There's an integer overflow in brotli's decoders when input chunks are larger than 2GB.
This is CVE-2020-8927 which is addressed by the update below to v1.0.9. Looks like brotlicommon needs a minor bump due to the addition of new symbols and I've tested the update by running regress tests (which all pass on amd64) and building these consumers: archivers/woff2 devel/libsoup net/wireshark www/apache-httpd ok?
Index: devel/quirks/Makefile
===================================================================
RCS file: /cvs/ports/devel/quirks/Makefile,v
retrieving revision 1.1066
diff -u -p -u -r1.1066 Makefile
--- devel/quirks/Makefile 14 Oct 2020 11:17:10 -0000 1.1066
+++ devel/quirks/Makefile 14 Oct 2020 23:29:08 -0000
@@ -5,7 +5,7 @@ CATEGORIES = devel databases
 DISTFILES = # API.rev
-PKGNAME = quirks-3.458
+PKGNAME = quirks-3.459
 PKG_ARCH = *
 MAINTAINER = Marc Espie <es...@openbsd.org>
Index: devel/quirks/files/Quirks.pm
===================================================================
RCS file: /cvs/ports/devel/quirks/files/Quirks.pm,v
retrieving revision 1.1084
diff -u -p -u -r1.1084 Quirks.pm
--- devel/quirks/files/Quirks.pm 14 Oct 2020 11:17:10 -0000 1.1084
+++ devel/quirks/files/Quirks.pm 14 Oct 2020 23:29:08 -0000
@@ -2004,6 +2004,7 @@ sub tweak_search
 # list of
 # cat/path => badspec
 my $cve = {
+ 'archivers/brotli' => 'brotli-<1.0.9',
 'archivers/cabextract' => 'cabextract-<1.8',
 'archivers/libmspack' => 'libmspack-<0.8alpha',
 'archivers/p5-Archive-Zip' => 'p5-Archive-Zip-<1.64',
Index: archivers/brotli/Makefile
===================================================================
RCS file: /cvs/ports/archivers/brotli/Makefile,v
retrieving revision 1.9
diff -u -p -u -r1.9 Makefile
--- archivers/brotli/Makefile 12 Jul 2019 20:43:27 -0000 1.9
+++ archivers/brotli/Makefile 14 Oct 2020 23:29:08 -0000
@@ -4,11 +4,11 @@ COMMENT = generic lossless compressor
 GH_ACCOUNT = google
 GH_PROJECT = brotli
-GH_TAGNAME = v1.0.7
+GH_TAGNAME = v1.0.9
-SHARED_LIBS += brotlicommon 1.1 # 0.6
-SHARED_LIBS += brotlidec 1.1 # 0.6
-SHARED_LIBS += brotlienc 1.0 # 0.6
+SHARED_LIBS += brotlicommon 1.2 # 1.0.9
+SHARED_LIBS += brotlidec 1.1 # 1.0.9
+SHARED_LIBS += brotlienc 1.0 # 1.0.9
 CATEGORIES = archivers
Index: archivers/brotli/distinfo
===================================================================
RCS file: /cvs/ports/archivers/brotli/distinfo,v
retrieving revision 1.7
diff -u -p -u -r1.7 distinfo
--- archivers/brotli/distinfo 25 Dec 2018 14:50:27 -0000 1.7
+++ archivers/brotli/distinfo 14 Oct 2020 23:29:08 -0000
@@ -1,2 +1,2 @@
-SHA256 (brotli-1.0.7.tar.gz) = TGG/sPrKhyGepYcybEZ7layyVVW1PRpCH/o8ipKW7iw=
-SIZE (brotli-1.0.7.tar.gz) = 23827908
+SHA256 (brotli-1.0.9.tar.gz) = +ejYHQQFumbRgVKa9CozVPg4yTkJX/mZMNpqqc32/kY=
+SIZE (brotli-1.0.9.tar.gz) = 486984
Index: archivers/brotli/pkg/PLIST
===================================================================
RCS file: /cvs/ports/archivers/brotli/pkg/PLIST,v
retrieving revision 1.4
diff -u -p -u -r1.4 PLIST
--- archivers/brotli/pkg/PLIST 5 Dec 2017 21:04:07 -0000 1.4
+++ archivers/brotli/pkg/PLIST 14 Oct 2020 23:29:08 -0000
@@ -5,11 +5,11 @@ include/brotli/decode.h
 include/brotli/encode.h
 include/brotli/port.h
 include/brotli/types.h
-lib/libbrotlicommon-static.a
+@static-lib lib/libbrotlicommon-static.a
 @lib lib/libbrotlicommon.so.${LIBbrotlicommon_VERSION}
-lib/libbrotlidec-static.a
+@static-lib lib/libbrotlidec-static.a
 @lib lib/libbrotlidec.so.${LIBbrotlidec_VERSION}
-lib/libbrotlienc-static.a
+@static-lib lib/libbrotlienc-static.a
 @lib lib/libbrotlienc.so.${LIBbrotlienc_VERSION}
 lib/pkgconfig/libbrotlicommon.pc
 lib/pkgconfig/libbrotlidec.pc
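Review bot: The new SIZE line in the distinfo hunk records 486984 bytes against 23827908 for the previous release, a roughly fifty-fold drop between two patch versions of the same project, and that is worth a second look before the checksum is committed. It is plausibly just upstream no longer shipping large test data in the tagged tarball, but the same symptom would come from a truncated or substituted fetch, and the recorded SHA256 is what every later build pins against. Re-fetching the distfile cleanly and comparing the size and hash with what upstream publishes for the v1.0.9 tag would settle it; if the drop is expected, a one-line remark in the commit message would save the next reader the same double-take.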