Changelog:
libexif-0.6.24 (2021-11-25):
* Translation updates: sr, vi, pl, uk, french
* fixed regression in exif_data_load_data which could not load EXIF in JPEG data anymore
* Decode lots of Canon tag names
* removed empty strings from translation (empty string would translate to the PO info header)
* various warning removals and code improvements
* added sample "persistent" afl fuzzer (100x faster than normal afl fuzzer)
libexif-0.6.23 (2021-09-12):
* Translation updates: es, pl, uk, fr
* EXIF_TAG_SENSITIVITY_TYPE decoder added, added some more Exif 2.3 tags:
- EXIF_TAG_STANDARD_OUTPUT_SENSITIVITY
- EXIF_TAG_RECOMMENDED_EXPOSURE_INDEX
- EXIF_TAG_ISO_SPEED
- EXIF_TAG_ISO_SPEEDLatitudeYYY
- EXIF_TAG_ISO_SPEEDLatitudeZZZ
- EXIF_TAG_OFFSET_TIME
- EXIF_TAG_OFFSET_TIME_ORIGINAL
- EXIF_TAG_OFFSET_TIME_DIGITIZED
- EXIF_TAG_IMAGE_DEPTH
* be more relaxed to out of order JPG / EXIF dataheaders in files generated by some tools
* default GPS IFD table added
* Decode more Nikon Makernote tag names
* Added Apple iOS Makernote
* Security fixes:
* CVE-2020-0198: unsigned integer overflow in exif_data_load_data_content
* CVE-2020-0452: compiler optimization could remove an a
bufferoverflow check, making a buffer overflow possible with some
EXIF tags
* some more denial of service (compute time or stack exhaustion) counter-measures
added that avoid minutes of decoding time with malformed files found
by OSS-Fuzz
libexif-0.6.22 (2020-05-18):
* New translations: ms
* Updated translations for most languages
* Fixed C89 compatibility
* Fixed warnings on recent versions of autoconf
* Some useful EXIF 2.3 tag added:
* EXIF_TAG_GAMMA
* EXIF_TAG_COMPOSITE_IMAGE
* EXIF_TAG_SOURCE_IMAGE_NUMBER_OF_COMPOSITE_IMAGE
* EXIF_TAG_SOURCE_EXPOSURE_TIMES_OF_COMPOSITE_IMAGE
* EXIF_TAG_GPS_H_POSITIONING_ERROR
* EXIF_TAG_CAMERA_OWNER_NAME
* EXIF_TAG_BODY_SERIAL_NUMBER
* EXIF_TAG_LENS_SPECIFICATION
* EXIF_TAG_LENS_MAKE
* EXIF_TAG_LENS_MODEL
* EXIF_TAG_LENS_SERIAL_NUMBER
* Lots of fixes exposed by fuzzers like AFL, ClusterFuzz, OSSFuzz and others.
* CVE-2018-20030: Fix for recursion DoS
* CVE-2020-13114: Time consumption DoS when parsing canon array markers
* CVE-2020-13113: Potential use of uninitialized memory
* CVE-2020-13112: Various buffer overread fixes due to integer overflows in maker notes
* CVE-2020-0093: read overflow
* CVE-2019-9278: replaced integer overflow checks the compiler could optimize away by safer constructs
* CVE-2020-12767: fixed division by zero
* CVE-2016-6328: fixed integer overflow when parsing maker notes
* CVE-2017-7544: fixed buffer overread
pkglint --only "https instead of http" -r -F
With manual adjustments afterwards since pkglint 19.4.4 fixed a few
indentations in unrelated lines.
This mainly affects projects hosted at SourceForce, as well as
freedesktop.org, CTAN and GNU.
