diff --git a/bzip2-1.0.4.tar.gz b/bzip2-1.0.4.tar.gz deleted file mode 100644 index 29d4694..0000000 --- a/bzip2-1.0.4.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:f41c3898fbd53e68e0b052418960e538813cc98afcd72b2b604079d8de3e529c -size 841221 diff --git a/bzip2-1.0.5.tar.gz b/bzip2-1.0.5.tar.gz new file mode 100644 index 0000000..0d8513b --- /dev/null +++ b/bzip2-1.0.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f7bf5368309d76e5daf3a89d4d1bea688dac7780742e7a0ae1af19be9316fe22 +size 841402 diff --git a/bzip2-CVE-2008-1372-CERT-FI-20469.patch b/bzip2-CVE-2008-1372-CERT-FI-20469.patch deleted file mode 100644 index 0f973c6..0000000 --- a/bzip2-CVE-2008-1372-CERT-FI-20469.patch +++ /dev/null @@ -1,41 +0,0 @@ ---- bzip2-1.0.4/bzlib.c 2007-01-03 03:00:55.000000000 +0100 -+++ bzip2-1.0.5/bzlib.c 2007-12-09 14:57:21.000000000 +0100 -@@ -598,6 +598,7 @@ - UInt32 c_tPos = s->tPos; - char* cs_next_out = s->strm->next_out; - unsigned int cs_avail_out = s->strm->avail_out; -+ Int32 ro_blockSize100k = s->blockSize100k; - /* end restore */ - - UInt32 avail_out_INIT = cs_avail_out; ---- bzip2-1.0.4/bzlib_private.h 2007-01-03 03:00:55.000000000 +0100 -+++ bzip2-1.0.5/bzlib_private.h 2007-12-09 15:00:46.000000000 +0100 -@@ -442,11 +442,15 @@ - /*-- Macros for decompression. --*/ - - #define BZ_GET_FAST(cccc) \ -+ /* c_tPos is unsigned, hence test < 0 is pointless. */ \ -+ if (s->tPos >= (UInt32)100000 * (UInt32)s->blockSize100k) return True; \ - s->tPos = s->tt[s->tPos]; \ - cccc = (UChar)(s->tPos & 0xff); \ - s->tPos >>= 8; - - #define BZ_GET_FAST_C(cccc) \ -+ /* c_tPos is unsigned, hence test < 0 is pointless. */ \ -+ if (c_tPos >= (UInt32)100000 * (UInt32)ro_blockSize100k) return True; \ - c_tPos = c_tt[c_tPos]; \ - cccc = (UChar)(c_tPos & 0xff); \ - c_tPos >>= 8; -@@ -469,8 +473,10 @@ - (((UInt32)s->ll16[i]) | (GET_LL4(i) << 16)) - - #define BZ_GET_SMALL(cccc) \ -- cccc = BZ2_indexIntoF ( s->tPos, s->cftab ); \ -- s->tPos = GET_LL(s->tPos); -+ /* c_tPos is unsigned, hence test < 0 is pointless. */ \ -+ if (s->tPos >= (UInt32)100000 * (UInt32)s->blockSize100k) return True; \ -+ cccc = BZ2_indexIntoF ( s->tPos, s->cftab ); \ -+ s->tPos = GET_LL(s->tPos); - - - /*-- externs for decompression. --*/ diff --git a/bzip2-cflags.patch b/bzip2-cflags.patch new file mode 100644 index 0000000..098e0f6 --- /dev/null +++ b/bzip2-cflags.patch @@ -0,0 +1,11 @@ +--- Makefile-libbz2_so ++++ Makefile-libbz2_so +@@ -35,7 +35,7 @@ + bzlib.o + + all: $(OBJS) +- $(CC) -shared -Wl,-soname -Wl,libbz2.so.1.0 -o libbz2.so.1.0.4 $(OBJS) ++ $(CC) $(CFLAGS) -shared -Wl,-soname -Wl,libbz2.so.1.0 -o libbz2.so.1.0.4 $(OBJS) + $(CC) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.4 + rm -f libbz2.so.1.0 + ln -s libbz2.so.1.0.4 libbz2.so.1.0 diff --git a/bzip2-faster.patch b/bzip2-faster.patch index 2580a85..05c75eb 100644 --- a/bzip2-faster.patch +++ b/bzip2-faster.patch @@ -24,7 +24,7 @@ } DState; -@@ -482,8 +485,8 @@ +@@ -488,8 +491,8 @@ BZ2_decompress ( DState* ); extern void diff --git a/bzip2-unsafe_strcpy.patch b/bzip2-unsafe_strcpy.patch new file mode 100644 index 0000000..51516fc --- /dev/null +++ b/bzip2-unsafe_strcpy.patch @@ -0,0 +1,12 @@ +--- bzip2recover.c ++++ bzip2recover.c +@@ -309,7 +309,8 @@ + UInt32 buffHi, buffLo, blockCRC; + Char* p; + +- strcpy ( progName, argv[0] ); ++ strncpy ( progName, argv[0], BZ_MAX_FILENAME-1); ++ progName[BZ_MAX_FILENAME-1]='\0'; + inFileName[0] = outFileName[0] = 0; + + fprintf ( stderr, diff --git a/bzip2.changes b/bzip2.changes index 6059dc1..37e8219 100644 --- a/bzip2.changes +++ b/bzip2.