
Accepting request 712284 from home:iznogood:branches:Archiving

- Update to version 1.0.7:
  * Fix undefined behavior in the macros SET_BH, CLEAR_BH, &
    ISSET_BH.
  * bzip2: Fix return value when combining --test,-t and -q.
  * bzip2recover: Fix buffer overflow for large argv[0].
  * bzip2recover: Fix use after free issue with outFile
    (CVE-2016-3189).
  * Make sure nSelectors is not out of range (CVE-2019-12900).
- Drop patches fixed upstream:
  * bzip2-unsafe_strcpy.patch.
  * bzip2-1.0.6-CVE-2016-3189.patch.
- Refresh patches with quilt.

OBS-URL: https://build.opensuse.org/request/show/712284
OBS-URL: https://build.opensuse.org/package/show/Archiving/bzip2?expand=0&rev=76
Martin Pluskal 2019-06-28 07:19:41 +00:00 committed by Git OBS Bridge
parent 3713b730d5
commit c074e654c4
11 changed files with 64 additions and 67 deletions


@ -1,15 +0,0 @@
Author: Jakub Martisko <jamartis@redhat.com>
Date: Wed, 30 Mar 2016 10:22:27 +0200
Description: bzip2recover: Fix potential use-after-free
Origin: https://bugzilla.redhat.com/attachment.cgi?id=1169843&action=edit
--- a/bzip2recover.c
+++ b/bzip2recover.c
@@ -472,6 +472,7 @@ Int32 main ( Int32 argc, Char** argv )
bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 );
bsPutUInt32 ( bsWr, blockCRC );
bsClose ( bsWr );
+ outFile = NULL;
}
if (wrBlock >= rbCtr) break;
wrBlock++;


@ -1,7 +1,7 @@
Index: bzip2-1.0.6/bzgrep
Index: bzip2-1.0.7/bzgrep
===================================================================
--- bzip2-1.0.6.orig/bzgrep
+++ bzip2-1.0.6/bzgrep
--- bzip2-1.0.7.orig/bzgrep 2019-06-27 23:10:21.375272508 +0200
+++ bzip2-1.0.7/bzgrep 2019-06-27 23:10:21.415272635 +0200
@@ -65,8 +65,20 @@ for i do
else
j=$(echo "$i" | sed 's/\\/&&/g;s/|/\\&/g;s/&/\\&/g')


@ -1,6 +1,7 @@
diff -Ndurp bzip2-1.0.6/bzgrep bzip2-1.0.6-fix-bashisms/bzgrep
--- bzip2-1.0.6/bzgrep 2007-01-03 04:00:55.000000000 +0200
+++ bzip2-1.0.6-fix-bashisms/bzgrep 2014-10-19 02:07:30.036033876 +0300
Index: bzip2-1.0.7/bzgrep
===================================================================
--- bzip2-1.0.7.orig/bzgrep 2019-06-27 20:15:39.000000000 +0200
+++ bzip2-1.0.7/bzgrep 2019-06-27 23:12:37.027916706 +0200
@@ -63,9 +63,7 @@ for i do
bzip2 -cdfq "$i" | $grep $opt "$pat"
r=$?


@ -1,5 +1,7 @@
--- /dev/null
+++ autogen.sh
Index: bzip2-1.0.7/autogen.sh
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ bzip2-1.0.7/autogen.sh 2019-06-27 23:12:37.015916631 +0200
@@ -0,0 +1,8 @@
+mv LICENSE COPYING
+mv CHANGES NEWS
@ -9,8 +11,10 @@
+aclocal
+automake --add-missing --gnu
+autoconf
--- /dev/null
+++ README.autotools
Index: bzip2-1.0.7/README.autotools
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ bzip2-1.0.7/README.autotools 2019-06-27 23:12:37.015916631 +0200
@@ -0,0 +1,41 @@
+bzip2 autoconfiscated
+=====================
@ -53,8 +57,10 @@
+
+To be super-safe, I incremented minor number of the library file, so
+both instances of the shared library can live together.
--- /dev/null
+++ configure.ac
Index: bzip2-1.0.7/configure.ac
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ bzip2-1.0.7/configure.ac 2019-06-27 23:12:37.015916631 +0200
@@ -0,0 +1,62 @@
+# -*- Autoconf -*-
+# Process this file with autoconf to produce a configure script.
@ -118,8 +124,10 @@
+AC_SUBST([BZIP2_LT_AGE])
+AC_CONFIG_FILES([Makefile bzip2.pc])
+AC_OUTPUT
--- /dev/null
+++ Makefile.am
Index: bzip2-1.0.7/Makefile.am
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ bzip2-1.0.7/Makefile.am 2019-06-27 23:12:37.015916631 +0200
@@ -0,0 +1,137 @@
+ACLOCAL_AMFLAGS = -I m4
+lib_LTLIBRARIES = libbz2.la
@ -258,8 +266,10 @@
+ words2 \
+ words3 \
+ xmlproc.sh
--- /dev/null
+++ bzip2.pc.in
Index: bzip2-1.0.7/bzip2.pc.in
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ bzip2-1.0.7/bzip2.pc.in 2019-06-27 23:12:37.015916631 +0200
@@ -0,0 +1,11 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
@ -272,8 +282,10 @@
+Version: @VERSION@
+Libs: -L${libdir} -lbz2
+Cflags: -I${includedir}
--- /dev/null
+++ m4/visibility.m4
Index: bzip2-1.0.7/m4/visibility.m4
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ bzip2-1.0.7/m4/visibility.m4 2019-06-27 23:12:37.015916631 +0200
@@ -0,0 +1,78 @@
+# visibility.m4 serial 4 (gettext-0.18.2)
+dnl Copyright (C) 2005, 2008, 2010-2011 Free Software Foundation, Inc.
@ -353,8 +365,10 @@
+ AC_DEFINE_UNQUOTED([HAVE_VISIBILITY], [$HAVE_VISIBILITY],
+ [Define to 1 or 0, depending whether the compiler supports simple visibility declarations.])
+])
--- bzlib.h.orig
+++ bzlib.h
Index: bzip2-1.0.7/bzlib.h
===================================================================
--- bzip2-1.0.7.orig/bzlib.h 2019-06-27 20:15:39.000000000 +0200
+++ bzip2-1.0.7/bzlib.h 2019-06-27 23:12:37.015916631 +0200
@@ -91,9 +91,11 @@ typedef
# endif
#else


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a2848f34fcd5d6cf47def00461fcb528a0484d8edef8208d6d2e2909dc61d9cd
size 782025

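--- a/bzip2-1.0.7.tar.gz
+++ b/bzip2-1.0.7.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e768a87c5b1a79511499beb41500bcc4caf203726fff46a6f5f9ad27fe08ab2b
+size 809680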


@ -1,5 +1,7 @@
--- bzlib.c.orig
+++ bzlib.c
Index: bzip2-1.0.7/bzlib.c
===================================================================
--- bzip2-1.0.7.orig/bzlib.c 2019-06-27 20:15:39.000000000 +0200
+++ bzip2-1.0.7/bzlib.c 2019-06-27 23:10:21.399272583 +0200
@@ -1414,7 +1414,15 @@ BZFILE * bzopen_or_bzdopen
}
mode++;


@ -1,7 +1,7 @@
Index: bzip2-1.0.6/README
Index: bzip2-1.0.7/README
===================================================================
--- bzip2-1.0.6.orig/README
+++ bzip2-1.0.6/README
--- bzip2-1.0.7.orig/README 2019-06-27 20:15:39.000000000 +0200
+++ bzip2-1.0.7/README 2019-06-27 23:10:21.387272546 +0200
@@ -17,7 +17,8 @@ in the file LICENSE.
Complete documentation is available in Postscript form (manual.ps),


@ -1,12 +0,0 @@
--- bzip2recover.c
+++ bzip2recover.c
@@ -309,7 +309,8 @@
UInt32 buffHi, buffLo, blockCRC;
Char* p;
- strcpy ( progName, argv[0] );
+ strncpy ( progName, argv[0], BZ_MAX_FILENAME-1);
+ progName[BZ_MAX_FILENAME-1]='\0';
inFileName[0] = outFileName[0] = 0;
fprintf ( stderr,


@ -1,3 +1,19 @@
-------------------------------------------------------------------
Thu Jun 27 21:01:36 UTC 2019 - Bjørn Lie <bjorn.lie@gmail.com>
- Update to version 1.0.7:
* Fix undefined behavior in the macros SET_BH, CLEAR_BH, &
ISSET_BH.
* bzip2: Fix return value when combining --test,-t and -q.
* bzip2recover: Fix buffer overflow for large argv[0].
* bzip2recover: Fix use after free issue with outFile
(CVE-2016-3189).
* Make sure nSelectors is not out of range (CVE-2019-12900).
- Drop patches fixed upstream:
* bzip2-unsafe_strcpy.patch.
* bzip2-1.0.6-CVE-2016-3189.patch.
- Refresh patches with quilt.
-------------------------------------------------------------------
Thu Apr 18 10:28:36 UTC 2019 - Kristýna Streitová <kstreitova@suse.com>


@ -12,13 +12,13 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define libname libbz2-1
Name: bzip2
Version: 1.0.6
Version: 1.0.7
Release: 0
Summary: A Program for Compressing Files
License: BSD-3-Clause
@ -32,12 +32,10 @@ Source100: bzip2-rpmlintrc
# PATCH-FEATURE-OPENSUSE bzip2-1.0.6-autoconfiscated.patch sbrabec@suse.cz -- Convert to a standard autoconf based package.
Patch0: ftp://ftp.suse.com/pub/people/sbrabec/bzip2/for_downstream/bzip2-1.0.6.2-autoconfiscated.patch
Patch1: bzip2-1.0.6-fix-bashisms.patch
Patch2: bzip2-unsafe_strcpy.patch
Patch3: bzip2-point-to-doc-pkg.patch
Patch4: bzip2-ocloexec.patch
# PATCH-FIX-UPSTREAM bnc#970260 kstreitova@suse.com -- fix a wrong exit code when grepping multiple archives
Patch5: bzip2-1.0.6-bzgrep_return_value.patch
Patch6: bzip2-1.0.6-CVE-2016-3189.patch
BuildRequires: autoconf >= 2.57
BuildRequires: libtool
BuildRequires: pkgconfig
@ -74,14 +72,7 @@ Requires: glibc-devel
The bzip2 runtime library development files.
%prep
%setup -q
%patch0
%patch1 -p1
%patch2
%patch3 -p1
%patch4
%patch5 -p1
%patch6 -p1
%autosetup -p1
%build
autoreconf -fiv
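Review bot: `Patch0` still points at `ftp://ftp.suse.com/pub/people/sbrabec/bzip2/for_downstream/bzip2-1.0.6.2-autoconfiscated.patch`, although this commit appears to refresh that patch locally (the section adding `autogen.sh`, `configure.ac` and `Makefile.am` now carries `Index: bzip2-1.0.7/...` headers). The packaged file can therefore no longer match what the URL serves, and plain FTP gives no integrity protection if a source service ever re-fetches it. I would list it by bare file name, as Patch1 and later already are: `Patch0: bzip2-1.0.6.2-autoconfiscated.patch`, keeping the origin in the `PATCH-FEATURE-OPENSUSE` comment above it. Separately, `%autosetup -p1` applies every remaining patch at strip level 1, where `%patch0` and `%patch4` previously used the default level. The refreshed headers visible on this page use a `bzip2-1.0.7/` prefix, which fits, but the patch bodies are truncated here, so a local `quilt push -a` or the build log should confirm each one applies without fuzz.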