aboutsummaryrefslogtreecommitdiffstats
path: root/main/libarchive
diff options
context:
space:
mode:
authorFrancesco Colista <fcolista@alpinelinux.org>2017-09-11 09:29:15 +0000
committerFrancesco Colista <fcolista@alpinelinux.org>2017-09-11 09:29:15 +0000
commitb25216c374af99f58ccd6922782803e735936861 (patch)
treef98ac2ffa23a52973f8fdccb7d097c4a38b0f3de /main/libarchive
parent3d23930026de3fdd7b0d6828a6d1ef4261bbd4dc (diff)
downloadaports-b25216c374af99f58ccd6922782803e735936861.tar.bz2
aports-b25216c374af99f58ccd6922782803e735936861.tar.xz
main/libarchive: security fix for CVE-2017-14166. Fixes #7803
Diffstat (limited to 'main/libarchive')
-rw-r--r--main/libarchive/APKBUILD12
-rw-r--r--main/libarchive/CVE-2017-14166.patch36
2 files changed, 45 insertions, 3 deletions
diff --git a/main/libarchive/APKBUILD b/main/libarchive/APKBUILD
index 5e17cde19d..85a4fa742d 100644
--- a/main/libarchive/APKBUILD
+++ b/main/libarchive/APKBUILD
@@ -2,16 +2,21 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libarchive
pkgver=3.3.2
-pkgrel=0
+pkgrel=1
pkgdesc="library that can create and read several streaming archive formats"
url="http://libarchive.org/"
arch="all"
license="BSD"
makedepends="zlib-dev bzip2-dev xz-dev lz4-dev acl-dev libressl-dev expat-dev"
subpackages="$pkgname-dev $pkgname-doc $pkgname-tools"
-source="http://www.libarchive.org/downloads/$pkgname-$pkgver.tar.gz"
+source="http://www.libarchive.org/downloads/$pkgname-$pkgver.tar.gz
+ CVE-2017-14166.patch"
builddir="$srcdir/$pkgname-$pkgver"
+# secfixes:
+# 3.3.2-r1:
+# - CVE-2017-14166
+
build () {
cd "$builddir"
./configure \
@@ -34,4 +39,5 @@ tools() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-sha512sums="1e538cd7d492f54b11c16c56f12c1632ba14302a3737ec0db786272aec0c8020f1e27616a7654d57e26737e5ed9bfc9a62f1fdda61a95c39eb726aa7c2f673e4 libarchive-3.3.2.tar.gz"
+sha512sums="1e538cd7d492f54b11c16c56f12c1632ba14302a3737ec0db786272aec0c8020f1e27616a7654d57e26737e5ed9bfc9a62f1fdda61a95c39eb726aa7c2f673e4 libarchive-3.3.2.tar.gz
+7cc9dbafd970c07fb4421b7a72a075cc0a000db77df4432222539c58625c93c45f01a144838b551980bc0c6dc5b4c3ab852eb1433006c3174581ba0897010dbe CVE-2017-14166.patch"
diff --git a/main/libarchive/CVE-2017-14166.patch b/main/libarchive/CVE-2017-14166.patch
new file mode 100644
index 0000000000..b729ae41e0
--- /dev/null
+++ b/main/libarchive/CVE-2017-14166.patch
@@ -0,0 +1,36 @@
+From fa7438a0ff4033e4741c807394a9af6207940d71 Mon Sep 17 00:00:00 2001
+From: Joerg Sonnenberger <joerg@bec.de>
+Date: Tue, 5 Sep 2017 18:12:19 +0200
+Subject: [PATCH] Do something sensible for empty strings to make fuzzers
+ happy.
+
+---
+ libarchive/archive_read_support_format_xar.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c
+index 7a22beb9d..93eeacc5e 100644
+--- a/libarchive/archive_read_support_format_xar.c
++++ b/libarchive/archive_read_support_format_xar.c
+@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt)
+ uint64_t l;
+ int digit;
+
++ if (char_cnt == 0)
++ return (0);
++
+ l = 0;
+ digit = *p - '0';
+ while (digit >= 0 && digit < 10 && char_cnt-- > 0) {
+@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt)
+ {
+ int64_t l;
+ int digit;
+-
++
++ if (char_cnt == 0)
++ return (0);
++
+ l = 0;
+ while (char_cnt-- > 0) {
+ if (*p >= '0' && *p <= '7')
generated by cgit v1.2.3 (git 2.25.1) at 2024-04-28 11:34:34 +0000