Date: Sat, 13 Oct 2007 18:10:34 +0200
From: Stefan Sperling
To: ports@freebsd.org
Subject: quick fix for graphics/libpng
Message-ID: <20071013161034.GA21850@jack.stsp.lan>

I just ran into not being able to install anything that depends on libpng because of the recently discovered security vulnerabilities:

http://www.freebsd.org/ports/portaudit/172acf78-780c-11dc-b3f4-0016179b2dd5.html

I scooped up a quick patch to upgrade the port to libpng-1.2.22rc1, which apparently fixes the vulnerabilities:

http://www.securityfocus.com/bid/25957/solution

I won't submit this to the PR database because I guess the maintainer is already aware of the issue and working on a proper fix. I'm just posting this here in case it comes in handy for someone.

It compiles for me, so far nothing broke. YMMV.

Index: Makefile =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/ncvs/ports/graphics/png/Makefile,v retrieving revision 1.80 diff -u -r1.80 Makefile --- Makefile 21 May 2007 11:21:09 -0000 1.80 +++ Makefile 13 Oct 2007 15:26:54 -0000 
@@ -6,11 +6,12 @@ # =20 PORTNAME=3D png -PORTVERSION=3D 1.2.18 +PORTVERSION=3D 1.2.22 +PORTREVISION=3D 1 CATEGORIES=3D graphics MASTER_SITES=3D ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR=3D lib${PORTNAME} -DISTNAME=3D lib${PORTNAME}-${PORTVERSION} +DISTNAME=3D lib${PORTNAME}-${PORTVERSION}rc1 =20 PATCH_SITES=3D ${MASTER_SITES} #PATCH_SITE_SUBDIR=3D ${MASTER_SITE_SUBDIR} Index: distinfo =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/ncvs/ports/graphics/png/distinfo,v retrieving revision 1.34 diff -u -r1.34 distinfo --- distinfo 21 May 2007 11:21:09 -0000 1.34 +++ distinfo 13 Oct 2007 15:29:51 -0000 @@ -1,3 +1,3 @@ -MD5 (libpng-1.2.18.tar.bz2) =3D 25a7f2f101eaaf2eb18c4987e0fbe39d -SHA256 (libpng-1.2.18.tar.bz2) =3D 6fce62f9e67e951c38672bf520c062a2be742e8= 93d240d150748a00c32f20c62 -SIZE (libpng-1.2.18.tar.bz2) =3D 623690 +MD5 (libpng-1.2.22rc1.tar.bz2) =3D 0b597c7f91eac87f3c300a8623f32208 +SHA256 (libpng-1.2.22rc1.tar.bz2) =3D 2f9c534ee6e2f49b5d69ce373e4a17cf6433= 50ea63afcd94c6510d4625b830cc +SIZE (libpng-1.2.22rc1.tar.bz2) =3D 615355 Index: files/patch-aa =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/ncvs/ports/graphics/png/files/patch-aa,v retrieving revision 1.29 diff -u -r1.29 patch-aa --- files/patch-aa 21 May 2007 11:21:09 -0000 1.29 +++ files/patch-aa 13 Oct 2007 15:52:15 -0000 @@ -1,5 +1,5 @@ ---- scripts/makefile.freebsd.orig Sat Feb 25 15:37:11 2006 -+++ scripts/makefile.freebsd Thu Jul 27 22:03:50 2006 +--- scripts/makefile.freebsd.orig Thu Jun 21 00:10:26 2007 ++++ scripts/makefile.freebsd Sat Oct 13 17:52:12 2007 @@ -8,27 +8,26 @@ LIB=3D png SHLIB_MAJOR=3D ${SHLIB_VER} 
@@ -9,8 +9,7 @@ +NO_OBJ=3D YES +.else NOPROFILE=3D YES --NOOBJ=3D YES -+NOOBJ=3D YES + NOOBJ=3D YES +.endif =20 # where make install puts libpng.a and png.h @@ -29,14 +28,14 @@ LDADD+=3D -lm -lz DPADD+=3D ${LIBM} ${LIBZ} =20 --CFLAGS+=3D -I. -DPNG_USE_PNGGCCRD +-CFLAGS+=3D -I. -.if (${MACHINE_ARCH} !=3D "i386") -CFLAGS+=3D -DPNG_NO_MMX_CODE -.endif - SRCS=3D png.c pngset.c pngget.c pngrutil.c pngtrans.c pngwutil.c \ pngread.c pngrio.c pngwio.c pngwrite.c pngrtran.c \ - pngwtran.c pngmem.c pngerror.c pngpread.c pnggccrd.c + pngwtran.c pngmem.c pngerror.c pngpread.c @@ -44,5 +43,23 @@ DOCS =3D ANNOUNCE CHANGES INSTALL KNOWNBUG LICENSE README TODO Y2KINFO writelock: Index: files/patch-ab =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/ncvs/ports/graphics/png/files/patch-ab,v retrieving revision 1.7 diff -u -r1.7 patch-ab --- files/patch-ab 21 May 2007 11:21:09 -0000 1.7 +++ files/patch-ab 13 Oct 2007 15:42:48 -0000 @@ -1,5 +1,5 @@ ---- scripts/libpng.pc.in.orig Wed Jun 28 00:22:40 2006 -+++ scripts/libpng.pc.in Sun Jul 23 10:56:25 2006 +--- scripts/libpng.pc.in.orig Mon Oct 8 17:47:40 2007 ++++ scripts/libpng.pc.in Sat Oct 13 17:42:36 2007 @@ -1,10 +1,10 @@ -prefix=3D@prefix@ -exec_prefix=3D@exec_prefix@ 
@@ -12,7 +12,7 @@ =20 Name: libpng Description: Loads and saves PNG files - Version: 1.2.18 + Version: 1.2.22rc1 -Libs: -L${libdir} -lpng12 +Libs: -L${libdir} -lpng -lz -lm Cflags: -I${includedir} Index: files/patch-ad =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/ncvs/ports/graphics/png/files/patch-ad,v retrieving revision 1.2 diff -u -r1.2 patch-ad --- files/patch-ad 21 May 2007 11:21:09 -0000 1.2 +++ files/patch-ad 13 Oct 2007 15:45:33 -0000 @@ -1,9 +1,9 @@ ---- pngconf.h.orig Wed May 16 03:52:22 2007 -+++ pngconf.h Mon May 21 13:25:03 2007 -@@ -729,7 +729,7 @@ - * PNG_NO_MMX_CODE disables the use of MMX code without changing the API. - * When MMX code is off, then optimized C replacement functions are used. - */ +--- pngconf.h.orig Mon Oct 8 17:47:31 2007 ++++ pngconf.h Sat Oct 13 17:44:34 2007 +@@ -740,7 +740,7 @@ + # endif + #endif +=20 -#if defined(PNG_READ_SUPPORTED) && !defined(PNG_NO_ASSEMBLER_CODE) +#if defined(PNG_READ_SUPPORTED) && !defined(PNG_NO_ASSEMBLER_CODE) && def= ined(__i386__) # ifndef PNG_ASSEMBLER_CODE_SUPPORTED Index: files/patch-ae =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: files/patch-ae diff -N files/patch-ae --- files/patch-ae 21 May 2007 11:21:09 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,18 +0,0 @@ ---- pnggccrd.c.bak Wed May 16 03:52:23 2007 -+++ pnggccrd.c Mon May 21 13:04:54 2007 -@@ -359,6 +359,7 @@ - _pctemp =3D _pctemp; - _MMXLength =3D _MMXLength; - #endif -+#if 0 - _const4 =3D _const4; - _const6 =3D _const6; - _mask8_0 =3D _mask8_0; -@@ -377,6 +378,7 @@ - _mask48_2 =3D _mask48_2; - _mask48_1 =3D _mask48_1; - _mask48_0 =3D _mask48_0; -+#endif - } - #endif /* PNG_MMX_CODE_SUPPORTED */ -=20
--
stefan
http://stsp.name
PGP Key: 0xF59D25F0
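
Review bot: In the Makefile hunk, PORTVERSION is set to 1.2.22 while DISTNAME fetches lib${PORTNAME}-${PORTVERSION}rc1, so the installed package will report version 1.2.22 although it is built from the release candidate. Version-based checks such as portaudit will treat that package as the fixed release, and the port will need a further PORTREVISION bump to move to the final 1.2.22 tarball. Either carry the rc in the package version or document the mismatch in a comment next to DISTNAME. Adding PORTREVISION= 1 in the same change that raises PORTVERSION is also unusual and should be explained or dropped.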
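
Review bot: In the distinfo hunk, the new MD5, SHA256 and SIZE values for libpng-1.2.22rc1.tar.bz2 are supplied only by this mail, and the SHA256 line is split in two by the mail encoding. Anyone applying the patch should fetch the tarball from the master site, regenerate distinfo with make makesum, and compare the result with these values instead of pasting them in as received.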
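
Review bot: In the files/patch-ad hunk the new guard adds && defined(__i386__), while the files/patch-aa hunk no longer mentions -DPNG_USE_PNGGCCRD or pnggccrd.c and files/patch-ae is deleted, so i386 and non-i386 builds now take different paths and each needs a test build. The message says only that it compiles for the author. Please state which architecture was tested and confirm that the other case also builds and links.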