From 14cbf73416b6e1d6839c573967901260e464deb2 Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Fri, 18 Apr 2014 14:08:41 +0000
Subject: main/json-c: security upgrade to 0.12 (CVE-2013-6371,CVE-2013-6370)

ref #2849
---
 main/json-c/APKBUILD | 15 ++++++++++-----
 main/json-c/size-set-but-not-used.patch | 19 +++++++++++++++++++
 2 files changed, 29 insertions(+), 5 deletions(-)
 create mode 100644 main/json-c/size-set-but-not-used.patch

(limited to 'main')

diff --git a/main/json-c/APKBUILD b/main/json-c/APKBUILD
index a5b14da3a7..ce85acabd1 100644
--- a/main/json-c/APKBUILD
+++ b/main/json-c/APKBUILD
@@ -1,6 +1,6 @@
 # Maintainer: Natanael Copa
 pkgname=json-c
-pkgver=0.11
+pkgver=0.12
 pkgrel=0
 pkgdesc="A JSON implementation in C"
 url="https://github.com/json-c/json-c/wiki"
@@ -11,7 +11,9 @@ depends_dev=""
 makedepends="$depends_dev"
 install=""
 subpackages="$pkgname-dev"
-source="https://s3.amazonaws.com/${pkgname}_releases/releases/$pkgname-${pkgver}.tar.gz"
+source="https://s3.amazonaws.com/${pkgname}_releases/releases/$pkgname-${pkgver}.tar.gz
+ size-set-but-not-used.patch
+ "

 _builddir="$srcdir"/json-c-$pkgver
 prepare() {
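Review bot: Listing `size-set-but-not-used.patch` in `source` only makes the build fetch and checksum it; the hunk stops at the opening line of `prepare()`, so whether the patch is actually applied to the 0.12 tree cannot be seen here. Confirm that `prepare()` applies every `*.patch` entry from `$source`, otherwise 0.12 is built without the change. Because this bump is a security upgrade, it would also help to record the fixed issues next to `pkgver`, for example `# 0.12 fixes CVE-2013-6371 and CVE-2013-6370`, so the reason survives outside the commit message.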
@@ -43,6 +45,9 @@ package() {
 rm -f "$pkgdir"/usr/lib/*.la
 }

-md5sums="aa02367d2f7a830bf1e3376f77881e98 json-c-0.11.tar.gz"
-sha256sums="28dfc65145dc0d4df1dfe7701ac173c4e5f9347176c8983edbfac9149494448c json-c-0.11.tar.gz"
-sha512sums="65ab563fe908d585ba05fff3b77283050ec4f94114ff6e4b916557013d75498271cf65b2660a0aaf74b23beaa80385c80d37ab6a700ba967dd859fa779a81cb0 json-c-0.11.tar.gz"
+md5sums="3ca4bbb881dfc4017e8021b5e0a8c491 json-c-0.12.tar.gz
+ff9d703a13744d4a67c074dfa25d3eea size-set-but-not-used.patch"
+sha256sums="000c01b2b3f82dcb4261751eb71f1b084404fb7d6a282f06074d3c17078b9f3f json-c-0.12.tar.gz
+71cd883f54d46f023eaf2e530344c301dbbe9bd5090d64a1abe4dd8394afb2b4 size-set-but-not-used.patch"
+sha512sums="c959804362386f6b77e9d04b5fedf6d6aff1fcd0ab50250edb25f759b510b402e7ad4b33d1cbadc3337b63a3145d19f310812a9ee351748348304b384dc2dc35 json-c-0.12.tar.gz
+881faff046ae3608c82456276788b4a72e0abd75f8c2d57e192a8a40c887cd78e535f3a009ca69180c29dfcf07f3d823b4cd84b944103a4c7d5b1a7a5eb98103 size-set-but-not-used.patch"
diff --git a/main/json-c/size-set-but-not-used.patch b/main/json-c/size-set-but-not-used.patch
new file mode 100644
index 0000000000..1cb1ab1d24
--- /dev/null
+++ b/main/json-c/size-set-but-not-used.patch
@@ -0,0 +1,19 @@
+https://github.com/json-c/json-c/issues/134
+
+diff --git a/json_tokener.c b/json_tokener.c
+index 19de8ef..9a76293 100644
+--- a/json_tokener.c
++++ b/json_tokener.c
+@@ -352,12 +352,10 @@ struct json_object* json_tokener_parse_ex(struct json_tokener *tok,
+
+ case json_tokener_state_inf: /* aka starts with 'i' */
+ {
+- int size;
+ int size_inf;
+ int is_negative = 0;
+
+ printbuf_memappend_fast(tok->pb, &c, 1);
+- size = json_min(tok->st_pos+1, json_null_str_len);
+ size_inf = json_min(tok->st_pos+1, json_inf_str_len);
+ char *infbuf = tok->pb->buf;
+ if (*infbuf == '-')
-- cgit v1.2.3
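Review bot: `md5sums` is still carried for both `json-c-0.12.tar.gz` and the new patch; MD5 is not collision-resistant, so that line adds no real integrity guarantee for a tarball downloaded from an S3 bucket. Check that the build tool version in use verifies `sha256sums` or `sha512sums` and does not stop at `md5sums`. The commit references no signature or upstream-published hash for the 0.12 tarball, so the new sums are presumably taken from the maintainer's own download. A short note on where they were cross-checked would make this security bump auditable.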
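Review bot: The new patch file has only the upstream issue URL as its header, so a reader of the tree cannot tell why a security upgrade carries a local change to `json_tokener.c`. A one-line description above the URL would cover it, e.g. `Remove variable 'size', which is set but never used in json_tokener_parse_ex (build fix)`; the "build fix" part is presumed from the file name and should be confirmed against the linked issue. In the visible lines `size` is only declared and assigned, but the `json_tokener_state_inf` case continues past the end of the embedded hunk, so the absence of later reads is not shown here.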