[OpenEXR] - CVE-2009-1720 OpenEXR: Multiple integer overflows (#513995) - CVE-2009-1721 OpenEXR: Invalid point

Rex Dieter rdieter at fedoraproject.org
Wed Aug 11 04:03:25 UTC 2010


commit d84052e6dcec584028408faf722e2df82cc50231
Author: Rex Dieter <rdieter at fedoraproject.org>
Date:   Tue Aug 10 23:08:02 2010 -0500

    - CVE-2009-1720 OpenEXR: Multiple integer overflows (#513995)
    - CVE-2009-1721 OpenEXR: Invalid pointer free by image decompression (#514003)

 .gitignore                          |    4 +-
 OpenEXR.spec                        |   49 +++++++++++++----------------------
 openexr-1.6.1-CVE-2009-1720-1.patch |   22 ---------------
 openexr-1.6.1-CVE-2009-1720-2.patch |   39 ---------------------------
 openexr-1.6.1-CVE-2009-1721.patch   |   12 --------
 openexr-1.6.1-gcc43.patch           |   23 ----------------
 openexr-1.7.0-cstring.patch         |   11 ++++++++
 sources                             |    4 +-
 8 files changed, 33 insertions(+), 131 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 5692496..6e23733 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-openexr-1.6.1.tar.gz
-openexr-1.6.1.tar.gz.sig
+openexr-1.7.0.tar.gz
+openexr-1.7.0.tar.gz.sig
diff --git a/OpenEXR.spec b/OpenEXR.spec
index e61b937..0d29342 100644
--- a/OpenEXR.spec
+++ b/OpenEXR.spec
@@ -1,12 +1,8 @@
 
-%if 0%{?fedora} > 7 || 0%{?rhel} > 5
-# make -libs subpkg
-%define libs 1
-%endif
 
 Name:	 OpenEXR
-Version: 1.6.1
-Release: 8%{?dist}
+Version: 1.7.0
+Release: 1%{?dist}
 Summary: A high dynamic-range (HDR) image file format
 
 Group:	 System Environment/Libraries
@@ -19,25 +15,19 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Obsoletes: openexr < %{version}-%{release}
 Provides:  openexr = %{version}-%{release}
 
-Patch1: OpenEXR-1.6.1-pkgconfig.patch
-Patch2: openexr-1.6.1-gcc43.patch
+## upstreamable patches
+Patch50: OpenEXR-1.6.1-pkgconfig.patch
+# missing #include <cstring>
+Patch51: openexr-1.7.0-cstring.patch
 
 ## upstream patches
-Patch100: openexr-1.6.1-CVE-2009-1720-1.patch 
-Patch101: openexr-1.6.1-CVE-2009-1720-2.patch
-Patch102: openexr-1.6.1-CVE-2009-1721.patch
 
 BuildRequires:  automake libtool
-BuildRequires:  ilmbase-devel
+BuildRequires:  ilmbase-devel 
 BuildRequires:  zlib-devel
 BuildRequires:  pkgconfig
 
-%if 0%{?libs}
-Requires: %{name}-libs = %{version}-%{release}
-%else
-Obsoletes: %{name}-libs < %{version}-%{release}
-Provides:  %{name}-libs = %{version}-%{release}
-%endif
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 
 %description
 OpenEXR is a high dynamic-range (HDR) image file format developed by Industrial
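Review bot: Nothing under `## upstream patches` records where the fixes for CVE-2009-1720 and CVE-2009-1721 went once Patch100, Patch101 and Patch102 are dropped. Presumably the 1.7.0 tarball carries them, but that should be checked against the three removed patch files before relying on it. I would leave a comment under that heading, e.g. `# CVE-2009-1720 (#513995) and CVE-2009-1721 (#514003): fixed upstream in 1.7.0, patches dropped`, so a later rebase or audit can see the fixes were verified rather than lost.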
@@ -65,25 +55,23 @@ Group:   System Environment/Libraries
 %prep
 %setup -q -n openexr-%{version}
 
-%patch1 -p1 -b .pkgconfig
-%patch2 -p1 -b .gcc43
-
-%patch100 -p1 -b .CVE-2009-1720-1
-%patch101 -p1 -b .CVE-2009-1720-2
-%patch102 -p1 -b .CVE-2009-1721
+%patch50 -p1 -b .pkgconfig
+%patch51 -p1 -b .cstring
 
+%if 0
 # work to remove rpaths, recheck on new releases
 aclocal -Im4
 libtoolize --force
 rm -f configure
 autoconf
+%endif
 
 
 %build
 %configure --disable-static
 
 # hack to omit unused-direct-shlib-dependencies
-sed -i -e 's! -shared ! -Wl,--as-needed\0!g' libtool
+#sed -i -e 's! -shared ! -Wl,--as-needed\0!g' libtool
 
 make %{?_smp_mflags}
 
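Review bot: The `%if 0` guard turns off the autotools regeneration whose own comment says it exists to remove rpaths, and the hunk gives no reason for disabling it. If the configure script shipped in 1.7.0 still emits rpaths, the installed binaries would carry a library search path fixed at build time, which is worth ruling out for a package that parses image files from arbitrary sources. Either state the reason next to the guard, e.g. `# not needed as of 1.7.0: shipped configure adds no rpath (checked with chrpath -l)`, or delete the dead lines. The commented-out `--as-needed` sed a few lines below has the same problem.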
@@ -104,27 +92,26 @@ rm -rf rpmdocs/examples/.deps
 
 
 %check
-# Not enabled, by default, takes a *very* long time. -- Rex
-%{?_with_check:make check}
+export PKG_CONFIG_PATH=%{buildroot}%{_datadir}/pkgconfig:%{buildroot}%{_libdir}/pkgconfig
+test "$(pkg-config --modversion OpenEXR)" = "%{version}"
+#make check
 
 
 %clean
 rm -rf $RPM_BUILD_ROOT
 
 
-%post %{?libs:libs} -p /sbin/ldconfig
+%post libs -p /sbin/ldconfig
 
-%postun %{?libs:libs}  -p /sbin/ldconfig
+%postun libs  -p /sbin/ldconfig
 
 
 %files
 %defattr(-,root,root,-)
 %{_bindir}/*
 
-%if 0%{?libs}
 %files libs
 %defattr(-,root,root,-)
-%endif
 %doc AUTHORS ChangeLog LICENSE NEWS README
 %{_libdir}/libIlmImf.so.6*
 
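Review bot: `%check` no longer runs the upstream test suite under any condition: the opt-in `%{?_with_check:make check}` is replaced by a commented-out `#make check`, and the only remaining check compares the pkg-config version string. For an update meant to close integer overflows and an invalid free in image decompression, the version test shows the intended tarball was built but not that the library decodes correctly. Keep the opt-in line after the version test, `%{?_with_check:make check}`, so `rpmbuild --with check` still exercises the suite.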
diff --git a/openexr-1.7.0-cstring.patch b/openexr-1.7.0-cstring.patch
new file mode 100644
index 0000000..f861321
--- /dev/null
+++ b/openexr-1.7.0-cstring.patch
@@ -0,0 +1,11 @@
+diff -up openexr-1.7.0/exrenvmap/blurImage.cpp.cstring openexr-1.7.0/exrenvmap/blurImage.cpp
+--- openexr-1.7.0/exrenvmap/blurImage.cpp.cstring	2009-02-25 17:39:27.000000000 -0600
++++ openexr-1.7.0/exrenvmap/blurImage.cpp	2010-07-28 10:22:38.972704975 -0500
+@@ -43,6 +43,7 @@
+ 
+ #include <resizeImage.h>
+ #include "Iex.h"
++#include <cstring>
+ #include <iostream>
+ #include <algorithm>
+ 
diff --git a/sources b/sources
index 83177f0..4c8b019 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-11951f164f9c872b183df75e66de145a  openexr-1.6.1.tar.gz
-2a45771c4d95eadbdf462561a70c24bb  openexr-1.6.1.tar.gz.sig
+27113284f7d26a58f853c346e0851d7a  openexr-1.7.0.tar.gz
+1ffd9feb14c373ebae68228b0495ada0  openexr-1.7.0.tar.gz.sig

