[Buildroot] [PATCH 1/1] package/giflib: security bump to version 5.2.1

Fabrice Fontaine fontaine.fabrice at gmail.com
Sun Aug 18 12:04:32 UTC 2019


- Switch to generic-package (autotools has been dropped since version
  5.1.5)
- Remove hook and instead use dedicated makefile targets to build only
  shared or static library and not binaries or documentation (added by
  an upstreamable patch)
- ac_cv_prog_have_xmlto=no can be removed as doc is not built anymore
- Fix CVE-2018-11490: The DGifDecompressLine function in dgif_lib.c in
  GIFLIB (possibly version 3.0.x), as later shipped in cgif.c in sam2p
  0.49.4, has a heap-based buffer overflow because a certain
  "Private->RunningCode - 2" array index is not checked. This will lead
  to a denial of service or possibly unspecified other impact.
- Fix CVE-2019-15133: In GIFLIB before 2019-02-16, a malformed GIF file
  triggers a divide-by-zero exception in the decoder function DGifSlurp
  in dgif_lib.c if the height field of the ImageSize data structure is
  equal to zero.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
---
 ...dd-targets-to-manage-static-building.patch | 69 +++++++++++++++++++
 package/giflib/giflib.hash                    |  4 +-
 package/giflib/giflib.mk                      | 47 +++++++++----
 3 files changed, 104 insertions(+), 16 deletions(-)
 create mode 100644 package/giflib/0001-Makefile-add-targets-to-manage-static-building.patch

diff --git a/package/giflib/0001-Makefile-add-targets-to-manage-static-building.patch b/package/giflib/0001-Makefile-add-targets-to-manage-static-building.patch
new file mode 100644
index 0000000000..384457d0bd
--- /dev/null
+++ b/package/giflib/0001-Makefile-add-targets-to-manage-static-building.patch
@@ -0,0 +1,69 @@
+From 487407d722714f13e8a06d1a9d89f48a5738191e Mon Sep 17 00:00:00 2001
+From: Fabrice Fontaine <fontaine.fabrice at gmail.com>
+Date: Fri, 12 Jul 2019 12:20:38 +0200
+Subject: [PATCH] Makefile: add targets to manage static building
+
+Add static-lib, shared-lib, install-static-lib and install-shared-lib
+targets to allow the user to build giflib when dynamic library support
+is not available or enable on the toolchain
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
+[Upstream status:
+https://sourceforge.net/p/giflib/code/merge-requests/7]
+---
+ Makefile | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index b2bf6de..111f52f 100644
+--- a/Makefile
++++ b/Makefile
+@@ -61,10 +61,17 @@ UTILS = $(INSTALLABLE) \
+ 
+ LDLIBS=libgif.a -lm
+ 
+-all: libgif.so libgif.a libutil.so libutil.a $(UTILS)
++SHARED_LIBS = libgif.so libutil.so
++STATIC_LIBS = libgif.a libutil.a
++
++all: shared-lib static-lib $(UTILS)
+ 	$(MAKE) -C doc
+ 
+-$(UTILS):: libgif.a libutil.a
++$(UTILS):: $(STATIC_LIBS)
++
++shared-lib: $(SHARED_LIBS)
++
++static-lib: $(STATIC_LIBS)
+ 
+ libgif.so: $(OBJECTS) $(HEADERS)
+ 	$(CC) $(CFLAGS) -shared $(LDFLAGS) -Wl,-soname -Wl,libgif.so.$(LIBMAJOR) -o libgif.so $(OBJECTS)
+@@ -79,7 +86,7 @@ libutil.a: $(UOBJECTS) $(UHEADERS)
+ 	$(AR) rcs libutil.a $(UOBJECTS)
+ 
+ clean:
+-	rm -f $(UTILS) $(TARGET) libgetarg.a libgif.a libgif.so libutil.a libutil.so *.o
++	rm -f $(UTILS) $(TARGET) libgetarg.a $(SHARED_LIBS) $(STATIC_LIBS) *.o
+ 	rm -f libgif.so.$(LIBMAJOR).$(LIBMINOR).$(LIBPOINT)
+ 	rm -f libgif.so.$(LIBMAJOR)
+ 	rm -fr doc/*.1 *.html doc/staging
+@@ -96,12 +103,15 @@ install-bin: $(INSTALLABLE)
+ install-include:
+ 	$(INSTALL) -d "$(DESTDIR)$(INCDIR)"
+ 	$(INSTALL) -m 644 gif_lib.h "$(DESTDIR)$(INCDIR)"
+-install-lib:
++install-static-lib:
+ 	$(INSTALL) -d "$(DESTDIR)$(LIBDIR)"
+ 	$(INSTALL) -m 644 libgif.a "$(DESTDIR)$(LIBDIR)/libgif.a"
++install-shared-lib:
++	$(INSTALL) -d "$(DESTDIR)$(LIBDIR)"
+ 	$(INSTALL) -m 755 libgif.so "$(DESTDIR)$(LIBDIR)/libgif.so.$(LIBVER)"
+ 	ln -sf libgif.so.$(LIBVER) "$(DESTDIR)$(LIBDIR)/libgif.so.$(LIBMAJOR)"
+ 	ln -sf libgif.so.$(LIBMAJOR) "$(DESTDIR)$(LIBDIR)/libgif.so"
++install-lib: install-static-lib install-shared-lib
+ install-man:
+ 	$(INSTALL) -d "$(DESTDIR)$(MANDIR)/man1"
+ 	$(INSTALL) -m 644 doc/*.1 "$(DESTDIR)$(MANDIR)/man1"
+-- 
+2.20.1
+
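Review bot: The new `shared-lib`, `static-lib`, `install-static-lib` and `install-shared-lib` targets name actions rather than files, and nothing in the visible hunks declares them phony. A stray file with one of those names in the source tree would make the target look up to date and silently skip the build or install step. If the upstream Makefile has no `.PHONY` line covering them (it would sit outside these hunks), add `.PHONY: shared-lib static-lib install-static-lib install-shared-lib install-lib`. The install targets also carry no prerequisite on the libraries they copy, so they rely on the caller having run the matching build target first.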
diff --git a/package/giflib/giflib.hash b/package/giflib/giflib.hash
index 189dca9f19..f7db1626df 100644
--- a/package/giflib/giflib.hash
+++ b/package/giflib/giflib.hash
@@ -1,5 +1,5 @@
 # From http://sourceforge.net/projects/giflib/files
-md5	2c171ced93c0e83bb09e6ccad8e3ba2b	giflib-5.1.4.tar.bz2
-sha1	5f1157cfc377916280849e247b8e34fa0446513f	giflib-5.1.4.tar.bz2
+md5	6f03aee4ebe54ac2cc1ab3e4b0a049e5	giflib-5.2.1.tar.gz
+sha1	c3f774dcbdf26afded7788979c8081d33c6426dc	giflib-5.2.1.tar.gz
 # Locally computed
 sha256	0c9b7990ecdca88b676db232c226548ac408b279f550d424d996f0d83591dd8e	COPYING
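Review bot: The giflib-5.2.1 tarball is pinned only by `md5` and `sha1`, neither of which is collision-resistant any more, and the one `sha256` line in this file covers `COPYING`, not the archive. The `GIFLIB_SITE` line in giflib.mk is a plain `http://` URL, so this hash file is the only integrity check on the download that is visible in this patch. Add a locally computed entry under `# Locally computed`, in the form `sha256  <sha256 of giflib-5.2.1.tar.gz>  giflib-5.2.1.tar.gz`, so the fetch is verified against a strong digest.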
diff --git a/package/giflib/giflib.mk b/package/giflib/giflib.mk
index 29666eebea..67523abac2 100644
--- a/package/giflib/giflib.mk
+++ b/package/giflib/giflib.mk
@@ -4,27 +4,46 @@
 #
 ################################################################################
 
-GIFLIB_VERSION = 5.1.4
-GIFLIB_SOURCE = giflib-$(GIFLIB_VERSION).tar.bz2
+GIFLIB_VERSION = 5.2.1
+GIFLIB_SOURCE = giflib-$(GIFLIB_VERSION).tar.gz
 GIFLIB_SITE = http://downloads.sourceforge.net/project/giflib
 GIFLIB_INSTALL_STAGING = YES
 GIFLIB_LICENSE = MIT
 GIFLIB_LICENSE_FILES = COPYING
 
-GIFLIB_BINS = \
-	gif2epsn gif2ps gif2rgb gif2x11 gifasm gifbg gifbuild gifburst gifclip \
-	gifclrmp gifcolor gifcomb gifcompose gifecho giffiltr giffix gifflip \
-	gifhisto gifinfo gifinter gifinto gifovly gifpos gifrotat \
-	gifrsize gifspnge giftext giftool gifwedge icon2gif raw2gif rgb2gif \
-	text2gif
+ifeq ($(BR2_STATIC_LIBS),y)
+GIFLIB_BUILD_LIBS = static-lib
+GIFLIB_INSTALL_LIBS = install-static-lib
+else ifeq ($(BR2_SHARED_LIBS),y)
+GIFLIB_BUILD_LIBS = shared-lib
+GIFLIB_INSTALL_LIBS = install-shared-lib
+else
+GIFLIB_BUILD_LIBS = static-lib shared-lib
+GIFLIB_INSTALL_LIBS = install-lib
+endif
 
-GIFLIB_CONF_ENV = ac_cv_prog_have_xmlto=no
+define GIFLIB_BUILD_CMDS
+	$(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) $(GIFLIB_BUILD_LIBS)
+endef
+
+define HOST_GIFLIB_BUILD_CMDS
+	$(HOST_CONFIGURE_OPTS) $(MAKE) -C $(@D)
+endef
 
-define GIFLIB_BINS_CLEANUP
-	rm -f $(addprefix $(TARGET_DIR)/usr/bin/,$(GIFLIB_BINS))
+define GIFLIB_INSTALL_STAGING_CMDS
+	$(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) DESTDIR=$(STAGING_DIR) \
+		PREFIX=/usr install-include $(GIFLIB_INSTALL_LIBS)
 endef
 
-GIFLIB_POST_INSTALL_TARGET_HOOKS += GIFLIB_BINS_CLEANUP
+define GIFLIB_INSTALL_TARGET_CMDS
+	$(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) \
+		PREFIX=/usr install-include $(GIFLIB_INSTALL_LIBS)
+endef
+
+define HOST_GIFLIB_INSTALL_CMDS
+	$(HOST_CONFIGURE_OPTS) $(MAKE) -C $(@D) DESTDIR=$(HOST_DIR) \
+		PREFIX=/usr install
+endef
 
-$(eval $(autotools-package))
-$(eval $(host-autotools-package))
+$(eval $(generic-package))
+$(eval $(host-generic-package))
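Review bot: `HOST_GIFLIB_BUILD_CMDS` runs `$(MAKE) -C $(@D)` with no goal, and the `all` rule shown in the bundled Makefile patch still ends with `$(MAKE) -C doc`. Assuming `all` is the default goal, the host variant keeps building the utilities and documentation that the commit message says are no longer built, and the host `install` goal presumably pulls in the man pages as well. If only the library is needed on the host, pass explicit goals as the target variant does, e.g. `$(HOST_CONFIGURE_OPTS) $(MAKE) -C $(@D) shared-lib` for the build and `install-include install-shared-lib` for the install. Separately, `$(TARGET_CONFIGURE_OPTS)` sits before `$(MAKE)` and so reaches the upstream Makefile as environment. If that Makefile assigns `CFLAGS` or `LDFLAGS` with `=` (not visible here), Buildroot's optimisation and hardening flags would be dropped, which is worth confirming for a library that parses untrusted image files.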
-- 
2.20.1


