Accepting request 48876 from Archiving

Copy from Archiving/bzip2 based on submit request 48876 from user puzel OBS-URL: https://build.opensuse.org/request/show/48876 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/bzip2?expand=0&rev=27
2010-09-23 21:51:54 +00:00 · 2010-09-23 21:51:54 +00:00 · dcbd039cdb
commit dcbd039cdb
parent f5d22fa499 005125ec40
5 changed files with 13 additions and 26 deletions
--- a/bzip2-1.0.5.tar.gz
+++ b/bzip2-1.0.5.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f7bf5368309d76e5daf3a89d4d1bea688dac7780742e7a0ae1af19be9316fe22
-size 841402
--- a/bzip2-1.0.6.tar.gz
+++ b/bzip2-1.0.6.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a2848f34fcd5d6cf47def00461fcb528a0484d8edef8208d6d2e2909dc61d9cd
+size 782025
--- a/bzip2-CVE-2010-0405.patch
+++ b/bzip2-CVE-2010-0405.patch
@ -1,18 +0,0 @@
-Index: bzip2-1.0.5/decompress.c
-===================================================================
--- bzip2-1.0.5.orig/decompress.c
-+++ bzip2-1.0.5/decompress.c
-@@ -394,6 +394,13 @@ Int32 BZ2_decompress ( DState* s )
-             es = -1;
-             N = 1;
-             do {
-+               /* Check that N doesn't get too big, so that es doesn't
-+                  go negative.  The maximum value that can be
-+                  RUNA/RUNB encoded is equal to the block size (post
-+                  the initial RLE), viz, 900k, so bounding N at 2
-+                  million should guard against overflow without
-+                  rejecting any legitimate inputs. */
-+               if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
-                if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
-                if (nextSym == BZ_RUNB) es = es + (1+1) * N;
-                N = N * 2;
--- a/bzip2.changes
+++ b/bzip2.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Sep 23 09:27:21 UTC 2010 - puzel@novell.com
+
+- update to bzip2-1.0.6
+  - fixes CVE-2010-0405
+- drop bzip2-CVE-2010-0405 (upstream)
+
 -------------------------------------------------------------------
 Tue Sep 21 13:54:31 UTC 2010 - puzel@novell.com

--- a/bzip2.spec
+++ b/bzip2.spec
@ -1,5 +1,5 @@
 #
-# spec file for package bzip2 (Version 1.0.5)
+# spec file for package bzip2 (Version 1.0.6)
 #
 # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@ -19,8 +19,8 @@


 Name:           bzip2
-Version:        1.0.5
-Release:        46
+Version:        1.0.6
+Release:        1
 Provides:       bzip
 Obsoletes:      bzip
 BuildRequires:  pkg-config
@ -45,7 +45,6 @@ Patch:          http://pack.suse.cz/sbrabec/bzip2/for_downstream/bzip2-1.0.5-aut
 Patch2:         bzip2-maxlen20.patch
 Patch3:         bzip2-faster.patch
 Patch5:         bzip2-unsafe_strcpy.patch
-Patch6:         bzip2-CVE-2010-0405.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
@ -109,7 +108,6 @@ Authors:
 %patch2
 %patch3
 %patch5
-%patch6 -p1

 %build
 profile_bzip2()