head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.4 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.2 pkgsrc-2012Q4-base:1.2 pkgsrc-2011Q4:1.1.0.8 pkgsrc-2011Q4-base:1.1 pkgsrc-2011Q3:1.1.0.6 pkgsrc-2011Q3-base:1.1 pkgsrc-2011Q2:1.1.0.4 pkgsrc-2011Q2-base:1.1 pkgsrc-2011Q1:1.1.0.2; locks; strict; comment @# @; 1.2 date 2012.02.04.21.10.45; author adam; state dead; branches; next 1.1; 1.1 date 2011.04.15.16.39.09; author drochner; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2011.04.15.16.39.09; author tron; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2011.04.20.18.39.44; author tron; state Exp; branches; next ; desc @@ 1.2 log @Changes 2.6.12: Bug fixes: * GIMP 2.6.10 segfaults when CTRL-left click on a layer mask * GIMP fails to import a path from SVG * Crash or Gtk-CRITICAL on File->Open * [abrt] gimp-2:2.6.11-1.fc14: py-slice.py:172:slice:TypeError: integer argument expected, got float * gimp(1) manpage fixes * Sample Colorize does not function non-interactively * file-pdf-load: Don't use deprecated API * file-psp: fix for bogus input data * Fixes for some buffer overflow problems * Guard against crash due to quitting while DND is processed * fails to build with -Werror=format-security * script-fu: make server IPv6 aware @ text @$NetBSD: patch-bb,v 1.1 2011/04/15 16:39:09 drochner Exp $ CVE-2010-4541 --- plug-ins/common/sphere-designer.c.orig 2010-07-02 22:51:56.000000000 +0000 +++ plug-ins/common/sphere-designer.c @@@@ -1992,6 +1992,7 @@@@ loadit (const gchar * fn) gchar endbuf[21 * (G_ASCII_DTOSTR_BUF_SIZE + 1)]; gchar *end = endbuf; gchar line[1024]; + gchar fmt_str[16]; gint i; texture *t; gint majtype, type; @@@@ -2016,6 +2017,8 @@@@ loadit (const gchar * fn) s.com.numtexture = 0; + snprintf (fmt_str, sizeof (fmt_str), "%%d %%d %%%lds", sizeof (endbuf) - 1); + while (!feof (f)) { @@@@ -2026,7 +2029,7 @@@@ loadit (const gchar * fn) t = &s.com.texture[i]; setdefaults (t); - if (sscanf (line, "%d %d %s", &t->majtype, &t->type, end) != 3) + if (sscanf (line, 
fmt_str, &t->majtype, &t->type, end) != 3) t->color1.x = g_ascii_strtod (end, &end); if (end && errno != ERANGE) t->color1.y = g_ascii_strtod (end, &end); @ 1.1 log @add patches from upstream, via Debian/Ubuntu: -possible buffer overflows when parsing config files of plugins (CVE-2010-4540, CVE-2010-4541, CVE-2010-4542) -possible buffer overflow in PSP image parser plugin (CVE-2010-4543) bump PKGREV @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-bb was added on branch pkgsrc-2011Q1 on 2011-04-20 18:39:44 +0000 @ text @d1 32 @ 1.1.2.2 log @Pullup ticket #3417 - requested by drochner graphics/gimp: security patch Revisions pulled up: - graphics/gimp/Makefile 1.204 - graphics/gimp/distinfo 1.62 - graphics/gimp/patches/patch-ba 1.1 - graphics/gimp/patches/patch-bb 1.1 - graphics/gimp/patches/patch-bc 1.1 - graphics/gimp/patches/patch-bd 1.1 --- Module Name: pkgsrc Committed By: drochner Date: Fri Apr 15 16:39:10 UTC 2011 Modified Files: pkgsrc/graphics/gimp: Makefile distinfo Added Files: pkgsrc/graphics/gimp/patches: patch-ba patch-bb patch-bc patch-bd Log Message: add patches from upstream, via Debian/Ubuntu: -possible buffer overflows when parsing config files of plugins (CVE-2010-4540, CVE-2010-4541, CVE-2010-4542) -possible buffer overflow in PSP image parser plugin (CVE-2010-4543) bump PKGREV @ text @a0 32 $NetBSD$ CVE-2010-4541 --- plug-ins/common/sphere-designer.c.orig 2010-07-02 22:51:56.000000000 +0000 +++ plug-ins/common/sphere-designer.c @@@@ -1992,6 +1992,7 @@@@ loadit (const gchar * fn) gchar endbuf[21 * (G_ASCII_DTOSTR_BUF_SIZE + 1)]; gchar *end = endbuf; gchar line[1024]; + gchar fmt_str[16]; gint i; texture *t; gint majtype, type; @@@@ -2016,6 +2017,8 @@@@ loadit (const gchar * fn) s.com.numtexture = 0; + snprintf (fmt_str, sizeof (fmt_str), "%%d %%d %%%lds", sizeof (endbuf) - 1); + while (!feof (f)) { @@@@ -2026,7 +2029,7 @@@@ loadit (const gchar * fn) t = &s.com.texture[i]; setdefaults (t); - if (sscanf (line, "%d %d %s", &t->majtype, &t->type, 
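Review bot: The `snprintf` call added in the second hunk passes `sizeof (endbuf) - 1`, a `size_t`, to a `%ld` conversion, so the argument type does not match the format; on an ABI where `size_t` and `long` differ in width the generated field width is undefined. Casting the argument, `(long) (sizeof (endbuf) - 1)`, or building the format with GLib's `G_GSIZE_FORMAT`, keeps the width correct everywhere. The return value is also discarded: `fmt_str[16]` looks large enough for the visible `endbuf` size, but a truncated format would silently drop the bound, so comparing the result against `sizeof (fmt_str)` is a cheap guard. The same hunk appears in both revision texts on this page (1.2 and 1.1.2.2), and loadit's body continues outside the hunk.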
end) != 3) + if (sscanf (line, fmt_str, &t->majtype, &t->type, end) != 3) t->color1.x = g_ascii_strtod (end, &end); if (end && errno != ERANGE) t->color1.y = g_ascii_strtod (end, &end); @
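Review bot: The width baked into `fmt_str` is `sizeof (endbuf) - 1`, which bounds the `%s` store only while `end` still points at the start of `endbuf`, yet the third hunk's context shows `g_ascii_strtod (end, &end)` advancing `end` inside the loop. Unless the loop resets it in lines outside the hunk, later iterations would let `sscanf` write up to that many bytes starting part-way into the buffer. Passing `endbuf` as the `sscanf` destination and setting `end = endbuf;` before the `g_ascii_strtod` calls would make the bound hold on every iteration. Separately, the context line after the test runs the first `g_ascii_strtod` when the conversion count is not 3, that is, when `end` may not have been filled from the current line; this looks inverted and should be confirmed against the full function. The same applies to the copy of this hunk in the 1.2 revision text earlier on the page.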