Version 0.39 is a security release. All of the dynamically-sized
buffers which were allocated on the stack before have been changed
to heap allocations. This circumvents some dangerous security flaws.
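The pattern behind that change, as an added illustration that is not chmlib's own code: a length field read from the file selects a buffer size. Sizing a stack array (VLA or alloca) from that untrusted value lets the file decide how large the stack frame is; a large value runs the frame past the stack. Moving the buffer to the heap with an explicit ceiling keeps that decision with the program. The function names, the 4-byte little-endian length prefix, the `MAX_NAME_LEN` ceiling and the sample bytes are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed ceiling for one object name. The exact number is a policy choice;
 * the point is that the program, not the file, sets it. */
#define MAX_NAME_LEN 65536u

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Pre-0.39 shape, kept only for contrast: the file's own length field sizes
 * a stack array. The data-bounds check stops an out-of-buffer read, but a
 * large (yet present) length still makes the VLA exceed the stack. */
int read_name_stack(const uint8_t *buf, size_t buflen, size_t off,
                    char *dst, size_t dstsz)
{
    if (off > buflen || buflen - off < 4) return -1;
    uint32_t len = le32(buf + off);
    if (buflen - off - 4 < len) return -1;
    char tmp[len + 1];                 /* VLA sized by untrusted data */
    memcpy(tmp, buf + off + 4, len);
    tmp[len] = '\0';
    if (len >= dstsz) return -1;
    memcpy(dst, tmp, len + 1);
    return (int)len;
}

/* 0.39 shape: bounded heap allocation. Stores a malloc'd, NUL-terminated copy
 * in *out (caller frees) and returns the name length, or -1 on any error. */
int read_name_heap(const uint8_t *buf, size_t buflen, size_t off, char **out)
{
    if (off > buflen || buflen - off < 4) return -1;
    uint32_t len = le32(buf + off);
    if (len > MAX_NAME_LEN) return -1;          /* cap the untrusted size */
    if (buflen - off - 4 < len) return -1;      /* and require the bytes  */
    char *name = malloc((size_t)len + 1);
    if (name == NULL) return -1;                /* heap failure is an error, not a crash */
    memcpy(name, buf + off + 4, len);
    name[len] = '\0';
    *out = name;
    return (int)len;
}

/* Constructed directory fragments (not taken from a real .chm file). */
static const uint8_t sample_ok[]    = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t sample_huge[]  = { 0xff, 0xff, 0xff, 0x7f, 'x' };  /* claims ~2 GiB */
static const uint8_t sample_short[] = { 9, 0, 0, 0, 'h', 'i' };         /* claims 9, has 2 */

int main(void)
{
    char *name = NULL;
    int n = read_name_heap(sample_ok, sizeof sample_ok, 0, &name);
    printf("ok:    %d %s\n", n, n >= 0 ? name : "(error)");
    free(name);
    name = NULL;
    printf("huge:  %d\n", read_name_heap(sample_huge, sizeof sample_huge, 0, &name));
    printf("short: %d\n", read_name_heap(sample_short, sizeof sample_short, 0, &name));
    return 0;
}
```

`read_name_stack` is correct on small input and is exercised that way here; the difference shows only when a file supplies a name length in the megabytes, where the heap version returns -1 and the stack version faults.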
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
    zlib
    fontconfig
        iconv
        zlib
        freetype2
        expat
    freetype2
    Xrender
        renderproto
Changes:
- Security fix for extract_chmLib. Pathnames containing a ".." element
will not be extracted. There doesn't seem to be a legitimate reason
to use ".." as a path element in a chm file.
http://secunia.com/advisories/20734/
- Fix for reading some chm files. Running over a large directory of chm
files, about 1% of them turned out to be unreadable. This resulted
from an incomplete understanding of one of the header fields
(index_root). Apparently, this can take negative values other than -1.
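The ".." check from the 0.38 fix, as an added example that is not chmlib's extract_chmLib code: an object name is refused if any '/'-separated element is exactly "..", and only then joined under the extraction root. The function names, the joining with a root directory and the sample object names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if no '/'-separated element of `name` is "..", else 0.
 * CHM object names use '/' as the separator. Only a whole ".." element is
 * dangerous; "..hidden" or "b.." are ordinary names and stay allowed. */
int chm_name_is_safe(const char *name)
{
    const char *p = name;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (end == NULL)
            return 1;
        p = end + 1;
    }
}

/* Build "<root>/<name>" for extraction. The leading '/' of a CHM object name
 * ("/dir/file") is dropped; empty names, names failing the ".." check and
 * results that do not fit in `out` are refused. Returns 0 or -1. */
int chm_build_output_path(const char *root, const char *name,
                          char *out, size_t outsz)
{
    while (*name == '/')
        name++;
    if (*name == '\0' || !chm_name_is_safe(name))
        return -1;
    int n = snprintf(out, outsz, "%s/%s", root, name);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}

/* Constructed object names (not read from a real .chm) exercising the check. */
static const char *const samples[] = {
    "/index.htm", "/dir/file.htm", "/../../../etc/passwd",
    "/dir/../escape", "/dir/..hidden/file", "/dir/",
};

int main(void)
{
    char out[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = chm_build_output_path("/tmp/chm-out", samples[i], out, sizeof out);
        printf("%-24s -> %s\n", samples[i], rc == 0 ? out : "REFUSED");
    }
    return 0;
}
```

Rejecting the name outright, rather than normalising it, matches the advisory's reasoning: a ".." element has no legitimate use inside a .chm, so there is nothing to preserve by rewriting it.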
RECOMMENDED is removed. It becomes ABI_DEPENDS.
BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.
BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.
BUILDLINK_DEPENDS does not change.
IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".
Added to obsolete.mk checking for IGNORE_RECOMMENDED.
I did not manually go through and fix any aesthetic tab/spacing issues.
I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.
I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.
As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.
As discussed on tech-pkg.
I will commit to revbump, pkglint, pkg_install, createbuildlink separately.
Note that if you use wip, it will fail! I will commit to pkgsrc-wip
later (within a day).
developer is officially maintaining the package.
The rationale for changing this from "tech-pkg" to "pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list). Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.
Another stack overflow has been fixed, this one reported by Sven Tantau.
The stack overflow is trivially exploitable to run arbitrary code.
Additionally, the Makefile.in was fixed so that "make install" does the
right thing. Previously, it was not working properly, and the examples
would subsequently fail to build.
Changes:
- Major security fix (iDEFENSE Security Advisory IDEF1099 - Stack Overflow
Vulnerability)
- Major security fix from Palasik Sandor (LZX decompression buffer overrun)
- Bugfix/enhancement from David Huseby to make the "what" flags to
chm_enumerate work correctly, and to pass the flags along to the callback
function (via the chmUnitInfo structure) so that the callback doesn't
need to re-parse the filename.
- Compilation fixes for x86-64 from Vitaly V. Bursov.
- Miscellaneous fixes to the configure script, including some significant
cleanup by Vadim Zeitlin. The changes from Vadim should also allow the
configure script to correctly configure the build on OS X, where it was
previously failing to note that pread64 doesn't work.
- Minor update to the Makefile.in to do a mkdir before the install, in case
the specified INSTALLPREFIX directory is non-existent.
Changes:
- UTF-8 filenames, while still not handled correctly, are handled a little
more gracefully. That is to say, the library doesn't fail to open files
with filenames using characters outside the ASCII subset. I'm very
interested in any information as to the "right" way to handle filenames
of this sort.
- Files not containing a compressed section are handled properly, such as
.chw files. These files seem to contain information about compression,
but the information is invalid or empty. The library deals gracefully
with this now.
- Files compressed with different options were not being decompressed
properly. In particular, if the "reset interval" for the compressed
section was other than 2 block sizes, it could fail to read some of the
files.
- The caching system was improved slightly, in conjunction with this
previous bugfix.
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
All library names listed by *.la files no longer need to be listed
in the PLIST, e.g., instead of:
    lib/libfoo.a
    lib/libfoo.la
    lib/libfoo.so
    lib/libfoo.so.0
    lib/libfoo.so.0.1
one simply needs:
    lib/libfoo.la
and bsd.pkg.mk will automatically ensure that the additional library
names are listed in the installed package +CONTENTS file.
Also make LIBTOOLIZE_PLIST default to "yes".
from pkgsrc-wip (by xtraeme@).
CHMLIB is a library for dealing with Microsoft ITSS/CHM format
files. Right now, it is a very simple library, but sufficient for
dealing with all of the .chm files I've come across. Due to the
fairly well-designed indexing built into this particular file
format, even a small library is able to gain reasonably good
performance indexing into ITSS archives. Since the last version
there have been major bugfixes, portability improvements, and minor
feature additions.