Fix CVE-2009-4422: Multiple cross-site scripting (XSS) vulnerabilities in
the GetURLArguments function in jpgraph.php in Aditus Consulting JpGraph
3.0.6 allow remote attackers to inject arbitrary web script or HTML via a
key to csim_in_html_ex1.php, and other unspecified vectors.
Although the ports tree version is 3.0.7, this vulnerability has not been fixed.
The solution is taken from
http://www.securityfocus.com/archive/1/archive/1/508586/100/0/threaded
While on it:
- Fix typo in port creator's mail address
- Add LICENSE*
- Add NO_ARCH=yes (port only installs scripts)
PR: 207001
Submitted by: venture37@geeklan.co.uk
MFH: 2016Q1
Security: CVE-2009-4422

Changelog:
* Made "-reduce" and "-force" the default behavior. Removed obsolete
options "-plte_len", "-cc", "-nocc", "-double_gamma", "-already_crushed",
and "-bit_depth". Removed "things_have_changed" code.
* Deleted png_read_update_info() statement that was mistakenly added to
version 1.7.89. It caused "bad adaptive filter value" errors.
* Suppress warning about "damaged LZ stream" when bailing out and building
with libpng-1.7.0beta.
* Added a LICENSE file to the distribution. It points to the actual
license appearing in the NOTICES section near the top of pngcrush.c
* Show if pngcrush is built with bundled or system libpng and zlib.
* Fixed segfault while writing a -loco MNG (bug found with AFL, reported
by Brian Carpenter). Bug was introduced in pngcrush-1.7.35.
PR: 207801
Submitted by: Anton Sayetsky <vsasjason@gmail.com> (maintainer)
This update also fixes the build on FreeBSD 9.3-RELEASE where the
definition of powl(3) is hidden behind _DECLARE_C99_LDBL_MATH.
Reviewed by: kwm
Approved by: kwm
Differential Revision: https://reviews.freebsd.org/D5279

print/cups and update it to 2.1.3. Also remove print/cups-pstoraster,
improve print/cups-filters, print/foomatic-* and update print/hplip to
3.16.2.
Long description:
First some background. When you hand a file to cups it sets up a chain of
filter programs that converts the file to something a printer understands.
Each filter has a cost associated with it and cups tries to find the
cheapest chain. Costs used to be configured in such a way that files were
first converted to PostScript. This could then be manipulated further (e.g.
putting multiple pages on one sheet) before finally being sent to a
PostScript printer or another filter like pstoraster which produces a raster
format understood by non-PostScript printer drivers. Nowadays most filters
have been moved from cups to cups-filters and they have been configured to
use PDF as an intermediate format instead of PostScript.
Merging of cups-base, cups-client and cups-image into print/cups:
- cups-image provides a library to work with the cups raster format. It is
only used to implement filters and printer drivers and these only exist
in the context of a cups server so there's no need to separate this from
cups-base.
- cups-client provides a library that allows applications to print via cups.
It is possible to use the library to access a remote cups server without
running a local cups server, but such a setup is discouraged and the
configuration file to set this up has been marked deprecated. It is
better to run a local cups server and let that talk to the remote cups
server because then you have the benefits of local job queuing in case the
remote server is down or busy. Given this and the fact that without
filters cups-base is now smaller than it used to be it makes sense to
merge the ports. The patch also adds options IPPTOOL, DOCS and NLS which
when disabled make the new cups package smaller than the current
cups-client package. Merging the ports also prevents problems with
options like ZEROCONF being configured differently in both ports.
- print/cups was a metaport that depended on cups-base and some filters.
There isn't really a need for such a metaport so cups-base can be renamed
to cups. The filters can be depended on by printer drivers such as hplip
if they need them.
Additional changes to the new print/cups:
- Clean up the patches. They seem to have been regenerated with post-patch
changes included.
- Add a patch to prevent intermediate conversion to PDF when a PostScript
file is sent to a PostScript printer when cups-filters is installed.
- Fix the PAM configuration file.
- Add a patch to let the server search /usr/local/share/ppd like on Linux so
other ports don't have to add links to it.
- Remove ulpt(4) helper scripts. The port uses libusb with ugen(4).
- Remove support for mDNSResponder. cups-filters only supports Avahi.
- Combine ICONS and XDG_OPEN options into an X11 option to support WITHOUT_X11.
- Optionally depend on colord for ICC profile support.
- Various smaller changes.
Changes to print/cups-filters:
- Let the cups_browsed rc.d script depend on cupsd and avahi_daemon instead
of LOGIN.
- Development of foomatic-filters has been moved to cups-filters so let this
port install foomatic related files and add foomatic-filters to CONFLICTS.
- Fix location of liblouis tables.
- Add patch to fix ICC support.
Changes to print/cups-pstoraster:
This port is essentially an old version of Ghostscript plus a cups filter.
It's no longer developed. This commit removes it and changes existing
dependencies to print/cups-filters which depends on print/ghostscript* and
includes a gstoraster filter that can handle both PostScript and PDF.
Changes to print/foomatic-db*:
Remove old MASTER_SITES and dependencies and eliminate PKGNAMEPREFIX.
Changes to print/foomatic-filters:
Install beh backend with its original name again and add cups-filters to
CONFLICTS.
Changes to print/hplip:
- Stop installing hpijs/foomatic-rip support. This is no longer supported
upstream.
- Stop installing hpcups PPDs. These are now automatically generated. The
bundled PPDs are generated for an older version of cups.
- Rename the QT option to X11 to support WITHOUT_X11.
- Simplify the patches now that ports are installed in a staging area.
- Add a patch to set SO_REUSEPORT (next to SO_REUSEADDR) on the mDNS socket
like avahi-daemon does. This fixes Zeroconf support for HP network
printers.
PR: 207746
Exp-run by: antoine
Approved by: portmgr (antoine)
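The filter-chain selection described in the long description above, as an added toy model that is not part of the ports commit or of cups itself: cups reads "source destination cost program" entries from its mime.convs files and picks the cheapest path between MIME types, so the cost table decides whether PostScript or PDF becomes the intermediate format. The entries and costs below are constructed for illustration (not copied from any real mime.convs), and `CONVS_PATCHED` models the intent of the commit's patch that keeps a PostScript job bound for a PostScript printer from detouring through PDF.

```python
import heapq

# Constructed filter table in the spirit of mime.convs: (source, destination, cost, program).
# pstops is given a deliberately high cost here so that the PDF route wins, mirroring the
# PDF-centric configuration the commit describes. Values are illustrative, not real cups data.
CONVS = [
    ("application/postscript", "application/pdf", 66, "pstopdf"),
    ("application/pdf", "application/vnd.cups-pdf", 66, "pdftopdf"),
    ("application/vnd.cups-pdf", "application/vnd.cups-postscript", 66, "pdftops"),
    ("application/vnd.cups-pdf", "application/vnd.cups-raster", 100, "gstoraster"),
    ("application/postscript", "application/vnd.cups-postscript", 300, "pstops"),
]

# Hypothetical "patched" table: make the direct PostScript filter cheap again, so a
# PostScript job for a PostScript printer no longer takes the PDF detour.
CONVS_PATCHED = [
    (src, dst, 66 if prog == "pstops" else cost, prog) for src, dst, cost, prog in CONVS
]


def cheapest_chain(convs, src, dst):
    """Dijkstra over MIME types; returns (total cost, [programs]) or None if unreachable."""
    graph = {}
    for s, d, cost, prog in convs:
        graph.setdefault(s, []).append((d, cost, prog))
    best = {src: 0}
    heap = [(0, src, [])]
    while heap:
        cost, node, chain = heapq.heappop(heap)
        if node == dst:
            return cost, chain
        if cost > best.get(node, float("inf")):
            continue  # stale heap entry
        for d, c, prog in graph.get(node, []):
            new_cost = cost + c
            if new_cost < best.get(d, float("inf")):
                best[d] = new_cost
                heapq.heappush(heap, (new_cost, d, chain + [prog]))
    return None


if __name__ == "__main__":
    ps, ps_printer = "application/postscript", "application/vnd.cups-postscript"
    print("unpatched:", cheapest_chain(CONVS, ps, ps_printer))
    print("patched:  ", cheapest_chain(CONVS_PATCHED, ps, ps_printer))
```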
There is a regression with the 5.1.2 update to giflib. This affects the
ability of applications to render gif images, usually occurring after the
first gif image is rendered. Upstream has been notified but has not yet
provided feedback.
giflib 5.1.2 was a security fix, so reverting is not reasonable.
"The removed check looks redundant - I couldn't find a code path where
Private->RunningBits would exceed that limit after initialization.
(Currently Private->RunningBits is checked before it is initialized)."
PR: 207849
Submitted by: Stefan Ehmann <shoesoft@gmx.net>
Approved by: ports-secteam (with hat)
MFH: 2016Q1

Fix distinfo for the offending ports.
lang/yorick's tag was moved, and the added patch was no longer needed.
PR: 207644
Submitted by: mat
Exp-run by: antoine
Sponsored by: Absolight
Differential Revision: https://reviews.freebsd.org/D4268

libyuv is an open source project that includes YUV scaling and conversion
functionality.
- Prepare content for compression, with point, bilinear or box filter.
- Convert to YUV from webcam formats.
- Convert from YUV to formats for rendering/effects.
- Rotate by 90/180/270 degrees to adjust for mobile devices in portrait mode.
- Optimized versions for SSE2/SSSE3/AVX2 on x86/x64, Neon on Arm, DSP R2 Mips
are possible.
WWW: https://chromium.googlesource.com/libyuv/libyuv/
PR: 205680, 204958
Submitted by: Corey Smith <corsmith@gmail.com>, numisemis@yahoo.com

OSVERSION was used without OPSYS, but it turns out that DragonFly needs
a dedicated extra patch due to having a different name for the cdefs
macro.
Approved by: blankets (restore working DF port/non-invasive DF support)