From 94871950f0ccca43a98fe9209c03a175c133a95b Mon Sep 17 00:00:00 2001
From: Max Rees <maxcrees@me.com>
Date: Fri, 21 Jun 2019 14:10:19 -0400
Subject: system/sharutils: patch for CVE-2018-1000097

---
 system/sharutils/APKBUILD               | 15 +++++++++------
 system/sharutils/CVE-2018-1000097.patch | 16 ++++++++++++++++
 2 files changed, 25 insertions(+), 6 deletions(-)
 create mode 100644 system/sharutils/CVE-2018-1000097.patch

diff --git a/system/sharutils/APKBUILD b/system/sharutils/APKBUILD
index 6a0d92e82..67b264b53 100644
--- a/system/sharutils/APKBUILD
+++ b/system/sharutils/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=sharutils
 pkgver=4.15.2
-pkgrel=1
+pkgrel=2
 pkgdesc="Utilities for manipulating shell archives"
 url="https://www.gnu.org/software/sharutils/"
 arch="all"
@@ -10,10 +10,14 @@ license="GPL-3.0+"
 depends="bzip2"
 makedepends_build="texinfo"
 subpackages="$pkgname-lang $pkgname-doc"
-source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz"
+source="https://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz
+	CVE-2018-1000097.patch"
+
+# secfixes:
+#   4.15.2-r2:
+#     - CVE-2018-1000097
 
 build() {
-	cd "$builddir"
 	./configure \
 		--build=$CBUILD \
 		--host=$CHOST \
@@ -26,15 +30,14 @@ build() {
 }
 
 check() {
-	cd "$builddir"
 	make check
 }
 
 package() {
-	cd "$builddir"
 	make DESTDIR="$pkgdir" install
 	rm "$pkgdir"/usr/lib/charset.alias
 	rmdir "$pkgdir"/usr/lib || true
 }
 
-sha512sums="80d0b804a0617e11e5c23dc0d59b218bbf93e40aaf5e9a5401a18ef9cb700390aab711e2b2e2f26c8fd5b8ef99a91d3405e01d02cadabcba7639979314e59f8d  sharutils-4.15.2.tar.xz"
+sha512sums="80d0b804a0617e11e5c23dc0d59b218bbf93e40aaf5e9a5401a18ef9cb700390aab711e2b2e2f26c8fd5b8ef99a91d3405e01d02cadabcba7639979314e59f8d  sharutils-4.15.2.tar.xz
+6415da74c4f6f203bc4ad617bd05fa6ac86e1079538236148763e0b5e81ca8ea4004ea58e9e4755ba371246a7c469ef1e421576260494043d3ce3fc80e73cf69  CVE-2018-1000097.patch"
diff --git a/system/sharutils/CVE-2018-1000097.patch b/system/sharutils/CVE-2018-1000097.patch
new file mode 100644
index 000000000..f61662040
--- /dev/null
+++ b/system/sharutils/CVE-2018-1000097.patch
@@ -0,0 +1,16 @@
+From: Petr Pisar
+Subject: Fix CVE-2018-1000097, heap buffer overflow in unshar
+Bug-Debian: https://bugs.debian.org/893525
+X-Debian-version: 1:4.15.2-3
+
+--- a/src/unshar.c
++++ b/src/unshar.c
+@@ -240,7 +240,7 @@
+       off_t position = ftello (file);
+ 
+       /* Read next line, fail if no more and no previous process.  */
+-      if (!fgets (rw_buffer, BUFSIZ, file))
++      if (!fgets (rw_buffer, rw_base_size, file))
+ 	{
+ 	  if (!start)
+ 	    error (0, 0, _("Found no shell commands in %s"), name);
-- 
cgit v1.2.3-60-g2f50