From 496ef5159327a6ec7726c0ec5ec849e16f416b7a Mon Sep 17 00:00:00 2001 From: Andreas Sturmlechner Date: Sat, 2 Sep 2017 10:34:07 +0200 Subject: dev-libs/libzip: Security revbump for CVE-2017-14107 Package-Manager: Portage-2.3.8, Repoman-2.3.3 --- .../libzip/files/libzip-1.2.0-CVE-2017-12858.patch | 2 +- .../libzip/files/libzip-1.2.0-CVE-2017-14107.patch | 27 ++++++++++++++ dev-libs/libzip/libzip-1.2.0-r2.ebuild | 41 ++++++++++++++++++++++ 3 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 dev-libs/libzip/files/libzip-1.2.0-CVE-2017-14107.patch create mode 100644 dev-libs/libzip/libzip-1.2.0-r2.ebuild diff --git a/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch index b7586e45a568..26236510fee8 100644 --- a/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch +++ b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch @@ -34,4 +34,4 @@ index a369900..e5a7cc9 100644 - } return -1; } - \ No newline at end of file + diff --git a/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-14107.patch b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-14107.patch new file mode 100644 index 000000000000..3d1f9a0aabc3 --- /dev/null +++ b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-14107.patch @@ -0,0 +1,27 @@ +From 9b46957ec98d85a572e9ef98301247f39338a3b5 Mon Sep 17 00:00:00 2001 +From: Thomas Klausner +Date: Tue, 29 Aug 2017 10:25:03 +0200 +Subject: [PATCH] Make eocd checks more consistent between zip and zip64 cases. + +--- + lib/zip_open.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/zip_open.c b/lib/zip_open.c +index 3bd593b..9d3a4cb 100644 +--- a/lib/zip_open.c ++++ b/lib/zip_open.c +@@ -847,7 +847,12 @@ _zip_read_eocd64(zip_source_t *src, zip_buffer_t *buffer, zip_uint64_t buf_offse + zip_error_set(error, ZIP_ER_SEEK, EFBIG); + return NULL; + } +- if ((flags & ZIP_CHECKCONS) && offset+size != eocd_offset) { ++ if (offset+size > buf_offset + eocd_offset) { ++ /* cdir spans past EOCD record */ ++ zip_error_set(error, ZIP_ER_INCONS, 0); ++ return NULL; ++ } ++ if ((flags & ZIP_CHECKCONS) && offset+size != buf_offset + eocd_offset) { + zip_error_set(error, ZIP_ER_INCONS, 0); + return NULL; + } diff --git a/dev-libs/libzip/libzip-1.2.0-r2.ebuild b/dev-libs/libzip/libzip-1.2.0-r2.ebuild new file mode 100644 index 000000000000..524782f42c3f --- /dev/null +++ b/dev-libs/libzip/libzip-1.2.0-r2.ebuild @@ -0,0 +1,41 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +inherit autotools + +DESCRIPTION="Library for manipulating zip archives" +HOMEPAGE="https://nih.at/libzip/" +SRC_URI="https://www.nih.at/libzip/${P}.tar.xz" + +LICENSE="BSD" +SLOT="0/5" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos" +IUSE="static-libs" + +RDEPEND=" + sys-libs/zlib + elibc_musl? ( sys-libs/fts-standalone ) +" +DEPEND="${RDEPEND}" + +DOCS=( AUTHORS NEWS.md API-CHANGES THANKS ) + +PATCHES=( + "${FILESDIR}/${P}-headers.patch" + "${FILESDIR}/${P}-fts.patch" + "${FILESDIR}/${P}-CVE-2017-12858.patch" + "${FILESDIR}/${P}-CVE-2017-14107.patch" +) + +src_prepare() { + default + eautoreconf +} + +src_install() { + default + use static-libs || rm "${ED%/}"/usr/$(get_libdir)/libzip.a || die + find "${D}" -name '*.la' -delete || die +} -- cgit v1.2.3-65-gdbad