graphviz: fix CVE-2014-9157, enable lefty, reduce package size by 45MB.

Patches from Debian.
Christian Neukirchen 2016-03-05 16:58:51 +01:00
parent 8218ccc90b
commit e3c55dd053
3 changed files with 55 additions and 2 deletions


@ -0,0 +1,22 @@
Subject: Fix format string vulnerability (CVE-2014-9157) in yyerror() routine
Origin: https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081
Bug-Debian: https://bugs.debian.org/772648
Forwarded: no
Author: Emden R. Gansner
Last-Update: 2014-12-10
---
lib/cgraph/scan.l | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- lib/cgraph/scan.l
+++ lib/cgraph/scan.l
@@ -225,7 +225,7 @@ void yyerror(char *str)
agxbput (&xb, buf);
agxbput (&xb, yytext);
agxbput (&xb,"'\n");
- agerr(AGERR,agxbuse(&xb));
+ agerr(AGERR, "%s", agxbuse(&xb));
agxbfree(&xb);
}
/* must be here to see flex's macro defns */
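Review bot: The DEP-3 header of this new patch file says `Forwarded: no` while its `Origin:` line points at the upstream graphviz commit carrying the same one-line change, so the next packager cannot tell from the header that the patch is a backport meant to be dropped at the next release; `Forwarded: not-needed` is the DEP-3 value that says this. The change itself is the right one: `yytext` is text taken from the DOT input being parsed, and handing `agxbuse(&xb)` to agerr as the format argument let `%`-sequences in a graph file reach whatever printf-style formatter agerr uses, which the literal `"%s"` now prevents. Two caveats belong in the review record: yyerror begins above this hunk, so what is placed in `buf` before the three agxbput calls is not visible here, and only this one call site is repaired — if agerr's declaration carries no `__attribute__((format(printf, 2, 3)))`, `-Wformat` will not flag any other non-literal caller, so that is worth checking in cgraph.h when the package moves to a release that has the fix upstream.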


@ -0,0 +1,30 @@
Description: Use a signed char instead of a double for lab_struct
The massive data structure was using a double for each struct member,
which makes the resulting object extremely large. By switching it to a
signed char we reduce the size from around 20 MiB to 2.5 MiB, so an order
of magnitude. The new data type should be fine as the number literals do
not exceed the type range.
.
In any case this gets embedded into at least three binaries, one of which
contais an extremely generic filename(!). Which is still rather ridiculous
as this should most possibly be computable at run-time, or stored in a
shared data file, or in a single shared library or plugin.
Author: Guillem Jover <guillem@debian.org>
Origin: vendor
Bug-Debian:
Forwarded: no
Last-Update: 2014-07-18
---
--- lib/edgepaint/lab.h
+++ lib/edgepaint/lab.h
@@ -21,7 +21,7 @@ struct xyz_struct {
typedef struct xyz_struct color_xyz;
struct lab_struct {
- double l, a, b;/* l: 0 to 100, a,b: -128 tp 128 */
+ signed char l, a, b;/* l: 0 to 100, a,b: -128 tp 128 */
};
typedef struct lab_struct color_lab;
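Review bot: The comment kept on the changed line still documents `a` and `b` as spanning `-128 tp 128`, but `signed char` stops at SCHAR_MAX (127), so a table entry equal to 128 would be converted to -128 rather than rejected, and any fractional literal would be truncated to an integer; the patch description's claim that "the number literals do not exceed the type range" therefore has to hold at that exact boundary. The gamut table that initialises these structs is not in this hunk, so I cannot confirm either way from here; before shipping it is worth checking that the build emits no `overflow in implicit constant conversion` warning (GCC's default `-Woverflow`) for the edgepaint objects and, if fractional entries exist, either compiling that unit with `-Wfloat-conversion` or choosing `short` instead, which still shrinks each field fourfold relative to `double`. Once the range is verified, the comment on the new line would be clearer as `/* l: 0 to 100, a,b: -128 to 127 */`, a one-word change that lives inside this patch rather than in upstream source.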


@ -1,11 +1,12 @@
# Template file for 'graphviz'
pkgname=graphviz
version=2.38.0
revision=3
revision=4
replaces="graphviz-libs<2.38.0_3"
build_style=gnu-configure
hostmakedepends="automake libtool flex pkg-config libltdl-devel"
makedepends="libpng-devel gd-devel gtk+-devel librsvg-devel libltdl-devel"
makedepends="libpng-devel gd-devel gtk+-devel librsvg-devel libltdl-devel
libXaw-devel"
short_desc="Graph Visualization Software"
configure_args="--disable-rpath --enable-ltdl --disable-ltdl-install
--disable-swig --disable-sharp --disable-guile --disable-io --disable-java