From c074e654c4175348df823c5a2117b9b0fa7b7cb99ed77b33da589645c4762dc2 Mon Sep 17 00:00:00 2001 From: Martin Pluskal Date: Fri, 28 Jun 2019 07:19:41 +0000 Subject: [PATCH 1/2] Accepting request 712284 from home:iznogood:branches:Archiving - Update to version 1.0.7: * Fix undefined behavior in the macros SET_BH, CLEAR_BH, & ISSET_BH. * bzip2: Fix return value when combining --test,-t and -q. * bzip2recover: Fix buffer overflow for large argv[0]. * bzip2recover: Fix use after free issue with outFile (CVE-2016-3189). * Make sure nSelectors is not out of range (CVE-2019-12900). - Drop patches fixed upstream: * bzip2-unsafe_strcpy.patch. * bzip2-1.0.6-CVE-2016-3189.patch. - Refresh patches with quilt. OBS-URL: https://build.opensuse.org/request/show/712284 OBS-URL: https://build.opensuse.org/package/show/Archiving/bzip2?expand=0&rev=76 --- bzip2-1.0.6-CVE-2016-3189.patch | 15 ---------- bzip2-1.0.6-bzgrep_return_value.patch | 6 ++-- bzip2-1.0.6-fix-bashisms.patch | 7 +++-- bzip2-1.0.6.2-autoconfiscated.patch | 42 ++++++++++++++++++--------- bzip2-1.0.6.tar.gz | 3 -- bzip2-1.0.7.tar.gz | 3 ++ bzip2-ocloexec.patch | 6 ++-- bzip2-point-to-doc-pkg.patch | 6 ++-- bzip2-unsafe_strcpy.patch | 12 -------- bzip2.changes | 16 ++++++++++ bzip2.spec | 15 ++-------- 11 files changed, 64 insertions(+), 67 deletions(-) delete mode 100644 bzip2-1.0.6-CVE-2016-3189.patch delete mode 100644 bzip2-1.0.6.tar.gz create mode 100644 bzip2-1.0.7.tar.gz delete mode 100644 bzip2-unsafe_strcpy.patch diff --git a/bzip2-1.0.6-CVE-2016-3189.patch b/bzip2-1.0.6-CVE-2016-3189.patch deleted file mode 100644 index 311f666..0000000 --- a/bzip2-1.0.6-CVE-2016-3189.patch +++ /dev/null @@ -1,15 +0,0 @@ -Author: Jakub Martisko -Date: Wed, 30 Mar 2016 10:22:27 +0200 -Description: bzip2recover: Fix potential use-after-free -Origin: https://bugzilla.redhat.com/attachment.cgi?id=1169843&action=edit - ---- a/bzip2recover.c -+++ b/bzip2recover.c -@@ -472,6 +472,7 @@ Int32 main ( Int32 argc, Char** argv ) - bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 ); - bsPutUInt32 ( bsWr, blockCRC ); - bsClose ( bsWr ); -+ outFile = NULL; - } - if (wrBlock >= rbCtr) break; - wrBlock++; diff --git a/bzip2-1.0.6-bzgrep_return_value.patch b/bzip2-1.0.6-bzgrep_return_value.patch index 1227517..ac5026e 100644 --- a/bzip2-1.0.6-bzgrep_return_value.patch +++ b/bzip2-1.0.6-bzgrep_return_value.patch @@ -1,7 +1,7 @@ -Index: bzip2-1.0.6/bzgrep +Index: bzip2-1.0.7/bzgrep =================================================================== ---- bzip2-1.0.6.orig/bzgrep -+++ bzip2-1.0.6/bzgrep +--- bzip2-1.0.7.orig/bzgrep 2019-06-27 23:10:21.375272508 +0200 ++++ bzip2-1.0.7/bzgrep 2019-06-27 23:10:21.415272635 +0200 @@ -65,8 +65,20 @@ for i do else j=$(echo "$i" | sed 's/\\/&&/g;s/|/\\&/g;s/&/\\&/g') diff --git a/bzip2-1.0.6-fix-bashisms.patch b/bzip2-1.0.6-fix-bashisms.patch index afcad97..3991cb4 100644 --- a/bzip2-1.0.6-fix-bashisms.patch +++ b/bzip2-1.0.6-fix-bashisms.patch @@ -1,6 +1,7 @@ -diff -Ndurp bzip2-1.0.6/bzgrep bzip2-1.0.6-fix-bashisms/bzgrep ---- bzip2-1.0.6/bzgrep 