From 6c18e8f7dd58cb92c71cb4ea6ce31e5939ea4ff7 Mon Sep 17 00:00:00 2001
From: Max Rees <maxcrees@me.com>
Date: Tue, 3 Mar 2020 14:47:07 +0000
Subject: user/exiv2: patch CVE-2019-20421 (#233)

---
 user/exiv2/APKBUILD | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

(limited to 'user/exiv2/APKBUILD')

diff --git a/user/exiv2/APKBUILD b/user/exiv2/APKBUILD
index f1ca3f81f..fb710b602 100644
--- a/user/exiv2/APKBUILD
+++ b/user/exiv2/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=exiv2
 pkgver=0.27.2
-pkgrel=1
+pkgrel=2
 pkgdesc="Exif, IPTC and XMP metadata library and tools"
 url="https://www.exiv2.org/"
 arch="all"
@@ -12,8 +12,11 @@ checkdepends="python3 libxml2 cmd:which"
 makedepends="$depends_dev bash cmake"
 subpackages="$pkgname-dev $pkgname-doc"
 source="http://www.exiv2.org/builds/exiv2-$pkgver-Source.tar.gz
-	https://dev.sick.bike/dist/exiv2-0.27.2-POC-file_issue_1019
-	CVE-2019-17402.patch"
+	https://dev.sick.bike/dist/exiv2-$pkgver-POC-file_issue_1019
+	https://dev.sick.bike/dist/exiv2-$pkgver-Jp2Image_readMetadata_loop.poc
+	CVE-2019-17402.patch
+	CVE-2019-20421.patch
+	"
 builddir="$srcdir/$pkgname-$pkgver-Source"
 
 # secfixes:
@@ -86,6 +89,8 @@ builddir="$srcdir/$pkgname-$pkgver-Source"
 #     - CVE-2019-13114
 #   0.27.2-r1:
 #     - CVE-2019-17402
+#   0.27.2-r2:
+#     - CVE-2019-20421
 
 prepare() {
 	default_prepare
@@ -93,6 +98,10 @@ prepare() {
 	# Remove #1019 POC after >= 0.27.2
 	mv "$srcdir/$pkgname-$pkgver-POC-file_issue_1019" \
 		test/data/POC-file_issue_1019
+
+	# Ditto
+	mv "$srcdir/$pkgname-$pkgver-Jp2Image_readMetadata_loop.poc" \
+		test/data/Jp2Image_readMetadata_loop.poc
 }
 
 build() {
@@ -112,4 +121,6 @@ package() {
 
 sha512sums="39eb7d920dce18b275ac66f4766c7c73f7c72ee10e3e1e43d84c611b24f48ce20a70eac6d53948914e93242a25b8b52cc4bc760ee611ddcd77481306c1f9e721  exiv2-0.27.2-Source.tar.gz
 cfe0b534c29c37e7b6e5a00e8ec320cb57eb17187813fe30677a097e930655f1b097ce77806e0124affbdc423b48d9910560158eed9d2d03418a824244dafba9  exiv2-0.27.2-POC-file_issue_1019
-623232624f5382c7261a8b7e66063954c37555b7812e4f2e9af8433c4d8a1f141feafbfd2c5081395208cf1c65307ce1b39e5e34f689c558dce82f78030b29dd  CVE-2019-17402.patch"
+d2c0f59e9e2daf00066b0ad73253bb7bb09b3319606813f16478ef5717751e4cbb93d12f5c9339dae2965dcf6a63138bdb4205b698aeab57a75f97ddf458d4f7  exiv2-0.27.2-Jp2Image_readMetadata_loop.poc
+623232624f5382c7261a8b7e66063954c37555b7812e4f2e9af8433c4d8a1f141feafbfd2c5081395208cf1c65307ce1b39e5e34f689c558dce82f78030b29dd  CVE-2019-17402.patch
+c819f06a194b8465c66ccd91b8373cb2a359e59bab7583a8abb873c2001efe6188ac8fa4717c6382d2f2396d25e79e7b397c5ebf000d35c4a7dae547db7bc77b  CVE-2019-20421.patch"
-- 
cgit v1.2.3-70-g09d2