From 97b5de053de341acf015fd994760bf180a3f522eccead85b4855dcaafe411e99 Mon Sep 17 00:00:00 2001
From: OBS User buildservice-autocommit <null@suse.de>
Date: Tue, 21 Sep 2010 16:00:48 +0000
Subject: [PATCH] Updating link to change in openSUSE:Factory/bzip2 revision
 26.0

OBS-URL: https://build.opensuse.org/package/show/Archiving/bzip2?expand=0&rev=ba843b2be98e63e6e5fb57040a8a6c10
---
 bzip2-CVE-2010-0405.patch | 18 ++++++++++++++++++
 bzip2.changes             |  6 ++++++
 bzip2.spec                |  6 ++++--
 3 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 bzip2-CVE-2010-0405.patch

diff --git a/bzip2-CVE-2010-0405.patch b/bzip2-CVE-2010-0405.patch
new file mode 100644
index 0000000..536aedb
--- /dev/null
+++ b/bzip2-CVE-2010-0405.patch
@@ -0,0 +1,18 @@
+Index: bzip2-1.0.5/decompress.c
+===================================================================
+--- bzip2-1.0.5.orig/decompress.c
++++ bzip2-1.0.5/decompress.c
+@@ -394,6 +394,13 @@ Int32 BZ2_decompress ( DState* s )
+             es = -1;
+             N = 1;
+             do {
++               /* Check that N doesn't get too big, so that es doesn't
++                  go negative.  The maximum value that can be
++                  RUNA/RUNB encoded is equal to the block size (post
++                  the initial RLE), viz, 900k, so bounding N at 2
++                  million should guard against overflow without
++                  rejecting any legitimate inputs. */
++               if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
+                if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
+                if (nextSym == BZ_RUNB) es = es + (1+1) * N;
+                N = N * 2;
diff --git a/bzip2.changes b/bzip2.changes
index c654d86..aab2251 100644
--- a/bzip2.changes
+++ b/bzip2.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Sep 21 13:54:31 UTC 2010 - puzel@novell.com
+
+- add bzip2-CVE-2010-0405.patch (bnc#636978) 
+- fix copy-paste error in profile_bzip2()
+
 -------------------------------------------------------------------
 Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de
 
diff --git a/bzip2.spec b/bzip2.spec
index c7399d4..881bf61 100644
--- a/bzip2.spec
+++ b/bzip2.spec
@@ -20,7 +20,7 @@
 
 Name:           bzip2
 Version:        1.0.5
-Release:        39
+Release:        46
 Provides:       bzip
 Obsoletes:      bzip
 BuildRequires:  pkg-config
@@ -45,6 +45,7 @@ Patch:          http://pack.suse.cz/sbrabec/bzip2/for_downstream/bzip2-1.0.5-aut
 Patch2:         bzip2-maxlen20.patch
 Patch3:         bzip2-faster.patch
 Patch5:         bzip2-unsafe_strcpy.patch
+Patch6:         bzip2-CVE-2010-0405.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -108,12 +109,13 @@ Authors:
 %patch2
 %patch3
 %patch5
+%patch6 -p1
 
 %build
 profile_bzip2()
 {
     tmpfile=$(mktemp)
-    trap "rm -f $tmpfile $tmpfile.gz" EXIT
+    trap "rm -f $tmpfile $tmpfile.bz2" EXIT
     tar -cjf $tmpfile.bz2 /usr/src || true
    # time ./bzip2 $tmpfile
     time ./bzip2 -d < $tmpfile.bz2 > /dev/null