Accepting request 712352 from Archiving

- Update bug reference - Fix downloaded patches - Update to version 1.0.7: * Fix undefined behavior in the macros SET_BH, CLEAR_BH, & ISSET_BH. * bzip2: Fix return value when combining --test,-t and -q. * bzip2recover: Fix buffer overflow for large argv[0]. * bzip2recover: Fix use after free issue with outFile (CVE-2016-3189). * Make sure nSelectors is not out of range (CVE-2019-12900 bsc#1139083) - Drop patches fixed upstream: * bzip2-unsafe_strcpy.patch. * bzip2-1.0.6-CVE-2016-3189.patch. - Refresh patches with quilt. OBS-URL: https://build.opensuse.org/request/show/712352 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bzip2?expand=0&rev=64
2019-07-02 08:37:05 +00:00 · 2019-07-02 08:37:05 +00:00 · 268098169c
commit 268098169c
parent e443cef228 280db28620
10 changed files with 44 additions and 49 deletions
--- a/bzip2-1.0.6-CVE-2016-3189.patch
+++ b/bzip2-1.0.6-CVE-2016-3189.patch
@ -1,15 +0,0 @@
 Author: Jakub Martisko <jamartis@redhat.com>
 Date: Wed, 30 Mar 2016 10:22:27 +0200
 Description: bzip2recover: Fix potential use-after-free
 Origin: https://bugzilla.redhat.com/attachment.cgi?id=1169843&action=edit
 --- a/bzip2recover.c
 +++ b/bzip2recover.c
@@ -472,6 +472,7 @@ Int32 main ( Int32 argc, Char** argv )
             bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 );
             bsPutUInt32 ( bsWr, blockCRC );
             bsClose ( bsWr );
 +            outFile = NULL;
          }
          if (wrBlock >= rbCtr) break;
          wrBlock++;
--- a/bzip2-1.0.6-bzgrep_return_value.patch
+++ b/bzip2-1.0.6-bzgrep_return_value.patch
@ -1,7 +1,7 @@
-Index: bzip2-1.0.6/bzgrep
+Index: bzip2-1.0.7/bzgrep
 ===================================================================
--- bzip2-1.0.6.orig/bzgrep
+--- bzip2-1.0.7.orig/bzgrep	2019-06-27 23:10:21.375272508 +0200
-+++ bzip2-1.0.6/bzgrep
+++ bzip2-1.0.7/bzgrep	2019-06-27 23:10:21.415272635 +0200
@@ -65,8 +65,20 @@ for i do
   else
     j=$(echo "$i" | sed 's/\\/&&/g;s/|/\\&/g;s/&/\\&/g')
--- a/bzip2-1.0.6-fix-bashisms.patch
+++ b/bzip2-1.0.6-fix-bashisms.patch
@ -1,6 +1,7 @@
-diff -Ndurp bzip2-1.0.6/bzgrep bzip2-1.0.6-fix-bashisms/bzgrep
+Index: bzip2-1.0.7/bzgrep
--- bzip2-1.0.6/bzgrep	2007-01-03 04:00:55.000000000 +0200
+===================================================================
-+++ bzip2-1.0.6-fix-bashisms/bzgrep	2014-10-19 02:07:30.036033876 +0300
+--- bzip2-1.0.7.orig/bzgrep	2019-06-27 20:15:39.000000000 +0200
 +++ bzip2-1.0.7/bzgrep	2019-06-27 23:12:37.027916706 +0200
@@ -63,9 +63,7 @@ for i do
     bzip2 -cdfq "$i" | $grep $opt "$pat"
     r=$?
--- a/bzip2-1.0.6.tar.gz
+++ b/bzip2-1.0.6.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:a2848f34fcd5d6cf47def00461fcb528a0484d8edef8208d6d2e2909dc61d9cd
 size 782025
--- a/bzip2-1.0.7.tar.gz
+++ b/bzip2-1.0.7.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:e768a87c5b1a79511499beb41500bcc4caf203726fff46a6f5f9ad27fe08ab2b
 size 809680
--- a/bzip2-ocloexec.patch
+++ b/bzip2-ocloexec.patch
@ -1,5 +1,7 @@
--- bzlib.c.orig
+Index: bzip2-1.0.7/bzlib.c
-+++ bzlib.c
+===================================================================
 --- bzip2-1.0.7.orig/bzlib.c	2019-06-27 20:15:39.000000000 +0200
 +++ bzip2-1.0.7/bzlib.c	2019-06-27 23:10:21.399272583 +0200
@@ -1414,7 +1414,15 @@ BZFILE * bzopen_or_bzdopen
       }
       mode++;
--- a/bzip2-point-to-doc-pkg.patch
+++ b/bzip2-point-to-doc-pkg.patch
@ -1,7 +1,7 @@
-Index: bzip2-1.0.6/README
+Index: bzip2-1.0.7/README
 ===================================================================
--- bzip2-1.0.6.orig/README
+--- bzip2-1.0.7.orig/README	2019-06-27 20:15:39.000000000 +0200
-+++ bzip2-1.0.6/README
+++ bzip2-1.0.7/README	2019-06-27 23:10:21.387272546 +0200
@@ -17,7 +17,8 @@ in the file LICENSE.
