authorNatanael Copa <ncopa@alpinelinux.org>2015-01-27 11:07:52 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2015-01-27 11:09:15 +0000
commita83bc79e8eb980e2ba38f97ea9b3d5f64e69a395 (patch)
tree2be5736d482a19fefc7843db2fe51b92dc19d29d
parent7b4cf250736eaac8c14be06e862cf584a166a01b (diff)
main/graphviz: security fix for CVE-2014-9157
ref #3752 fixes #3756 (cherry picked from commit 8c89f11b647949f06fbef635e60814476280caa9) Conflicts: main/graphviz/APKBUILD
-rw-r--r--main/graphviz/APKBUILD12
-rw-r--r--main/graphviz/CVE-2014-9157.patch21
2 files changed, 29 insertions, 4 deletions
diff --git a/main/graphviz/APKBUILD b/main/graphviz/APKBUILD
index 2909cb800..e6b64e4c1 100644
--- a/main/graphviz/APKBUILD
+++ b/main/graphviz/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=graphviz
pkgver=2.38.0
-pkgrel=1
+pkgrel=2
pkgdesc="Graph Visualization Tools"
url="http://www.graphviz.org/"
arch="all"
@@ -18,6 +18,7 @@ subpackages="$pkgname-dev $pkgname-doc py-$pkgname:py lua-$pkgname:_lua
source="http://www.graphviz.org/pub/graphviz/stable/SOURCES/graphviz-$pkgver.tar.gz
0001-clone-nameclash.patch
musl-posix-grep.patch
+ CVE-2014-9157.patch
"
_builddir="$srcdir"/graphviz-$pkgver
@@ -110,10 +111,13 @@ graphs() {
}
md5sums="5b6a829b2ac94efcd5fa3c223ed6d3ae graphviz-2.38.0.tar.gz
bce8a9ae4c3a8c52c1bcf0e03d5ce364 0001-clone-nameclash.patch
-f2e8e751d8b26dd659b51940f7210b8a musl-posix-grep.patch"
+f2e8e751d8b26dd659b51940f7210b8a musl-posix-grep.patch
+8da7607dfaaf0ea01e2618d647f79c45 CVE-2014-9157.patch"
sha256sums="81aa238d9d4a010afa73a9d2a704fc3221c731e1e06577c2ab3496bdef67859e graphviz-2.38.0.tar.gz
2b6c8186bf2799658494428d68597f63b91799f37809cbe59d8adcab60c27363 0001-clone-nameclash.patch
-c9629e3e5502450ff000af173d568147aee5d8e884d7d8d8754cb7dd94e90ba6 musl-posix-grep.patch"
+c9629e3e5502450ff000af173d568147aee5d8e884d7d8d8754cb7dd94e90ba6 musl-posix-grep.patch
+4289ed4dbcfc2e6d19131e029364eaf7bc728948bbed2b211e808868b7450752 CVE-2014-9157.patch"
sha512sums="0e51a97dae595f4e80bc9e4a12ba3c48485fab19941a28d522f5a0624b6a767e0ba720e9e55bff8efe8308dd1cd3793e2c99cb5fdfceb2d5cafb0cbee907e531 graphviz-2.38.0.tar.gz
aa4cbc341906a949a6bf78cadd96c437d6bcc90369941fe03519aa4447731ecbf6063a0dd0366d3e7aaadf22b69e4bcab3f8632a7da7a01f8e08a3be05c2bc5d 0001-clone-nameclash.patch
-365ecb684b26c382f62b2c8bc075169eafd46478d21a49ecc433fcbf7b720027567438a01659fada7714433c1eced7f5662913179e6d59437fc5daba0d66b0cc musl-posix-grep.patch"
+365ecb684b26c382f62b2c8bc075169eafd46478d21a49ecc433fcbf7b720027567438a01659fada7714433c1eced7f5662913179e6d59437fc5daba0d66b0cc musl-posix-grep.patch
+0bd86ddab647ddc2c4b6b2ae8435b725c7e5a66028d51bae6f1111030be3f338b6b767327ad04e8f830cc2483812eee9e54943197ae5de06395d70c240e36552 CVE-2014-9157.patch"
diff --git a/main/graphviz/CVE-2014-9157.patch b/main/graphviz/CVE-2014-9157.patch
new file mode 100644
index 000000000..25f7b3f40
--- /dev/null
+++ b/main/graphviz/CVE-2014-9157.patch
@@ -0,0 +1,21 @@
+https://github.com/ellson/graphviz/commit/99eda421f7ddc27b14e4ac1d2126e5fe41719081
+
+--- ./lib/cgraph/scan.l.orig
++++ ./lib/cgraph/scan.l
+@@ -209,6 +209,7 @@
+ <hstring>([^><\n]*) addstr(yytext);
+ . return (yytext[0]);
+ %%
++
+ void yyerror(char *str)
+ {
+ unsigned char xbuf[BUFSIZ];
+@@ -225,7 +226,7 @@
+ agxbput (&xb, buf);
+ agxbput (&xb, yytext);
+ agxbput (&xb,"'\n");
+- agerr(AGERR,agxbuse(&xb));
++ agerr(AGERR, "%s", agxbuse(&xb));
+ agxbfree(&xb);
+ }
+ /* must be here to see flex's macro defns */
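Review bot: The patch file carries only the upstream URL as its header, so nothing in the package tree records what the one-line change at `agerr(AGERR, "%s", agxbuse(&xb));` actually fixes; add a short description above the URL such as `CVE-2014-9157: yyerror() passed the assembled error text, which embeds yytext straight from the parsed input, to agerr() as the format string; pass it as a "%s" argument instead.` The first hunk (the `++` blank line after `%%`) is whitespace-only and not part of the fix; dropping it keeps the backport minimal and easier to reapply on other 2.x versions. The lines between the two hunks (where `buf` is filled and `xb` is initialised) are outside the patch, so whether `buf` is bounded cannot be judged from here. Since this class of bug comes from a non-literal format argument, consider building with `-Wformat-security` or grepping for `agerr(` calls whose second argument is not a string literal, in case the upstream commit did not cover a sibling call site.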