Accepting request 695733 from home:kstreitova:branches:Archiving

- add bzip2-1.0.6-CVE-2016-3189.patch to fix a heap use after free vulnerability that was reported in bzip2recover [bsc#985657] [CVE-2016-3189] OBS-URL: https://build.opensuse.org/request/show/695733 OBS-URL: https://build.opensuse.org/package/show/Archiving/bzip2?expand=0&rev=74
2019-04-23 08:22:37 +00:00 · 2019-04-23 08:22:37 +00:00 · 3713b730d5
commit 3713b730d5
parent 3750fa0c9a
3 changed files with 25 additions and 1 deletions
--- a/bzip2-1.0.6-CVE-2016-3189.patch
+++ b/bzip2-1.0.6-CVE-2016-3189.patch
@ -0,0 +1,15 @@
+Author: Jakub Martisko <jamartis@redhat.com>
+Date: Wed, 30 Mar 2016 10:22:27 +0200
+Description: bzip2recover: Fix potential use-after-free
+Origin: https://bugzilla.redhat.com/attachment.cgi?id=1169843&action=edit
+
+--- a/bzip2recover.c
+++ b/bzip2recover.c
+@@ -472,6 +472,7 @@ Int32 main ( Int32 argc, Char** argv )
+             bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 );
+             bsPutUInt32 ( bsWr, blockCRC );
+             bsClose ( bsWr );
+            outFile = NULL;
+          }
+          if (wrBlock >= rbCtr) break;
+          wrBlock++;
--- a/bzip2.changes
+++ b/bzip2.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Apr 18 10:28:36 UTC 2019 - Kristýna Streitová <kstreitova@suse.com>
+
+- add bzip2-1.0.6-CVE-2016-3189.patch to fix a heap use after
+  free vulnerability that was reported in bzip2recover [bsc#985657]
+  [CVE-2016-3189]
+
 -------------------------------------------------------------------
 Tue Aug 21 11:28:34 UTC 2018 - christophe@krop.fr

--- a/bzip2.spec
+++ b/bzip2.spec
@ -1,7 +1,7 @@
 #
 # spec file for package bzip2
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -37,6 +37,7 @@ Patch3:         bzip2-point-to-doc-pkg.patch
 Patch4:         bzip2-ocloexec.patch
 # PATCH-FIX-UPSTREAM bnc#970260 kstreitova@suse.com -- fix a wrong exit code when grepping multiple archives
 Patch5:         bzip2-1.0.6-bzgrep_return_value.patch
+Patch6:         bzip2-1.0.6-CVE-2016-3189.patch
 BuildRequires:  autoconf >= 2.57
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
@ -80,6 +81,7 @@ The bzip2 runtime library development files.
 %patch3 -p1
 %patch4
 %patch5 -p1
+%patch6 -p1

 %build
 autoreconf -fiv