Re: UPDATE: libass 0.15.0 - CVE-2020-26682

Tue, 03 Nov 2020 13:45:59 -0800 

On Tue, Oct 27, 2020 at 11:59:37PM -0400, Brad Smith wrote:
> Here is an update to libass 0.15.0.
> 
> CVE-2020-26682
> 
> In libass 0.14.0, the `ass_outline_construct`'s call to `outline_stroke` 
> causes a signed integer overflow.

Adding in a missing dependency on a new hard requirement for harfbuzz.


Index: Makefile
===================================================================
RCS file: /home/cvs/ports/multimedia/libass/Makefile,v
retrieving revision 1.24
diff -u -p -u -p -r1.24 Makefile
--- Makefile    21 Aug 2019 07:35:17 -0000      1.24
+++ Makefile    3 Nov 2020 16:07:22 -0000
@@ -2,14 +2,13 @@
 
 COMMENT=       portable ASS/SSA subtitle renderer
 
-VER=           0.14.0
+VER=           0.15.0
 DISTNAME=      libass-${VER}
-REVISION=      0
 CATEGORIES=    multimedia devel
 MASTER_SITES=  https://github.com/libass/libass/releases/download/${VER}/
 EXTRACT_SUFX=  .tar.xz
 
-SHARED_LIBS=   ass     3.0
+SHARED_LIBS=   ass     3.1
 
 HOMEPAGE=      https://github.com/libass/libass
 
@@ -18,17 +17,18 @@ MAINTAINER= Brad Smith <[email protected]
 # ISC
 PERMIT_PACKAGE=        Yes
 
-WANTLIB=       expat fontconfig freetype fribidi iconv m z
+WANTLIB=       ${COMPILER_LIBCXX} expat fontconfig freetype fribidi \
+               glib-2.0 graphite2 harfbuzz iconv intl m pcre z
 
 COMPILER=      base-clang ports-gcc
 COMPILER_LANGS=        c
 
 LIB_DEPENDS=   converters/libiconv \
-               devel/fribidi
+               devel/fribidi \
+               devel/harfbuzz
 
 CONFIGURE_STYLE= gnu
-CONFIGURE_ARGS=        --disable-asm \
-               --disable-harfbuzz
+CONFIGURE_ARGS=        --disable-asm
 CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include" \
                LDFLAGS="-L${LOCALBASE}/lib"
 
Index: distinfo
===================================================================
RCS file: /home/cvs/ports/multimedia/libass/distinfo,v
retrieving revision 1.16
diff -u -p -u -p -r1.16 distinfo
--- distinfo    22 Jul 2019 06:55:41 -0000      1.16
+++ distinfo    27 Oct 2020 23:01:10 -0000
@@ -1,2 +1,2 @@
-SHA256 (libass-0.14.0.tar.xz) = iB8jgq9Irq11t6DgLmXYjF69Np/ka8d9knCpSqj9OKI=
-SIZE (libass-0.14.0.tar.xz) = 356256
+SHA256 (libass-0.15.0.tar.xz) = nwkjDJoKpo73qmqeKrcJypVwIPhC5SxbLlK4AafZ6DM=
+SIZE (libass-0.15.0.tar.xz) = 367848
Index: pkg/PLIST
===================================================================
RCS file: /home/cvs/ports/multimedia/libass/pkg/PLIST,v
retrieving revision 1.3
diff -u -p -u -p -r1.3 PLIST
--- pkg/PLIST   21 Nov 2014 02:53:54 -0000      1.3
+++ pkg/PLIST   27 Oct 2020 23:03:55 -0000
@@ -2,7 +2,7 @@
 include/ass/
 include/ass/ass.h
 include/ass/ass_types.h
-lib/libass.a
+@static-lib lib/libass.a
 lib/libass.la
 @lib lib/libass.so.${LIBass_VERSION}
 lib/pkgconfig/libass.pc

Reply via email to