From f068b499adfa7b5c6ac4537cd5d1144e6e35874f Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones"
Date: Thu, 3 Feb 2011 14:23:13 +0000
Subject: [PATCH] End of life.

This is the note from dead.package:
----------------------------------------------------------------------
This package has known security issues, and I got no help from
upstream to solve them. In fact upstream is mostly silent / dead.
Therefore I have removed it from Fedora.

If you want to add the package back to Fedora, please note that
you are going to need to fix all the security problems and
take an active role in maintaining the package too.
----------------------------------------------------------------------
---
 camlimages-3.0.2-display-module.patch | 23 --
 camlimages-3.0.2-ocaml-autoconf.patch | 12 -
 ...es-oversized-png-check-CVE-2009-2295.patch | 81 ------
 ...s-oversized-tiff-check-CVE-2009-3296.patch | 27 --
 dead.package | 10 +
 ocaml-camlimages.spec | 240 ------------------
 sources | 2 -
 7 files changed, 10 insertions(+), 385 deletions(-)
 delete mode 100644 camlimages-3.0.2-display-module.patch
 delete mode 100644 camlimages-3.0.2-ocaml-autoconf.patch
 delete mode 100644 camlimages-oversized-png-check-CVE-2009-2295.patch
 delete mode 100644 camlimages-oversized-tiff-check-CVE-2009-3296.patch
 create mode 100644 dead.package
 delete mode 100644 ocaml-camlimages.spec
 delete mode 100644 sources

diff --git a/camlimages-3.0.2-display-module.patch b/camlimages-3.0.2-display-module.patch
deleted file mode 100644
index b204046..0000000
--- a/camlimages-3.0.2-display-module.patch
+++ /dev/null
@@ -1,23 +0,0 @@
---- camlimages-3.0.2/examples/liv/liv.ml 2009-10-26 12:42:03.000000000 +0000
-+++ camlimages-3.0.2.display/examples/liv/liv.ml 2010-01-12 15:13:21.414300958 +0000
-@@ -19,7 +19,7 @@
- ;;
- *)
-
--module D = Display
-+module D = Livdisplay
- open D
-
- open Gc
-diff -ur camlimages-3.0.1.orig/examples/liv/Makefile.am camlimages-3.0.1/examples/liv/Makefile.am
---- camlimages-3.0.1.orig/examples/liv/Makefile.am 2007-05-21 19:54:32.000000000 +0100
-+++ camlimages-3.0.1/examples/liv/Makefile.am 2008-11-03 17:15:54.000000000 +0000
-@@ -23,7 +23,7 @@
- seq.ml \
- tout.ml \
- enhance.ml \
-- display.ml \
-+ livdisplay.ml \
- viewer.ml \
- edge.ml \
- pathfind.ml \
diff --git a/camlimages-3.0.2-ocaml-autoconf.patch b/camlimages-3.0.2-ocaml-autoconf.patch
deleted file mode 100644
index d7ed2bd..0000000
--- a/camlimages-3.0.2-ocaml-autoconf.patch
+++ /dev/null
@@ -1,12 +0,0 @@
---- camlimages-3.0.2/configure.ac 2009-10-26 12:42:04.000000000 +0000
-+++ camlimages-3.0.2.autoconf/configure.ac 2010-01-12 15:23:49.179300765 +0000
-@@ -4,8 +4,7 @@
- AM_INIT_AUTOMAKE([foreign])
-
- # Check ocaml
--AC_PROG_OCAML([3.08])
--AC_PROG_OCAML_TOOL(OCAMLMKLIB, ocamlmklib)
-+AC_PROG_OCAML
- AC_SUBST(OCAMLLIB)
-
- # Check versions to build
diff --git a/camlimages-oversized-png-check-CVE-2009-2295.patch b/camlimages-oversized-png-check-CVE-2009-2295.patch
deleted file mode 100644
index 7f2fc00..0000000
--- a/camlimages-oversized-png-check-CVE-2009-2295.patch
+++ /dev/null
@@ -1,81 +0,0 @@
---- camlimages-3.0.1.orig/src/pngread.c 2007-01-18 10:29:57.000000000 +0000
-+++ camlimages-3.0.1.oversized/src/pngread.c 2009-07-03 15:51:00.000000000 +0100
-@@ -15,6 +15,8 @@
- #include "config.h"
- #endif
-
-+#include
-+
- #include
-
- #include
-@@ -26,6 +28,12 @@
- #define PNG_TAG_INDEX16 2
- #define PNG_TAG_INDEX4 3
-
-+/* Test if x or y are negative, or if multiplying x * y would cause an
-+ * arithmetic overflow.
