End of life.

This is the note from dead.package:

----------------------------------------------------------------------

This package has known security issues, and I got no help from
upstream to solve them.  In fact upstream is mostly silent / dead.
Therefore I have removed it from Fedora.

If you want to add the package back to Fedora, please note that
you are going to need to fix all the security problems and
take an active role in maintaining the package too.

----------------------------------------------------------------------
This commit is contained in:
Richard W.M. Jones 2011-02-03 14:23:13 +00:00
parent 372776ef5d
commit f068b499ad
7 changed files with 10 additions and 385 deletions


@ -1,23 +0,0 @@
--- camlimages-3.0.2/examples/liv/liv.ml 2009-10-26 12:42:03.000000000 +0000
+++ camlimages-3.0.2.display/examples/liv/liv.ml 2010-01-12 15:13:21.414300958 +0000
@@ -19,7 +19,7 @@
;;
*)
-module D = Display
+module D = Livdisplay
open D
open Gc
diff -ur camlimages-3.0.1.orig/examples/liv/Makefile.am camlimages-3.0.1/examples/liv/Makefile.am
--- camlimages-3.0.1.orig/examples/liv/Makefile.am 2007-05-21 19:54:32.000000000 +0100
+++ camlimages-3.0.1/examples/liv/Makefile.am 2008-11-03 17:15:54.000000000 +0000
@@ -23,7 +23,7 @@
seq.ml \
tout.ml \
enhance.ml \
- display.ml \
+ livdisplay.ml \
viewer.ml \
edge.ml \
pathfind.ml \


@ -1,12 +0,0 @@
--- camlimages-3.0.2/configure.ac 2009-10-26 12:42:04.000000000 +0000
+++ camlimages-3.0.2.autoconf/configure.ac 2010-01-12 15:23:49.179300765 +0000
@@ -4,8 +4,7 @@
AM_INIT_AUTOMAKE([foreign])
# Check ocaml
-AC_PROG_OCAML([3.08])
-AC_PROG_OCAML_TOOL(OCAMLMKLIB, ocamlmklib)
+AC_PROG_OCAML
AC_SUBST(OCAMLLIB)
# Check versions to build


@ -1,81 +0,0 @@
--- camlimages-3.0.1.orig/src/pngread.c 2007-01-18 10:29:57.000000000 +0000
+++ camlimages-3.0.1.oversized/src/pngread.c 2009-07-03 15:51:00.000000000 +0100
@@ -15,6 +15,8 @@
#include "config.h"
#endif
+#include <limits.h>
+
#include <png.h>
#include <caml/mlvalues.h>
@@ -26,6 +28,12 @@
#define PNG_TAG_INDEX16 2
#define PNG_TAG_INDEX4 3
+/* Test if x or y are negative, or if multiplying x * y would cause an
+ * arithmetic overflow.
+ */
+#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+
value read_png_file_as_rgb24( name )
value name;
{
@@ -81,6 +89,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
+ if (oversized (width, height))
+ failwith ("png error: image contains oversized or bogus width and height");
+
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
@@ -102,10 +113,16 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ if (oversized (rowbytes, height))
+ failwith ("png error: image contains oversized or bogus rowbytes and height");
+
{
int i;
png_bytep *row_pointers;
+ if (oversized (sizeof (png_bytep), height))
+ failwith ("png error: image contains oversized or bogus height");
+
row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
res = alloc_tuple(3);
@@ -235,6 +252,9 @@
png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
&interlace_type, NULL, NULL);
+ if (oversized (width, height))
+ failwith ("png error: image contains oversized or bogus width and height");
+
if ( color_type == PNG_COLOR_TYPE_GRAY ||
color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
png_set_gray_to_rgb(png_ptr);
@@ -251,6 +271,9 @@
rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ if (oversized (rowbytes, height))
+ failwith ("png error: image contains oversized or bogus rowbytes and height");
+
/*
fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
*/
@@ -259,6 +282,9 @@
png_bytep *row_pointers;
char mesg[256];
+ if (oversized (sizeof (png_bytep), height))
+ failwith ("png error: image contains oversized or bogus height");
+
row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height);
res = alloc_tuple(3);


@ -1,27 +0,0 @@
--- camlimages-3.0.1.old/src/tiffread.c 2007-01-18 10:29:57.000000000 +0000
+++ camlimages-3.0.1/src/tiffread.c 2009-10-16 10:26:53.841258260 +0100
@@ -21,6 +21,13 @@
#include <caml/memory.h>
#include <caml/fail.h>
+#include <limits.h>
+#define oversized(x, y) \
+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+
+#define failwith_oversized(lib) \
+ failwith("#lib error: image contains oversized or bogus width and height");
+
/* These are defined in caml/config.h */
#define int16 int16tiff
#define uint16 uint16tiff
@@ -64,6 +71,10 @@
TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres);
TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric);
+ if (oversized (imagewidth, imagelength)) {
+ failwith_oversized("tiff");
+ }
+
if( imagesample == 3 && photometric == PHOTOMETRIC_RGB ){
if( imagebits != 8 ){
failwith("Sorry, tiff rgb file must be 24bit-color");

dead.package Normal file

@ -0,0 +1,10 @@
This package has known security issues, and I got no help from
upstream to solve them. In fact upstream is mostly silent / dead.
Therefore I have removed it from Fedora.
If you want to add the package back to Fedora, please note that
you are going to need to fix all the security problems and
take an active role in maintaining the package too.
- Richard W.M. Jones, 2011-02-03