Problems found with existing digests:
Package fotoxx distfile fotoxx-14.03.1.tar.gz
ac2033f87de2c23941261f7c50160cddf872c110 [recorded]
118e98a8cc0414676b3c4d37b8df407c28a1407c [calculated]
Package ploticus-examples distfile ploticus-2.00/plnode200.tar.gz
34274a03d0c41fae5690633663e3d4114b9d7a6d [recorded]
da39a3ee5e6b4b0d3255bfef95601890afd80709 [calculated]
Problems found locating distfiles:
Package AfterShotPro: missing distfile AfterShotPro-1.1.0.30/AfterShotPro_i386.deb
Package pgraf: missing distfile pgraf-20010131.tar.gz
Package qvplay: missing distfile qvplay-0.95.tar.gz
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
* New translations: en_AU, uk
* Updated translations: cs, da, de, en_CA, nl, pl, sk, sv, vi
* Added more supported lens in Canon MakerNote
* Added some defensive NULL pointer checks
* Fixed a number of security and stability issues due to buffer overflows,
bad pointer dereferences and division-by-zero including bug 3434540
and bug 3434545 (CVE-2012-2812, CVE-2012-2813, CVE-2012-2814,
CVE-2012-2836, CVE-2012-2837, CVE-2012-2840, CVE-2012-2841,
CVE-2012-2845)
* New translations: bs, tr
* Updated translations: be, cs, da, de, en_GB, en_CA, it, ja, nl, pl, pt_BR,
pt, ru, sk, sq, sr, sv, vi, zh_CN
* Fixed some problems in the write-exif.c example program
* Stop listing -lm as a required library for dynamic linking in libexif.pc
* Turned on the --enable-silent-rules configure option
* Changed a lot of strings to make the case of the text more consistent
* exif_entry_dump() now displays the correct tag name for GPS tags
* Fixed some invalid format specifiers that caused problems on some platforms
* Display rational numbers with the right number of significant figures
* New translations: be, en_GB, it, ja, pt, sq, zh_CN
* Updated translations: da, sv, vi
* Now using a binary search to make searching through the tag table faster
* Fixed a heap buffer overflow during tag format conversion
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit marker, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
* Updated translations: cs, de, pl, sk, vi
* New translations: nl, se, en_CA
* Enabled sv translation by default
* Bug fixes
* Enhanced support of Canon and Olympus makernotes
* Added support for Fuji and Sanyo makernotes
* Added support for the NO_VERBOSE_TAG_STRINGS and NO_VERBOSE_TAG_DATA
macros to reduce size for embedded applications
* Added support for more tags
New in 0.6.15 (2007-05-23) since 0.6.14 (2007-05-10):
* Added support for 2 new types of Pentax makernotes & Casio type2 makernote
* Added support for Win XP metadata (Author, Comment, KeyWords, Title,
Subject) tags
* Bug fixes:
[ 1443183 ] install error when doxygen is not present.
* New translations: Czech, Slovak.
* Improved doxygen generated API and code internals
documentation. Made building of code internals docs optional
(--enable-internal-docs) as the call graphs take quite long to
build. Made building any docs optional (--disable-docs).
New in 0.6.14 (2007-05-10) since 0.6.13 (2005-12-27):
* Bug fixes: #1457501, #1471060, #1525770, #1617991, #1703284, #1716196
* Extended support of Canon, Nikon, Olympus makernotes
* Added option EXIF_DATA_OPTION_DONT_CHANGE_MAKER_NOTE to prevent
modification of maker notes
* Other fixes and improvements which include API/ABI additions.
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
zlib
fontconfig
iconv
zlib
freetype2
expat
freetype2
Xrender
renderproto
PKGLOCALEDIR and which install their locale files directly under
${PREFIX}/${PKGLOCALEDIR} and sort the PLIST file entries. From now
on, pkgsrc/mk/plist/plist-locale.awk will automatically handle
transforming the PLIST to refer to the correct locale directory.
RECOMMENDED is removed. It becomes ABI_DEPENDS.
BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.
BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.
BUILDLINK_DEPENDS does not change.
IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".
Added to obsolete.mk checking for IGNORE_RECOMMENDED.
I did not manually go through and fix any aesthetic tab/spacing issues.
I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.
I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.
As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.
As discussed on tech-pkg.
I will commit to revbump, pkglint, pkg_install, createbuildlink separately.
Note that if you use wip, it will fail! I will commit to pkgsrc-wip
later (within day).
JPEG pictures with certain EXIF data, like those from SONY, Nikon
or Canon digital cameras.
Obtained from libexif CVS, exif-data.c, rev. 1.68, via FreeBSD.
Noted by Leonard Schmidt on tech-pkg.
"Matthias Clasen has reported a vulnerability in libexif, which can be
exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an infinite recursion in the
"exif_data_load_data_content()" function and can be exploited to
cause a stack overflow when parsing a specially crafted image.
Successful exploitation may crash an application linked against the
vulnerable library."
Bump PKGREVISION. Patch from:
http://sourceforge.net/tracker/index.php?func=detail&aid=1196787&group_id=12272&atid=112272
* Final fix of Ubuntu Security Notice USN-91-1 (CAN-2005-0664)
https://bugzilla.ubuntulinux.org/show_bug.cgi?id=7152
* Updated build system with cross compile capabilities
* Small fixes:
Fix tag order, use even offsets, improve Nikon&Olympus mnote tags.
* SECURITY UPDATE: Fix buffer overflow.
* libexif/exif-data.c: Add buffer size checks in several places before
trying to access it.
* Thanks to Sylvain Defresne for spotting this and the patch.
* References:
https://bugzilla.ubuntulinux.org/show_bug.cgi?id=7152
Thanks to wiz@ for heads-up. :)
PKGREVISIONs of packages including it, because the recent update of
libexif changed the major version number of libexif. Noted by dieter
and Jeremy C. Reed on tech-pkg@.
in the process. (More information on tech-pkg.)
Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and
installing .la files.
Bump PKGREVISION (only) of all packages depending directly on the above
via a buildlink3 include.
All library names listed by *.la files no longer need to be listed
in the PLIST, e.g., instead of:
lib/libfoo.a
lib/libfoo.la
lib/libfoo.so
lib/libfoo.so.0
lib/libfoo.so.0.1
one simply needs:
lib/libfoo.la
and bsd.pkg.mk will automatically ensure that the additional library
names are listed in the installed package +CONTENTS file.
Also make LIBTOOLIZE_PLIST default to "yes".
