[gentoo-commits] repo/gentoo:master commit in: media-libs/libraw/, media-libs/libraw/files/

["Hans de Graaff" <graaff@gentoo.org>]

commit:     8bfc77ff0d80c08df6ca2401ef3c77faecd1680f
Author:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
AuthorDate: Sun Oct 15 10:27:22 2023 +0000
Commit:     Hans de Graaff <graaff <AT> gentoo <DOT> org>
CommitDate: Sun Oct 15 10:27:56 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bfc77ff

media-libs/libraw: fix CVE-2023-1729

Bug: https://bugs.gentoo.org/908041
Signed-off-by: Hans de Graaff <graaff <AT> gentoo.org>

 .../libraw/files/libraw-0.21.1-CVE-2023-1729.patch | 22 ++++++++
 media-libs/libraw/libraw-0.21.1-r1.ebuild          | 62 ++++++++++++++++++++++
 2 files changed, 84 insertions(+)

diff --git a/media-libs/libraw/files/libraw-0.21.1-CVE-2023-1729.patch b/media-libs/libraw/files/libraw-0.21.1-CVE-2023-1729.patch
new file mode 100644
index 000000000000..427b3c852c16
--- /dev/null
+++ b/media-libs/libraw/files/libraw-0.21.1-CVE-2023-1729.patch
@@ -0,0 +1,22 @@
+From 9ab70f6dca19229cb5caad7cc31af4e7501bac93 Mon Sep 17 00:00:00 2001
+From: Alex Tutubalin <lexa@lexa.ru>
+Date: Sat, 14 Jan 2023 18:32:59 +0300
+Subject: [PATCH] do not set shrink flag for 3/4 component images
+
+---
+ src/preprocessing/raw2image.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/preprocessing/raw2image.cpp b/src/preprocessing/raw2image.cpp
+index e65e2ad7..702cf290 100644
+--- a/src/preprocessing/raw2image.cpp
++++ b/src/preprocessing/raw2image.cpp
+@@ -43,6 +43,8 @@ void LibRaw::raw2image_start()
+ 
+   // adjust for half mode!
+   IO.shrink =
++	  !imgdata.rawdata.color4_image && !imgdata.rawdata.color3_image &&
++	  !imgdata.rawdata.float4_image && !imgdata.rawdata.float3_image &&
+       P1.filters &&
+       (O.half_size || ((O.threshold || O.aber[0] != 1 || O.aber[2] != 1)));
+ 

diff --git a/media-libs/libraw/libraw-0.21.1-r1.ebuild b/media-libs/libraw/libraw-0.21.1-r1.ebuild
new file mode 100644
index 000000000000..98313a578726
--- /dev/null
+++ b/media-libs/libraw/libraw-0.21.1-r1.ebuild
@@ -0,0 +1,62 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit multilib-minimal toolchain-funcs
+
+MY_PN=LibRaw
+MY_PV="${PV/_b/-B}"
+MY_P="${MY_PN}-${MY_PV}"
+
+DESCRIPTION="LibRaw is a library for reading RAW files obtained from digital photo cameras"
+HOMEPAGE="https://www.libraw.org/ https://github.com/LibRaw/LibRaw"
+SRC_URI="https://www.libraw.org/data/${MY_P}.tar.gz"
+
+LICENSE="LGPL-2.1 CDDL"
+# SONAME isn't exactly the same as PV but it does correspond and
+# libraw has unstable ABI across releases.
+SLOT="0/$(ver_cut 1-2)"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86 ~amd64-linux ~x86-linux"
+IUSE="examples jpeg +lcms openmp zlib"
+
+RDEPEND="
+	jpeg? ( media-libs/libjpeg-turbo:=[${MULTILIB_USEDEP}] )
+	lcms? ( >=media-libs/lcms-2.5:2[${MULTILIB_USEDEP}] )
+	zlib? ( sys-libs/zlib[${MULTILIB_USEDEP}] )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="virtual/pkgconfig"
+
+S="${WORKDIR}/${MY_P}"
+
+DOCS=( Changelog.txt README.md )
+
+PATCHES=( "${FILESDIR}/${P}-CVE-2023-1729.patch" )
+
+pkg_pretend() {
+	[[ ${MERGE_TYPE} != binary ]] && use openmp && tc-check-openmp
+}
+
+pkg_setup() {
+	[[ ${MERGE_TYPE} != binary ]] && use openmp && tc-check-openmp
+}
+
+multilib_src_configure() {
+	local myeconfargs=(
+		--disable-jasper
+		$(multilib_native_use_enable examples)
+		$(use_enable jpeg)
+		$(use_enable lcms)
+		$(use_enable openmp)
+		$(use_enable zlib)
+	)
+	ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
+}
+
+multilib_src_install_all() {
+	einstalldocs
+
+	# package installs .pc files
+	find "${D}" -name '*.la' -delete || die
+}