commit: 496ef5159327a6ec7726c0ec5ec849e16f416b7a |
Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
AuthorDate: Sat Sep 2 08:34:07 2017 +0000 |
Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> |
CommitDate: Sat Sep 2 08:39:42 2017 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=496ef515 |
|
dev-libs/libzip: Security revbump for CVE-2017-14107 |
|
Package-Manager: Portage-2.3.8, Repoman-2.3.3 |
|
.../libzip/files/libzip-1.2.0-CVE-2017-12858.patch | 2 +- |
.../libzip/files/libzip-1.2.0-CVE-2017-14107.patch | 27 ++++++++++++++ |
dev-libs/libzip/libzip-1.2.0-r2.ebuild | 41 ++++++++++++++++++++++ |
3 files changed, 69 insertions(+), 1 deletion(-) |
|
17 |
diff --git a/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch |
18 |
index b7586e45a56..26236510fee 100644 |
19 |
--- a/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch |
20 |
+++ b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch |
21 |
@@ -34,4 +34,4 @@ index a369900..e5a7cc9 100644 |
22 |
- } |
23 |
return -1; |
24 |
} |
25 |
- |
26 |
\ No newline at end of file |
27 |
+ |
28 |
|
29 |
diff --git a/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-14107.patch b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-14107.patch |
30 |
new file mode 100644 |
31 |
index 00000000000..3d1f9a0aabc |
32 |
--- /dev/null |
33 |
+++ b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-14107.patch |
34 |
@@ -0,0 +1,27 @@ |
35 |
+From 9b46957ec98d85a572e9ef98301247f39338a3b5 Mon Sep 17 00:00:00 2001 |
36 |
+From: Thomas Klausner <tk@×××××××.at> |
37 |
+Date: Tue, 29 Aug 2017 10:25:03 +0200 |
38 |
+Subject: [PATCH] Make eocd checks more consistent between zip and zip64 cases. |
39 |
+ |
40 |
+--- |
41 |
+ lib/zip_open.c | 7 ++++++- |
42 |
+ 1 file changed, 6 insertions(+), 1 deletion(-) |
43 |
+ |
44 |
+diff --git a/lib/zip_open.c b/lib/zip_open.c |
45 |
+index 3bd593b..9d3a4cb 100644 |
46 |
+--- a/lib/zip_open.c |
47 |
++++ b/lib/zip_open.c |
48 |
+@@ -847,7 +847,12 @@ _zip_read_eocd64(zip_source_t *src, zip_buffer_t *buffer, zip_uint64_t buf_offse |
49 |
+ zip_error_set(error, ZIP_ER_SEEK, EFBIG); |
50 |
+ return NULL; |
51 |
+ } |
52 |
+- if ((flags & ZIP_CHECKCONS) && offset+size != eocd_offset) { |
53 |
++ if (offset+size > buf_offset + eocd_offset) { |
54 |
++ /* cdir spans past EOCD record */ |
55 |
++ zip_error_set(error, ZIP_ER_INCONS, 0); |
56 |
++ return NULL; |
57 |
++ } |
58 |
++ if ((flags & ZIP_CHECKCONS) && offset+size != buf_offset + eocd_offset) { |
59 |
+ zip_error_set(error, ZIP_ER_INCONS, 0); |
60 |
+ return NULL; |
61 |
+ } |
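Review bot: The new bound `offset+size > buf_offset + eocd_offset` in `_zip_read_eocd64` is only sound if `offset+size` cannot wrap, and the condition that would guarantee this belongs to the EFBIG branch whose `if` line is outside this hunk. If that condition already rejects a wrapped sum, a short comment on the new check would record the dependency, e.g. `/* offset+size cannot wrap: rejected with ZIP_ER_SEEK/EFBIG above */`. If it does not, `offset` and `size` are presumably parsed from the archive, and a wrapped sum would pass both this test and the `ZIP_CHECKCONS` comparison below it. `buf_offset + eocd_offset` is also added unchecked, although it looks to be derived from the read position rather than from archive fields. The function body continues outside the hunk on both sides.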
62 |
|
63 |
diff --git a/dev-libs/libzip/libzip-1.2.0-r2.ebuild b/dev-libs/libzip/libzip-1.2.0-r2.ebuild |
64 |
new file mode 100644 |
65 |
index 00000000000..524782f42c3 |
66 |
--- /dev/null |
67 |
+++ b/dev-libs/libzip/libzip-1.2.0-r2.ebuild |
68 |
@@ -0,0 +1,41 @@ |
69 |
+# Copyright 1999-2017 Gentoo Foundation |
70 |
+# Distributed under the terms of the GNU General Public License v2 |
71 |
+ |
72 |
+EAPI=6 |
73 |
+ |
74 |
+inherit autotools |
75 |
+ |
76 |
+DESCRIPTION="Library for manipulating zip archives" |
77 |
+HOMEPAGE="https://nih.at/libzip/" |
78 |
+SRC_URI="https://www.nih.at/libzip/${P}.tar.xz" |
79 |
+ |
80 |
+LICENSE="BSD" |
81 |
+SLOT="0/5" |
82 |
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos" |
83 |
+IUSE="static-libs" |
84 |
+ |
85 |
+RDEPEND=" |
86 |
+ sys-libs/zlib |
87 |
+ elibc_musl? ( sys-libs/fts-standalone ) |
88 |
+" |
89 |
+DEPEND="${RDEPEND}" |
90 |
+ |
91 |
+DOCS=( AUTHORS NEWS.md API-CHANGES THANKS ) |
92 |
+ |
93 |
+PATCHES=( |
94 |
+ "${FILESDIR}/${P}-headers.patch" |
95 |
+ "${FILESDIR}/${P}-fts.patch" |
96 |
+ "${FILESDIR}/${P}-CVE-2017-12858.patch" |
97 |
+ "${FILESDIR}/${P}-CVE-2017-14107.patch" |
98 |
+) |
99 |
+ |
100 |
+src_prepare() { |
101 |
+ default |
102 |
+ eautoreconf |
103 |
+} |
104 |
+ |
105 |
+src_install() { |
106 |
+ default |
107 |
+ use static-libs || rm "${ED%/}"/usr/$(get_libdir)/libzip.a || die |
108 |
+ find "${D}" -name '*.la' -delete || die |
109 |
+} |