Upstream patch for CVE-2013-6629 and CVE-2013-6630.

(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key 4868F14D)

3 files changed, 168 insertions, 1 deletions

diff --git a/media-libs/libjpeg-turbo/ChangeLog b/media-libs/libjpeg-turbo/ChangeLog
index 6b7ef1a1947b..a4e25144919e 100644
--- a/media-libs/libjpeg-turbo/ChangeLog
+++ b/media-libs/libjpeg-turbo/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for media-libs/libjpeg-turbo
 # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/libjpeg-turbo/ChangeLog,v 1.79 2013/08/18 13:28:24 ago Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-libs/libjpeg-turbo/ChangeLog,v 1.80 2013/12/14 15:33:31 ssuominen Exp $
+
+*libjpeg-turbo-1.3.0-r3 (14 Dec 2013)
+
+  14 Dec 2013; Samuli Suominen <ssuominen@gentoo.org>
+  +files/libjpeg-turbo-1.3.0-CVE-2013-6629-and-6630.patch,
+  +libjpeg-turbo-1.3.0-r3.ebuild:
+  Upstream patch for CVE-2013-6629 and CVE-2013-6630.
 
   18 Aug 2013; Agostino Sarubbo <ago@gentoo.org> libjpeg-turbo-1.3.0.ebuild:
   Stable for x86, wrt bug #479078
diff --git a/media-libs/libjpeg-turbo/files/libjpeg-turbo-1.3.0-CVE-2013-6629-and-6630.patch b/media-libs/libjpeg-turbo/files/libjpeg-turbo-1.3.0-CVE-2013-6629-and-6630.patch
new file mode 100644
index 000000000000..46eefad1604f
--- /dev/null
+++ b/media-libs/libjpeg-turbo/files/libjpeg-turbo-1.3.0-CVE-2013-6629-and-6630.patch
@@ -0,0 +1,38 @@
+http://bugzilla.redhat.com/show_bug.cgi?id=1031734
+http://bugzilla.redhat.com/show_bug.cgi?id=1031749
+http://sourceforge.net/p/libjpeg-turbo/code/1090/
+
+--- jdmarker.c
++++ jdmarker.c
+@@ -304,7 +304,7 @@
+ /* Process a SOS marker */
+ {
+   INT32 length;
+-  int i, ci, n, c, cc;
++  int i, ci, n, c, cc, pi;
+   jpeg_component_info * compptr;
+   INPUT_VARS(cinfo);
+ 
+@@ -348,6 +348,13 @@
+     
+     TRACEMS3(cinfo, 1, JTRC_SOS_COMPONENT, cc,
+ 	     compptr->dc_tbl_no, compptr->ac_tbl_no);
++
++    /* This CSi (cc) should differ from the previous CSi */
++    for (pi = 0; pi < i; pi++) {
++      if (cinfo->cur_comp_info[pi] == compptr) {
++        ERREXIT1(cinfo, JERR_BAD_COMPONENT_ID, cc);
++      }
++    }
+   }
+ 
+   /* Collect the additional scan parameters Ss, Se, Ah/Al. */
+@@ -465,6 +472,8 @@
+     for (i = 0; i < count; i++)
+       INPUT_BYTE(cinfo, huffval[i], return FALSE);
+ 
++    MEMZERO(&huffval[count], (256 - count) * SIZEOF(UINT8));
++
+     length -= count;
+ 
+     if (index & 0x10) {		/* AC table definition */
diff --git a/media-libs/libjpeg-turbo/libjpeg-turbo-1.3.0-r3.ebuild b/media-libs/libjpeg-turbo/libjpeg-turbo-1.3.0-r3.ebuild
new file mode 100644
index 000000000000..b8d065be90ae
--- /dev/null
+++ b/media-libs/libjpeg-turbo/libjpeg-turbo-1.3.0-r3.ebuild
@@ -0,0 +1,122 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-libs/libjpeg-turbo/libjpeg-turbo-1.3.0-r3.ebuild,v 1.1 2013/12/14 15:33:31 ssuominen Exp $
+
+EAPI=5
+
