ports/core (3.4): [notify] bzip2: fix for CVE-2016-3189. closes FS#1585
commit 0c7977b67da2af83fa278a8e38ca043aa4618ee1 Author: Fredrik Rinnestam <fredrik@crux.nu> Date: Fri Feb 9 17:43:17 2018 +0100 [notify] bzip2: fix for CVE-2016-3189. closes FS#1585 diff --git a/bzip2/.md5sum b/bzip2/.md5sum index 134efa59..dc8c7f33 100644 --- a/bzip2/.md5sum +++ b/bzip2/.md5sum @@ -1,2 +1,3 @@ +3b17081b71204ddfaa1cef6f5f9d8747 CVE-2016-3189.patch 00b516f4704d4a7cb50a1d97e6e8e15b bzip2-1.0.6.tar.gz ab2b0d7367fc6f14a3d943a3861ad2c1 bzip2.patch diff --git a/bzip2/.signature b/bzip2/.signature index ebf2ccb8..2e185d6a 100644 --- a/bzip2/.signature +++ b/bzip2/.signature @@ -1,6 +1,7 @@ untrusted comment: verify with /etc/ports/core.pub -RWRJc1FUaeVeqqfPftfIF0ivBJPCnvaKfb3TRTwhrHN2HwJzwZnalx90xUtEQ05eddc+wTr4TBkDpfdlnZ8wHaz4+pZOxRRSZQU= -SHA256 (Pkgfile) = b5093f1b2cdc92c7773a0eb48bd20aa058fa677b9fc053f2ba1b4c82afe83b2e +RWRJc1FUaeVeqm1TQVFfW0gKA8At/dPhtV6NvWErI7K10qCoVdy+G3YMe2g5Zlh1u5pYju9Ph8byE7Uxm6vIntJdAWeV8x219w0= +SHA256 (Pkgfile) = fa4a0928f6530d495d431e37ba880d2359cf96da3cd3b64d68dc5f49b0428ebd SHA256 (.footprint) = bd0f9e3ca456b7ff1fcc5440865dc233e263307cb4b59f5d3c5d7ccfdadfcd6d SHA256 (bzip2-1.0.6.tar.gz) = a2848f34fcd5d6cf47def00461fcb528a0484d8edef8208d6d2e2909dc61d9cd SHA256 (bzip2.patch) = b8aa64ff17bc5704cbaf2b7012086575acfa6557c89fafdcc6dcd847fb29b5cf +SHA256 (CVE-2016-3189.patch) = 5c1cce66d2d1dfa61a627734c1a00bf0441c5ab6be0458676e20787705a14a6b diff --git a/bzip2/CVE-2016-3189.patch b/bzip2/CVE-2016-3189.patch new file mode 100644 index 00000000..d947130e --- /dev/null +++ b/bzip2/CVE-2016-3189.patch @@ -0,0 +1,10 @@ +--- a/bzip2recover.c ++++ b/bzip2recover.c +@@ -457,6 +457,7 @@ Int32 main ( Int32 argc, Char** argv ) + bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 ); + bsPutUInt32 ( bsWr, blockCRC ); + bsClose ( bsWr ); ++ outFile = NULL; + } + if (wrBlock >= rbCtr) break; + wrBlock++; diff --git a/bzip2/Pkgfile b/bzip2/Pkgfile index 5c399f1a..8e44892a 100644 --- a/bzip2/Pkgfile +++ b/bzip2/Pkgfile @@ -4,14 +4,15 @@ name=bzip2 version=1.0.6 -release=2 +release=3 source=(http://www.bzip.org/$version/$name-$version.tar.gz \ - $name.patch) + $name.patch CVE-2016-3189.patch) build() { cd $name-$version patch -Np1 -i $SRC/$name.patch + patch -p1 -i $SRC/CVE-2016-3189.patch make make PREFIX=$PKG/usr install
participants (1)
-
crux@crux.nu