From b0c732dec4e83b2f18cb2cd323373b7247a6f2d3 Mon Sep 17 00:00:00 2001
From: Max Rees
Date: Tue, 23 Jul 2019 19:10:10 -0400
Subject: system/bzip2: [CVE] bump to 1.0.8

bzip2-1.0.4-POSIX-shell.patch integrated:
https://sourceware.org/git/?p=bzip2.git;a=commit;h=33414da1d2bedf2cbe693f0e21fdaef11d221b1d

CVE-2016-3189.patch integrated:
https://sourceware.org/git/?p=bzip2.git;a=commit;h=c1cdd98db3238cb711c7d9cdc5671452ce2822cb
---
 system/bzip2/APKBUILD | 26 ++++++++++++--------------
 system/bzip2/bzip2-1.0.4-POSIX-shell.patch | 21 ---------------------
 system/bzip2/bzip2-1.0.6-saneso.patch | 13 -------------
 system/bzip2/bzip2-1.0.8-saneso.patch | 13 +++++++++++++
 4 files changed, 25 insertions(+), 48 deletions(-)
 delete mode 100644 system/bzip2/bzip2-1.0.4-POSIX-shell.patch
 delete mode 100644 system/bzip2/bzip2-1.0.6-saneso.patch
 create mode 100644 system/bzip2/bzip2-1.0.8-saneso.patch
(limited to 'system')

diff --git a/system/bzip2/APKBUILD b/system/bzip2/APKBUILD
index 54b3e4d66..ed22b0137 100644
--- a/system/bzip2/APKBUILD
+++ b/system/bzip2/APKBUILD
@@ -1,28 +1,28 @@
 # Maintainer: A. Wilcox
 pkgname=bzip2
-pkgver=1.0.6
-pkgrel=7
+pkgver=1.0.8
+pkgrel=0
 pkgdesc="A high-quality data compression program"
-url="http://sources.redhat.com/bzip2"
+url="https://www.sourceware.org/bzip2/"
 arch="all"
 license="BSD-4-Clause"
 depends=""
 subpackages="$pkgname-dev $pkgname-doc libbz2"
-source="https://downloads.sourceforge.net/bzip2/$pkgname-$pkgver.tar.gz
+source="https://sourceware.org/pub/bzip2/$pkgname-$pkgver.tar.gz
 bzip2-1.0.4-makefile-CFLAGS.patch
- bzip2-1.0.6-saneso.patch
+ bzip2-1.0.8-saneso.patch
 bzip2-1.0.4-man-links.patch
 bzip2-1.0.2-progress.patch
 bzip2-1.0.3-no-test.patch
- bzip2-1.0.4-POSIX-shell.patch
- CVE-2016-3189.patch
 "
+builddir="$srcdir/$pkgname-$pkgver"
 # secfixes:
 # 1.0.6-r5:
-# - CVE-2016-3189
+# - CVE-2016-3189
+# 1.0.8-r0:
+# - CVE-2019-12900
-builddir="$srcdir"/$pkgname-$pkgver
 prepare() {
 default_prepare
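Review bot: The `# - CVE-2016-3189` line under `# 1.0.6-r5:` is removed and re-added with no visible difference, so the change is presumably whitespace only; because the secfixes block is commonly consumed as YAML by advisory tooling, confirm that the rewritten entry and the new `# 1.0.8-r0:` / `# - CVE-2019-12900` lines end up with identical nesting, otherwise the older entry can silently stop being parsed while the file still looks right. The rest of the hunk is consistent: `pkgrel=0` accompanies the version bump, the source now comes from sourceware over https, and the two dropped patches match the upstream commits cited in the description. Blank lines in this hunk are not recoverable from the collapsed rendering, so the layout shown here may lack them.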
@@ -64,11 +64,9 @@ libbz2() {
 mv "$pkgdir"/usr/lib/*.so.* "$subpkgdir"/usr/lib/
 }
-sha512sums="00ace5438cfa0c577e5f578d8a808613187eff5217c35164ffe044fbafdfec9e98f4192c02a7d67e01e5a5ccced630583ad1003c37697219b0f147343a3fdd12 bzip2-1.0.6.tar.gz
+sha512sums="083f5e675d73f3233c7930ebe20425a533feedeaaa9d8cc86831312a6581cefbe6ed0d08d2fa89be81082f2a5abdabca8b3c080bf97218a1bd59dc118a30b9f3 bzip2-1.0.8.tar.gz
 58cc37430555520b6e35db2740e699cf37eacdd82989c21a222a593e36288710a0defb003662d4238235c12b3764bfc89cd646e6be9d0a08d54bd2c9baa6ad15 bzip2-1.0.4-makefile-CFLAGS.patch
-8a7528b5b931bb72f637c6940bc811d54fb816fd5bb453af56d9b4a87091004eb5e191ba799d972794b24c56cf8134344a618b58946d3f1d985c508f88190845 bzip2-1.0.6-saneso.patch
+bc52f6efc63ac8d06fcbbb0446cc9c8025964ba0651ef493b5a124e838bf03bebb0ef56247fdd007265c8ea091f3458e832a53856228e7fefa4d20a55065bba3 bzip2-1.0.8-saneso.patch
 2d9a306bc0f552a58916ebc702d32350a225103c487e070d2082121a54e07f1813d3228f43293cc80a4bee62053fd597294c99a1751b1685cd678f4e5c6a2fe7 bzip2-1.0.4-man-links.patch
 b6810c73428f17245e0d7c2decd00c88986cd8ad1cfe4982defe34bdab808d53870ed92cb513b2d00c15301747ceb6ca958fb0e0458d0663b7d8f7c524f7ba4e bzip2-1.0.2-progress.patch
-aefcafaaadc7f19b20fe023e0bd161127b9f32e0cd364621f6e5c03e95fb976e7e69e354ec46673a554392519532a3bfe56d982a5cde608c10e0b18c3847a030 bzip2-1.0.3-no-test.patch
-64ab461bf739c29615383750e7f260abb2d49df7eb23916940d512bd61fd9a37aaade4d8f6f94280c95fc781b8f92587ad4f3dda51e87dec7a92a7a6f8d8ae86 bzip2-1.0.4-POSIX-shell.patch
-cef6f448b661a775cc433f9636730e89c1285d07075536217657056be56e0a11e96f41f7c14f6ec59e235464b9ddd649a71fb8de1c60eda2fd5c2cdfbb6a8fdc CVE-2016-3189.patch"
+aefcafaaadc7f19b20fe023e0bd161127b9f32e0cd364621f6e5c03e95fb976e7e69e354ec46673a554392519532a3bfe56d982a5cde608c10e0b18c3847a030 bzip2-1.0.3-no-test.patch"
diff --git a/system/bzip2/bzip2-1.0.4-POSIX-shell.patch b/system/bzip2/bzip2-1.0.4-POSIX-shell.patch
deleted file mode 100644
index a5916eaff..000000000
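Review bot: The new `bzip2-1.0.8.tar.gz` digest on the `+sha512sums=` line is the only integrity control on a tarball that the first hunk now fetches from a different host, and nothing in the commit records how that value was established. Upstream publishes a detached signature alongside the release; one sentence in the description naming the signature, or an independent distribution's checksum, that this digest was compared against would make the bump auditable without anyone re-deriving it. The `bzip2-1.0.8-saneso.patch` digest covers a file added by this same commit, so it needs no external cross-check, and removing the digests of the two deleted patches is correct. The function libbz2() whose closing lines open this hunk starts outside it.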
--- a/system/bzip2/bzip2-1.0.4-POSIX-shell.patch +++ /dev/null @@ -1,21 +0,0 @@ -bzgrep uses !/bin/sh but then uses the bashism ${var//} so replace those -with calls to sed so POSIX shells work - -http://bugs.gentoo.org/193365 - ---- ./bzgrep -+++ ./bzgrep -@@ -63,10 +63,9 @@ - bzip2 -cdfq "$i" | $grep $opt "$pat" - r=$? - else -- j=${i//\\/\\\\} -- j=${j//|/\\|} -- j=${j//&/\\&} -- j=`printf "%s" "$j" | tr '\n' ' '` -+ # the backslashes here are doubled up as we have to escape each one for the -+ # shell and then escape each one for the sed expression -+ j=`printf "%s" "${i}" | sed -e 's:\\\\:\\\\\\\\:g' -e 's:[|]:\\\\|:g' -e 's:[&]:\\\\&:g' | tr '\n' ' '` - bzip2 -cdfq "$i" | $grep $opt "$pat" | sed "s|^|${j}:|" - r=$? - fi diff --git a/system/bzip2/bzip2-1.0.6-saneso.patch b/system/bzip2/bzip2-1.0.6-saneso.patch deleted file mode 100644 index 1968a63bf..000000000 --- a/system/bzip2/bzip2-1.0.6-saneso.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- ./Makefile-libbz2_so -+++ ./Makefile-libbz2_so -@@ -35,8 +35,8 @@ - bzlib.o - - all: $(OBJS) -- $(CC) -shared -Wl,-soname -Wl,libbz2.so.1.0 -o libbz2.so.1.0.6 $(OBJS) -- $(CC) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.6 -+ $(CC) $(LDFLAGS) -shared -Wl,-soname -Wl,libbz2.so.1 -o libbz2.so.1.0.6 $(OBJS) -+ $(CC) $(LDFLAGS) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.6 - rm -f libbz2.so.1.0 - ln -s libbz2.so.1.0.6 libbz2.so.1.0 - diff --git a/system/bzip2/bzip2-1.0.8-saneso.patch b/system/bzip2/bzip2-1.0.8-saneso.patch new file mode 100644 index 000000000..7aab257af --- /dev/null +++ b/system/bzip2/bzip2-1.0.8-saneso.patch 
@@ -0,0 +1,13 @@
+--- bzip2-1.0.8/Makefile-libbz2_so 2019-07-13 17:50:05.000000000 +0000
++++ bzip2-1.0.8/Makefile-libbz2_so 2019-07-23 22:36:08.050034514 +0000
+@@ -35,8 +35,8 @@ OBJS= blocksort.o \
+ bzlib.o
+ all: $(OBJS)
+- $(CC) -shared -Wl,-soname -Wl,libbz2.so.1.0 -o libbz2.so.1.0.8 $(OBJS)
+- $(CC) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.8
++ $(CC) $(LDFLAGS) -shared -Wl,-soname -Wl,libbz2.so.1 -o libbz2.so.1.0.8 $(OBJS)
++ $(CC) $(LDFLAGS) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.8
+ rm -f libbz2.so.1.0
+ ln -s libbz2.so.1.0.8 libbz2.so.1.0
+
-- cgit v1.2.3-60-g2f50
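Review bot: The rewritten link line embeds the soname `libbz2.so.1`, but the unchanged `rm -f libbz2.so.1.0` / `ln -s libbz2.so.1.0.8 libbz2.so.1.0` lines still create only a `libbz2.so.1.0` link, so this Makefile produces no file matching the soname it now sets; the deleted 1.0.6 copy of the patch had the same gap, so presumably the APKBUILD's package() (not in this diff) creates `libbz2.so.1`, which is worth confirming. Passing `$(LDFLAGS)` on both link commands is the right change, since it lets linker flags set by the build environment, including hardening options, reach the shared library and bzip2-shared. The patch file has no explanatory preamble; since patch(1) ignores text before the first `---`, a first line such as `Set the soname to libbz2.so.1 and pass LDFLAGS to both link steps.` would tell the next person rebasing it what must be preserved. Blank context lines inside the embedded hunk are not recoverable from the collapsed rendering, so the 13-line count in the header may not match what is shown here.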