2007-01-03 04:00:55.000000000 +0200 -+++ bzip2-1.0.6-fix-bashisms/bzgrep 2014-10-19 02:07:30.036033876 +0300 +Index: bzip2-1.0.7/bzgrep +=================================================================== +--- bzip2-1.0.7.orig/bzgrep 2019-06-27 20:15:39.000000000 +0200 ++++ bzip2-1.0.7/bzgrep 2019-06-27 23:12:37.027916706 +0200 @@ -63,9 +63,7 @@ for i do bzip2 -cdfq "$i" | $grep $opt "$pat" r=$? diff --git a/bzip2-1.0.6.2-autoconfiscated.patch b/bzip2-1.0.6.2-autoconfiscated.patch index 62304b8..850caec 100644 --- a/bzip2-1.0.6.2-autoconfiscated.patch +++ b/bzip2-1.0.6.2-autoconfiscated.patch @@ -1,5 +1,7 @@ ---- /dev/null -+++ autogen.sh +Index: bzip2-1.0.7/autogen.sh +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ bzip2-1.0.7/autogen.sh 2019-06-27 23:12:37.015916631 +0200 @@ -0,0 +1,8 @@ +mv LICENSE COPYING +mv CHANGES NEWS @@ -9,8 +11,10 @@ +aclocal +automake --add-missing --gnu +autoconf ---- /dev/null -+++ README.autotools +Index: bzip2-1.0.7/README.autotools +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ bzip2-1.0.7/README.autotools 2019-06-27 23:12:37.015916631 +0200 @@ -0,0 +1,41 @@ +bzip2 autoconfiscated +===================== @@ -53,8 +57,10 @@ + +To be super-safe, I incremented minor number of the library file, so +both instances of the shared library can live together. ---- /dev/null -+++ configure.ac +Index: bzip2-1.0.7/configure.ac +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ bzip2-1.0.7/configure.ac 2019-06-27 23:12:37.015916631 +0200 @@ -0,0 +1,62 @@ +# -*- Autoconf -*- +# Process this file with autoconf to produce a configure script. @@ -118,8 +124,10 @@ +AC_SUBST([BZIP2_LT_AGE]) +AC_CONFIG_FILES([Makefile bzip2.pc]) +AC_OUTPUT ---- /dev/null -+++ Makefile.am +Index: bzip2-1.0.7/Makefile.am +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ bzip2-1.0.7/Makefile.am 2019-06-27 23:12:37.015916631 +0200 @@ -0,0 +1,137 @@ +ACLOCAL_AMFLAGS = -I m4 +lib_LTLIBRARIES = libbz2.la @@ -258,8 +266,10 @@ + words2 \ + words3 \ + xmlproc.sh ---- /dev/null -+++ bzip2.pc.in +Index: bzip2-1.0.7/bzip2.pc.in +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ bzip2-1.0.7/bzip2.pc.in 2019-06-27 23:12:37.015916631 +0200 @@ -0,0 +1,11 @@ +prefix=@prefix@ +exec_prefix=@exec_prefix@ @@ -272,8 +282,10 @@ +Version: @VERSION@ +Libs: -L${libdir} -lbz2 +Cflags: -I${includedir} ---- /dev/null -+++ m4/visibility.m4 +Index: bzip2-1.0.7/m4/visibility.m4 +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ bzip2-1.0.7/m4/visibility.m4 2019-06-27 23:12:37.015916631 +0200 @@ -0,0 +1,78 @@ +# visibility.m4 serial 4 (gettext-0.18.2) +dnl Copyright (C) 2005, 2008, 2010-2011 Free Software Foundation, Inc. @@ -353,8 +365,10 @@ + AC_DEFINE_UNQUOTED([HAVE_VISIBILITY], [$HAVE_VISIBILITY], + [Define to 1 or 0, depending whether the compiler supports simple visibility declarations.]) +]) ---- bzlib.h.orig -+++ bzlib.h +Index: bzip2-1.0.7/bzlib.h +=================================================================== +--- bzip2-1.0.7.orig/bzlib.h 2019-06-27 20:15:39.000000000 +0200 ++++ bzip2-1.0.7/bzlib.h 2019-06-27 23:12:37.015916631 +0200 @@ -91,9 +91,11 @@ typedef # endif #else diff --git a/bzip2-1.0.6.tar.gz b/bzip2-1.0.6.tar.gz deleted file mode 100644 index 8cf2887..0000000 --- a/bzip2-1.0.6.