+inherit autotools eutils java-pkg-opt-2 libtool toolchain-funcs multilib-minimal
+
+DESCRIPTION="MMX, SSE, and SSE2 SIMD accelerated JPEG library"
+HOMEPAGE="http://libjpeg-turbo.virtualgl.org/ http://sourceforge.net/projects/libjpeg-turbo/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz
+	mirror://debian/pool/main/libj/libjpeg8/libjpeg8_8d-1.debian.tar.gz"
+
+LICENSE="BSD IJG"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~x64-macos ~x86-macos"
+IUSE="java static-libs"
+
+ASM_DEPEND="|| ( dev-lang/nasm dev-lang/yasm )"
+COMMON_DEPEND="!media-libs/jpeg:0
+	!media-libs/jpeg:62
+	abi_x86_32? ( !<=app-emulation/emul-linux-x86-baselibs-20130224-r5
+		!app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)] )"
+RDEPEND="${COMMON_DEPEND}
+	java? ( >=virtual/jre-1.5 )"
+DEPEND="${COMMON_DEPEND}
+	amd64? ( ${ASM_DEPEND} )
+	x86? ( ${ASM_DEPEND} )
+	amd64-fbsd? ( ${ASM_DEPEND} )
+	x86-fbsd? ( ${ASM_DEPEND} )
+	amd64-linux? ( ${ASM_DEPEND} )
+	x86-linux? ( ${ASM_DEPEND} )
+	x64-macos? ( ${ASM_DEPEND} )
+	java? ( >=virtual/jdk-1.5 )"
+
+MULTILIB_WRAPPED_HEADERS=( /usr/include/jconfig.h )
+
+src_prepare() {
+	epatch "${FILESDIR}"/${PN}-1.2.0-x32.patch #420239
+	epatch "${FILESDIR}"/${P}-CVE-2013-6629-and-6630.patch
+
+	if [[ -x ./configure ]]; then
+		elibtoolize
+	else
+		eautoreconf
+	fi
+
+	epunt_cxx #424689
+
+	java-pkg-opt-2_src_prepare
+}
+
+multilib_src_configure() {
+	local myconf=()
+	if multilib_is_native_abi; then
+		myconf+=( $(use_with java) )
+		if use java; then
+			export JAVACFLAGS="$(java-pkg_javac-args)"
+			export JNI_CFLAGS="$(java-pkg_get-jni-cflags)"
+		fi
+	else
+		myconf+=( --without-java )
+	fi
+	[[ ${ABI} == "x32" ]] && myconf+=( --without-simd ) #420239
+
+	ECONF_SOURCE=${S} \
+	econf \
+		$(use_enable static-libs static) \
+		--with-mem-srcdst \
+		"${myconf[@]}"
+}
+
+multilib_src_compile() {
+	local _java_makeopts
+	use java && _java_makeopts="-j1"
+	emake ${_java_makeopts}
+
+	if multilib_is_native_abi; then
+		pushd ../debian/extra >/dev/null
+		emake CC="$(tc-getCC)" CFLAGS="${LDFLAGS} ${CFLAGS}"
+		popd >/dev/null
+	fi
+}
+
+multilib_src_test() {
+	emake test
+}
+
+multilib_src_install() {
+	emake \
+		DESTDIR="${D}" \
+		docdir="${EPREFIX}"/usr/share/doc/${PF} \
+		exampledir="${EPREFIX}"/usr/share/doc/${PF} \
+		install
+
+	if multilib_is_native_abi; then
+		pushd "${WORKDIR}"/debian/extra >/dev/null
+		emake \
+			DESTDIR="${D}" prefix="${EPREFIX}"/usr \
+			INSTALL="install -m755" INSTALLDIR="install -d -m755" \
+			install
+		popd >/dev/null
+
+		if use java; then
+			rm -rf "${ED}"/usr/classes
+			java-pkg_dojar java/turbojpeg.jar
+		fi
+	fi
+}
+
+multilib_src_install_all() {
+	prune_libtool_files
+
+	insinto /usr/share/doc/${PF}/html
+	doins -r "${S}"/doc/html/*
+	newdoc "${WORKDIR}"/debian/changelog changelog.debian
+	if use java; then
+		insinto /usr/share/doc/${PF}/html/java
+		doins -r "${S}"/java/doc/*
+		newdoc "${S}"/java/README README.java
+	fi
+}