authorSören Tempel <soeren+git@soeren-tempel.net>2017-05-04 16:02:44 +0200
committerSören Tempel <soeren+git@soeren-tempel.net>2017-05-04 16:08:22 +0200
commit8acec4cd4b4fc6f9bcab54a041e9f27a950859cf (patch)
tree978847b98ec8187115007061b6b7004d86e39cc0
parente1425464956676b487a8e958d16756dd6a7c71fa (diff)
main/ctags: security fix for CVE-2014-7204
-rw-r--r--main/ctags/APKBUILD39
-rw-r--r--main/ctags/CVE-2014-7204.patch102
2 files changed, 118 insertions, 23 deletions
diff --git a/main/ctags/APKBUILD b/main/ctags/APKBUILD
index 748a164645..bfa03befdd 100644
--- a/main/ctags/APKBUILD
+++ b/main/ctags/APKBUILD
@@ -1,8 +1,9 @@
+# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Contributor: Michael Mason <ms13sp@gmail.com>
# Maintainer: Fabian Affolter <fabian@affolter-engineering.ch>
pkgname=ctags
pkgver=5.8
-pkgrel=4
+pkgrel=5
pkgdesc="Generator of tags for all types of C/C++ languages"
url="http://ctags.sourceforge.net/"
arch="all"
@@ -12,43 +13,35 @@ makedepends=""
install=""
subpackages="$pkgname-doc"
source="http://prdownloads.sourceforge.net/ctags/$pkgname-$pkgver.tar.gz
+ CVE-2014-7204.patch
error-format.patch"
+builddir="$srcdir"/$pkgname-$pkgver
-_builddir="$srcdir"/$pkgname-$pkgver
-prepare() {
- cd "$_builddir"
- for i in $source; do
- case $i in
- *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
- esac
- done
-}
+# secfixes:
+# 5.8-r5:
+# - CVE-2014-7204
build() {
- cd "$_builddir"
+ cd "$builddir"
./configure \
--build=$CBUILD \
--host=$CHOST \
--prefix=/usr \
- --mandir=/usr/share/man \
--sysconfdir=/etc \
- --infodir=/usr/share/info \
- || return 1
- make || return 1
+ --mandir=/usr/share/man \
+ --localstatedir=/var \
+ --disable-external-sort
+ make
}
package() {
- cd "$_builddir"
+ cd "$builddir"
mkdir -p "$pkgdir"/usr/bin
- make -j1 \
- DEST_CTAGS="$pkgdir"/usr/bin \
+ make -j1 DEST_CTAGS="$pkgdir"/usr/bin \
mandir="$pkgdir"/usr/share/man \
- install || return 1
+ install
}
-md5sums="c00f82ecdcc357434731913e5b48630d ctags-5.8.tar.gz
-f0b35e99098aba05128c12859fa44e9e error-format.patch"
-sha256sums="0e44b45dcabe969e0bbbb11e30c246f81abe5d32012db37395eb57d66e9e99c7 ctags-5.8.tar.gz
-30339f93cdf0da56fe746703330332d0f345a677c38025c4be6d56d56b82414c error-format.patch"
sha512sums="981912cd335978cde22864e977947fc75326572fb29518e559cc4a8ac1edc84b3604165218a666e36353f17da4f89f8e967acdb88696f816748eb946d79eaa15 ctags-5.8.tar.gz
+7593aa9ca8857b09127a842752d214764734215b42b58c8a44e2a320b21b5a4923dd05a3d14a9053e570f07297d77b3d2fa8f5d41c500e9aadf993413a66be76 CVE-2014-7204.patch
bc861fa7fe401e5f5845c39d8ec714268898fafcd76afa54bebfc7965d4ef66e227e7bab80733c8f95a79a131b05fbdd4024d05139f2f9bd67914ff4c9e0e9b9 error-format.patch"
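Review bot: The configure call in build() gains `--disable-external-sort` and `--localstatedir=/var` and loses `--infodir`, and neither the commit title nor the `# secfixes:` comment explains any of these, so a reader cannot tell whether they are part of the CVE-2014-7204 fix or unrelated cleanup. If the sort switch is deliberate hardening (it makes ctags use its built-in sort instead of running the external sort program), record that above the call, e.g. `# use the internal sort so ctags never spawns sort(1)`. Dropping prepare() presumably relies on abuild applying the `*.patch` sources itself now that `builddir` is set; one sentence in the commit message would confirm that CVE-2014-7204.patch is applied at build time.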
diff --git a/main/ctags/CVE-2014-7204.patch b/main/ctags/CVE-2014-7204.patch
new file mode 100644
index 0000000000..baf036ffc9
--- /dev/null
+++ b/main/ctags/CVE-2014-7204.patch
@@ -0,0 +1,102 @@
+From a499a10833d525c9af794c616dc40f7425110c71 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sat, 27 Sep 2014 14:37:19 +0100
+Subject: Changed the javascript parser to set the tag's scope rather than
+ including it in the tag name.
+
+Patch from Colomban.
+
+Author: David Fishburn
+Origin: upstream, http://sourceforge.net/p/ctags/code/791/
+Bug-Debian: https://bugs.debian.org/742605
+Last-Update: 2014-09-27
+
+Patch-Name: jscript-set-tag-scope.patch
+---
+ jscript.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 51 insertions(+), 3 deletions(-)
+
+diff --git a/jscript.c b/jscript.c
+index 5de3367..a790355 100644
+--- a/jscript.c
++++ b/jscript.c
+@@ -215,6 +215,7 @@ static void deleteToken (tokenInfo *const token)
+ * Tag generation functions
+ */
+
++/*
+ static void makeConstTag (tokenInfo *const token, const jsKind kind)
+ {
+ if (JsKinds [kind].enabled && ! token->ignoreTag )
+@@ -238,12 +239,13 @@ static void makeJsTag (tokenInfo *const token, const jsKind kind)
+
+ if (JsKinds [kind].enabled && ! token->ignoreTag )
+ {
+- /*
++ *
+ * If a scope has been added to the token, change the token
+ * string to include the scope when making the tag.
+- */
++ *
+ if ( vStringLength(token->scope) > 0 )
+ {
++ *
+ fulltag = vStringNew ();
+ vStringCopy(fulltag, token->scope);
+ vStringCatS (fulltag, ".");
+@@ -251,8 +253,54 @@ static void makeJsTag (tokenInfo *const token, const jsKind kind)
+ vStringTerminate(fulltag);
+ vStringCopy(token->string, fulltag);
+ vStringDelete (fulltag);
++ *
++ jsKind parent_kind = JSTAG_CLASS;
++
++ *
++ * if we're creating a function (and not a method),
++ * guess we're inside another function
++ *
++ if (kind == JSTAG_FUNCTION)
++ parent_kind = JSTAG_FUNCTION;
++
++ e.extensionFields.scope[0] = JsKinds [parent_kind].name;
++ e.extensionFields.scope[1] = vStringValue (token->scope);
++ }
++ * makeConstTag (token, kind); *
++ makeTagEntry (&e);
++ }
++}
++*/
++
++static void makeJsTag (tokenInfo *const token, const jsKind kind)
++{
++ if (JsKinds [kind].enabled && ! token->ignoreTag )
++ {
++ const char *const name = vStringValue (token->string);
++ tagEntryInfo e;
++ initTagEntry (&e, name);
++
++ e.lineNumber = token->lineNumber;
++ e.filePosition = token->filePosition;
++ e.kindName = JsKinds [kind].name;
++ e.kind = JsKinds [kind].letter;
++
++ if ( vStringLength(token->scope) > 0 )
++ {
++ jsKind parent_kind = JSTAG_CLASS;
++
++ /*
++ * If we're creating a function (and not a method),
++ * guess we're inside another function
++ */
++ if (kind == JSTAG_FUNCTION)
++ parent_kind = JSTAG_FUNCTION;
++
++ e.extensionFields.scope[0] = JsKinds [parent_kind].name;
++ e.extensionFields.scope[1] = vStringValue (token->scope);
+ }
+- makeConstTag (token, kind);
++
++ makeTagEntry (&e);
+ }
+ }
+
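Review bot: Nothing in this patch's own header ties it to CVE-2014-7204: it calls itself `jscript-set-tag-scope.patch` and cites upstream r791 and Debian bug 742605, so the only link to the CVE is the file name chosen in this commit. Adding a line to the description such as `Addresses CVE-2014-7204.` would keep that link if the file is renamed or carried elsewhere; the `sha512sums` entry in APKBUILD must then be regenerated. In the C change, the old makeJsTag and makeConstTag are left inside one block comment with their inner `/*` and `*/` rewritten to `*`. The lines between the two inner hunks are not visible here, so it cannot be checked that no `*/` remains to end that comment early. Deleting the dead code would be less fragile than commenting it out.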