authorRepository QA checks <repo-qa-checks@gentoo.org>2017-11-21 20:01:51 +0000
committerRepository QA checks <repo-qa-checks@gentoo.org>2017-11-21 20:01:51 +0000
commit0def2cb94f253db777ae4f749f66e0c641d376e8 (patch)
treed1f7197b04d477d0b374f74461d4a5d428a9e4ad
parent2017-11-21 19:42:58 UTC (diff)
parentmedia-gfx/optipng: CVE-2017-1000229 (diff)
downloadgentoo-0def2cb94f253db777ae4f749f66e0c641d376e8.tar.gz
gentoo-0def2cb94f253db777ae4f749f66e0c641d376e8.tar.bz2
gentoo-0def2cb94f253db777ae4f749f66e0c641d376e8.zip
Merge updates from master
-rw-r--r--app-emacs/lua-mode/Manifest2
-rw-r--r--media-gfx/optipng/files/optipng-0.7.6-cve-2017-1000229.patch25
-rw-r--r--media-gfx/optipng/optipng-0.7.6-r1.ebuild56
-rw-r--r--profiles/hardened/linux/musl/x86/use.mask3
4 files changed, 85 insertions, 1 deletions
diff --git a/app-emacs/lua-mode/Manifest b/app-emacs/lua-mode/Manifest
index 99d224cdd884..469d4cfe6d59 100644
--- a/app-emacs/lua-mode/Manifest
+++ b/app-emacs/lua-mode/Manifest
@@ -1 +1 @@
-DIST lua-mode-20130419.tar.gz 26236 SHA256 75c1696421983fbb58946ea649d2917f0deefc8b4f1dbc16b819e0cd603e396a SHA512 1fecd953b5b08dad26345c6e0d2006f35f92082d7cd244e4d668808a2694271605f10eb15d7b62ab8fbdf029fa6bac8bcebe8c8d4ef782dbd63ebcce8abc8439 WHIRLPOOL 4477da3bfb707459c14cefbc55ca7303b1774627c143cfe1d2dc3e70a7843fd7f9d0090f4640b934482a39b020afaf09b4dfd0b8ef10fd46f71b3d2c799e6347
+DIST lua-mode-20130419.tar.gz 26242 BLAKE2B 25f75c70982ba2fb0077fb249501367f9dde3eee5ff7bb45c0d8d97857b6268c481652e06e5a92bd04d9b9fcac0fa3368dfbdc3efcbaefc34268aeb490ac6ad9 SHA512 e66ebe6c953e81b07a8f9d86264b1baa5e0b730a6d26b1acf7fb48ceb8cc0f008cdea0046d89e380fefefe0e0b189ef360280236befc79ade69e0622a2e7eb92
diff --git a/media-gfx/optipng/files/optipng-0.7.6-cve-2017-1000229.patch b/media-gfx/optipng/files/optipng-0.7.6-cve-2017-1000229.patch
new file mode 100644
index 000000000000..19dc3ad0c57b
--- /dev/null
+++ b/media-gfx/optipng/files/optipng-0.7.6-cve-2017-1000229.patch
@@ -0,0 +1,25 @@
+From 77ac8e9fd9b2c1aeec3951e2bb50f7cc2c1e92d2 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 19 Nov 2017 16:04:26 +0100
+Subject: [PATCH] Prevent integer overflow (bug #65, CVE-2017-1000229)
+
+---
+ src/minitiff/tiffread.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/minitiff/tiffread.c b/src/minitiff/tiffread.c
+index b4910ec..5f9b376 100644
+--- a/src/minitiff/tiffread.c
++++ b/src/minitiff/tiffread.c
+@@ -350,6 +350,8 @@ minitiff_read_info(struct minitiff_info *tiff_ptr, FILE *fp)
+ count = tiff_ptr->strip_offsets_count;
+ if (count == 0 || count > tiff_ptr->height)
+ goto err_invalid;
++ if (count > (size_t)-1 / sizeof(long))
++ goto err_memory;
+ tiff_ptr->strip_offsets = (long *)malloc(count * sizeof(long));
+ if (tiff_ptr->strip_offsets == NULL)
+ goto err_memory;
+--
+2.14.2
+
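Review bot: The guard added before `malloc(count * sizeof(long))` in the embedded tiffread.c patch has no comment, and it exits through `err_memory` even though an oversized strip count is a property of the input file, not an allocation failure. I would add `/* reject a strip count whose byte size would wrap size_t in the malloc below */` above the new `if`, and consider `goto err_invalid;` so the file is reported as malformed. What the two labels do is outside the hunk, so confirm they differ only in the error reported. The declared type of `count` is also not visible here; the comparison with `(size_t)-1 / sizeof(long)` is a complete bound only if `count` is unsigned and no wider than `size_t`. The body of minitiff_read_info starts and ends outside this inner hunk.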
diff --git a/media-gfx/optipng/optipng-0.7.6-r1.ebuild b/media-gfx/optipng/optipng-0.7.6-r1.ebuild
new file mode 100644
index 000000000000..becde449ea44
--- /dev/null
+++ b/media-gfx/optipng/optipng-0.7.6-r1.ebuild
@@ -0,0 +1,56 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=4
+
+inherit eutils toolchain-funcs
+
+DESCRIPTION="Compress PNG files without affecting image quality"
+HOMEPAGE="http://optipng.sourceforge.net/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
+
+LICENSE="ZLIB"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~ppc ~ppc64 ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-macos ~x86-solaris"
+IUSE=""
+
+RDEPEND="sys-libs/zlib
+ media-libs/libpng:0"
+DEPEND="${RDEPEND}
+ sys-apps/findutils"
+
+src_prepare() {
+ epatch "${FILESDIR}"/${PN}-0.7.5-estonian.patch
+ epatch "${FILESDIR}"/${PN}-0.7.6-cve-2017-1000229.patch # bug 637936
+
+ rm -R src/{libpng,zlib} || die
+ find . -type d -name build -exec rm -R {} + || die
+
+ # next release is almost a complete rewrite, so plug this compilation
+ # problem in anticipation of the much (c)leaner(?) rewrite
+ sed -i \
+ -e 's/^#ifdef AT_FDCWD/#if defined(AT_FDCWD) \&\& !(defined (__SVR4) \&\& defined (__sun))/' \
+ src/optipng/osys.c || die
+
+ tc-export CC AR RANLIB
+ export LD=$(tc-getCC)
+}
+
+src_configure() {
+ ./configure \
+ -with-system-libpng \
+ -with-system-zlib \
+ || die "configure failed"
+}
+
+src_compile() {
+ emake -C src/optipng
+}
+
+src_install() {
+ dodoc README.txt doc/*.txt
+ dohtml doc/*.html
+ doman src/${PN}/man/${PN}.1
+
+ dobin src/${PN}/${PN}
+}
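Review bot: `EAPI=4` with `epatch` from eutils is a dated base for a new security revision. Under EAPI 6 the two patches can be listed in a `PATCHES` array and applied by `default` at the top of `src_prepare`, which also applies user patches. The `# bug 637936` comment should stay next to the CVE patch so the fix remains traceable. The estonian patch is not visible on this page, so confirm it applies at `-p1` before switching.

```shell
EAPI=6

# … unchanged: inherit, metadata, dependencies …

PATCHES=(
	"${FILESDIR}"/${PN}-0.7.5-estonian.patch
	"${FILESDIR}"/${PN}-0.7.6-cve-2017-1000229.patch # bug 637936
)

src_prepare() {
	default
	# … unchanged: unbundling of libpng/zlib, sed fix, toolchain export …
```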
diff --git a/profiles/hardened/linux/musl/x86/use.mask b/profiles/hardened/linux/musl/x86/use.mask
index a70efb03255b..61e5564be9fc 100644
--- a/profiles/hardened/linux/musl/x86/use.mask
+++ b/profiles/hardened/linux/musl/x86/use.mask
@@ -5,6 +5,9 @@
-x86
-abi_x86_32
+# ssp is broken on x86 musl. This is critical for gcc-6.
+ssp
+
# unmask all SIMD assembler flags
-cpu_flags_x86_3dnow
-cpu_flags_x86_3dnowext