commit: 8ae28c0fa697b98cc15aace97cf1668df29b5fd7 Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> AuthorDate: Thu Aug 24 17:12:33 2017 +0000 Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> CommitDate: Thu Aug 24 17:16:40 2017 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8ae28c0f
dev-libs/libzip: Security revbump for CVE-2017-12858 Package-Manager: Portage-2.3.6, Repoman-2.3.1 .../libzip/files/libzip-1.2.0-CVE-2017-12858.patch | 37 ++++++++++++++++++++ dev-libs/libzip/libzip-1.2.0-r1.ebuild | 40 ++++++++++++++++++++++ 2 files changed, 77 insertions(+) diff --git a/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch new file mode 100644 index 00000000000..b7586e45a56 --- /dev/null +++ b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch @@ -0,0 +1,37 @@ +From 2217022b7d1142738656d891e00b3d2d9179b796 Mon Sep 17 00:00:00 2001 +From: Thomas Klausner <[email protected]> +Date: Mon, 14 Aug 2017 10:55:44 +0200 +Subject: [PATCH] Fix double free(). + +Found by Brian 'geeknik' Carpenter using AFL. +--- + THANKS | 1 + + lib/zip_dirent.c | 3 --- + 2 files changed, 1 insertion(+), 3 deletions(-) + +diff --git a/THANKS b/THANKS +index be0cca9..a80ee1d 100644 +--- a/THANKS ++++ b/THANKS +@@ -12,6 +12,7 @@ BALATON Zoltan <[email protected]> + Benjamin Gilbert <[email protected]> + Boaz Stolk <[email protected]> + Bogdan <[email protected]> ++Brian 'geeknik' Carpenter <[email protected]> + Chris Nehren <[email protected]> + Coverity <[email protected]> + Dane Springmeyer <[email protected]> +diff --git a/lib/zip_dirent.c b/lib/zip_dirent.c +index a369900..e5a7cc9 100644 +--- a/lib/zip_dirent.c ++++ b/lib/zip_dirent.c +@@ -579,9 +579,6 @@ _zip_dirent_read(zip_dirent_t *zde, zip_source_t *src, zip_buffer_t *buffer, boo + } + + if (!_zip_dirent_process_winzip_aes(zde, error)) { +- if (!from_buffer) { +- _zip_buffer_free(buffer); +- } + return -1; + } + \ No newline at end of file diff --git a/dev-libs/libzip/libzip-1.2.0-r1.ebuild b/dev-libs/libzip/libzip-1.2.0-r1.ebuild new file mode 100644 index 00000000000..61f933dcd36 --- /dev/null +++ b/dev-libs/libzip/libzip-1.2.0-r1.ebuild @@ -0,0 +1,40 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 + +inherit autotools + +DESCRIPTION="Library for manipulating zip archives" +HOMEPAGE="http://www.nih.at/libzip/"; +SRC_URI="http://www.nih.at/libzip/${P}.tar.xz"; + +LICENSE="BSD" +SLOT="0/5" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos" +IUSE="static-libs" + +RDEPEND=" + sys-libs/zlib + elibc_musl? ( sys-libs/fts-standalone ) +" +DEPEND="${RDEPEND}" + +DOCS=( AUTHORS NEWS.md API-CHANGES THANKS ) + +PATCHES=( + "${FILESDIR}/${P}-headers.patch" + "${FILESDIR}/${P}-fts.patch" + "${FILESDIR}/${P}-CVE-2017-12858.patch" +) + +src_prepare() { + default + eautoreconf +} + +src_install() { + default + use static-libs || rm "${ED%/}"/usr/$(get_libdir)/libzip.a || die + find "${D}" -name '*.la' -delete || die +}