-+ */
-+#define oversized(x, y) \
-+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
-+
- value read_png_file_as_rgb24( name )
- value name;
- {
-@@ -81,6 +89,9 @@
- png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
- &interlace_type, NULL, NULL);
-
-+ if (oversized (width, height))
-+ failwith ("png error: image contains oversized or bogus width and height");
-+
- if ( color_type == PNG_COLOR_TYPE_GRAY ||
- color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
- png_set_gray_to_rgb(png_ptr);
-@@ -102,10 +113,16 @@
-
- rowbytes = png_get_rowbytes(png_ptr, info_ptr);
-
-+ if (oversized (rowbytes, height))
-+ failwith ("png error: image contains oversized or bogus rowbytes and height");
-+
- {
- int i;
- png_bytep *row_pointers;
-
-+ if (oversized (sizeof (png_bytep), height))
-+ failwith ("png error: image contains oversized or bogus height");
-+
- row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
-
- res = alloc_tuple(3);
-@@ -235,6 +252,9 @@
- png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
- &interlace_type, NULL, NULL);
-
-+ if (oversized (width, height))
-+ failwith ("png error: image contains oversized or bogus width and height");
-+
- if ( color_type == PNG_COLOR_TYPE_GRAY ||
- color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
- png_set_gray_to_rgb(png_ptr);
-@@ -251,6 +271,9 @@
-
- rowbytes = png_get_rowbytes(png_ptr, info_ptr);
-
-+ if (oversized (rowbytes, height))
-+ failwith ("png error: image contains oversized or bogus rowbytes and height");
-+
- /*
- fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
- */
-@@ -259,6 +282,9 @@
- png_bytep *row_pointers;
- char mesg[256];
-
-+ if (oversized (sizeof (png_bytep), height))
-+ failwith ("png error: image contains oversized or bogus height");
-+
- row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height);
- res = alloc_tuple(3);
-
diff --git a/camlimages-oversized-tiff-check-CVE-2009-3296.patch b/camlimages-oversized-tiff-check-CVE-2009-3296.patch
deleted file mode 100644
index be59d24..0000000
--- a/camlimages-oversized-tiff-check-CVE-2009-3296.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- camlimages-3.0.1.old/src/tiffread.c 2007-01-18 10:29:57.000000000 +0000
-+++ camlimages-3.0.1/src/tiffread.c 2009-10-16 10:26:53.841258260 +0100
-@@ -21,6 +21,13 @@
- #include
- #include
-
-+#include
-+#define oversized(x, y) \
-+ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
-+
-+#define failwith_oversized(lib) \
-+ failwith("#lib error: image contains oversized or bogus width and height");
-+
- /* These are defined in caml/config.h */
- #define int16 int16tiff
- #define uint16 uint16tiff
-@@ -64,6 +71,10 @@
- TIFFGetField(tif, TIFFTAG_YRESOLUTION, &yres);
- TIFFGetField(tif, TIFFTAG_PHOTOMETRIC, &photometric);
-
-+ if (oversized (imagewidth, imagelength)) {
-+ failwith_oversized("tiff");
-+ }
-+
- if( imagesample == 3 && photometric == PHOTOMETRIC_RGB ){
- if( imagebits != 8 ){
- failwith("Sorry, tiff rgb file must be 24bit-color");
diff --git a/dead.package b/dead.package
new file mode 100644
index 0000000..d19fb5a
--- /dev/null
+++ b/dead.package
@@ -0,0 +1,10 @@
+
+This package has known security issues, and I got no help from
+upstream to solve them. In fact upstream is mostly silent / dead.
+Therefore I have removed it from Fedora.
+
+If you want to add the package back to Fedora, please note that
+you are going to need to fix all the security problems and
+take an active role in maintaining the package too.
+
+- Richard W.M. Jones, 2011-02-03
diff --git a/ocaml-camlimages.spec b/ocaml-camlimages.spec
deleted file mode 100644
index d7e3094..0000000
--- a/ocaml-camlimages.spec
+++ /dev/null
@@ -1,240 +0,0 @@
-%global opt %(test -x %{_bindir}/ocamlopt && echo 1 || echo 0)
-%global debug_package %{nil}
-%global _default_patch_fuzz 2
-
-Name: ocaml-camlimages
-Version: 3.0.2
-Release: 7%{?dist}
-Summary: OCaml image processing library
-
-Group: Development/Libraries
-License: LGPLv2 with exceptions
-URL: http://cristal.inria.fr/camlimages/eng.html
-Source0: http://cristal.inria.fr/camlimages/camlimages-%{version}.tgz
-Source1: camlimages-2.2.0-htmlref.tar.gz
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-ExcludeArch: sparc64 s390 s390x
-
-Patch0: camlimages-3.0.2-display-module.patch
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=509531#c4
-# Now upstream in 3.0.2.