@ -1,240 +0,0 @@
%global opt %(test -x %{_bindir}/ocamlopt && echo 1 || echo 0)
%global debug_package %{nil}
%global _default_patch_fuzz 2
Name: ocaml-camlimages
Version: 3.0.2
Release: 7%{?dist}
Summary: OCaml image processing library
Group: Development/Libraries
License: LGPLv2 with exceptions
URL: http://cristal.inria.fr/camlimages/eng.html
Source0: http://cristal.inria.fr/camlimages/camlimages-%{version}.tgz
Source1: camlimages-2.2.0-htmlref.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
ExcludeArch: sparc64 s390 s390x
Patch0: camlimages-3.0.2-display-module.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=509531#c4
# Now upstream in 3.0.2.
#Patch1: camlimages-oversized-png-check-CVE-2009-2295.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=528732
# NOT upstream in 3.0.2.
Patch2: camlimages-oversized-tiff-check-CVE-2009-3296.patch
# This is paradoxically only needed because we are rerunning aclocal
# which will use the new ocaml-autoconf that has slightly different
# macros.
Patch3: camlimages-3.0.2-ocaml-autoconf.patch
BuildRequires: ocaml >= 3.10.1
BuildRequires: ocaml-lablgtk-devel
BuildRequires: ocaml-x11
BuildRequires: lablgtk, libpng-devel, libjpeg-devel
BuildRequires: libXpm-devel, ghostscript-devel, freetype-devel
BuildRequires: giflib-devel
BuildRequires: libtiff-devel
BuildRequires: gtk2-devel
BuildRequires: libtool, automake, autoconf
BuildRequires: ocaml-autoconf
%global __ocaml_requires_opts -i Image_intf
%description
CamlImages is an image processing library for Objective CAML, which provides:
basic functions for image processing and loading/saving, various image file
formats (hence providing a translation facility from format to format),
and an interface with the Caml graphics library allows to display images
in the Graphics module screen and to mix them with Caml drawings
In addition, the library can handle huge images that cannot be (or can hardly
be) stored into the main memory (the library then automatically creates swap
files and escapes them to reduce the memory usage).
%package devel
Summary: Development files for camlimages
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
%description devel
The camlimages-devel package provides libraries and headers for
developing applications using camlimages
Includes documentation provided by ocamldoc
%prep
%setup -q -n camlimages-%{version} -a 1
# Gdk.Display submodule clashes with the Display module in
# the examples/liv directory, so rename it:
%patch0 -p1
%patch2 -p1
%patch3 -p1
aclocal -I .
automake
autoconf
mv examples/liv/display.ml examples/liv/livdisplay.ml
%build
%configure
# Hack to fix RHBZ#564798. It's completely unclear why this fails
# in Koji when it works perfectly well for me locally.
echo image_intf.cmi: image_intf.mli >> src/.depend
echo mylazy.cmi: mylazy.mli >> examples/liv/.depend
make
%install
rm -rf $RPM_BUILD_ROOT
make install ocamlsitelibdir=%{_libdir}/ocaml/camlimages DESTDIR=$RPM_BUILD_ROOT
strip $RPM_BUILD_ROOT%{_libdir}/ocaml/stublibs/dllcamlimages.so \
$RPM_BUILD_ROOT%{_libdir}/ocaml/stublibs/dllcamlimages_core.so
%clean
rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root,-)
%doc INSTALL README
%{_libdir}/ocaml/camlimages
%{_libdir}/ocaml/stublibs/*.so
%if %opt
%exclude %{_libdir}/ocaml/camlimages/*.a
%exclude %{_libdir}/ocaml/camlimages/*.cmxa
%endif
%exclude %{_libdir}/ocaml/camlimages/*.mli
%files devel
%defattr(-,root,root,-)
%doc doc/*.{html,jpg}
%if %opt
%{_libdir}/ocaml/camlimages/*.a
%{_libdir}/ocaml/camlimages/*.cmxa
%endif
%{_libdir}/ocaml/camlimages/*.mli
%changelog
* Wed Jan 12 2010 Richard W.M. Jones <rjones@redhat.com> - 3.0.2-7
- Fix FTBFS RHBZ#564798.
* Wed Jan 12 2010 Richard W.M. Jones <rjones@redhat.com> - 3.0.2-2
