commit: b0f7e72d6950013ea98f65116dc44cedd8923dd5 Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> AuthorDate: Fri Nov 24 22:55:47 2017 +0000 Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> CommitDate: Fri Nov 24 23:06:22 2017 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0f7e72d
app-text/poppler: Fix CVE-2017-{2820,9083} Bug: https://bugs.gentoo.org/619558 Bug: https://bugs.gentoo.org/624708 Package-Manager: Portage-2.3.16, Repoman-2.3.6 .../poppler-0.57.0-disable-internal-jpx.patch | 25 ++++++++++++++++++++++ app-text/poppler/poppler-0.57.0-r1.ebuild | 1 + 2 files changed, 26 insertions(+) diff --git a/app-text/poppler/files/poppler-0.57.0-disable-internal-jpx.patch b/app-text/poppler/files/poppler-0.57.0-disable-internal-jpx.patch new file mode 100644 index 00000000000..faf632128ff --- /dev/null +++ b/app-text/poppler/files/poppler-0.57.0-disable-internal-jpx.patch @@ -0,0 +1,25 @@ +Fix security issue [internal unmaintained JPX decoder] that is caused +by building without system-jpeg libs. Fedora does not care because they +always build with system-jpeg, however in Gentoo we allow the user to +disable both options and poppler's buildsystem is making us believe +there would be no JPX decoder built in that case, when in reality +JPXStream.cc is built (even if it may not be used by the code). + + +--- a/CMakeLists.txt 2017-11-24 23:12:41.953450442 +0100 ++++ b/CMakeLists.txt 2017-11-24 23:16:09.441030669 +0100 +@@ -506,9 +508,11 @@ + add_definitions(-DUSE_OPENJPEG2) + set(poppler_LIBS ${poppler_LIBS} ${LIBOPENJPEG2_LIBRARIES}) + else () +- set(poppler_SRCS ${poppler_SRCS} +- poppler/JPXStream.cc +- ) ++ if(NOT WITH_OPENJPEG AND HAVE_JPX_DECODER) ++ set(poppler_SRCS ${poppler_SRCS} ++ poppler/JPXStream.cc ++ ) ++ endif() + endif() + if(USE_CMS) + if(LCMS_FOUND) diff --git a/app-text/poppler/poppler-0.57.0-r1.ebuild b/app-text/poppler/poppler-0.57.0-r1.ebuild index b7a421f73e2..fafef568109 100644 --- a/app-text/poppler/poppler-0.57.0-r1.ebuild +++ b/app-text/poppler/poppler-0.57.0-r1.ebuild @@ -65,6 +65,7 @@ PATCHES=( "${FILESDIR}/${PN}-0.53.0-respect-cflags.patch" "${FILESDIR}/${PN}-0.33.0-openjpeg2.patch" "${FILESDIR}/${PN}-0.40-FindQt4.patch" + "${FILESDIR}/${P}-disable-internal-jpx.patch" # Fedora backports from upstream "${FILESDIR}/${P}-CVE-2017-14517.patch" "${FILESDIR}/${P}-CVE-2017-14518.patch"