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Thu Apr 3 17:12:42 CEST 2008 - lmichnovic@suse.cz + +- update to version 1.5 + * Fixes CERT-FI 20469 as it applies to bzip2 + which obsoletes bzip2-CVE-2008-1372-CERT-FI-20469.patch +- installing scripts bzdiff, bzgrep, bzmore + and symlinks bzless, bzcmp [bnc#376464] +- addded CFLAGS in Makefile-libbz2_so (cflags.patch) +- fix unsafe strcpy in bzip2recover (unsafe_strcpy.patch) + Thanks to Red Hat. + ------------------------------------------------------------------- Wed Mar 19 18:34:23 CET 2008 - nadvornik@suse.cz diff --git a/bzip2.spec b/bzip2.spec index cf3f9cc..de5402b 100644 --- a/bzip2.spec +++ b/bzip2.spec @@ -1,5 +1,5 @@ # -# spec file for package bzip2 (Version 1.0.4) +# spec file for package bzip2 (Version 1.0.5) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -12,8 +12,8 @@ Name: bzip2 -Version: 1.0.4 -Release: 69 +Version: 1.0.5 +Release: 1 Provides: bzip Obsoletes: bzip # The following is a kludge to get updating bzip2 to after the split work @@ -30,7 +30,8 @@ Source100: rpmlintrc Patch1: bzip2-shared_lib.patch Patch2: bzip2-maxlen20.patch Patch3: bzip2-faster.patch -Patch4: bzip2-CVE-2008-1372-CERT-FI-20469.patch +Patch4: bzip2-cflags.patch +Patch5: bzip2-unsafe_strcpy.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -43,6 +44,7 @@ Authors: Julian Seward %package doc +License: BSD 3-Clause Summary: The bzip2 program and Library Documentation Group: Productivity/Archiving/Compression @@ -56,6 +58,7 @@ Authors: Julian Seward %package -n libbz2-1 +License: BSD 3-Clause Summary: The bzip2 runtime library Group: Productivity/Archiving/Compression @@ -69,6 +72,7 @@ Authors: Julian Seward %package -n libbz2-devel +License: BSD 3-Clause Summary: The bzip2 runtime library development files Group: Development/Libraries/Other Requires: libbz2-1 = %{version} @@ -87,7 +91,8 @@ Authors: %patch1 %patch2 %patch3 -%patch4 -p1 +%patch4 +%patch5 %build profile_bzip2() @@ -120,6 +125,14 @@ install -m 755 -d $RPM_BUILD_ROOT/%{_lib}/ mv $RPM_BUILD_ROOT%{_libdir}/libbz2.so $RPM_BUILD_ROOT/%{_lib}/libbz2.so.%{version} ln -sf libbz2.so.%{version} $RPM_BUILD_ROOT/%{_lib}/libbz2.so.1 ln -sf ../../%{_lib}/libbz2.so.%{version} $RPM_BUILD_ROOT%{_libdir}/libbz2.so +# installing bzgrep, bzdiff and bzmore scripts bnc#376464 +mkdir -p $RPM_BUILD_ROOT%{_bindir} +install -m 755 bzgrep bzdiff bzmore $RPM_BUILD_ROOT%{_bindir} +install -m 644 bzgrep.1 bzdiff.1 bzmore.1 $RPM_BUILD_ROOT%{_mandir}/man1 +ln -s bzdiff $RPM_BUILD_ROOT%{_bindir}/bzcmp +ln -s bzmore $RPM_BUILD_ROOT%{_bindir}/bzless +ln -s bzdiff.1 $RPM_BUILD_ROOT%{_mandir}/man1/bzcmp.1 +ln -s bzmore.1 $RPM_BUILD_ROOT%{_mandir}/man1/bzless.1 %clean rm -rf $RPM_BUILD_ROOT @@ -151,6 +164,15 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libbz2.so %changelog +* Thu Apr 03 2008 lmichnovic@suse.cz +- update to version 1.5 + * Fixes CERT-FI 20469 as it applies to bzip2 + which obsoletes bzip2-CVE-2008-1372-CERT-FI-20469.patch +- installing scripts bzdiff, bzgrep, bzmore + and symlinks bzless, bzcmp [bnc#376464] +- addded CFLAGS in Makefile-libbz2_so (cflags.patch) +- fix unsafe strcpy in bzip2recover (unsafe_strcpy.patch) + Thanks to Red Hat. * Wed Mar 19 2008 nadvornik@suse.cz - fixed buffer overflows CVE-2008-1372 [bnc#372047] * Thu Dec 06 2007 lmichnovic@suse.cz @@ -220,7 +242,7 @@ rm -rf $RPM_BUILD_ROOT - re-added /usr/include/bzlib.h * Thu Mar 08 2001 bk@suse.de - Replaced the -malign options with -mcpu=pentiumpro -* Tue Mar 06 2001 bk@suse.de +* Wed Mar 07 2001 bk@suse.de - add version info to libbz2 link to fix the library version number - if i386, add -malign-loops=2 -malign-jumps=2 -malign-functions=2 * Thu Nov 30 2000 aj@suse.de