head 1.2; access; symbols pkgsrc-2017Q4:1.1.0.2; locks; strict; comment @# @; 1.2 date 2018.03.26.23.33.24; author maya; state dead; branches; next 1.1; commitid qMRKoNhSQgtwz1wA; 1.1 date 2018.03.17.00.23.15; author maya; state Exp; branches 1.1.2.1; next ; commitid cRmOoNCrMkOOaKuA; 1.1.2.1 date 2018.03.17.00.23.15; author spz; state dead; branches; next 1.1.2.2; commitid i1ahO9NyqOZqcnvA; 1.1.2.2 date 2018.03.21.21.56.28; author spz; state Exp; branches; next ; commitid i1ahO9NyqOZqcnvA; desc @@ 1.2 log @firefox52: update to 52.7.3 CVE-2018-5148: Use-after-free in compositor A use-after-free vulnerability can occur in the compositor during certain graphics operations when a raw pointer is used instead of a reference counted one. This results in a potentially exploitable crash. @ text @$NetBSD: patch-CVE-2018-5147,v 1.1 2018/03/17 00:23:15 maya Exp $ CVE-2018-5147: Prevent out-of-bounds write in codebook decoding. Codebooks that are not an exact divisor of the partition size are now truncated to fit within the partition. --- media/libtremor/lib/tremor_codebook.c.orig 2017-04-11 02:13:12.000000000 +0000 +++ media/libtremor/lib/tremor_codebook.c @@@@ -258,7 +258,7 @@@@ long vorbis_book_decodevs_add(codebook * t[i] = book->valuelist+entry[i]*book->dim; } for(i=0,o=0;idim;i++,o+=step) - for (j=0;j>shift; }else{ for (i = 0; i < step; i++) { @@@@ -267,7 +267,7 @@@@ long vorbis_book_decodevs_add(codebook * t[i] = book->valuelist+entry[i]*book->dim; } for(i=0,o=0;idim;i++,o+=step) - for (j=0;jvaluelist+entry*book->dim; - for (j=0;jdim;) + for (j=0;idim;) a[i++]+=t[j++]>>shift; } }else{ @@@@ -295,7 +295,7 @@@@ long vorbis_book_decodev_add(codebook *b entry = decode_packed_entry_number(book,b); if(entry==-1)return(-1); t = book->valuelist+entry*book->dim; - for (j=0;jdim;) + for (j=0;idim;) a[i++]+=t[j++]<<-shift; } } @@@@ -352,15 +352,15 @@@@ long vorbis_book_decodevv_add(codebook * long i,j,entry; int chptr=0; int shift=point-book->binarypoint; - + int m=offset+n; if(shift>=0){ - for(i=offset;ivaluelist+entry*book->dim; - for (j=0;jdim;j++){ + for (j=0;idim;j++){ a[chptr++][i]+=t[j]>>shift; if(chptr==ch){ chptr=0; @@@@ -371,12 +371,12 @@@@ long vorbis_book_decodevv_add(codebook * } }else{ - for(i=offset;ivaluelist+entry*book->dim; - for (j=0;jdim;j++){ + for (j=0;idim;j++){ a[chptr++][i]+=t[j]<<-shift; if(chptr==ch){ chptr=0; @ 1.1 log @firefox52: provide a patch for tremor as well (ARM-specific) upstream commit: https://hg.mozilla.org/releases/mozilla-esr52/rev/5cd5586a2f48 PKGREVISION++ @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-CVE-2018-5147 was added on branch pkgsrc-2017Q4 on 2018-03-21 21:56:28 +0000 @ text @d1 79 @ 1.1.2.2 log @Pullup ticket #5727 - requested by maya www/firefox52-l10n: security update www/firefox52: security update Revisions pulled up: - www/firefox52-l10n/Makefile 1.9 - www/firefox52-l10n/PLIST 1.3 - www/firefox52-l10n/distinfo 1.9 - www/firefox52/Makefile 1.19 - www/firefox52/distinfo 1.12 - www/firefox52/patches/patch-CVE-2018-5147 1.1 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: maya Date: Sat Mar 17 00:23:15 UTC 2018 Modified Files: pkgsrc/www/firefox52: Makefile distinfo Added Files: pkgsrc/www/firefox52/patches: patch-CVE-2018-5147 Log Message: firefox52: provide a patch for tremor as well (ARM-specific) upstream commit: https://hg.mozilla.org/releases/mozilla-esr52/rev/5cd5586a2f48 PKGREVISION++ To generate a diff of this commit: cvs rdiff -u -r1.18 -r1.19 pkgsrc/www/firefox52/Makefile cvs rdiff -u -r1.11 -r1.12 pkgsrc/www/firefox52/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/www/firefox52/patches/patch-CVE-2018-5147 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Mar 17 01:01:49 UTC 2018 Modified Files: pkgsrc/www/firefox52-l10n: Makefile PLIST distinfo Log Message: Update to 57.0.2 * Sync with www/firefo52-52.7.2 To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 pkgsrc/www/firefox52-l10n/Makefile \ pkgsrc/www/firefox52-l10n/distinfo cvs rdiff -u -r1.2 -r1.3 pkgsrc/www/firefox52-l10n/PLIST @ text @a0 79 $NetBSD$ CVE-2018-5147: Prevent out-of-bounds write in codebook decoding. Codebooks that are not an exact divisor of the partition size are now truncated to fit within the partition. --- media/libtremor/lib/tremor_codebook.c.orig 2017-04-11 02:13:12.000000000 +0000 +++ media/libtremor/lib/tremor_codebook.c @@@@ -258,7 +258,7 @@@@ long vorbis_book_decodevs_add(codebook * t[i] = book->valuelist+entry[i]*book->dim; } for(i=0,o=0;idim;i++,o+=step) - for (j=0;j>shift; }else{ for (i = 0; i < step; i++) { @@@@ -267,7 +267,7 @@@@ long vorbis_book_decodevs_add(codebook * t[i] = book->valuelist+entry[i]*book->dim; } for(i=0,o=0;idim;i++,o+=step) - for (j=0;jvaluelist+entry*book->dim; - for (j=0;jdim;) + for (j=0;idim;) a[i++]+=t[j++]>>shift; } }else{ @@@@ -295,7 +295,7 @@@@ long vorbis_book_decodev_add(codebook *b entry = decode_packed_entry_number(book,b); if(entry==-1)return(-1); t = book->valuelist+entry*book->dim; - for (j=0;jdim;) + for (j=0;idim;) a[i++]+=t[j++]<<-shift; } } @@@@ -352,15 +352,15 @@@@ long vorbis_book_decodevv_add(codebook * long i,j,entry; int chptr=0; int shift=point-book->binarypoint; - + int m=offset+n; if(shift>=0){ - for(i=offset;ivaluelist+entry*book->dim; - for (j=0;jdim;j++){ + for (j=0;idim;j++){ a[chptr++][i]+=t[j]>>shift; if(chptr==ch){ chptr=0; @@@@ -371,12 +371,12 @@@@ long vorbis_book_decodevv_add(codebook * } }else{ - for(i=offset;ivaluelist+entry*book->dim; - for (j=0;jdim;j++){ + for (j=0;idim;j++){ a[chptr++][i]+=t[j]<<-shift; if(chptr==ch){ chptr=0; @