 Complete documentation is available in Postscript form (manual.ps),
--- a/bzip2-unsafe_strcpy.patch
+++ b/bzip2-unsafe_strcpy.patch
@ -1,12 +0,0 @@
 --- bzip2recover.c
 +++ bzip2recover.c
@@ -309,7 +309,8 @@
    UInt32      buffHi, buffLo, blockCRC;
    Char*       p;
 -   strcpy ( progName, argv[0] );
 +   strncpy ( progName, argv[0], BZ_MAX_FILENAME-1);
 +   progName[BZ_MAX_FILENAME-1]='\0';
    inFileName[0] = outFileName[0] = 0;
    fprintf ( stderr, 
--- a/bzip2.changes
+++ b/bzip2.changes
@ -1,3 +1,26 @@
 -------------------------------------------------------------------
 Fri Jun 28 07:42:24 UTC 2019 - Martin Pluskal <mpluskal@suse.com>
 - Update bug reference
 - Fix downloaded patches
 -------------------------------------------------------------------
 Thu Jun 27 21:01:36 UTC 2019 - Bjørn Lie <bjorn.lie@gmail.com>
 - Update to version 1.0.7:
  * Fix undefined behavior in the macros SET_BH, CLEAR_BH, &
    ISSET_BH.
  * bzip2: Fix return value when combining --test,-t and -q.
  * bzip2recover: Fix buffer overflow for large argv[0].
  * bzip2recover: Fix use after free issue with outFile
    (CVE-2016-3189).
  * Make sure nSelectors is not out of range (CVE-2019-12900
    bsc#1139083)
 - Drop patches fixed upstream:
  * bzip2-unsafe_strcpy.patch.
  * bzip2-1.0.6-CVE-2016-3189.patch.
 - Refresh patches with quilt.
 -------------------------------------------------------------------
 Thu Apr 18 10:28:36 UTC 2019 - Kristýna Streitová <kstreitova@suse.com>
--- a/bzip2.spec
+++ b/bzip2.spec
@ -12,13 +12,13 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 %define libname libbz2-1
 Name:           bzip2
-Version:        1.0.6
+Version:        1.0.7
 Release:        0
 Summary:        A Program for Compressing Files
 License:        BSD-3-Clause
@ -32,12 +32,10 @@ Source100:      bzip2-rpmlintrc
 # PATCH-FEATURE-OPENSUSE bzip2-1.0.6-autoconfiscated.patch sbrabec@suse.cz -- Convert to a standard autoconf based package.
 Patch0:         ftp://ftp.suse.com/pub/people/sbrabec/bzip2/for_downstream/bzip2-1.0.6.2-autoconfiscated.patch
 Patch1:         bzip2-1.0.6-fix-bashisms.patch
 Patch2:         bzip2-unsafe_strcpy.patch
 Patch3:         bzip2-point-to-doc-pkg.patch
 Patch4:         bzip2-ocloexec.patch
 # PATCH-FIX-UPSTREAM bnc#970260 kstreitova@suse.com -- fix a wrong exit code when grepping multiple archives
 Patch5:         bzip2-1.0.6-bzgrep_return_value.patch
 Patch6:         bzip2-1.0.6-CVE-2016-3189.patch
 BuildRequires:  autoconf >= 2.57
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
@ -77,11 +75,9 @@ The bzip2 runtime library development files.
 %setup -q
 %patch0
 %patch1 -p1
 %patch2
 %patch3 -p1
-%patch4
+%patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %build
 autoreconf -fiv
@ -91,7 +87,7 @@ autoreconf -fiv
 %if 0%{?do_profiling}
  make %{?_smp_mflags} CFLAGS="%{optflags} %{cflags_profile_generate}"
  make %{?_smp_mflags} CFLAGS="%{optflags} %{cflags_profile_generate}" test
-  make clean
+  make %{?_smp_mflags} clean
  make %{?_smp_mflags} CFLAGS="%{optflags} %{cflags_profile_feedback}"
 %else
  make %{?_smp_mflags} CFLAGS="%{optflags}"