head 1.2; access; symbols pkgsrc-2018Q1:1.1.0.4 pkgsrc-2018Q1-base:1.1 pkgsrc-2017Q4:1.1.0.2; locks; strict; comment @# @; 1.2 date 2018.06.26.23.29.24; author maya; state dead; branches; next 1.1; commitid cfCFN8PWBeONzQHA; 1.1 date 2018.03.16.23.25.56; author maya; state Exp; branches 1.1.2.1; next ; commitid yJktUaOLWmYTQJuA; 1.1.2.1 date 2018.03.16.23.25.56; author spz; state dead; branches; next 1.1.2.2; commitid xNPInKLdLv6MPmvA; 1.1.2.2 date 2018.03.21.20.49.56; author spz; state Exp; branches; next ; commitid xNPInKLdLv6MPmvA; desc @@ 1.2 log @seamonkey: update to 2.49.3 remove patches for security fixes now upstream. seamonkey is now based on firefox 52.7.3 ESR. SeaMonkey 2.49.3 shares most parts of the mail and news code with Thunderbird. Please read the Thunderbird 52.7.0 release notes for specific changes and security fixes in this release. SeaMonkey-specific changes seamonkey official linux builds are based on GTK3 (no change for us) @ text @$NetBSD: patch-CVE-2018-5146,v 1.1 2018/03/16 23:25:56 maya Exp $ CVE-2018-5146: Prevent out-of-bounds write in codebook decoding. Codebooks that are not an exact divisor of the partition size are now truncated to fit within the partition. 
--- mozilla/media/libvorbis/lib/vorbis_codebook.c.orig 2018-02-05 11:49:22.000000000 +0000 +++ mozilla/media/libvorbis/lib/vorbis_codebook.c @@@@ -387,7 +387,7 @@@@ long vorbis_book_decodevs_add(codebook * t[i] = book->valuelist+entry[i]*book->dim; } for(i=0,o=0;idim;i++,o+=step) - for (j=0;jdim>8){ - for(i=0;ivaluelist+entry*book->dim; - for (j=0;jdim;) - a[i++]+=t[j++]; - } - }else{ - for(i=0;ivaluelist+entry*book->dim; - j=0; - switch((int)book->dim){ - case 8: - a[i++]+=t[j++]; - case 7: - a[i++]+=t[j++]; - case 6: - a[i++]+=t[j++]; - case 5: - a[i++]+=t[j++]; - case 4: - a[i++]+=t[j++]; - case 3: - a[i++]+=t[j++]; - case 2: - a[i++]+=t[j++]; - case 1: - a[i++]+=t[j++]; - case 0: - break; - } - } + for(i=0;ivaluelist+entry*book->dim; + for(j=0;idim;) + a[i++]+=t[j++]; } } return(0); @@@@ -471,12 +442,13 @@@@ long vorbis_book_decodevv_add(codebook * long i,j,entry; int chptr=0; if(book->used_entries>0){ - for(i=offset/ch;i<(offset+n)/ch;){ + int m=(offset+n)/ch; + for(i=offset/ch;ivaluelist+entry*book->dim; - for (j=0;jdim;j++){ + for (j=0;idim;j++){ a[chptr++][i]+=t[j]; if(chptr==ch){ chptr=0; @ 1.1 log @seamonkey: apply patch from firefox52 to fix CVE-2018-5146 remote code execution via ogg files. Note firefox52 nor this patches tremor, so the vulnerability still exists for ARM (which uses tremor rather than vorbis). Blind commit. I don't have the resources to build so many firefoxes. However it is based off firefox52. 
PKGREVISION++ @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-CVE-2018-5146 was added on branch pkgsrc-2017Q4 on 2018-03-21 20:49:56 +0000 @ text @d1 82 @ 1.1.2.2 log @Pullup ticket #5726 - requested by maya www/seamonkey-l10n: security patch www/seamonkey: security patch Revisions pulled up: - www/seamonkey-l10n/Makefile 1.42 - www/seamonkey-l10n/distinfo 1.40 - www/seamonkey/Makefile 1.170,1.172-1.173 - www/seamonkey/PLIST 1.60 - www/seamonkey/distinfo 1.148-1.150 - www/seamonkey/patches/patch-CVE-2018-5146 1.1 - www/seamonkey/patches/patch-CVE-2018-5147 1.1 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Mar 3 22:14:41 UTC 2018 Modified Files: pkgsrc/www/seamonkey: Makefile PLIST distinfo Log Message: Update to 2.49.2 Changelog: * Based on Firefox 52.6 and Thunderbird 52.6 To generate a diff of this commit: cvs rdiff -u -r1.169 -r1.170 pkgsrc/www/seamonkey/Makefile cvs rdiff -u -r1.59 -r1.60 pkgsrc/www/seamonkey/PLIST cvs rdiff -u -r1.147 -r1.148 pkgsrc/www/seamonkey/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Mar 3 22:15:36 UTC 2018 Modified Files: pkgsrc/www/seamonkey-l10n: Makefile distinfo Log Message: Update to 2.49.2 Sync with www/seamonkey-2.49.2 To generate a diff of this commit: cvs rdiff -u -r1.41 -r1.42 pkgsrc/www/seamonkey-l10n/Makefile cvs rdiff -u -r1.39 -r1.40 pkgsrc/www/seamonkey-l10n/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: maya Date: Fri Mar 16 23:25:56 UTC 2018 Modified Files: pkgsrc/www/seamonkey: Makefile distinfo Added Files: pkgsrc/www/seamonkey/patches: patch-CVE-2018-5146 Log Message: seamonkey: apply patch from firefox52 to fix CVE-2018-5146 remote code execution via ogg files. Note firefox52 nor this patches tremor, so the vulnerability still exists for ARM (which uses tremor rather than vorbis). Blind commit. 
I don't have the resources to build so many firefoxes. However it is based off firefox52. PKGREVISION++ To generate a diff of this commit: cvs rdiff -u -r1.171 -r1.172 pkgsrc/www/seamonkey/Makefile cvs rdiff -u -r1.148 -r1.149 pkgsrc/www/seamonkey/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/www/seamonkey/patches/patch-CVE-2018-5146 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: maya Date: Sat Mar 17 00:06:17 UTC 2018 Modified Files: pkgsrc/www/seamonkey: Makefile distinfo Added Files: pkgsrc/www/seamonkey/patches: patch-CVE-2018-5147 Log Message: seamonkey: also provide patch for tremor (i.e. relevant for ARM) vulnerability Also backported upstream after the release: https://hg.mozilla.org/releases/mozilla-esr52/rev/5cd5586a2f48 PKGREVISION++ To generate a diff of this commit: cvs rdiff -u -r1.172 -r1.173 pkgsrc/www/seamonkey/Makefile cvs rdiff -u -r1.149 -r1.150 pkgsrc/www/seamonkey/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/www/seamonkey/patches/patch-CVE-2018-5147 @ text @a0 82 $NetBSD$ CVE-2018-5146: Prevent out-of-bounds write in codebook decoding. Codebooks that are not an exact divisor of the partition size are now truncated to fit within the partition. 
--- mozilla/media/libvorbis/lib/vorbis_codebook.c.orig 2018-02-05 11:49:22.000000000 +0000 +++ mozilla/media/libvorbis/lib/vorbis_codebook.c @@@@ -387,7 +387,7 @@@@ long vorbis_book_decodevs_add(codebook * t[i] = book->valuelist+entry[i]*book->dim; } for(i=0,o=0;idim;i++,o+=step) - for (j=0;jdim>8){ - for(i=0;ivaluelist+entry*book->dim; - for (j=0;jdim;) - a[i++]+=t[j++]; - } - }else{ - for(i=0;ivaluelist+entry*book->dim; - j=0; - switch((int)book->dim){ - case 8: - a[i++]+=t[j++]; - case 7: - a[i++]+=t[j++]; - case 6: - a[i++]+=t[j++]; - case 5: - a[i++]+=t[j++]; - case 4: - a[i++]+=t[j++]; - case 3: - a[i++]+=t[j++]; - case 2: - a[i++]+=t[j++]; - case 1: - a[i++]+=t[j++]; - case 0: - break; - } - } + for(i=0;ivaluelist+entry*book->dim; + for(j=0;idim;) + a[i++]+=t[j++]; } } return(0); @@@@ -471,12 +442,13 @@@@ long vorbis_book_decodevv_add(codebook * long i,j,entry; int chptr=0; if(book->used_entries>0){ - for(i=offset/ch;i<(offset+n)/ch;){ + int m=(offset+n)/ch; + for(i=offset/ch;ivaluelist+entry*book->dim; - for (j=0;jdim;j++){ + for (j=0;idim;j++){ a[chptr++][i]+=t[j]; if(chptr==ch){ chptr=0; @
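Review bot: In the vorbis_book_decodevv_add hunk the new bound is declared `int m=(offset+n)/ch;` while the index it limits is declared `long i,j,entry;`, so the bound and the index have different widths. The parameter types are outside the hunk, but if `offset` is wider than `int` the quotient is narrowed on assignment; `long m=(offset+n)/ch;` would keep the bound in the same type as `i`. Because `m` is what keeps `a[chptr++][i]+=t[j];` inside the partition when the codebook dimension does not divide it evenly, it deserves a one-line comment such as `/* m: first per-channel index past the partition; a[][i] must not be written for i>=m */`. The loop conditions appear truncated in this copy of the patch (for example `for (j=0;idim;j++){`), so confirm against the original patch file that both the outer and the inner loop test `i` against `m`. The function's signature and closing braces lie outside the hunk, and the same hunk text also appears in the revision 1.2 copy earlier on the page.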