
From: Andreas Sturmlechner <asturm@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/libzip/files/, dev-libs/libzip/
Date: Sat, 02 Sep 2017 08:40:18
Message-Id: 1504341582.496ef5159327a6ec7726c0ec5ec849e16f416b7a.asturm@gentoo
1 commit: 496ef5159327a6ec7726c0ec5ec849e16f416b7a
2 Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
3 AuthorDate: Sat Sep 2 08:34:07 2017 +0000
4 Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
5 CommitDate: Sat Sep 2 08:39:42 2017 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=496ef515
7
8 dev-libs/libzip: Security revbump for CVE-2017-14107
9
10 Package-Manager: Portage-2.3.8, Repoman-2.3.3
11
12 .../libzip/files/libzip-1.2.0-CVE-2017-12858.patch | 2 +-
13 .../libzip/files/libzip-1.2.0-CVE-2017-14107.patch | 27 ++++++++++++++
14 dev-libs/libzip/libzip-1.2.0-r2.ebuild | 41 ++++++++++++++++++++++
15 3 files changed, 69 insertions(+), 1 deletion(-)
16
17 diff --git a/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch
18 index b7586e45a56..26236510fee 100644
19 --- a/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch
20 +++ b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch
21 @@ -34,4 +34,4 @@ index a369900..e5a7cc9 100644
22 - }
23 return -1;
24 }
25 -
26 \ No newline at end of file
27 +
28
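--- /dev/null
+++ b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-14107.patch
@@ -0,0 +1,27 @@
+From 9b46957ec98d85a572e9ef98301247f39338a3b5 Mon Sep 17 00:00:00 2001
+From: Thomas Klausner <tk@×××××××.at>
+Date: Tue, 29 Aug 2017 10:25:03 +0200
+Subject: [PATCH] Make eocd checks more consistent between zip and zip64 cases.
+
+---
+ lib/zip_open.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/zip_open.c b/lib/zip_open.c
+index 3bd593b..9d3a4cb 100644
+--- a/lib/zip_open.c
++++ b/lib/zip_open.c
+@@ -847,7 +847,12 @@ _zip_read_eocd64(zip_source_t *src, zip_buffer_t *buffer, zip_uint64_t buf_offse
+ zip_error_set(error, ZIP_ER_SEEK, EFBIG);
+ return NULL;
+ }
+- if ((flags & ZIP_CHECKCONS) && offset+size != eocd_offset) {
++ if (offset+size > buf_offset + eocd_offset) {
++ /* cdir spans past EOCD record */
++ zip_error_set(error, ZIP_ER_INCONS, 0);
++ return NULL;
++ }
++ if ((flags & ZIP_CHECKCONS) && offset+size != buf_offset + eocd_offset) {
+ zip_error_set(error, ZIP_ER_INCONS, 0);
+ return NULL;
+ }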
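Review bot: The unconditional bound added in _zip_read_eocd64, `if (offset+size > buf_offset + eocd_offset)`, is only sound if neither sum can wrap, and the hunk does not show that. The EFBIG return in the context lines just above suggests `offset+size` is range-checked first, but that check begins outside the hunk, and nothing visible bounds `buf_offset + eocd_offset`; this is worth confirming against the full function before relying on the backport. The comment would also help more if it said why this test ignores ZIP_CHECKCONS, for example `/* always enforced, not only under ZIP_CHECKCONS: the cdir must end at or before the EOCD record */`. After the new check the remaining `!=` comparison can only fire for a cdir that ends before the EOCD, so `<` would state its intent more directly.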
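--- /dev/null
+++ b/dev-libs/libzip/libzip-1.2.0-r2.ebuild
@@ -0,0 +1,41 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit autotools
+
+DESCRIPTION="Library for manipulating zip archives"
+HOMEPAGE="https://nih.at/libzip/"
+SRC_URI="https://www.nih.at/libzip/${P}.tar.xz"
+
+LICENSE="BSD"
+SLOT="0/5"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos"
+IUSE="static-libs"
+
+RDEPEND="
+ sys-libs/zlib
+ elibc_musl? ( sys-libs/fts-standalone )
+"
+DEPEND="${RDEPEND}"
+
+DOCS=( AUTHORS NEWS.md API-CHANGES THANKS )
+
+PATCHES=(
+ "${FILESDIR}/${P}-headers.patch"
+ "${FILESDIR}/${P}-fts.patch"
+ "${FILESDIR}/${P}-CVE-2017-12858.patch"
+ "${FILESDIR}/${P}-CVE-2017-14107.patch"
+)
+
+src_prepare() {
+ default
+ eautoreconf
+}
+
+src_install() {
+ default
+ use static-libs || rm "${ED%/}"/usr/$(get_libdir)/libzip.a || die
+ find "${D}" -name '*.la' -delete || die
+}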