-#Patch1: camlimages-oversized-png-check-CVE-2009-2295.patch
-
-# https://bugzilla.redhat.com/show_bug.cgi?id=528732
-# NOT upstream in 3.0.2.
-Patch2: camlimages-oversized-tiff-check-CVE-2009-3296.patch
-
-# This is paradoxically only needed because we are rerunning aclocal
-# which will use the new ocaml-autoconf that has slightly different
-# macros.
-Patch3: camlimages-3.0.2-ocaml-autoconf.patch
-
-BuildRequires: ocaml >= 3.10.1
-BuildRequires: ocaml-lablgtk-devel
-BuildRequires: ocaml-x11
-BuildRequires: lablgtk, libpng-devel, libjpeg-devel
-BuildRequires: libXpm-devel, ghostscript-devel, freetype-devel
-BuildRequires: giflib-devel
-BuildRequires: libtiff-devel
-BuildRequires: gtk2-devel
-BuildRequires: libtool, automake, autoconf
-BuildRequires: ocaml-autoconf
-
-%global __ocaml_requires_opts -i Image_intf
-
-
-%description
-CamlImages is an image processing library for Objective CAML, which provides:
-basic functions for image processing and loading/saving, various image file
-formats (hence providing a translation facility from format to format),
-and an interface with the Caml graphics library allows to display images
-in the Graphics module screen and to mix them with Caml drawings
-
-In addition, the library can handle huge images that cannot be (or can hardly
-be) stored into the main memory (the library then automatically creates swap
-files and escapes them to reduce the memory usage).
-
-
-%package devel
-Summary: Development files for camlimages
-Group: Development/Libraries
-Requires: %{name} = %{version}-%{release}
-
-
-%description devel
-The camlimages-devel package provides libraries and headers for
-developing applications using camlimages
-
-Includes documentation provided by ocamldoc
-
-
-%prep
-%setup -q -n camlimages-%{version} -a 1
-
-# Gdk.Display submodule clashes with the Display module in
-# the examples/liv directory, so rename it:
-%patch0 -p1
-%patch2 -p1
-%patch3 -p1
-aclocal -I .
-automake
-autoconf
-mv examples/liv/display.ml examples/liv/livdisplay.ml
-
-
-%build
-%configure
-
-# Hack to fix RHBZ#564798. It's completely unclear why this fails
-# in Koji when it works perfectly well for me locally.
-echo image_intf.cmi: image_intf.mli >> src/.depend
-echo mylazy.cmi: mylazy.mli >> examples/liv/.depend
-
-make
-
-
-%install
-rm -rf $RPM_BUILD_ROOT
-make install ocamlsitelibdir=%{_libdir}/ocaml/camlimages DESTDIR=$RPM_BUILD_ROOT
-
-strip $RPM_BUILD_ROOT%{_libdir}/ocaml/stublibs/dllcamlimages.so \
- $RPM_BUILD_ROOT%{_libdir}/ocaml/stublibs/dllcamlimages_core.so
-
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-
-%files
-%defattr(-,root,root,-)
-%doc INSTALL README
-%{_libdir}/ocaml/camlimages
-%{_libdir}/ocaml/stublibs/*.so
-%if %opt
-%exclude %{_libdir}/ocaml/camlimages/*.a
-%exclude %{_libdir}/ocaml/camlimages/*.cmxa
-%endif
-%exclude %{_libdir}/ocaml/camlimages/*.mli
-
-
-%files devel
-%defattr(-,root,root,-)
-%doc doc/*.{html,jpg}
-%if %opt
-%{_libdir}/ocaml/camlimages/*.a
-%{_libdir}/ocaml/camlimages/*.cmxa
-%endif
-%{_libdir}/ocaml/camlimages/*.mli
-
-
-%changelog
-* Wed Jan 12 2010 Richard W.M. Jones - 3.0.2-7
-- Fix FTBFS RHBZ#564798.
-
-* Wed Jan 12 2010 Richard W.M. Jones - 3.0.2-2
-- Ignore broken dependency from submodule (Image_intf).
-
-* Tue Jan 12 2010 Richard W.M. Jones - 3.0.2-1
-- New upstream version 3.0.2.
-- Fix URL and source URL.
-- Rebase Display->Livdisplay patch.
-- Remove png check CVE patch (now upstream).
-- RETAIN tiff check CVE patch (NOT upstream).
