From 94871950f0ccca43a98fe9209c03a175c133a95b Mon Sep 17 00:00:00 2001
From: Max Rees
Date: Fri, 21 Jun 2019 14:10:19 -0400
Subject: system/sharutils: patch for CVE-2018-1000097

---
 system/sharutils/APKBUILD | 15 +++++++++------
 system/sharutils/CVE-2018-1000097.patch | 16 ++++++++++++++++
 2 files changed, 25 insertions(+), 6 deletions(-)
 create mode 100644 system/sharutils/CVE-2018-1000097.patch

diff --git a/system/sharutils/APKBUILD b/system/sharutils/APKBUILD
index 6a0d92e82..67b264b53 100644
--- a/system/sharutils/APKBUILD
+++ b/system/sharutils/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: A. Wilcox
 pkgname=sharutils
 pkgver=4.15.2
-pkgrel=1
+pkgrel=2
 pkgdesc="Utilities for manipulating shell archives"
 url="https://www.gnu.org/software/sharutils/"
 arch="all"
@@ -10,10 +10,14 @@ license="GPL-3.0+"
 depends="bzip2"
 makedepends_build="texinfo"
 subpackages="$pkgname-lang $pkgname-doc"
-source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz"
+source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz
+ CVE-2018-1000097.patch"
+
+# secfixes:
+# 4.15.2-r2:
+# - CVE-2018-1000097
 
 build() {
- cd "$builddir"
 ./configure \
 --build=$CBUILD \
 --host=$CHOST \
@@ -26,15 +30,14 @@ build() {
 }
 
 check() {
- cd "$builddir"
 make check
 }
 
 package() {
- cd "$builddir"
 make DESTDIR="$pkgdir" install
 rm "$pkgdir"/usr/lib/charset.alias
 rmdir "$pkgdir"/usr/lib || true
 }
 
-sha512sums="80d0b804a0617e11e5c23dc0d59b218bbf93e40aaf5e9a5401a18ef9cb700390aab711e2b2e2f26c8fd5b8ef99a91d3405e01d02cadabcba7639979314e59f8d sharutils-4.15.2.tar.xz"
+sha512sums="80d0b804a0617e11e5c23dc0d59b218bbf93e40aaf5e9a5401a18ef9cb700390aab711e2b2e2f26c8fd5b8ef99a91d3405e01d02cadabcba7639979314e59f8d sharutils-4.15.2.tar.xz
+6415da74c4f6f203bc4ad617bd05fa6ac86e1079538236148763e0b5e81ca8ea4004ea58e9e4755ba371246a7c469ef1e421576260494043d3ce3fc80e73cf69 CVE-2018-1000097.patch"
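Review bot: Dropping `cd "$builddir"` from build() in this hunk (and from check() and package() in the following one) is unrelated to the CVE fix and makes every step depend on the build tool entering `$builddir` on its own; if this APKBUILD is ever run under an abuild that does not do that, `./configure` and `make` execute in the package directory rather than the unpacked source. The commit message mentions only the patch, so this reliance is invisible to whoever bisects a later build failure. I would either keep the cleanup in its own commit or state in the message that it relies on abuild's default `cd` into `$builddir` (presumably the reason for the removal — confirm against the abuild version in use). The secfixes block itself is correctly placed; note that build() starts in this hunk and ends outside it.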
diff --git a/system/sharutils/CVE-2018-1000097.patch b/system/sharutils/CVE-2018-1000097.patch
new file mode 100644
index 000000000..f61662040
--- /dev/null
+++ b/system/sharutils/CVE-2018-1000097.patch
@@ -0,0 +1,16 @@
+From: Petr Pisar
+Subject: Fix CVE-2018-1000097, heap buffer overflow in unshar
+Bug-Debian: https://bugs.debian.org/893525
+X-Debian-version: 1:4.15.2-3
+
+--- a/src/unshar.c
++++ b/src/unshar.c
+@@ -240,7 +240,7 @@
+ off_t position = ftello (file);
+ 
+ /* Read next line, fail if no more and no previous process. */
+- if (!fgets (rw_buffer, BUFSIZ, file))
++ if (!fgets (rw_buffer, rw_base_size, file))
+ {
+ if (!start)
+ error (0, 0, _("Found no shell commands in %s"), name);
-- 
cgit v1.2.3-70-g09d2
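Review bot: The replaced fgets() call is now bounded by `rw_base_size`, which is presumably the allocation size of `rw_buffer`, but that allocation and every other read into the same buffer lie outside this hunk — confirm that no other `fgets (rw_buffer, BUFSIZ, ...)` or equivalent read remains in src/unshar.c, because the Debian patch touches only this call site and a second BUFSIZ-sized read into the same buffer would leave the heap overflow reachable by another path. The reason the bound matters is not stated anywhere near the call, so I would add a why-comment on the changed line to stop it regressing: `/* rw_buffer holds rw_base_size bytes, which may be smaller than BUFSIZ (CVE-2018-1000097). */`. Since unshar parses attacker-supplied archives, a regression case in the package's `check()` that feeds a line longer than `rw_base_size` through `unshar` would give this one-line fix actual test coverage; the enclosing function starts and ends outside the hunk.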