[70031] trunk/dports/print/ghostscript
takanori at macports.org
takanori at macports.org
Tue Jul 27 06:15:21 PDT 2010
Revision: 70031
http://trac.macports.org/changeset/70031
Author: takanori at macports.org
Date: 2010-07-27 06:15:19 -0700 (Tue, 27 Jul 2010)
Log Message:
-----------
ghostscript: security patches for CVE-2010-2055
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2055
- http://bugs.ghostscript.com/show_bug.cgi?id=691350
Modified Paths:
--------------
trunk/dports/print/ghostscript/Portfile
Added Paths:
-----------
trunk/dports/print/ghostscript/files/patch-Makefile.in.diff
trunk/dports/print/ghostscript/files/patch-doc_Use.htm.diff
trunk/dports/print/ghostscript/files/patch-psi_zfile.c.diff
Modified: trunk/dports/print/ghostscript/Portfile
===================================================================
--- trunk/dports/print/ghostscript/Portfile 2010-07-27 13:11:43 UTC (rev 70030)
+++ trunk/dports/print/ghostscript/Portfile 2010-07-27 13:15:19 UTC (rev 70031)
@@ -4,7 +4,7 @@
name ghostscript
version 8.71
-revision 3
+revision 4
categories print
maintainers takanori openmaintainer
description GPL Ghostscript, An interpreter for PostScript and PDF
@@ -23,7 +23,10 @@
mappingresources4pdf_other-20091208.tar.Z:misc
patchfiles patch-base_unix-dll.mak.diff \
patch-base_stdpre.h.diff \
- libpng14-compat.diff
+ libpng14-compat.diff \
+ patch-psi_zfile.c.diff \
+ patch-Makefile.in.diff \
+ patch-doc_Use.htm.diff
checksums ${distname}.tar.gz rmd160 efce74cf22cf99b2b1a145df466e79a86e3dfefb \
ghostscript-fonts-other-6.0.tar.gz rmd160 ab60dbf71e7d91283a106c3df381cadfe173082f \
mappingresources4pdf_2unicode-20091208.tar.Z rmd160 bc1b86e6a5f0e022f88070195eb3e01e167114a7 \
Added: trunk/dports/print/ghostscript/files/patch-Makefile.in.diff
===================================================================
--- trunk/dports/print/ghostscript/files/patch-Makefile.in.diff (rev 0)
+++ trunk/dports/print/ghostscript/files/patch-Makefile.in.diff 2010-07-27 13:15:19 UTC (rev 70031)
@@ -0,0 +1,17 @@
+--- Makefile.in.orig 2009-12-18 16:04:10.000000000 +0900
++++ Makefile.in 2010-07-27 21:50:52.000000000 +0900
+@@ -96,12 +96,9 @@
+
+ # Define whether or not searching for initialization files should always
+ # look in the current directory first. This leads to well-known security
+-# and confusion problems, but users insist on it.
+-# NOTE: this also affects searching for files named on the command line:
+-# see the "File searching" section of Use.htm for full details.
+-# Because of this, setting SEARCH_HERE_FIRST to 0 is not recommended.
++# and confusion problems, but may be convenient sometimes.
+
+-SEARCH_HERE_FIRST=1
++SEARCH_HERE_FIRST=0
+
+ # Define the name of the interpreter initialization file.
+ # (There is no reason to change this.)
Added: trunk/dports/print/ghostscript/files/patch-doc_Use.htm.diff
===================================================================
--- trunk/dports/print/ghostscript/files/patch-doc_Use.htm.diff (rev 0)
+++ trunk/dports/print/ghostscript/files/patch-doc_Use.htm.diff 2010-07-27 13:15:19 UTC (rev 70031)
@@ -0,0 +1,48 @@
+--- doc/Use.htm.orig 2010-02-11 03:17:48.000000000 +0900
++++ doc/Use.htm 2010-07-27 21:55:47.000000000 +0900
+@@ -823,8 +823,8 @@
+ using the name given. Otherwise it tries directories in this order:
+
+ <ol>
+-<li>The current directory (unless disabled by the
+-<a href="#P-_switch"><code>-P-</code> switch</a>);
++<li>The current directory if enabled by the
++<a href="#P-_switch"><code>-P</code> switch</a>;
+
+ <li>The directories specified by <a href="#I_switch"><code>-I</code>
+ switches</a> in the command line, if any;
+@@ -847,13 +847,10 @@
+ directory or a list of directories separated by a character appropriate for
+ the operating system ("<code>:</code>" on Unix systems,
+ "<code>,</code>" on VMS systems, and
+-"<code>;</code>" on MS Windows systems). We think that trying
+-the current directory first is a very bad idea -- it opens serious security
+-loopholes and can lead to very confusing errors if one has more than one
+-version of Ghostscript in one's environment -- but when we attempted to
+-change it, users insisted that we change it back. You can disable looking
+-in the current directory first by using the
+-<a href="#P_switch"><code>-P-</code> switch</a>.
++"<code>;</code>" on MS Windows systems).
++By default, Ghostscript no longer searches the current directory first
++but provides <a href="#P_switch"><code>-P</code> switch</a> for a degree
++of backward compatibility.
+
+ <p>
+ Note that Ghostscript does not use this file searching algorithm for the
+@@ -2061,14 +2058,14 @@
+ <dl>
+ <dt><a name="P_switch"></a><code>-P</code>
+ <dd>Makes Ghostscript look first in the current directory for library
+-files. This is currently the default.
++files.
+ </dl>
+
+ <dl>
+ <dt><a name="P-_switch"></a><code>-P-</code>
+ <dd>Makes Ghostscript <b><em>not</em></b> look first in the current
+ directory for library files (unless, of course, the first explicitly
+-supplied directory is "<code>.</code>").
++supplied directory is "<code>.</code>"). This is now the default.
+ </dl>
+
+ <h4><a name="Parameters"></a>Setting parameters</h4>
Added: trunk/dports/print/ghostscript/files/patch-psi_zfile.c.diff
===================================================================
--- trunk/dports/print/ghostscript/files/patch-psi_zfile.c.diff (rev 0)
+++ trunk/dports/print/ghostscript/files/patch-psi_zfile.c.diff 2010-07-27 13:15:19 UTC (rev 70031)
@@ -0,0 +1,208 @@
+--- psi/zfile.c.orig 2009-10-04 21:42:07.000000000 +0900
++++ psi/zfile.c 2010-07-27 21:14:55.000000000 +0900
+@@ -902,6 +902,90 @@
+ return 0;
+ }
+
++/* return zero for success, -ve for error, +1 for continue */
++static int
++lib_file_open_search_with_no_combine(gs_file_path_ptr lib_path, const gs_memory_t *mem, i_ctx_t *i_ctx_p,
++ const char *fname, uint flen, char *buffer, int blen, uint *pclen, ref *pfile,
++ gx_io_device *iodev, bool starting_arg_file, char *fmode)
++{
++ stream *s;
++ uint blen1 = blen;
++ if (gp_file_name_reduce(fname, flen, buffer, &blen1) != gp_combine_success)
++ goto skip;
++ if (iodev_os_open_file(iodev, (const char *)buffer, blen1,
++ (const char *)fmode, &s, (gs_memory_t *)mem) == 0) {
++ if (starting_arg_file ||
++ check_file_permissions_aux(i_ctx_p, buffer, blen1) >= 0) {
++ *pclen = blen1;
++ make_stream_file(pfile, s, "r");
++ return 0;
++ }
++ sclose(s);
++ return_error(e_invalidfileaccess);
++ }
++ skip:;
++ return 1;
++}
++
++/* return zero for success, -ve for error, +1 for continue */
++static int
++lib_file_open_search_with_combine(gs_file_path_ptr lib_path, const gs_memory_t *mem, i_ctx_t *i_ctx_p,
++ const char *fname, uint flen, char *buffer, int blen, uint *pclen, ref *pfile,
++ gx_io_device *iodev, bool starting_arg_file, char *fmode)
++{
++ stream *s;
++ const gs_file_path *pfpath = lib_path;
++ uint pi;
++
++ for (pi = 0; pi < r_size(&pfpath->list); ++pi) {
++ const ref *prdir = pfpath->list.value.refs + pi;
++ const char *pstr = (const char *)prdir->value.const_bytes;
++ uint plen = r_size(prdir), blen1 = blen;
++ gs_parsed_file_name_t pname;
++ gp_file_name_combine_result r;
++
++ /* We need to concatenate and parse the file name here
++ * if this path has a %device% prefix. */
++ if (pstr[0] == '%') {
++ int code;
++
++ /* We concatenate directly since gp_file_name_combine_*
++ * rules are not correct for other devices such as %rom% */
++ code = gs_parse_file_name(&pname, pstr, plen);
++ if (code < 0)
++ continue;
++ memcpy(buffer, pname.fname, pname.len);
++ memcpy(buffer+pname.len, fname, flen);
++ code = pname.iodev->procs.open_file(pname.iodev, buffer, pname.len + flen, fmode,
++ &s, (gs_memory_t *)mem);
++ if (code < 0)
++ continue;
++ make_stream_file(pfile, s, "r");
++ /* fill in the buffer with the device concatenated */
++ memcpy(buffer, pstr, plen);
++ memcpy(buffer+plen, fname, flen);
++ *pclen = plen + flen;
++ return 0;
++ } else {
++ r = gp_file_name_combine(pstr, plen,
++ fname, flen, false, buffer, &blen1);
++ if (r != gp_combine_success)
++ continue;
++ if (iodev_os_open_file(iodev, (const char *)buffer, blen1, (const char *)fmode,
++ &s, (gs_memory_t *)mem) == 0) {
++ if (starting_arg_file ||
++ check_file_permissions_aux(i_ctx_p, buffer, blen1) >= 0) {
++ *pclen = blen1;
++ make_stream_file(pfile, s, "r");
++ return 0;
++ }
++ sclose(s);
++ return_error(e_invalidfileaccess);
++ }
++ }
++ }
++ return 1;
++}
+
+ /* Return a file object of of the file searched for using the search paths. */
+ /* The fname cannot contain a device part (%...%) but the lib paths might. */
+@@ -919,6 +1003,8 @@
+ char fmode[4] = { 'r', 0, 0, 0 }; /* room for binary suffix */
+ stream *s;
+ gx_io_device *iodev = iodev_default;
++ gs_main_instance *minst = get_minst_from_memory(mem);
++ int code;
+
+ /* when starting arg files (@ files) iodev_default is not yet set */
+ if (iodev == 0)
+@@ -932,75 +1018,36 @@
+ search_with_no_combine = starting_arg_file;
+ search_with_combine = true;
+ }
+- if (search_with_no_combine) {
+- uint blen1 = blen;
+-
+- if (gp_file_name_reduce(fname, flen, buffer, &blen1) != gp_combine_success)
+- goto skip;
+- if (iodev_os_open_file(iodev, (const char *)buffer, blen1,
+- (const char *)fmode, &s, (gs_memory_t *)mem) == 0) {
+- if (starting_arg_file ||
+- check_file_permissions_aux(i_ctx_p, buffer, blen1) >= 0) {
+- *pclen = blen1;
+- make_stream_file(pfile, s, "r");
+- return 0;
+- }
+- sclose(s);
+- return_error(e_invalidfileaccess);
+- }
+- skip:;
+- }
+- if (search_with_combine) {
+- const gs_file_path *pfpath = lib_path;
+- uint pi;
+-
+- for (pi = 0; pi < r_size(&pfpath->list); ++pi) {
+- const ref *prdir = pfpath->list.value.refs + pi;
+- const char *pstr = (const char *)prdir->value.const_bytes;
+- uint plen = r_size(prdir), blen1 = blen;
+- gs_parsed_file_name_t pname;
+- gp_file_name_combine_result r;
+-
+- /* We need to concatenate and parse the file name here
+- * if this path has a %device% prefix. */
+- if (pstr[0] == '%') {
+- int code;
+-
+- /* We concatenate directly since gp_file_name_combine_*
+- * rules are not correct for other devices such as %rom% */
+- code = gs_parse_file_name(&pname, pstr, plen);
+- if (code < 0)
+- continue;
+- memcpy(buffer, pname.fname, pname.len);
+- memcpy(buffer+pname.len, fname, flen);
+- code = pname.iodev->procs.open_file(pname.iodev, buffer, pname.len + flen, fmode,
+- &s, (gs_memory_t *)mem);
+- if (code < 0)
+- continue;
+- make_stream_file(pfile, s, "r");
+- /* fill in the buffer with the device concatenated */
+- memcpy(buffer, pstr, plen);
+- memcpy(buffer+plen, fname, flen);
+- *pclen = plen + flen;
+- return 0;
+- } else {
+- r = gp_file_name_combine(pstr, plen,
+- fname, flen, false, buffer, &blen1);
+- if (r != gp_combine_success)
+- continue;
+- if (iodev_os_open_file(iodev, (const char *)buffer, blen1, (const char *)fmode,
+- &s, (gs_memory_t *)mem) == 0) {
+- if (starting_arg_file ||
+- check_file_permissions_aux(i_ctx_p, buffer, blen1) >= 0) {
+- *pclen = blen1;
+- make_stream_file(pfile, s, "r");
+- return 0;
+- }
+- sclose(s);
+- return_error(e_invalidfileaccess);
+- }
+- }
+- }
++ if (minst->search_here_first) {
++ if (search_with_no_combine) {
++ code = lib_file_open_search_with_no_combine(lib_path, mem, i_ctx_p,
++ fname, flen, buffer, blen, pclen, pfile,
++ iodev, starting_arg_file, fmode);
++ if (code <= 0) /* +ve means continue continue */
++ return code;
++ }
++ if (search_with_combine) {
++ code = lib_file_open_search_with_combine(lib_path, mem, i_ctx_p,
++ fname, flen, buffer, blen, pclen, pfile,
++ iodev, starting_arg_file, fmode);
++ if (code <= 0) /* +ve means continue searching */
++ return code;
++ }
++ } else {
++ if (search_with_combine) {
++ code = lib_file_open_search_with_combine(lib_path, mem, i_ctx_p,
++ fname, flen, buffer, blen, pclen, pfile,
++ iodev, starting_arg_file, fmode);
++ if (code <= 0) /* +ve means continue searching */
++ return code;
++ }
++ if (search_with_no_combine) {
++ code = lib_file_open_search_with_no_combine(lib_path, mem, i_ctx_p,
++ fname, flen, buffer, blen, pclen, pfile,
++ iodev, starting_arg_file, fmode);
++ if (code <= 0) /* +ve means continue searching */
++ return code;
++ }
+ }
+ return_error(e_undefinedfilename);
+ }
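Review bot: In lib_file_open_search_with_combine, the `%device%` branch copies `pname.fname` and then `fname` into `buffer` with `memcpy` without ever comparing the combined length with `blen`, so a long library-path entry plus file name can write past the caller's buffer; the second pair of copies (`pstr` then `fname`) has the same gap. The code is moved unchanged from the removed lines, but since this patch relocates it, a guard before the first copy would close it: `if (flen > (uint)blen || pname.len > (uint)blen - flen || plen > (uint)blen - flen) continue;`. The same branch also returns the stream without the `check_file_permissions_aux` call that the non-device branch makes; if that is intentional for devices such as %rom%, a comment saying so would help. Separately, when `minst->search_here_first` is off, the else branch still calls lib_file_open_search_with_no_combine after the library path, so the change reorders the lookup rather than removing it; how `search_with_no_combine` is set lies mostly outside the hunk, so the remaining exposure should be confirmed there.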