summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndreas Sturmlechner <asturm@gentoo.org>2017-09-02 10:34:07 +0200
committerAndreas Sturmlechner <asturm@gentoo.org>2017-09-02 10:39:42 +0200
commit496ef5159327a6ec7726c0ec5ec849e16f416b7a (patch)
tree020f2e44d110c20c7b2bb301036f83407738ee47 /dev-libs/libzip
parentgames-action/minetest_game: version bump to 0.4.16 (diff)
downloadgentoo-496ef5159327a6ec7726c0ec5ec849e16f416b7a.tar.gz
gentoo-496ef5159327a6ec7726c0ec5ec849e16f416b7a.tar.bz2
gentoo-496ef5159327a6ec7726c0ec5ec849e16f416b7a.zip
dev-libs/libzip: Security revbump for CVE-2017-14107
Package-Manager: Portage-2.3.8, Repoman-2.3.3
Diffstat (limited to 'dev-libs/libzip')
-rw-r--r--dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch2
-rw-r--r--dev-libs/libzip/files/libzip-1.2.0-CVE-2017-14107.patch27
-rw-r--r--dev-libs/libzip/libzip-1.2.0-r2.ebuild41
3 files changed, 69 insertions, 1 deletions
diff --git a/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch
index b7586e45a568..26236510fee8 100644
--- a/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch
+++ b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch
@@ -34,4 +34,4 @@ index a369900..e5a7cc9 100644
- }
return -1;
}
- \ No newline at end of file
+
diff --git a/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-14107.patch b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-14107.patch
new file mode 100644
index 000000000000..3d1f9a0aabc3
--- /dev/null
+++ b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-14107.patch
@@ -0,0 +1,27 @@
+From 9b46957ec98d85a572e9ef98301247f39338a3b5 Mon Sep 17 00:00:00 2001
+From: Thomas Klausner <tk@giga.or.at>
+Date: Tue, 29 Aug 2017 10:25:03 +0200
+Subject: [PATCH] Make eocd checks more consistent between zip and zip64 cases.
+
+---
+ lib/zip_open.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/zip_open.c b/lib/zip_open.c
+index 3bd593b..9d3a4cb 100644
+--- a/lib/zip_open.c
++++ b/lib/zip_open.c
+@@ -847,7 +847,12 @@ _zip_read_eocd64(zip_source_t *src, zip_buffer_t *buffer, zip_uint64_t buf_offse
+ zip_error_set(error, ZIP_ER_SEEK, EFBIG);
+ return NULL;
+ }
+- if ((flags & ZIP_CHECKCONS) && offset+size != eocd_offset) {
++ if (offset+size > buf_offset + eocd_offset) {
++ /* cdir spans past EOCD record */
++ zip_error_set(error, ZIP_ER_INCONS, 0);
++ return NULL;
++ }
++ if ((flags & ZIP_CHECKCONS) && offset+size != buf_offset + eocd_offset) {
+ zip_error_set(error, ZIP_ER_INCONS, 0);
+ return NULL;
+ }
diff --git a/dev-libs/libzip/libzip-1.2.0-r2.ebuild b/dev-libs/libzip/libzip-1.2.0-r2.ebuild
new file mode 100644
index 000000000000..524782f42c3f
--- /dev/null
+++ b/dev-libs/libzip/libzip-1.2.0-r2.ebuild
@@ -0,0 +1,41 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit autotools
+
+DESCRIPTION="Library for manipulating zip archives"
+HOMEPAGE="https://nih.at/libzip/"
+SRC_URI="https://www.nih.at/libzip/${P}.tar.xz"
+
+LICENSE="BSD"
+SLOT="0/5"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos"
+IUSE="static-libs"
+
+RDEPEND="
+ sys-libs/zlib
+ elibc_musl? ( sys-libs/fts-standalone )
+"
+DEPEND="${RDEPEND}"
+
+DOCS=( AUTHORS NEWS.md API-CHANGES THANKS )
+
+PATCHES=(
+ "${FILESDIR}/${P}-headers.patch"
+ "${FILESDIR}/${P}-fts.patch"
+ "${FILESDIR}/${P}-CVE-2017-12858.patch"
+ "${FILESDIR}/${P}-CVE-2017-14107.patch"
+)
+
+src_prepare() {
+ default
+ eautoreconf
+}
+
+src_install() {
+ default
+ use static-libs || rm "${ED%/}"/usr/$(get_libdir)/libzip.a || die
+ find "${D}" -name '*.la' -delete || die
+}