0a0c54e65deb68a0427b5a65b3d8f428f4c3cb5e83b712a14eb260505acf487305eb9b83a39fb9375935cd7e3d137d4b990d83b9f6e501575c2f74b4
+AUX ufraw-0.21-CVE-2015-3885.patch 1598 SHA256 97c1e29455bf1dabdb7a0e92bbca3b87ed8cfbd2f5f98c597e121c44d4320178 SHA512 128e1b35d7f2024964bfb303f8130aa2028f08b4146be91c4f8869678dae7c91158755c8b0260233ab8aa268cf1589e1bb9a57c262689da5fd4772c74dbddf8a WHIRLPOOL 9c6609aef43b6632ad4e0db5c5a72d8650085d73ea3a52a1584766dfb75675a49aaa69d6fc109721104a873f25337e4b545bd1570d19a0e0141ffd088115b2d4
DIST ufraw-0.20.tar.gz 1086969 SHA256 6dcd30f73238f56641ec87ae07807a6ebeab141a1a481aafe3ddab6f3db8a1e0 SHA512 d18ecc257f9d88c77fca0e7a8641ee1e78abd28e73c34bd98def2d0dbd65f8fbaa677deca34ac4ed3ce7775764b6baca2896a023d690573057e4659de6dc3b1a WHIRLPOOL fedecf66ef22bdffe667408ac0b8106ec99ee2a1dd29fab53877229ec375bdeab37cc6fe942d7e3ef2c3de38a5770eaf4f49c44367ca1677acfda13bb4c85a1d
DIST ufraw-0.21.tar.gz 1016298 SHA256 2a6a1bcc633bdc8e15615cf726befcd7f27ab00e7c2a518469a24e1a96964d87 SHA512 e1fbfcf7b6f15089d51626a3e2d3dc694aa79edfc0bdfe4a8be6f684d4a31a91c56502942174c0708de91413fe907acb5d2fa2ad9d1a5404eb66b14764909ae9 WHIRLPOOL 84e96894f9ecc9d3a81f96f7c58165e095553b9bab69343754c8a89ef18480f751745cb48e8846ea5db26d1077ace4104ef18d0c0546b2b54439819b81ee3a7c
EBUILD ufraw-0.20-r1.ebuild 1884 SHA256 4b8b98e07982e1f9996e04667a9fc483e3c05fafc1d954e713ad170036315578 SHA512 f8767f44e376eecfc7be9285cf26ae344de39f03b597816c0f617da74e766aac2bbe7730a02136343ab75b96d348991be882fab49428bf31e3dcc86f6faef167 WHIRLPOOL cc4a4bd974b17d2a132bc8ef6560488cecf2ac136476eb823035a15aae700f7cbb4a3c210f598152cb965cffb5c051c40001cf5bc35816d9253b526f9ae005e6
+EBUILD ufraw-0.21-r1.ebuild 1766 SHA256 b5bd4e11928bd1fd38be3a6027c5eafc15d3cceec60f377e55eb62874593028b SHA512 3d60417e50d813d08e90e67b7895768969832e674e77ffd1783525cf9629590ecfb08b72228ef5757d259c2dd925d656ae24c75144aa4ca0b601374dba8999d9 WHIRLPOOL e39ffc3260807c02d511cff67908bea51320b150ae07a698a84e02f71751cc282706f73adbf32ca7e9768442df668d2f139dea224f9d9b4290be6489579527f1
EBUILD ufraw-0.21.ebuild 1719 SHA256 9d109fe9efdfa6ceb29dbfce5567166887338e54846d2b7ad556806b0e1843bd SHA512 6fbc3000a73173c52f307b8959cfb79d9e5314d7199f3f6d05be317b79f3fc6d7f32891006fba47bcff2903a53ad9874f66a1e5ea6b7e4a206f287c74cb9efad WHIRLPOOL b0c541407a1f5612acb940a7a64e20dfad270815d82605772f7fe7b7395131dd2ca689023d94bf52dab875d52c4a23e5bedd318b9c6475436e4b3d6982aacb9a
EBUILD ufraw-9999.ebuild 1783 SHA256 a82f95ef4d3fccbb559754821bc2a09e9bf03e1b2d2b925d9e3498acc0084f08 SHA512 9947de270714bce9dc45b1cb3b15f5f2b6071df2148a2025aa269a4deb421af01dfe3969334e721eb1dcf1c50a38f29bbb118e70f9025fad5c865ea71d283a69 WHIRLPOOL 590e3075de9b54cc89e3d035845caa9edfc3d1fbe05157604f2209edce4e08b9bfbcb5599cd006b056540dd3ec7178998f2f549599eec1666faa98d7c4129c51
MISC metadata.xml 437 SHA256 101562af2e68f9ce05d05494d48c03aaae046560eab55d6c5d472ae85fe3e4bc SHA512 be7071c107a374d39fc92eab5b1b0ca0be19dc3ec847241e7bc56acadca27d0bbd803beaaf4a40f12e44d581642d5338a65dfa7d37f78a3d75bc756ad6782446 WHIRLPOOL cab4d10b64bc1fbb4c2c72ba3d63b0ea46033bcd371472401e703304d1e6b76dfa8934e02192047b388b772da2af2dddc343067e225a1bd882943321524a3f3c
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-iEYEAREIAAYFAlVbWHAACgkQkKaRLQcq0GL45gCfRQxUmeKhQoGASkwOe9RmmKKK
-4WgAn20EOLRTEajjNjXf52w3GWk9JWo9
-=aJw3
+iEYEAREIAAYFAlVfnvAACgkQkKaRLQcq0GLilgCfVrquUCsA4sj+NeQPpWfm+HIW
+JhgAmgNQCRtIwnOiuxb1vNaC1DN/3qD5
+=nLo9
-----END PGP SIGNATURE-----
diff --git a/media-gfx/ufraw/files/ufraw-0.21-CVE-2015-3885.patch b/media-gfx/ufraw/files/ufraw-0.21-CVE-2015-3885.patch
new file mode 100644
index 0000000..c17c66c
--- /dev/null
+++ b/media-gfx/ufraw/files/ufraw-0.21-CVE-2015-3885.patch
@@ -0,0 +1,52 @@
+From 6b4ff65c6fc1a88eaa7bfc1ee5a25413d171b5f7 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils@redhat.com>
+Date: Thu, 21 May 2015 13:47:29 +0200
+Subject: [PATCH] patch: CVE-2015-3885
+
+Squashed commit of the following:
+
+commit 8f2a2348638f74e059069d98a6329fcc656ae4b5
+Author: Nils Philippsen <nils@redhat.com>
+Date: Tue May 19 11:36:57 2015 +0200
+
+ CVE-2015-3885: avoid overflowing array
+
+ When reading raw image files containing lossless JPEG data, headers
+ could be manipulated to make the signed int variable 'len' negative
+ which specifies how much actual data follows. Interpreted as unsigned,
+ this could lead to reading file data past the 64k boundary of the array
+ used for storing it. To avoid that, make 'len' unsigned short, and bail
+ out early if its value would become invalid (i.e. <= 0).
+---
+ dcraw.cc | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/dcraw.cc b/dcraw.cc
+index 75ea121..d9f96ff 100644
+--- a/dcraw.cc
++++ b/dcraw.cc
+@@ -934,7 +934,8 @@ struct jhead {
+
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+- int c, tag, len;
++ int c, tag;
++ ushort len;
+ uchar data[0x10000];
+ const uchar *dp;
+
+@@ -945,8 +946,9 @@ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ do {
+ fread (data, 2, 2, ifp);
+ tag = data[0] << 8 | data[1];
+- len = (data[2] << 8 | data[3]) - 2;
+- if (tag <= 0xff00) return 0;
++ len = (data[2] << 8 | data[3]);
++ if (tag <= 0xff00 || len <= 2) return 0;
++ len -= 2;
+ fread (data, 1, len, ifp);
+ switch (tag) {
+ case 0xffc3:
+--
+2.4.1
+
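Review bot: Both `fread` calls in the patched loop of ljpeg_start still ignore their return value, so on a truncated file `tag` and `len` are assembled from whatever bytes already sit in `data`, and the segment handling that follows works on a partial or stale buffer. I would check the reads, e.g. `if (fread (data, 2, 2, ifp) != 2) return 0;` and `if (fread (data, 1, len, ifp) != len) return 0;`. The `len <= 2` test also rejects a segment whose length field is exactly 2 (empty payload), which the old code read as zero bytes and carried on with; `len < 2` would keep that case while still preventing the wrap on `len -= 2`. The bound itself holds: with `len` as `ushort` and the early return, at most 65533 bytes go into the 0x10000-byte array. The switch body and the end of the do-loop lie outside the hunk, so how the cases consume `data` is inferred.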
diff --git a/media-gfx/ufraw/ufraw-0.21-r1.ebuild b/media-gfx/ufraw/ufraw-0.21-r1.ebuild
new file mode 100644
index 0000000..6ea2079
--- /dev/null
+++ b/media-gfx/ufraw/ufraw-0.21-r1.ebuild
@@ -0,0 +1,81 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+EAPI=5
+inherit autotools eutils fdo-mime gnome2-utils toolchain-funcs
+
+DESCRIPTION="RAW Image format viewer and GIMP plugin"
+HOMEPAGE="http://ufraw.sourceforge.net/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-freebsd ~amd64-linux ~x86-linux ~x64-solaris ~x86-solaris"
+IUSE="contrast fits gimp gnome gtk openmp timezone"
+
+REQUIRED_USE="gimp? ( gtk )"
+
+RDEPEND="
+ dev-libs/glib:2=
+ >=media-gfx/exiv2-0.11:0=
+ media-libs/lcms:2=
+ >=media-libs/lensfun-0.2.5:=
+ media-libs/libpng:0=
+ media-libs/tiff:0=
+ virtual/jpeg:0=
+ fits? ( sci-libs/cfitsio:0= )
+ gnome? ( >=gnome-base/gconf-2 )
+ gtk? ( >=x11-libs/gtk+-2.6:2
+ >=media-gfx/gtkimageview-1.5 )
+ gimp? ( >=media-gfx/gimp-2 )
+"
+DEPEND="${RDEPEND}
+ virtual/pkgconfig"
+
+src_prepare() {
+ epatch "${FILESDIR}"/${PN}-0.17-cfitsio-automagic.patch
+ epatch "${FILESDIR}"/${P}-CVE-2015-3885.patch
+ eautoreconf
+}
+
+src_configure() {
+ econf \
+ $(use_enable contrast) \
+ $(use_with fits cfitsio) \
+ $(use_with gimp) \
+ $(use_enable gnome mime) \
+ $(use_with gtk) \
+ $(use_enable openmp) \
+ $(use_enable timezone dst-correction)
+}
+
+src_compile() {
+ emake AR="$(tc-getAR)"
+}
+
+src_install() {
+ emake DESTDIR="${D}" schemasdir=/etc/gconf/schemas install
+ dodoc README TODO
+}
+
+pkg_preinst() {
+ if use gnome; then
+ gnome2_gconf_savelist
+ fi
+}
+
+pkg_postinst() {
+ if use gnome; then
+ fdo-mime_mime_database_update
+ fdo-mime_desktop_database_update
+ gnome2_gconf_install
+ fi
+}
+
+pkg_postrm() {
+ if use gnome; then
+ fdo-mime_desktop_database_update
+ fdo-mime_mime_database_update
+ fi
+}
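Review bot: The `epatch "${FILESDIR}"/${P}-CVE-2015-3885.patch` line in src_prepare has no comment saying why the patch is applied or when it can be dropped; I would add `# CVE-2015-3885 (bug #549344): length check in dcraw.cc ljpeg_start; drop once upstream ships the fix` directly above it. The Manifest hunk of this commit still lists `ufraw-0.21.ebuild`, so the same upstream version without the patch appears to remain installable next to this -r1. If that is intentional only until stabilisation, a follow-up that removes or masks the unpatched ebuild would close the gap.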