[gentoo-commits] repo/gentoo:master commit in: dev-libs/confuse/files/, dev-libs/confuse/

public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed

* [gentoo-commits] repo/gentoo:master commit in: dev-libs/confuse/files/, dev-libs/confuse/
@ 2023-03-13 23:27 Sam James
  0 siblings, 0 replies; only message in thread
From: Sam James @ 2023-03-13 23:27 UTC (permalink / raw
  To: gentoo-commits

commit:     5dce806e4b3a04419f125938501990818739bbb8
Author:     Vaibhav Rustagi <vaibhavrustagi <AT> google <DOT> com>
AuthorDate: Mon Mar 13 21:33:11 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Mar 13 23:27:02 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5dce806e

dev-libs/confuse: Add fix for CVE-2022-40320

The source of libconfuse package didn't make a release since Jun 24,
2020 (https://github.com/libconfuse/libconfuse). Therefore, to fix the
CVE add a patch.

[sam: adjust patch metadata, drop back to ~arch.]

Bug: https://bugs.gentoo.org/901089
Signed-off-by: Vaibhav Rustagi <vaibhavrustagi <AT> google.com>
Closes: https://github.com/gentoo/gentoo/pull/30104
Signed-off-by: Sam James <sam <AT> gentoo.org>

 dev-libs/confuse/confuse-3.3-r2.ebuild             | 62 ++++++++++++++++++++++
 .../files/confuse-3.3-fix-CVE-2022-40320.patch     | 39 ++++++++++++++
 2 files changed, 101 insertions(+)

diff --git a/dev-libs/confuse/confuse-3.3-r2.ebuild b/dev-libs/confuse/confuse-3.3-r2.ebuild
new file mode 100644
index 000000000000..57c0210569c8
--- /dev/null
+++ b/dev-libs/confuse/confuse-3.3-r2.ebuild
@@ -0,0 +1,62 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+inherit multilib-minimal flag-o-matic
+
+DESCRIPTION="a configuration file parser library"
+HOMEPAGE="https://github.com/martinh/libconfuse"
+SRC_URI="https://github.com/martinh/libconfuse/releases/download/v${PV}/${P}.tar.xz"
+
+LICENSE="ISC"
+SLOT="0/2.1.0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x86-solaris"
+
+IUSE="nls static-libs"
+
+BDEPEND="
+	sys-devel/flex
+	sys-devel/libtool
+	virtual/pkgconfig
+	nls? ( sys-devel/gettext )
+"
+RDEPEND="
+	nls? ( virtual/libintl[${MULTILIB_USEDEP}] )
+"
+
+PATCHES=(
+	# Upstream commit to fix CVE-2022-40320:
+	# https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b
+	"${FILESDIR}"/confuse-3.3-fix-CVE-2022-40320.patch
+)
+
+DOCS=( AUTHORS )
+
+src_prepare() {
+	default
+	multilib_copy_sources
+}
+
+multilib_src_configure() {
+	# https://github.com/libconfuse/libconfuse/pull/167
+	append-lfs-flags
+
+	# examples are normally compiled but not installed. They
+	# fail during a mingw crosscompile.
+	local ECONF_SOURCE=${BUILD_DIR}
+	econf \
+		--enable-shared \
+		--disable-examples \
+		$(use_enable nls) \
+		$(use_enable static-libs static)
+}
+
+multilib_src_install_all() {
+	doman doc/man/man3/*.3
+	dodoc -r doc/html
+
+	docinto examples
+	dodoc examples/*.{c,conf}
+
+	find "${D}" -name '*.la' -delete || die
+}

diff --git a/dev-libs/confuse/files/confuse-3.3-fix-CVE-2022-40320.patch b/dev-libs/confuse/files/confuse-3.3-fix-CVE-2022-40320.patch
new file mode 100644
index 000000000000..478c8556fe59
--- /dev/null
+++ b/dev-libs/confuse/files/confuse-3.3-fix-CVE-2022-40320.patch
@@ -0,0 +1,39 @@
+https://bugs.gentoo.org/901089
+https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b
+
+(Rebased by Vaibhav Rustagi <vaibhavrustagi@google.com>)
+
+From d73777c2c3566fb2647727bb56d9a2295b81669b Mon Sep 17 00:00:00 2001
+From: Joachim Wiberg <troglobit@gmail.com>
+Date: Fri, 2 Sep 2022 16:12:46 +0200
+Subject: [PATCH] Fix #163: unterminated username used with getpwnam()
+
+Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
+--- a/src/confuse.c
++++ b/src/confuse.c
+@@ -1863,18 +1863,20 @@ DLLIMPORT char *cfg_tilde_expand(const char *filename)
+ 			passwd = getpwuid(geteuid());
+ 			file = filename + 1;
+ 		} else {
+-			/* ~user or ~user/path */
+-			char *user;
++			char *user; /* ~user or ~user/path */
++			size_t len;
+ 
+ 			file = strchr(filename, '/');
+ 			if (file == 0)
+ 				file = filename + strlen(filename);
+ 
+-			user = malloc(file - filename);
++			len = file - filename - 1;
++			user = malloc(len + 1);
+ 			if (!user)
+ 				return NULL;
+ 
+-			strncpy(user, filename + 1, file - filename - 1);
++			strncpy(user, &filename[1], len);
++			user[len] = 0;
+ 			passwd = getpwnam(user);
+ 			free(user);
+ 		}
+


^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2023-03-13 23:27 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-03-13 23:27 [gentoo-commits] repo/gentoo:master commit in: dev-libs/confuse/files/, dev-libs/confuse/ Sam James

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox