commit: 496ef5159327a6ec7726c0ec5ec849e16f416b7a
Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
AuthorDate: Sat Sep 2 08:34:07 2017 +0000
Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
CommitDate: Sat Sep 2 08:39:42 2017 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=496ef515
dev-libs/libzip: Security revbump for CVE-2017-14107
Package-Manager: Portage-2.3.8, Repoman-2.3.3
.../libzip/files/libzip-1.2.0-CVE-2017-12858.patch | 2 +-
.../libzip/files/libzip-1.2.0-CVE-2017-14107.patch | 27 ++++++++++++++
dev-libs/libzip/libzip-1.2.0-r2.ebuild | 41 ++++++++++++++++++++++
3 files changed, 69 insertions(+), 1 deletion(-)
diff --git a/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch
b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch
index b7586e45a56..26236510fee 100644
--- a/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch
+++ b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-12858.patch
@@ -34,4 +34,4 @@ index a369900..e5a7cc9 100644
- }
return -1;
}
-
\ No newline at end of file
+
diff --git a/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-14107.patch
b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-14107.patch
new file mode 100644
index 00000000000..3d1f9a0aabc
--- /dev/null
+++ b/dev-libs/libzip/files/libzip-1.2.0-CVE-2017-14107.patch
@@ -0,0 +1,27 @@
+From 9b46957ec98d85a572e9ef98301247f39338a3b5 Mon Sep 17 00:00:00 2001
+From: Thomas Klausner <[email protected]>
+Date: Tue, 29 Aug 2017 10:25:03 +0200
+Subject: [PATCH] Make eocd checks more consistent between zip and zip64 cases.
+
+---
+ lib/zip_open.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/zip_open.c b/lib/zip_open.c
+index 3bd593b..9d3a4cb 100644
+--- a/lib/zip_open.c
++++ b/lib/zip_open.c
+@@ -847,7 +847,12 @@ _zip_read_eocd64(zip_source_t *src, zip_buffer_t *buffer,
zip_uint64_t buf_offse
+ zip_error_set(error, ZIP_ER_SEEK, EFBIG);
+ return NULL;
+ }
+- if ((flags & ZIP_CHECKCONS) && offset+size != eocd_offset) {
++ if (offset+size > buf_offset + eocd_offset) {
++ /* cdir spans past EOCD record */
++ zip_error_set(error, ZIP_ER_INCONS, 0);
++ return NULL;
++ }
++ if ((flags & ZIP_CHECKCONS) && offset+size != buf_offset + eocd_offset) {
+ zip_error_set(error, ZIP_ER_INCONS, 0);
+ return NULL;
+ }
diff --git a/dev-libs/libzip/libzip-1.2.0-r2.ebuild
b/dev-libs/libzip/libzip-1.2.0-r2.ebuild
new file mode 100644
index 00000000000..524782f42c3
--- /dev/null
+++ b/dev-libs/libzip/libzip-1.2.0-r2.ebuild
@@ -0,0 +1,41 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit autotools
+
+DESCRIPTION="Library for manipulating zip archives"
+HOMEPAGE="https://nih.at/libzip/";
+SRC_URI="https://www.nih.at/libzip/${P}.tar.xz";
+
+LICENSE="BSD"
+SLOT="0/5"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86
~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos"
+IUSE="static-libs"
+
+RDEPEND="
+ sys-libs/zlib
+ elibc_musl? ( sys-libs/fts-standalone )
+"
+DEPEND="${RDEPEND}"
+
+DOCS=( AUTHORS NEWS.md API-CHANGES THANKS )
+
+PATCHES=(
+ "${FILESDIR}/${P}-headers.patch"
+ "${FILESDIR}/${P}-fts.patch"
+ "${FILESDIR}/${P}-CVE-2017-12858.patch"
+ "${FILESDIR}/${P}-CVE-2017-14107.patch"
+)
+
+src_prepare() {
+ default
+ eautoreconf
+}
+
+src_install() {
+ default
+ use static-libs || rm "${ED%/}"/usr/$(get_libdir)/libzip.a || die
+ find "${D}" -name '*.la' -delete || die
+}
