author | tron <tron> | 2010-09-22 18:04:23 +0000 |
---|---|---|
committer | tron <tron> | 2010-09-22 18:04:23 +0000 |
commit | 6e7f04bccae794fe2779b3bfc90ff9d43b66c2df (patch) | |
tree | 9cffe3d3b6c30784ec078a31aba87cf63c4d2401 | |
parent | 7d55367e65d8eec68ded28f5f1d93a212b53eb56 (diff) | |
download | pkgsrc-6e7f04bccae794fe2779b3bfc90ff9d43b66c2df.tar.gz |
Pullup ticket #3228 - requested by joerg
archivers/bzip2: security update
Revisions pulled up:
- archivers/bzip2/Makefile 1.50
- archivers/bzip2/PLIST 1.4
- archivers/bzip2/files/CHANGES 1.3
- archivers/bzip2/files/README 1.3
- archivers/bzip2/files/bzdiff new file
- archivers/bzip2/files/bzdiff.1 new file
- archivers/bzip2/files/bzgrep new file
- archivers/bzip2/files/bzgrep.1 new file
- archivers/bzip2/files/decompress.c 1.3
---
Module Name: pkgsrc
Committed By: joerg
Date: Wed Sep 22 14:32:18 UTC 2010
Update of /cvsroot/pkgsrc/archivers/bzip2/files
In directory ivanova.netbsd.org:/tmp/cvs-serv13227
Log Message:
Import stripped down bzip2-1.0.6.
---
Module Name: pkgsrc
Committed By: joerg
Date: Wed Sep 22 14:48:41 UTC 2010
Modified Files:
pkgsrc/archivers/bzip2/files: CHANGES README decompress.c
Log Message:
Update to bzip2-1.0.6: Fix for CVE-2010-0405
---
Module Name: pkgsrc
Committed By: joerg
Date: Wed Sep 22 14:53:22 UTC 2010
Modified Files:
pkgsrc/archivers/bzip2: Makefile PLIST
Log Message:
Update to bzip2-1.0.6: Fix for CVE-2010-0405. Also install various
helper scripts.
-rw-r--r-- | archivers/bzip2/Makefile | 21 | ||||
-rw-r--r-- | archivers/bzip2/PLIST | 16 | ||||
-rw-r--r-- | archivers/bzip2/builtin.mk | 5 | ||||
-rw-r--r-- | archivers/bzip2/files/CHANGES | 12 | ||||
-rw-r--r-- | archivers/bzip2/files/README | 9 | ||||
-rw-r--r-- | archivers/bzip2/files/bzdiff | 76 | ||||
-rw-r--r-- | archivers/bzip2/files/bzdiff.1 | 47 | ||||
-rw-r--r-- | archivers/bzip2/files/bzgrep | 75 | ||||
-rw-r--r-- | archivers/bzip2/files/bzgrep.1 | 56 | ||||
-rw-r--r-- | archivers/bzip2/files/decompress.c | 24 |
10 files changed, 328 insertions, 13 deletions
diff --git a/archivers/bzip2/Makefile b/archivers/bzip2/Makefile index 728c433cf3a..80152f2cd0b 100644 --- a/archivers/bzip2/Makefile +++ b/archivers/bzip2/Makefile @@ -1,10 +1,9 @@ -# $NetBSD: Makefile,v 1.49 2009/04/09 00:48:06 joerg Exp $ +# $NetBSD: Makefile,v 1.49.10.1 2010/09/22 18:04:23 tron Exp $ # -DISTNAME= bzip2-1.0.5 -PKGREVISION= 1 +DISTNAME= bzip2-1.0.6 CATEGORIES= archivers -MASTER_SITES= http://www.bzip.org/1.0.5/ +MASTER_SITES= http://www.bzip.org/1.0.6/ MAINTAINER= joerg@NetBSD.org HOMEPAGE= http://www.bzip.org/ @@ -42,5 +41,19 @@ do-install: ${LN} -s bzip2.1 ${DESTDIR}${PREFIX}/${PKGMANDIR}/man1/bzcat.1 ${LN} -s bzip2.1 ${DESTDIR}${PREFIX}/${PKGMANDIR}/man1/bzip2recover.1 ${INSTALL_DATA} ${WRKSRC}/bzlib.h ${DESTDIR}${PREFIX}/include + ${INSTALL_SCRIPT} ${WRKSRC}/bzmore ${DESTDIR}${PREFIX}/bin/bzmore + ${LN} -s bzmore ${DESTDIR}${PREFIX}/bin/bzless + ${INSTALL_MAN} ${WRKSRC}/bzmore.1 ${DESTDIR}${PREFIX}/${PKGMANDIR}/man1 + ${LN} -s bzmore.1 ${DESTDIR}${PREFIX}/${PKGMANDIR}/man1/bzless.1 + ${INSTALL_SCRIPT} ${WRKSRC}/bzdiff ${DESTDIR}${PREFIX}/bin/bzdiff + ${LN} -s bzdiff ${DESTDIR}${PREFIX}/bin/bzcmp + ${INSTALL_MAN} ${WRKSRC}/bzdiff.1 ${DESTDIR}${PREFIX}/${PKGMANDIR}/man1 + ${LN} -s bzdiff.1 ${DESTDIR}${PREFIX}/${PKGMANDIR}/man1/bzcmp.1 + ${INSTALL_SCRIPT} ${WRKSRC}/bzgrep ${DESTDIR}${PREFIX}/bin/bzgrep + ${LN} -s bzgrep ${DESTDIR}${PREFIX}/bin/bzegrep + ${LN} -s bzgrep ${DESTDIR}${PREFIX}/bin/bzfgrep + ${INSTALL_MAN} ${WRKSRC}/bzgrep.1 ${DESTDIR}${PREFIX}/${PKGMANDIR}/man1 + ${LN} -s bzgrep.1 ${DESTDIR}${PREFIX}/${PKGMANDIR}/man1/bzegrep.1 + ${LN} -s bzgrep.1 ${DESTDIR}${PREFIX}/${PKGMANDIR}/man1/bzfgrep.1 .include "../../mk/bsd.pkg.mk" diff --git a/archivers/bzip2/PLIST b/archivers/bzip2/PLIST index 404427f9e63..c95897d5d71 100644 --- a/archivers/bzip2/PLIST +++ b/archivers/bzip2/PLIST 
@@ -1,11 +1,25 @@ -@comment $NetBSD: PLIST,v 1.3 2005/05/23 06:49:29 rillig Exp $ +@comment $NetBSD: PLIST,v 1.3.46.1 2010/09/22 18:04:23 tron Exp $ bin/bunzip2 bin/bzcat +bin/bzcmp +bin/bzdiff +bin/bzegrep +bin/bzfgrep +bin/bzgrep bin/bzip2 bin/bzip2recover +bin/bzless +bin/bzmore include/bzlib.h lib/libbz2.la man/man1/bunzip2.1 man/man1/bzcat.1 +man/man1/bzcmp.1 +man/man1/bzdiff.1 +man/man1/bzegrep.1 +man/man1/bzfgrep.1 +man/man1/bzgrep.1 man/man1/bzip2.1 man/man1/bzip2recover.1 +man/man1/bzless.1 +man/man1/bzmore.1 diff --git a/archivers/bzip2/builtin.mk b/archivers/bzip2/builtin.mk index 1f32dd384d9..27f02c2482b 100644 --- a/archivers/bzip2/builtin.mk +++ b/archivers/bzip2/builtin.mk @@ -1,9 +1,10 @@ -# $NetBSD: builtin.mk,v 1.7 2006/07/13 13:04:54 heinz Exp $ +# $NetBSD: builtin.mk,v 1.7.36.1 2010/09/22 18:04:23 tron Exp $ BUILTIN_PKG:= bzip2 BUILTIN_FIND_FILES_VAR:= H_BZIP2 -BUILTIN_FIND_FILES.H_BZIP2= /usr/include/bzlib.h +BUILTIN_FIND_FILES.H_BZIP2= /usr/include/bzlib.h \ + /boot/common/include/bzlib.h BUILTIN_FIND_GREP.H_BZIP2= BZ2_ .include "../../mk/buildlink3/bsd.builtin.mk" diff --git a/archivers/bzip2/files/CHANGES b/archivers/bzip2/files/CHANGES index 6e4f65e2e0a..81e97ca6fa2 100644 --- a/archivers/bzip2/files/CHANGES +++ b/archivers/bzip2/files/CHANGES @@ -2,8 +2,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.5 of 10 December 2007 - Copyright (C) 1996-2007 Julian Seward <jseward@bzip.org> + bzip2/libbzip2 version 1.0.6 of 6 September 2010 + Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org> Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. 
@@ -317,3 +317,11 @@ Fixes some minor bugs since the last version, 1.0.3. ~~~~~~~~~~~~~~~~~ Security fix only. Fixes CERT-FI 20469 as it applies to bzip2. + +1.0.6 (6 Sept 10) +~~~~~~~~~~~~~~~~~ + +* Security fix for CVE-2010-0405. This was reported by Mikolaj + Izdebski. + +* Make the documentation build on Ubuntu 10.04 diff --git a/archivers/bzip2/files/README b/archivers/bzip2/files/README index e17a84e049f..9fb0f636013 100644 --- a/archivers/bzip2/files/README +++ b/archivers/bzip2/files/README @@ -6,8 +6,8 @@ This version is fully compatible with the previous public releases. This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. -bzip2/libbzip2 version 1.0.5 of 10 December 2007 -Copyright (C) 1996-2007 Julian Seward <jseward@bzip.org> +bzip2/libbzip2 version 1.0.6 of 6 September 2010 +Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org> Please read the WARNING, DISCLAIMER and PATENTS sections in this file. @@ -181,6 +181,10 @@ WHAT'S NEW IN 1.0.5 ? See the CHANGES file. +WHAT'S NEW IN 1.0.6 ? + + See the CHANGES file. + I hope you find bzip2 useful. Feel free to contact me at jseward@bzip.org @@ -208,3 +212,4 @@ Cambridge, UK. 15 February 2005 (bzip2, version 1.0.3) 20 December 2006 (bzip2, version 1.0.4) 10 December 2007 (bzip2, version 1.0.5) + 6 Sept 2010 (bzip2, version 1.0.6) diff --git a/archivers/bzip2/files/bzdiff b/archivers/bzip2/files/bzdiff new file mode 100644 index 00000000000..6fc38f92d27 --- /dev/null +++ b/archivers/bzip2/files/bzdiff 
@@ -0,0 +1,76 @@
+#!/bin/sh
+# sh is buggy on RS/6000 AIX 3.2. Replace above line with #!/bin/ksh
+
+# Bzcmp/diff wrapped for bzip2,
+# adapted from zdiff by Philippe Troin <phil@fifi.org> for Debian GNU/Linux.
+
+# Bzcmp and bzdiff are used to invoke the cmp or the diff pro-
+# gram on compressed files. All options specified are passed
+# directly to cmp or diff. If only 1 file is specified, then
+# the files compared are file1 and an uncompressed file1.gz.
+# If two files are specified, then they are uncompressed (if
+# necessary) and fed to cmp or diff. The exit status from cmp
+# or diff is preserved.
+
+PATH="/usr/bin:/bin:$PATH"; export PATH
+prog=`echo $0 | sed 's|.*/||'`
+case "$prog" in
+ *cmp) comp=${CMP-cmp} ;;
+ *) comp=${DIFF-diff} ;;
+esac
+
+OPTIONS=
+FILES=
+for ARG
+do
+ case "$ARG" in
+ -*) OPTIONS="$OPTIONS $ARG";;
+ *) if test -f "$ARG"; then
+ FILES="$FILES $ARG"
+ else
+ echo "${prog}: $ARG not found or not a regular file"
+ exit 1
+ fi ;;
+ esac
+done
+if test -z "$FILES"; then
+ echo "Usage: $prog [${comp}_options] file [file]"
+ exit 1
+fi
+tmp=`mktemp ${TMPDIR:-/tmp}/bzdiff.XXXXXXXXXX` || {
+ echo 'cannot create a temporary file' >&2
+ exit 1
+}
+set $FILES
+if test $# -eq 1; then
+ FILE=`echo "$1" | sed 's/.bz2$//'`
+ bzip2 -cd "$FILE.bz2" | $comp $OPTIONS - "$FILE"
+ STAT="$?"
+
+elif test $# -eq 2; then
+ case "$1" in
+ *.bz2)
+ case "$2" in
+ *.bz2)
+ F=`echo "$2" | sed 's|.*/||;s|.bz2$||'`
+ bzip2 -cdfq "$2" > $tmp
+ bzip2 -cdfq "$1" | $comp $OPTIONS - $tmp
+ STAT="$?"
+ /bin/rm -f $tmp;;
+
+ *) bzip2 -cdfq "$1" | $comp $OPTIONS - "$2"
+ STAT="$?";;
+ esac;;
+ *) case "$2" in
+ *.bz2)
+ bzip2 -cdfq "$2" | $comp $OPTIONS "$1" -
+ STAT="$?";;
+ *) $comp $OPTIONS "$1" "$2"
+ STAT="$?";;
+ esac;;
+ esac
+ exit "$STAT"
+else
+ echo "Usage: $prog [${comp}_options] file [file]"
+ exit 1
+fi
diff --git a/archivers/bzip2/files/bzdiff.1 b/archivers/bzip2/files/bzdiff.1
new file mode 100644
index 00000000000..adb7a8e724e
--- /dev/null
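Review bot: In bzdiff the temporary file from `mktemp` is created unconditionally but removed only in the branch where both arguments end in `.bz2`, so every other path (one file, mixed arguments, the final usage error) leaves an empty file behind in `${TMPDIR:-/tmp}`. Creating it only inside that branch, or adding `trap 'rm -f "$tmp"' 0` right after the `mktemp` line, would close that. `$tmp` is also expanded unquoted, which matters when TMPDIR contains whitespace. Separately, `exit "$STAT"` sits inside the two-file branch, so the one-file case falls off the end of the script and does not appear to return the cmp/diff status that the header comment promises.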
+++ b/archivers/bzip2/files/bzdiff.1
@@ -0,0 +1,47 @@
+\"Shamelessly copied from zmore.1 by Philippe Troin <phil@fifi.org>
+\"for Debian GNU/Linux
+.TH BZDIFF 1
+.SH NAME
+bzcmp, bzdiff \- compare bzip2 compressed files
+.SH SYNOPSIS
+.B bzcmp
+[ cmp_options ] file1
+[ file2 ]
+.br
+.B bzdiff
+[ diff_options ] file1
+[ file2 ]
+.SH DESCRIPTION
+.I Bzcmp
+and
+.I bzdiff
+are used to invoke the
+.I cmp
+or the
+.I diff
+program on bzip2 compressed files. All options specified are passed
+directly to
+.I cmp
+or
+.IR diff "."
+If only 1 file is specified, then the files compared are
+.I file1
+and an uncompressed
+.IR file1 ".bz2."
+If two files are specified, then they are uncompressed if necessary and fed to
+.I cmp
+or
+.IR diff "."
+The exit status from
+.I cmp
+or
+.I diff
+is preserved.
+.SH "SEE ALSO"
+cmp(1), diff(1), bzmore(1), bzless(1), bzgrep(1), bzip2(1)
+.SH BUGS
+Messages from the
+.I cmp
+or
+.I diff
+programs refer to temporary filenames instead of those specified.
diff --git a/archivers/bzip2/files/bzgrep b/archivers/bzip2/files/bzgrep
new file mode 100644
index 00000000000..9a04b8337d7
--- /dev/null
+++ b/archivers/bzip2/files/bzgrep
@@ -0,0 +1,75 @@
+#!/bin/sh
+
+# Bzgrep wrapped for bzip2,
+# adapted from zgrep by Philippe Troin <phil@fifi.org> for Debian GNU/Linux.
+## zgrep notice:
+## zgrep -- a wrapper around a grep program that decompresses files as needed
+## Adapted from a version sent by Charles Levert <charles@comm.polymtl.ca>
+
+PATH="/usr/bin:$PATH"; export PATH
+
+prog=`echo $0 | sed 's|.*/||'`
+case "$prog" in
+ *egrep) grep=${EGREP-egrep} ;;
+ *fgrep) grep=${FGREP-fgrep} ;;
+ *) grep=${GREP-grep} ;;
+esac
+pat=""
+while test $# -ne 0; do
+ case "$1" in
+ -e | -f) opt="$opt $1"; shift; pat="$1"
+ if test "$grep" = grep; then # grep is buggy with -e on SVR4
+ grep=egrep
+ fi;;
+ -A | -B) opt="$opt $1 $2"; shift;;
+ -*) opt="$opt $1";;
+ *) if test -z "$pat"; then
+ pat="$1"
+ else
+ break;
+ fi;;
+ esac
+ shift
+done
+
+if test -z "$pat"; then
+ echo "grep through bzip2 files"
+ echo "usage: $prog [grep_options] pattern [files]"
+ exit 1
+fi
+
+list=0
+silent=0
+op=`echo "$opt" | sed -e 's/ //g' -e 's/-//g'`
+case "$op" in
+ *l*) list=1
+esac
+case "$op" in
+ *h*) silent=1
+esac
+
+if test $# -eq 0; then
+ bzip2 -cdfq | $grep $opt "$pat"
+ exit $?
+fi
+
+res=0
+for i do
+ if test -f "$i"; then :; else if test -f "$i.bz2"; then i="$i.bz2"; fi; fi
+ if test $list -eq 1; then
+ bzip2 -cdfq "$i" | $grep $opt "$pat" 2>&1 > /dev/null && echo $i
+ r=$?
+ elif test $# -eq 1 -o $silent -eq 1; then
+ bzip2 -cdfq "$i" | $grep $opt "$pat"
+ r=$?
+ else
+ j=${i//\\/\\\\}
+ j=${j//|/\\|}
+ j=${j//&/\\&}
+ j=`printf "%s" "$j" | tr '\n' ' '`
+ bzip2 -cdfq "$i" | $grep $opt "$pat" | sed "s|^|${j}:|"
+ r=$?
+ fi
+ test "$r" -ne 0 && res="$r"
+done
+exit $res
diff --git a/archivers/bzip2/files/bzgrep.1 b/archivers/bzip2/files/bzgrep.1
new file mode 100644
index 00000000000..930af8c7fcb
--- /dev/null
+++ b/archivers/bzip2/files/bzgrep.1
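Review bot: In bzgrep the multi-file branch escapes the file name with `${i//\\/\\\\}`, `${j//|/\\|}` and `${j//&/\\&}`, which are bash/ksh pattern substitutions rather than POSIX sh, while the script starts with `#!/bin/sh`. A strictly POSIX /bin/sh rejects them, so that branch would fail instead of prefixing matches, and this escaping is what keeps the file name from being interpreted inside the `sed "s|^|${j}:|"` expression. A portable form does the escaping in sed itself, e.g. `j=$(printf '%s' "$i" | sed 's/[\\|&]/\\&/g' | tr '\n' ' ')`. In the `-l` branch, `2>&1 > /dev/null` still lets grep's error output through; `> /dev/null 2>&1` looks like the intent.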
@@ -0,0 +1,56 @@ +\"Shamelessly copied from zmore.1 by Philippe Troin <phil@fifi.org> +\"for Debian GNU/Linux +.TH BZGREP 1 +.SH NAME +bzgrep, bzfgrep, bzegrep \- search possibly bzip2 compressed files for a regular expression +.SH SYNOPSIS +.B bzgrep +[ grep_options ] +.BI [\ -e\ ] " pattern" +.IR filename ".\|.\|." +.br +.B bzegrep +[ egrep_options ] +.BI [\ -e\ ] " pattern" +.IR filename ".\|.\|." +.br +.B bzfgrep +[ fgrep_options ] +.BI [\ -e\ ] " pattern" +.IR filename ".\|.\|." +.SH DESCRIPTION +.IR Bzgrep +is used to invoke the +.I grep +on bzip2-compressed files. All options specified are passed directly to +.I grep. +If no file is specified, then the standard input is decompressed +if necessary and fed to grep. +Otherwise the given files are uncompressed if necessary and fed to +.I grep. +.PP +If +.I bzgrep +is invoked as +.I bzegrep +or +.I bzfgrep +then +.I egrep +or +.I fgrep +is used instead of +.I grep. +If the GREP environment variable is set, +.I bzgrep +uses it as the +.I grep +program to be invoked. For example: + + for sh: GREP=fgrep bzgrep string files + for csh: (setenv GREP fgrep; bzgrep string files) +.SH AUTHOR +Charles Levert (charles@comm.polymtl.ca). Adapted to bzip2 by Philippe +Troin <phil@fifi.org> for Debian GNU/Linux. +.SH "SEE ALSO" +grep(1), egrep(1), fgrep(1), bzdiff(1), bzmore(1), bzless(1), bzip2(1) diff --git a/archivers/bzip2/files/decompress.c b/archivers/bzip2/files/decompress.c index bba5e0fa36d..311f5668f9a 100644 --- a/archivers/bzip2/files/decompress.c +++ b/archivers/bzip2/files/decompress.c @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.5 of 10 December 2007 - Copyright (C) 1996-2007 Julian Seward <jseward@bzip.org> + bzip2/libbzip2 version 1.0.6 of 6 September 2010 + Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org> Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. 
@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
 es = -1;
 N = 1;
 do {
+ /* Check that N doesn't get too big, so that es doesn't
+ go negative. The maximum value that can be
+ RUNA/RUNB encoded is equal to the block size (post
+ the initial RLE), viz, 900k, so bounding N at 2
+ million should guard against overflow without
+ rejecting any legitimate inputs. */
+ if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
 if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
 if (nextSym == BZ_RUNB) es = es + (1+1) * N;
 N = N * 2;
@@ -485,15 +492,28 @@ Int32 BZ2_decompress ( DState* s )
 RETURN(BZ_DATA_ERROR);
 
 /*-- Set up cftab to facilitate generation of T^(-1) --*/
+ /* Check: unzftab entries in range. */
+ for (i = 0; i <= 255; i++) {
+ if (s->unzftab[i] < 0 || s->unzftab[i] > nblock)
+ RETURN(BZ_DATA_ERROR);
+ }
+ /* Actually generate cftab. */
 s->cftab[0] = 0;
 for (i = 1; i <= 256; i++) s->cftab[i] = s->unzftab[i-1];
 for (i = 1; i <= 256; i++) s->cftab[i] += s->cftab[i-1];
+ /* Check: cftab entries in range. */
 for (i = 0; i <= 256; i++) {
 if (s->cftab[i] < 0 || s->cftab[i] > nblock) {
 /* s->cftab[i] can legitimately be == nblock */
 RETURN(BZ_DATA_ERROR);
 }
 }
+ /* Check: cftab entries non-descending. */
+ for (i = 1; i <= 256; i++) {
+ if (s->cftab[i-1] > s->cftab[i]) {
+ RETURN(BZ_DATA_ERROR);
+ }
+ }
 
 s->state_out_len = 0;
 s->state_out_ch = 0; |
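Review bot: The new unzftab range check puts `if (...)` and `RETURN(BZ_DATA_ERROR);` on two lines without braces, while the two cftab checks added in the same hunk brace theirs. RETURN is a macro defined outside the hunk, so `if (s->unzftab[i] < 0 || s->unzftab[i] > nblock) { RETURN(BZ_DATA_ERROR); }` would keep the three checks uniform and safe against a later `else`. The non-descending check appears to be implied once every unzftab entry is known to lie in 0..nblock, because cftab is then a running sum of non-negative values. A comment such as `/* defence in depth: implied by the unzftab range check unless the sums overflow */` would tell a maintainer the redundancy is deliberate. BZ2_decompress starts and ends outside the hunk, so how nblock itself is bounded is not visible here.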