From 44322cf3a8e1a8deb315160c7b52110f0847dfee Mon Sep 17 00:00:00 2001
From: Leonardo Arena
Date: Tue, 20 Aug 2019 14:32:22 +0000
Subject: main/libarchive: security upgrade to 3.3.3 CVE-2017-14501, CVE-2017-14502, CVE-2017-14503 Drop uneeded patches Ref #10745
---
 main/libarchive/APKBUILD | 17 ++++++++---------
 main/libarchive/CVE-2017-14166.patch | 36 ------------------------------------
 main/libarchive/libressl-2.7.patch | 12 ------------
 3 files changed, 8 insertions(+), 57 deletions(-)
 delete mode 100644 main/libarchive/CVE-2017-14166.patch
 delete mode 100644 main/libarchive/libressl-2.7.patch
diff --git a/main/libarchive/APKBUILD b/main/libarchive/APKBUILD
index 86193f06c4..d098ec568a 100644
--- a/main/libarchive/APKBUILD
+++ b/main/libarchive/APKBUILD
@@ -1,21 +1,22 @@
 # Contributor: Sergei Lukin
 # Maintainer: Natanael Copa
 pkgname=libarchive
-pkgver=3.3.2
-pkgrel=3
+pkgver=3.3.3
+pkgrel=0
 pkgdesc="library that can create and read several streaming archive formats"
 url="http://libarchive.org/"
 arch="all"
 license="BSD"
 makedepends="zlib-dev bzip2-dev xz-dev lz4-dev acl-dev libressl-dev expat-dev"
 subpackages="$pkgname-dev $pkgname-doc $pkgname-tools"
-source="http://www.libarchive.org/downloads/$pkgname-$pkgver.tar.gz
- libressl-2.7.patch
- CVE-2017-14166.patch
- "
+source="http://www.libarchive.org/downloads/$pkgname-$pkgver.tar.gz"
 builddir="$srcdir/$pkgname-$pkgver"
 # secfixes:
+# 3.3.3-r0:
+# - CVE-2017-14501
+# - CVE-2017-14502
+# - CVE-2017-14503
 # 3.3.2-r1:
 # - CVE-2017-14166
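Review bot: The new `source=` line in the first APKBUILD hunk still fetches the release tarball over plain `http://`, so the `sha512sums` entry replaced in the second hunk is the only integrity control on the download, and that digest is only as trustworthy as the channel it was computed over. If the upstream host serves the same path over TLS (to be confirmed), prefer `source="https://www.libarchive.org/downloads/$pkgname-$pkgver.tar.gz"`, and check the new digest against an independently obtained copy or an upstream signature before merging. Both dropped patches are described only as unneeded; it is worth confirming that 3.3.3 carries the `atol10`/`atol8` empty-string guards from `CVE-2017-14166.patch` and still builds against the `libressl-dev` listed in `makedepends`, since the page shows neither.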
@@ -41,6 +42,4 @@ tools() {
 mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
 }
-sha512sums="1e538cd7d492f54b11c16c56f12c1632ba14302a3737ec0db786272aec0c8020f1e27616a7654d57e26737e5ed9bfc9a62f1fdda61a95c39eb726aa7c2f673e4 libarchive-3.3.2.tar.gz
-cdff266bf494be68b778dc66f8b80b213159d6fd26b6fe9980ede5aa4e4764e449438ae7e1e151f01f5a513b0911774df9c8f22b5b4d8b10c9b2162c365a06bc libressl-2.7.patch
-7cc9dbafd970c07fb4421b7a72a075cc0a000db77df4432222539c58625c93c45f01a144838b551980bc0c6dc5b4c3ab852eb1433006c3174581ba0897010dbe CVE-2017-14166.patch"
+sha512sums="9d12b47d6976efa9f98e62c25d8b85fd745d4e9ca7b7e6d36bfe095dfe5c4db017d4e785d110f3758f5938dad6f1a1b009267fd7e82cb7212e93e1aea237bab7 libarchive-3.3.3.tar.gz"
diff --git a/main/libarchive/CVE-2017-14166.patch b/main/libarchive/CVE-2017-14166.patch
deleted file mode 100644
index b729ae41e0..0000000000
--- a/main/libarchive/CVE-2017-14166.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From fa7438a0ff4033e4741c807394a9af6207940d71 Mon Sep 17 00:00:00 2001
-From: Joerg Sonnenberger
-Date: Tue, 5 Sep 2017 18:12:19 +0200
-Subject: [PATCH] Do something sensible for empty strings to make fuzzers
- happy.
-
----
- libarchive/archive_read_support_format_xar.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/libarchive/archive_read_support_format_xar.c b/libarchive/archive_read_support_format_xar.c
-index 7a22beb9d..93eeacc5e 100644
---- a/libarchive/archive_read_support_format_xar.c
-+++ b/libarchive/archive_read_support_format_xar.c
-@@ -1040,6 +1040,9 @@ atol10(const char *p, size_t char_cnt)
- uint64_t l;
- int digit;
-
-+ if (char_cnt == 0)
-+ return (0);
-+
- l = 0;
- digit = *p - '0';
- while (digit >= 0 && digit < 10 && char_cnt-- > 0) {
-@@ -1054,7 +1057,10 @@ atol8(const char *p, size_t char_cnt)
- {
- int64_t l;
- int digit;
--
-+
-+ if (char_cnt == 0)
-+ return (0);
-+
- l = 0;
- while (char_cnt-- > 0) {
- if (*p >= '0' && *p <= '7')
diff --git a/main/libarchive/libressl-2.7.patch b/main/libarchive/libressl-2.7.patch
deleted file mode 100644
index 5ab5610a11..0000000000
--- a/main/libarchive/libressl-2.7.patch
+++ /dev/null
@@ -1,12 +0,0 @@
---- a/libarchive/archive_openssl_hmac_private.h.orig 2018-03-22 20:47:12 UTC
-+++ b/libarchive/archive_openssl_hmac_private.h
-@@ -28,7 +28,8 @@
- #include
- #include
-
--#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
- #include /* malloc, free */
- #include /* memset */
- static inline HMAC_CTX *HMAC_CTX_new(void)
-- cgit v1.2.3