From e3c55dd0534d24c51ca4615991520a0173a73bf4 Mon Sep 17 00:00:00 2001
From: Christian Neukirchen
Date: Sat, 5 Mar 2016 16:58:51 +0100
Subject: [PATCH] graphviz: fix CVE-2014-9157, enable lefty, reduce package size by 45MB. Patches from Debian.
---
 srcpkgs/graphviz/patches/CVE-2014-9157.patch | 22 ++++++++++++++
 .../graphviz/patches/reduce_lab_color.patch | 30 +++++++++++++++++++
 srcpkgs/graphviz/template | 5 ++--
 3 files changed, 55 insertions(+), 2 deletions(-)
 create mode 100644 srcpkgs/graphviz/patches/CVE-2014-9157.patch
 create mode 100644 srcpkgs/graphviz/patches/reduce_lab_color.patch
diff --git a/srcpkgs/graphviz/patches/CVE-2014-9157.patch b/srcpkgs/graphviz/patches/CVE-2014-9157.patch
new file mode 100644
index 00000000000..d8549c39111
--- /dev/null
+++ b/srcpkgs/graphviz/patches/CVE-2014-9157.patch
@@ -0,0 +1,22 @@
+Subject: Fix format string vulnerability (CVE-2014-9157) in yyerror() routine
+Origin: https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081
+Bug-Debian: https://bugs.debian.org/772648
+Forwarded: no
+Author: Emden R. Gansner
+Last-Update: 2014-12-10
+
+---
+ lib/cgraph/scan.l | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- lib/cgraph/scan.l
++++ lib/cgraph/scan.l
+@@ -225,7 +225,7 @@ void yyerror(char *str)
+ agxbput (&xb, buf);
+ agxbput (&xb, yytext);
+ agxbput (&xb,"'\n");
+- agerr(AGERR,agxbuse(&xb));
++ agerr(AGERR, "%s", agxbuse(&xb));
+ agxbfree(&xb);
+ }
+ /* must be here to see flex's macro defns */
diff --git a/srcpkgs/graphviz/patches/reduce_lab_color.patch b/srcpkgs/graphviz/patches/reduce_lab_color.patch
new file mode 100644
index 00000000000..782229e0366
--- /dev/null
+++ b/srcpkgs/graphviz/patches/reduce_lab_color.patch
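Review bot: The corrected call in yyerror() carries no comment saying why the literal "%s" is there, even though the buffer it prints includes `yytext`, which comes from the file being parsed. I would add `/* xb contains input text (yytext): pass it as an argument, never as the format */` above the `agerr(AGERR, "%s", agxbuse(&xb));` line so the literal is not simplified away in a later cleanup. This hunk touches a single call; whether other agerr() callers hand a built string to the format parameter is not visible here, and compiling the package with `-Wformat -Wformat-security` would show them. yyerror()'s body starts above the hunk.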
@@ -0,0 +1,30 @@
+Description: Use a signed char instead of a double for lab_struct
+ The massive data structure was using a double for each struct member,
+ which makes the resulting object extremely large. By switching it to a
+ signed char we reduce the size from around 20 MiB to 2.5 MiB, so an order
+ of magnitude. The new data type should be fine as the number literals do
+ not exceed the type range.
+ .
+ In any case this gets embedded into at least three binaries, one of which
+ contais an extremely generic filename(!). Which is still rather ridiculous
+ as this should most possibly be computable at run-time, or stored in a
+ shared data file, or in a single shared library or plugin.
+Author: Guillem Jover
+Origin: vendor
+Bug-Debian:
+Forwarded: no
+Last-Update: 2014-07-18
+
+---
+
+--- lib/edgepaint/lab.h
++++ lib/edgepaint/lab.h
+@@ -21,7 +21,7 @@ struct xyz_struct {
+ typedef struct xyz_struct color_xyz;
+
+ struct lab_struct {
+- double l, a, b;/* l: 0 to 100, a,b: -128 tp 128 */
++ signed char l, a, b;/* l: 0 to 100, a,b: -128 tp 128 */
+ };
+ typedef struct lab_struct color_lab;
+
diff --git a/srcpkgs/graphviz/template b/srcpkgs/graphviz/template
index 034c03fd281..f9c8fb3c2dc 100644
--- a/srcpkgs/graphviz/template
+++ b/srcpkgs/graphviz/template
@@ -1,11 +1,12 @@
 # Template file for 'graphviz'
 pkgname=graphviz
 version=2.38.0
-revision=3
+revision=4
 replaces="graphviz-libs<2.38.0_3"
 build_style=gnu-configure
 hostmakedepends="automake libtool flex pkg-config libltdl-devel"
-makedepends="libpng-devel gd-devel gtk+-devel librsvg-devel libltdl-devel"
+makedepends="libpng-devel gd-devel gtk+-devel librsvg-devel libltdl-devel
+ libXaw-devel"
 short_desc="Graph Visualization Software"
 configure_args="--disable-rpath --enable-ltdl --disable-ltdl-install --disable-swig --disable-sharp --disable-guile --disable-io --disable-java
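Review bot: The comment kept on the changed line in struct lab_struct still gives a and b a range reaching 128, but a `signed char` tops out at 127, so an entry of 128 would no longer be stored as written. The patch description says the table literals stay within range, yet the table itself is not part of this hunk, so the claim cannot be checked here; a build with `-Woverflow` enabled would confirm it. color_lab is also a shared typedef, and any code that stores a computed, fractional L*a*b* value in it (not visible in this hunk) would now be truncated silently. I would at least make the line read `signed char l, a, b; /* l: 0 to 100; a,b: -128 to 127, integer table values only */`.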