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a2848f34fcd5d6cf47def00461fcb528a0484d8edef8208d6d2e2909dc61d9cd -size 782025 diff --git a/bzip2-1.0.7.tar.gz b/bzip2-1.0.7.tar.gz new file mode 100644 index 0000000..abda68b --- /dev/null +++ b/bzip2-1.0.7.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e768a87c5b1a79511499beb41500bcc4caf203726fff46a6f5f9ad27fe08ab2b +size 809680 diff --git a/bzip2-ocloexec.patch b/bzip2-ocloexec.patch index 4a4dc0b..a174b72 100644 --- a/bzip2-ocloexec.patch +++ b/bzip2-ocloexec.patch @@ -1,5 +1,7 @@ ---- bzlib.c.orig -+++ bzlib.c +Index: bzip2-1.0.7/bzlib.c +=================================================================== +--- bzip2-1.0.7.orig/bzlib.c 2019-06-27 20:15:39.000000000 +0200 ++++ bzip2-1.0.7/bzlib.c 2019-06-27 23:10:21.399272583 +0200 @@ -1414,7 +1414,15 @@ BZFILE * bzopen_or_bzdopen } mode++; diff --git a/bzip2-point-to-doc-pkg.patch b/bzip2-point-to-doc-pkg.patch index 532a62e..33c4078 100644 --- a/bzip2-point-to-doc-pkg.patch +++ b/bzip2-point-to-doc-pkg.patch @@ -1,7 +1,7 @@ -Index: bzip2-1.0.6/README +Index: bzip2-1.0.7/README =================================================================== ---- bzip2-1.0.6.orig/README -+++ bzip2-1.0.6/README +--- bzip2-1.0.7.orig/README 2019-06-27 20:15:39.000000000 +0200 ++++ bzip2-1.0.7/README 2019-06-27 23:10:21.387272546 +0200 @@ -17,7 +17,8 @@ in the file LICENSE. Complete documentation is available in Postscript form (manual.ps), diff --git a/bzip2-unsafe_strcpy.patch b/bzip2-unsafe_strcpy.patch deleted file mode 100644 index 51516fc..0000000 --- a/bzip2-unsafe_strcpy.patch +++ /dev/null @@ -1,12 +0,0 @@ ---- bzip2recover.c -+++ bzip2recover.c -@@ -309,7 +309,8 @@ - UInt32 buffHi, buffLo, blockCRC; - Char* p; - -- strcpy ( progName, argv[0] ); -+ strncpy ( progName, argv[0], BZ_MAX_FILENAME-1); -+ progName[BZ_MAX_FILENAME-1]='\0'; - inFileName[0] = outFileName[0] = 0; - - fprintf ( stderr, diff --git a/bzip2.changes b/bzip2.changes index 0f30028..b713ab5 100644 --- a/bzip2.changes +++ b/bzip2.changes @@ -1,3 +1,19 @@ +------------------------------------------------------------------- +Thu Jun 27 21:01:36 UTC 2019 - Bjørn Lie + +- Update to version 1.0.7: + * Fix undefined behavior in the macros SET_BH, CLEAR_BH, & + ISSET_BH. + * bzip2: Fix return value when combining --test,-t and -q. + * bzip2recover: Fix buffer overflow for large argv[0]. + * bzip2recover: Fix use after free issue with outFile + (CVE-2016-3189). + * Make sure nSelectors is not out of range (CVE-2019-12900). +- Drop patches fixed upstream: + * bzip2-unsafe_strcpy.patch. + * bzip2-1.0.6-CVE-2016-3189.patch. +- Refresh patches with quilt. + ------------------------------------------------------------------- Thu Apr 18 10:28:36 UTC 2019 - Kristýna Streitová diff --git a/bzip2.spec b/bzip2.spec index bd0ddb6..ef303b9 100644 --- a/bzip2.spec +++ b/bzip2.spec @@ -12,13 +12,13 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define libname libbz2-1 Name: bzip2 -Version: 1.0.6 +Version: 1.0.7 Release: 0 Summary: A Program for Compressing Files License: BSD-3-Clause @@ -32,12 +32,10 @@ Source100: bzip2-rpmlintrc # PATCH-FEATURE-OPENSUSE bzip2-1.0.6-autoconfiscated.patch sbrabec@suse.cz -- Convert to a standard autoconf based package. Patch0: ftp://ftp.suse.com/pub/people/sbrabec/bzip2/for_downstream/bzip2-1.0.6.2-autoconfiscated.patch Patch1: bzip2-1.0.6-fix-bashisms.patch -Patch2: bzip2-unsafe_strcpy.patch Patch3: bzip2-point-to-doc-pkg.patch Patch4: bzip2-ocloexec.patch # PATCH-FIX-UPSTREAM bnc#970260 kstreitova@suse.com -- fix a wrong exit code when grepping multiple archives Patch5: bzip2-1.0.6-bzgrep_return_value.patch -Patch6: bzip2-1.0.6-CVE-2016-3189.patch BuildRequires: autoconf >= 2.57 BuildRequires: libtool BuildRequires: pkgconfig @@ -74,14 +72,7 @@ Requires: glibc-devel The bzip2 runtime library development files. %prep -%setup -q -%patch0 -%patch1 -p1 -%patch2 -%patch3 -p1 -%patch4 -%patch5 -p1 -%patch6 -p1 +%autosetup -p1 %build autoreconf -fiv From 280db28620ed34d0e079c8bc9289561942a0363ee3931f1b1e802bc6305ee989 Mon Sep 17 00:00:00 2001 From: Martin Pluskal Date: Fri, 28 Jun 2019 07:51:07 +0000 Subject: [PATCH 2/2] - Update bug reference - Fix downloaded patches * Make sure nSelectors is not out of range (CVE-2019-12900 bsc#1139083) OBS-URL: https://build.opensuse.org/package/show/Archiving/bzip2?expand=0&rev=77 --- bzip2-1.0.6.2-autoconfiscated.patch | 42 ++++++++++------------------- bzip2.changes | 9 ++++++- bzip2.spec | 9 +++++-- 3 files changed, 29 insertions(+), 31 deletions(-) diff --git a/bzip2-1.0.6.2-autoconfiscated.patch b/bzip2-1.0.6.2-autoconfiscated.patch index 850caec..62304b8 100644 --- a/bzip2-1.0.6.2-autoconfiscated.patch +++ b/bzip2-1.0.6.2-autoconfiscated.patch @@ -1,7 +1,5 @@ -Index: bzip2-1.0.7/autogen.sh -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ bzip2-1.0.7/autogen.sh 2019-06-27 23:12:37.015916631 +0200 +--- /dev/null ++++ autogen.sh @@ -0,0 +1,8 @@ +mv LICENSE COPYING +mv CHANGES NEWS @@ -11,10 +9,8 @@ Index: bzip2-1.0.7/autogen.sh +aclocal +automake --add-missing --gnu +autoconf -Index: bzip2-1.0.7/README.autotools -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ bzip2-1.0.7/README.autotools 2019-06-27 23:12:37.015916631 +0200 +--- /dev/null ++++ README.autotools @@ -0,0 +1,41 @@ +bzip2 autoconfiscated +===================== @@ -57,10 +53,8 @@ Index: bzip2-1.0.7/README.autotools + +To be super-safe, I incremented minor number of the library file, so +both instances of the shared library can live together. -Index: bzip2-1.0.7/configure.ac -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ bzip2-1.0.7/configure.ac 2019-06-27 23:12:37.015916631 +0200 +--- /dev/null ++++ configure.ac @@ -0,0 +1,62 @@ +# -*- Autoconf -*- +# Process this file with autoconf to produce a configure script. @@ -124,10 +118,8 @@ Index: bzip2-1.0.7/configure.ac +AC_SUBST([BZIP2_LT_AGE]) +AC_CONFIG_FILES([Makefile bzip2.pc]) +AC_OUTPUT -Index: bzip2-1.0.7/Makefile.am -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ bzip2-1.0.7/Makefile.am 2019-06-27 23:12:37.015916631 +0200 +--- /dev/null ++++ Makefile.am @@ -0,0 +1,137 @@ +ACLOCAL_AMFLAGS = -I m4 +lib_LTLIBRARIES = libbz2.la @@ -266,10 +258,8 @@ Index: bzip2-1.0.7/Makefile.am + words2 \ + words3 \ + xmlproc.sh -Index: bzip2-1.0.7/bzip2.pc.in -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ bzip2-1.0.7/bzip2.pc.in 2019-06-27 23:12:37.015916631 +0200 +--- /dev/null ++++ bzip2.pc.in @@ -0,0 +1,11 @@ +prefix=@prefix@ +exec_prefix=@exec_prefix@ @@ -282,10 +272,8 @@ Index: bzip2-1.0.7/bzip2.pc.in +Version: @VERSION@ +Libs: -L${libdir} -lbz2 +Cflags: -I${includedir} -Index: bzip2-1.0.7/m4/visibility.m4 -=================================================================== ---- /dev/null 1970-01-01 00:00:00.000000000 +0000 -+++ bzip2-1.0.7/m4/visibility.m4 2019-06-27 23:12:37.015916631 +0200 +--- /dev/null ++++ m4/visibility.m4 @@ -0,0 +1,78 @@ +# visibility.m4 serial 4 (gettext-0.18.2) +dnl Copyright (C) 2005, 2008, 2010-2011 Free Software Foundation, Inc. @@ -365,10 +353,8 @@ Index: bzip2-1.0.7/m4/visibility.m4 + AC_DEFINE_UNQUOTED([HAVE_VISIBILITY], [$HAVE_VISIBILITY], + [Define to 1 or 0, depending whether the compiler supports simple visibility declarations.]) +]) -Index: bzip2-1.0.7/bzlib.h -=================================================================== ---- bzip2-1.0.7.orig/bzlib.h 2019-06-27 20:15:39.000000000 +0200 -+++ bzip2-1.0.7/bzlib.h 2019-06-27 23:12:37.015916631 +0200 +--- bzlib.h.orig ++++ bzlib.h @@ -91,9 +91,11 @@ typedef # endif #else diff --git a/bzip2.changes b/bzip2.changes index b713ab5..843037b 100644 --- a/bzip2.changes +++ b/bzip2.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Jun 28 07:42:24 UTC 2019 - Martin Pluskal + +- Update bug reference +- Fix downloaded patches + ------------------------------------------------------------------- Thu Jun 27 21:01:36 UTC 2019 - Bjørn Lie @@ -8,7 +14,8 @@ Thu Jun 27 21:01:36 UTC 2019 - Bjørn Lie * bzip2recover: Fix buffer overflow for large argv[0]. * bzip2recover: Fix use after free issue with outFile (CVE-2016-3189). - * Make sure nSelectors is not out of range (CVE-2019-12900). + * Make sure nSelectors is not out of range (CVE-2019-12900 + bsc#1139083) - Drop patches fixed upstream: * bzip2-unsafe_strcpy.patch. * bzip2-1.0.6-CVE-2016-3189.patch. diff --git a/bzip2.spec b/bzip2.spec index ef303b9..9e4957f 100644 --- a/bzip2.spec +++ b/bzip2.spec @@ -72,7 +72,12 @@ Requires: glibc-devel The bzip2 runtime library development files. %prep -%autosetup -p1 +%setup -q +%patch0 +%patch1 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 %build autoreconf -fiv @@ -82,7 +87,7 @@ autoreconf -fiv %if 0%{?do_profiling} make %{?_smp_mflags} CFLAGS="%{optflags} %{cflags_profile_generate}" make %{?_smp_mflags} CFLAGS="%{optflags} %{cflags_profile_generate}" test - make clean + make %{?_smp_mflags} clean make %{?_smp_mflags} CFLAGS="%{optflags} %{cflags_profile_feedback}" %else make %{?_smp_mflags} CFLAGS="%{optflags}"