- Ignore broken dependency from submodule (Image_intf).
* Tue Jan 12 2010 Richard W.M. Jones <rjones@redhat.com> - 3.0.2-1
- New upstream version 3.0.2.
- Fix URL and source URL.
- Rebase Display->Livdisplay patch.
- Remove png check CVE patch (now upstream).
- RETAIN tiff check CVE patch (NOT upstream).
- Replace %%define with %%global.
- Use upstream RPM 4.8 OCaml dependency generator.
- Fix configure.ac, also we now BR ocaml-autoconf.
- Recheck package with rpmlint:
. Strip dllcamlimages_core.so
* Wed Dec 30 2009 Richard W.M. Jones <rjones@redhat.com> - 3.0.1-15
- Rebuild for OCaml 3.11.2.
* Fri Oct 16 2009 Richard W.M. Jones <rjones@redhat.com> - 3.0.1-14
- ocaml-camlimages: TIFF reader multiple integer overflows
(CVE 2009-3296 / RHBZ#528732).
* Tue Sep 29 2009 Richard W.M. Jones <rjones@redhat.com> - 3.0.1-12
- Force rebuild against newer lablgtk.
* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.0.1-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Fri Jul 3 2009 Richard W.M. Jones <rjones@redhat.com> - 3.0.1-10
- ocaml-camlimages: PNG reader multiple integer overflows
(CVE 2009-2295 / RHBZ#509531).
* Sat May 23 2009 Richard W.M. Jones <rjones@redhat.com> - 3.0.1-8
- Rebuild for OCaml 3.11.1
* Thu Apr 16 2009 S390x secondary arch maintainer <fedora-s390x@lists.fedoraproject.org>
- ExcludeArch sparc64, s390, s390x as we don't have OCaml on those archs
(added sparc64 per request from the sparc maintainer)
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.0.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Sat Feb 7 2009 Richard W.M. Jones <rjones@redhat.com> - 3.0.1-6
- Rebuild against updated lablgtk.
* Fri Dec 5 2008 Richard W.M. Jones <rjones@redhat.com> - 3.0.1-5
- Rebuild.
* Thu Dec 4 2008 Richard W.M. Jones <rjones@redhat.com> - 3.0.1-4
- Rebuild.
* Mon Nov 3 2008 Richard W.M. Jones <rjones@redhat.com> - 3.0.1-3
- +BR gtk2-devel.
- +BR ocaml-x11.
* Mon Nov 3 2008 Richard W.M. Jones <rjones@redhat.com> - 3.0.1-1
- Home page moved (fixes rhbz 468158).
- New upstream version 3.0.1 and multiple build fixes for this.
- License is really LGPLv2 with the OCaml linking exception.
- Removed the DESTDIR patch.
- Build tiff support.
- Run it through rpmlint and fix all problems.
* Thu Aug 28 2008 Richard W.M. Jones <rjones@redhat.com> - 2.2.0-13
- Rebuild with patch fuzz.
* Mon Aug 11 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 2.2.0-12
- fix license tag
* Wed Apr 23 2008 Richard W.M. Jones <rjones@redhat.com> - 2.2.0-11
- Rebuild for OCaml 3.10.2
* Sat Mar 1 2008 Richard W.M. Jones <rjones@redhat.com> 2.2.0-10
- Rebuild for ppc64.
* Wed Feb 13 2008 Richard W.M. Jones <rjones@redhat.com> 2.2.0-9
- Rebuild for OCaml 3.10.1
- Fix paths to conform to packaging policy.
* Wed May 09 2007 Nigel Jones <dev@nigelj.com> 2.2.0-8
- Exclude ppc64 builds due to missing ocaml
* Fri May 04 2007 Nigel Jones <dev@nigelj.com> 2.2.0-7
- Change to Makefile patch to move .so files to stublibs
- Rename to ocaml-camlimages
- Other changes per review
* Thu May 03 2007 Nigel Jones <dev@nigelj.com> 2.2.0-6
- Include .*a files just to make sure
* Thu May 03 2007 Nigel Jones <dev@nigelj.com> 2.2.0-5
- Revert -4 changes
- Remove excludedirs patch, replace with a sed
- Provide html documentation generated from running ocaml-ocamldoc
* Thu Apr 26 2007 Nigel Jones <dev@nigelj.com> 2.2.0-4
- Add Provides: camlimages-static, and LICENSE to -devel docs
* Thu Apr 12 2007 Nigel Jones <dev@nigelj.com> 2.2.0-3
- Remove .a & .o files
* Wed Apr 11 2007 Nigel Jones <dev@nigelj.com> 2.2.0-2
- Add missing dependencies
* Tue Apr 10 2007 Nigel Jones <dev@nigelj.com> 2.2.0-1
- Initial spec file


@ -1,2 +0,0 @@
fb1633c9c8df0b2b2d0f892d8c4ac2ee camlimages-2.2.0-htmlref.tar.gz
ccb2551232df255f6306941d26d07615 camlimages-3.0.2.tgz