From 8acec4cd4b4fc6f9bcab54a041e9f27a950859cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=B6ren=20Tempel?= Date: Thu, 4 May 2017 16:02:44 +0200 Subject: main/ctags: security fix for CVE-2014-7204 --- main/ctags/APKBUILD | 39 +++++++--------- main/ctags/CVE-2014-7204.patch | 102 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 118 insertions(+), 23 deletions(-) create mode 100644 main/ctags/CVE-2014-7204.patch diff --git a/main/ctags/APKBUILD b/main/ctags/APKBUILD index 748a164645..bfa03befdd 100644 --- a/main/ctags/APKBUILD +++ b/main/ctags/APKBUILD @@ -1,8 +1,9 @@ +# Contributor: Sören Tempel # Contributor: Michael Mason # Maintainer: Fabian Affolter pkgname=ctags pkgver=5.8 -pkgrel=4 +pkgrel=5 pkgdesc="Generator of tags for all types of C/C++ languages" url="http://ctags.sourceforge.net/" arch="all" @@ -12,43 +13,35 @@ makedepends="" install="" subpackages="$pkgname-doc" source="http://prdownloads.sourceforge.net/ctags/$pkgname-$pkgver.tar.gz + CVE-2014-7204.patch error-format.patch" +builddir="$srcdir"/$pkgname-$pkgver -_builddir="$srcdir"/$pkgname-$pkgver -prepare() { - cd "$_builddir" - for i in $source; do - case $i in - *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; - esac - done -} +# secfixes: +# 5.8-r5: +# - CVE-2014-7204 build() { - cd "$_builddir" + cd "$builddir" ./configure \ --build=$CBUILD \ --host=$CHOST \ --prefix=/usr \ - --mandir=/usr/share/man \ --sysconfdir=/etc \ - --infodir=/usr/share/info \ - || return 1 - make || return 1 + --mandir=/usr/share/man \ + --localstatedir=/var \ + --disable-external-sort + make } package() { - cd "$_builddir" + cd "$builddir" mkdir -p "$pkgdir"/usr/bin - make -j1 \ - DEST_CTAGS="$pkgdir"/usr/bin \ + make -j1 DEST_CTAGS="$pkgdir"/usr/bin \ mandir="$pkgdir"/usr/share/man \ - install || return 1 + install } -md5sums="c00f82ecdcc357434731913e5b48630d ctags-5.8.tar.gz -f0b35e99098aba05128c12859fa44e9e error-format.patch" -sha256sums="0e44b45dcabe969e0bbbb11e30c246f81abe5d32012db37395eb57d66e9e99c7 ctags-5.8.tar.gz -30339f93cdf0da56fe746703330332d0f345a677c38025c4be6d56d56b82414c error-format.patch" sha512sums="981912cd335978cde22864e977947fc75326572fb29518e559cc4a8ac1edc84b3604165218a666e36353f17da4f89f8e967acdb88696f816748eb946d79eaa15 ctags-5.8.tar.gz +7593aa9ca8857b09127a842752d214764734215b42b58c8a44e2a320b21b5a4923dd05a3d14a9053e570f07297d77b3d2fa8f5d41c500e9aadf993413a66be76 CVE-2014-7204.patch bc861fa7fe401e5f5845c39d8ec714268898fafcd76afa54bebfc7965d4ef66e227e7bab80733c8f95a79a131b05fbdd4024d05139f2f9bd67914ff4c9e0e9b9 error-format.patch" diff --git a/main/ctags/CVE-2014-7204.patch b/main/ctags/CVE-2014-7204.patch new file mode 100644 index 0000000000..baf036ffc9 --- /dev/null +++ b/main/ctags/CVE-2014-7204.patch @@ -0,0 +1,102 @@ +From a499a10833d525c9af794c616dc40f7425110c71 Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Sat, 27 Sep 2014 14:37:19 +0100 +Subject: Changed the javascript parser to set the tag's scope rather than + including it in the tag name. + +Patch from Colomban. + +Author: David Fishburn +Origin: upstream, http://sourceforge.net/p/ctags/code/791/ +Bug-Debian: https://bugs.debian.org/742605 +Last-Update: 2014-09-27 + +Patch-Name: jscript-set-tag-scope.patch +--- + jscript.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 51 insertions(+), 3 deletions(-) + +diff --git a/jscript.c b/jscript.c +index 5de3367..a790355 100644 +--- a/jscript.c ++++ b/jscript.c +@@ -215,6 +215,7 @@ static void deleteToken (tokenInfo *const token) + * Tag generation functions + */ + ++/* + static void makeConstTag (tokenInfo *const token, const jsKind kind) + { + if (JsKinds [kind].enabled && ! token->ignoreTag ) +@@ -238,12 +239,13 @@ static void makeJsTag (tokenInfo *const token, const jsKind kind) + + if (JsKinds [kind].enabled && ! token->ignoreTag ) + { +- /* ++ * + * If a scope has been added to the token, change the token + * string to include the scope when making the tag. +- */ ++ * + if ( vStringLength(token->scope) > 0 ) + { ++ * + fulltag = vStringNew (); + vStringCopy(fulltag, token->scope); + vStringCatS (fulltag, "."); +@@ -251,8 +253,54 @@ static void makeJsTag (tokenInfo *const token, const jsKind kind) + vStringTerminate(fulltag); + vStringCopy(token->string, fulltag); + vStringDelete (fulltag); ++ * ++ jsKind parent_kind = JSTAG_CLASS; ++ ++ * ++ * if we're creating a function (and not a method), ++ * guess we're inside another function ++ * ++ if (kind == JSTAG_FUNCTION) ++ parent_kind = JSTAG_FUNCTION; ++ ++ e.extensionFields.scope[0] = JsKinds [parent_kind].name; ++ e.extensionFields.scope[1] = vStringValue (token->scope); ++ } ++ * makeConstTag (token, kind); * ++ makeTagEntry (&e); ++ } ++} ++*/ ++ ++static void makeJsTag (tokenInfo *const token, const jsKind kind) ++{ ++ if (JsKinds [kind].enabled && ! token->ignoreTag ) ++ { ++ const char *const name = vStringValue (token->string); ++ tagEntryInfo e; ++ initTagEntry (&e, name); ++ ++ e.lineNumber = token->lineNumber; ++ e.filePosition = token->filePosition; ++ e.kindName = JsKinds [kind].name; ++ e.kind = JsKinds [kind].letter; ++ ++ if ( vStringLength(token->scope) > 0 ) ++ { ++ jsKind parent_kind = JSTAG_CLASS; ++ ++ /* ++ * If we're creating a function (and not a method), ++ * guess we're inside another function ++ */ ++ if (kind == JSTAG_FUNCTION) ++ parent_kind = JSTAG_FUNCTION; ++ ++ e.extensionFields.scope[0] = JsKinds [parent_kind].name; ++ e.extensionFields.scope[1] = vStringValue (token->scope); + } +- makeConstTag (token, kind); ++ ++ makeTagEntry (&e); + } + } + -- cgit v1.2.3