public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] repo/gentoo:master commit in: net-libs/libsignal-protocol-c/files/, net-libs/libsignal-protocol-c/
@ 2023-05-18  7:39 Joonas Niilola
From: Joonas Niilola @ 2023-05-18  7:39 UTC
  To: gentoo-commits

commit:     c2e3eb85c45e83591be7faee69d58af55a10f8f4
Author:     Randy Barlow <randy <AT> electronsweatshop <DOT> com>
AuthorDate: Wed Apr 26 03:45:40 2023 +0000
Commit:     Joonas Niilola <juippis <AT> gentoo <DOT> org>
CommitDate: Thu May 18 07:26:00 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2e3eb85

net-libs/libsignal-protocol-c: Fix CVE-2022-48468

This commit fixes CVE-2022-48468 for this package's bundled
protobuf-c.

Here are some reference links about the issue:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48468
https://bugzilla.redhat.com/show_bug.cgi?id=2186673

For reference, here is the commit I made in Fedora to address the issue,
which includes this patch:

https://src.fedoraproject.org/rpms/libsignal-protocol-c/c/152eb06d164e7973fda49139bc5a51f3b23c0cf6?branch=rawhide

Closes: https://bugs.gentoo.org/905098
Signed-off-by: Randy Barlow <randy <AT> electronsweatshop.com>
Closes: https://github.com/gentoo/gentoo/pull/30764
Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org>

 ...libsignal-protocol-c-2.3.3-CVE-2022-48468.patch | 53 ++++++++++++++++++++++
 .../libsignal-protocol-c-2.3.3-r1.ebuild           | 18 ++++++++
 2 files changed, 71 insertions(+)

diff --git a/net-libs/libsignal-protocol-c/files/libsignal-protocol-c-2.3.3-CVE-2022-48468.patch b/net-libs/libsignal-protocol-c/files/libsignal-protocol-c-2.3.3-CVE-2022-48468.patch
new file mode 100644
index 000000000000..8b3706dd8829
--- /dev/null
+++ b/net-libs/libsignal-protocol-c/files/libsignal-protocol-c-2.3.3-CVE-2022-48468.patch
@@ -0,0 +1,53 @@
+From 478dfe51552243b367cf2e9c5d047cbbd3c21635 Mon Sep 17 00:00:00 2001
+From: Randy Barlow <randy@electronsweatshop.com>
+Date: Fri, 18 Mar 2022 12:42:57 -0400
+Subject: [PATCH] CVE-2022-48468: unsigned integer overflow
+
+This commit combines two upstream commits from protobuf-c[0][1].
+The first fixes an unsigned integer overflow, and the second fixes a
+regression introduced by the first. I originally decided to amend the
+commit message of the first to mention that it fixes a CVE, but then I
+realized it would be better to bring the fix for the regression together
+with it.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48468
+https://bugzilla.redhat.com/show_bug.cgi?id=2186673
+
+[0]
+https://github.com/protobuf-c/protobuf-c/pull/513/commits/289f5c18b195aa43d46a619d1188709abbfa9c82
+[1]
+https://github.com/protobuf-c/protobuf-c/pull/513/commits/0d1fd124a4e0a07b524989f6e64410ff648fba61
+
+Co-authored-by: 10054172 <hui.zhang@thalesgroup.com>
+Co-authored-by: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Signed-off-by: 10054172 <hui.zhang@thalesgroup.com>
+Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
+---
+ src/protobuf-c/protobuf-c.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/protobuf-c/protobuf-c.c b/src/protobuf-c/protobuf-c.c
+index 4f2f5bc..6ae5287 100644
+--- a/src/protobuf-c/protobuf-c.c
++++ b/src/protobuf-c/protobuf-c.c
+@@ -2456,10 +2456,13 @@ parse_required_member(ScannedMember *scanned_member,
+ 			return FALSE;
+ 
+ 		def_mess = scanned_member->field->default_value;
+-		subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
+-						 allocator,
+-						 len - pref_len,
+-						 data + pref_len);
++		if (len >= pref_len)
++			subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
++							 allocator,
++							 len - pref_len,
++							 data + pref_len);
++		else
++			subm = NULL;
+ 
+ 		if (maybe_clear &&
+ 		    *pmessage != NULL &&
+-- 
+2.39.2
+
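Review bot: In the `parse_required_member` hunk, the new `else subm = NULL;` branch depends on code after the three trailing context lines to turn a NULL `subm` into a parse failure, and the hunk ends before that handling is visible. Please confirm that the NULL result reaches a `return FALSE` in the same way a failed `protobuf_c_message_unpack()` call does. A one-line comment above `if (len >= pref_len)` would also help, stating that the check keeps `len - pref_len` from wrapping when the prefix is longer than the remaining data, since the condition is otherwise easy to mistake for a redundant sanity check. As a style point, the `if` body is a four-line call without braces, followed by an `else`. Bracing both branches would make later edits safer, though keeping the text identical to the two upstream protobuf-c commits referenced in the patch header is a reasonable argument for leaving it.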

diff --git a/net-libs/libsignal-protocol-c/libsignal-protocol-c-2.3.3-r1.ebuild b/net-libs/libsignal-protocol-c/libsignal-protocol-c-2.3.3-r1.ebuild
new file mode 100644
index 000000000000..27fe1d46128e
--- /dev/null
+++ b/net-libs/libsignal-protocol-c/libsignal-protocol-c-2.3.3-r1.ebuild
@@ -0,0 +1,18 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit cmake
+
+DESCRIPTION="Signal Protocol C Library"
+HOMEPAGE="https://www.whispersystems.org/"
+SRC_URI="https://github.com/signalapp/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+KEYWORDS="~amd64 ~arm64 ~x86"
+
+LICENSE="GPL-3"
+SLOT="0"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-2.3.3-CVE-2022-48468.patch
+)
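Review bot: The `PATCHES` array in the new ebuild carries no comment saying that the patch touches the bundled protobuf-c copy (`src/protobuf-c/protobuf-c.c`) and not libsignal-protocol-c's own sources. A short comment above `PATCHES=(` with the Gentoo bug number and a note that the patch can be dropped once upstream updates its bundled protobuf-c would tell the next maintainer when it is safe to remove. Also, all three `KEYWORDS` entries are `~arch`. If the previous revision is still in the tree, say in the commit message whether it is removed or left in place, so users are not left on the unpatched version.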