-- Replace %%define with %%global.
-- Use upstream RPM 4.8 OCaml dependency generator.
-- Fix configure.ac, also we now BR ocaml-autoconf.
-- Recheck package with rpmlint:
- . Strip dllcamlimages_core.so
-
-* Wed Dec 30 2009 Richard W.M. Jones - 3.0.1-15
-- Rebuild for OCaml 3.11.2.
-
-* Fri Oct 16 2009 Richard W.M. Jones - 3.0.1-14
-- ocaml-camlimages: TIFF reader multiple integer overflows
- (CVE 2009-3296 / RHBZ#528732).
-
-* Tue Sep 29 2009 Richard W.M. Jones - 3.0.1-12
-- Force rebuild against newer lablgtk.
-
-* Sat Jul 25 2009 Fedora Release Engineering - 3.0.1-11
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
-
-* Fri Jul 3 2009 Richard W.M. Jones - 3.0.1-10
-- ocaml-camlimages: PNG reader multiple integer overflows
- (CVE 2009-2295 / RHBZ#509531).
-
-* Sat May 23 2009 Richard W.M. Jones - 3.0.1-8
-- Rebuild for OCaml 3.11.1
-
-* Thu Apr 16 2009 S390x secondary arch maintainer
-- ExcludeArch sparc64, s390, s390x as we don't have OCaml on those archs
- (added sparc64 per request from the sparc maintainer)
-
-* Wed Feb 25 2009 Fedora Release Engineering - 3.0.1-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
-
-* Sat Feb 7 2009 Richard W.M. Jones - 3.0.1-6
-- Rebuild against updated lablgtk.
-
-* Fri Dec 5 2008 Richard W.M. Jones - 3.0.1-5
-- Rebuild.
-
-* Thu Dec 4 2008 Richard W.M. Jones - 3.0.1-4
-- Rebuild.
-
-* Mon Nov 3 2008 Richard W.M. Jones - 3.0.1-3
-- +BR gtk2-devel.
-- +BR ocaml-x11.
-
-* Mon Nov 3 2008 Richard W.M. Jones - 3.0.1-1
-- Home page moved (fixes rhbz 468158).
-- New upstream version 3.0.1 and multiple build fixes for this.
-- License is really LGPLv2 with the OCaml linking exception.
-- Removed the DESTDIR patch.
-- Build tiff support.
-- Run it through rpmlint and fix all problems.
-
-* Thu Aug 28 2008 Richard W.M. Jones - 2.2.0-13
-- Rebuild with patch fuzz.
-
-* Mon Aug 11 2008 Tom "spot" Callaway - 2.2.0-12
-- fix license tag
-
-* Wed Apr 23 2008 Richard W.M. Jones - 2.2.0-11
-- Rebuild for OCaml 3.10.2
-
-* Sat Mar 1 2008 Richard W.M. Jones 2.2.0-10
-- Rebuild for ppc64.
-
-* Wed Feb 13 2008 Richard W.M. Jones 2.2.0-9
-- Rebuild for OCaml 3.10.1
-- Fix paths to conform to packaging policy.
-
-* Wed May 09 2007 Nigel Jones 2.2.0-8
-- Exclude ppc64 builds due to missing ocaml
-
-* Fri May 04 2007 Nigel Jones 2.2.0-7
-- Change to Makefile patch to move .so files to stublibs
-- Rename to ocaml-camlimages
-- Other changes per review
-
-* Thu May 03 2007 Nigel Jones 2.2.0-6
-- Include .*a files just to make sure
-
-* Thu May 03 2007 Nigel Jones 2.2.0-5
-- Revert -4 changes
-- Remove excludedirs patch, replace with a sed
-- Provide html documentation generated from running ocaml-ocamldoc
-
-* Thu Apr 26 2007 Nigel Jones 2.2.0-4
-- Add Provides: camlimages-static, and LICENSE to -devel docs
-
-* Thu Apr 12 2007 Nigel Jones 2.2.0-3
-- Remove .a & .o files
-
-* Wed Apr 11 2007 Nigel Jones 2.2.0-2
-- Add missing dependencies
-
-* Tue Apr 10 2007 Nigel Jones 2.2.0-1
-- Initial spec file
diff --git a/sources b/sources
deleted file mode 100644
index d72f7c4..0000000
--- a/sources
+++ /dev/null
@@ -1,2 +0,0 @@
-fb1633c9c8df0b2b2d0f892d8c4ac2ee camlimages-2.2.0-htmlref.tar.gz
-ccb2551232df255f6306941d26d07615 camlimages-3.0.2.tgz