From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 267FB1396D0 for ; Sat, 2 Sep 2017 08:40:18 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 68C15E0BEB; Sat, 2 Sep 2017 08:40:17 +0000 (UTC)
Received: from smtp.gentoo.org (mail.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 33838E0BEB for ; Sat, 2 Sep 2017 08:40:16 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id A541E34166C for ; Sat, 2 Sep 2017 08:40:15 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id D77258B23 for ; Sat, 2 Sep 2017 08:40:13 +0000 (UTC)
From: "Andreas Sturmlechner"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Andreas Sturmlechner"
Message-ID: <1504341582.496ef5159327a6ec7726c0ec5ec849e16f416b7a.asturm@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/libzip/files/, dev-libs/libzip/
X-VCS-Repository: repo/gentoo
X-VCS-Files: dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch dev-libs/libzip/files/libzip-1.2.0-CVE-2017-14107.patch dev-libs/libzip/libzip-1.2.0-r2.ebuild
X-VCS-Directories: dev-libs/libzip/ dev-libs/libzip/files/
X-VCS-Committer: asturm
X-VCS-Committer-Name: Andreas Sturmlechner
X-VCS-Revision: 496ef5159327a6ec7726c0ec5ec849e16f416b7a
X-VCS-Branch: master
Date: Sat, 2 Sep 2017 08:40:13 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 9699aa3f-2c89-4085-bb91-b4639d1d1524
X-Archives-Hash: 25286515624b88bae6af3780d7e488a0

commit:     496ef5159327a6ec7726c0ec5ec849e16f416b7a
Author:     Andreas Sturmlechner gentoo org>
AuthorDate: Sat Sep 2 08:34:07 2017 +0000
Commit:     Andreas Sturmlechner gentoo org>
CommitDate: Sat Sep 2 08:39:42 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=496ef515

dev-libs/libzip: Security revbump for CVE-2017-14107

Package-Manager: Portage-2.3.8, Repoman-2.3.3

 .../libzip/files/libzip-1.2.0-CVE-2017-12858.patch |  2 +-
 .../libzip/files/libzip-1.2.0-CVE-2017-14107.patch | 27 ++++++++++++++
 dev-libs/libzip/libzip-1.2.0-r2.ebuild             | 41 ++++++++++++++++++++++
 3 files changed, 69 insertions(+), 1 deletion(-)

diff --git a/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch
index b7586e45a56..26236510fee 100644
--- a/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch
+++ b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch
@@ -34,4 +34,4 @@ index a369900..e5a7cc9 100644 - } return -1; } - \ No newline at end of file + diff --git a/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-14107.patch b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-14107.patch new file mode 100644 index 00000000000..3d1f9a0aabc --- /dev/null +++ b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-14107.patch @@ -0,0 +1,27 @@ +From 9b46957ec98d85a572e9ef98301247f39338a3b5 Mon Sep 17 00:00:00 2001 +From: Thomas Klausner +Date: Tue, 29 Aug 2017 10:25:03 +0200 +Subject: [PATCH] Make eocd checks more consistent between zip and zip64 cases. + +--- + lib/zip_open.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/zip_open.c b/lib/zip_open.c +index 3bd593b..9d3a4cb 100644 +--- a/lib/zip_open.c ++++ b/lib/zip_open.c +@@ -847,7 +847,12 @@ _zip_read_eocd64(zip_source_t *src, zip_buffer_t *buffer, zip_uint64_t buf_offse + zip_error_set(error, ZIP_ER_SEEK, EFBIG); + return NULL; + } +- if ((flags & ZIP_CHECKCONS) && offset+size != eocd_offset) { ++ if (offset+size > buf_offset + eocd_offset) { ++ /* cdir spans past EOCD record */ ++ zip_error_set(error, ZIP_ER_INCONS, 0); ++ return NULL; ++ } ++ if ((flags & ZIP_CHECKCONS) && offset+size != buf_offset + eocd_offset) { + zip_error_set(error, ZIP_ER_INCONS, 0); + return NULL; + } diff --git a/dev-libs/libzip/libzip-1.2.0-r2.ebuild b/dev-libs/libzip/libzip-1.2.0-r2.ebuild new file mode 100644 index 00000000000..524782f42c3 --- /dev/null +++ b/dev-libs/libzip/libzip-1.2.0-r2.ebuild 
@@ -0,0 +1,41 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +inherit autotools + +DESCRIPTION="Library for manipulating zip archives" +HOMEPAGE="https://nih.at/libzip/" +SRC_URI="https://www.nih.at/libzip/${P}.tar.xz" + +LICENSE="BSD" +SLOT="0/5" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos" +IUSE="static-libs" + +RDEPEND=" + sys-libs/zlib + elibc_musl? ( sys-libs/fts-standalone ) +" +DEPEND="${RDEPEND}" + +DOCS=( AUTHORS NEWS.md API-CHANGES THANKS ) + +PATCHES=( + "${FILESDIR}/${P}-headers.patch" + "${FILESDIR}/${P}-fts.patch" + "${FILESDIR}/${P}-CVE-2017-12858.patch" + "${FILESDIR}/${P}-CVE-2017-14107.patch" +) + +src_prepare() { + default + eautoreconf +} + +src_install() { + default + use static-libs || rm "${ED%/}"/usr/$(get_libdir)/libzip.a || die + find "${D}" -name '*.la' -delete || die +}
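Review bot: the hunk against libzip-1.2.0-CVE-2017-12858.patch (`@@ -34,4 +34,4 @@`) only replaces the `\ No newline at end of file` marker with a trailing newline after the closing `}`; no line of the CVE-2017-12858 fix itself changes. Since the commit message names only CVE-2017-14107, a one-line remark that the older patch file was just newline-fixed would make the history unambiguous for anyone auditing which security patches changed in this revbump.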
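Review bot: in the lib/zip_open.c hunk (`@@ -847,7 +847,12 @@ _zip_read_eocd64`), the new unconditional check `if (offset+size > buf_offset + eocd_offset)` adds two values read from the zip64 EOCD record in unsigned arithmetic, so two large attacker-chosen values can wrap to a small sum and slip past the test unless an earlier check (not visible in this hunk; the preceding `ZIP_ER_SEEK, EFBIG` branch may be it) already bounds `offset` and `size`. A wrap-safe form is `if (offset > buf_offset + eocd_offset || size > buf_offset + eocd_offset - offset)`. Also worth a sentence in the patch header: the `>` check is now enforced always and rejects a central directory that runs past the EOCD record (`ZIP_ER_INCONS`), while the `!=` check that follows it, now corrected to compare against `buf_offset + eocd_offset` rather than bare `eocd_offset`, still only fires with `ZIP_CHECKCONS`, so a directory that ends short of the EOCD is accepted in the default mode. Stating that split explicitly would make the "consistent between zip and zip64 cases" subject line checkable against the non-zip64 path.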
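Review bot: in the new libzip-1.2.0-r2.ebuild, `IUSE="static-libs"` is declared but there is no `src_configure`, so the default `econf` builds `libzip.a` unconditionally and `src_install` then deletes it with `use static-libs || rm "${ED%/}"/usr/$(get_libdir)/libzip.a || die` when the flag is off. Adding `src_configure() { econf $(use_enable static-libs static) }` avoids building an artifact only to remove it and lets the `rm` line go; the `find "${D}" -name '*.la' -delete || die` can stay. Minor: `HOMEPAGE="https://nih.at/libzip/"` and `SRC_URI="https://www.nih.at/libzip/${P}.tar.xz"` use two different hostnames for the same site; pick one. The two CVE patches in `PATCHES` carry no comment; the 14107 patch header already names upstream commit 9b46957, so a short comment pointing at it next to the entry would help the next bumper decide when it can be dropped.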