From 52b1a3831633af81e1edb0ca7e37b22302cc89c4 Mon Sep 17 00:00:00 2001
From: taca
Date: Tue, 2 Feb 2010 14:42:43 +0000
Subject: Add patches for CVE-2009-2624 and CVE-2010-0001. Bump PKGREVISION.
---
 archivers/gzip/Makefile | 5 +++--
 archivers/gzip/distinfo | 4 +++-
 archivers/gzip/patches/patch-ag | 24 ++++++++++++++++++++++++
 archivers/gzip/patches/patch-ah | 16 ++++++++++++++++
 4 files changed, 46 insertions(+), 3 deletions(-)
 create mode 100644 archivers/gzip/patches/patch-ag
 create mode 100644 archivers/gzip/patches/patch-ah
(limited to 'archivers')
diff --git a/archivers/gzip/Makefile b/archivers/gzip/Makefile
index 53e7f09a615..d8b9730900b 100644
--- a/archivers/gzip/Makefile
+++ b/archivers/gzip/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.22 2008/09/07 08:02:27 dholland Exp $
+# $NetBSD: Makefile,v 1.23 2010/02/02 14:42:43 taca Exp $
 #
 DISTNAME= gzip-1.3.12
-PKGREVISION= 2
+PKGREVISION= 3
 SVR4_PKGNAME= gzip
 CATEGORIES= archivers
 MASTER_SITES= ${MASTER_SITE_GNU:=gzip/}
@@ -11,6 +11,7 @@ EXTRACT_SUFX= .tar
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.gnu.org/software/gzip/gzip.html
 COMMENT= Compress or expand files
+LICENSE= gnu-gpl-v2
 PKG_INSTALLATION_TYPES= overwrite pkgviews
 PKG_DESTDIR_SUPPORT= user-destdir
diff --git a/archivers/gzip/distinfo b/archivers/gzip/distinfo
index 204ddd8f1f6..78bcf07a3a7 100644
--- a/archivers/gzip/distinfo
+++ b/archivers/gzip/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.3 2008/09/07 08:02:27 dholland Exp $
+$NetBSD: distinfo,v 1.4 2010/02/02 14:42:43 taca Exp $
 SHA1 (gzip-1.3.12.tar) = 330eb5f1b3dfab13a491352cb00b6573e5b55a5f
 RMD160 (gzip-1.3.12.tar) = 6845dfba2a275f4de488c3fb97e64405838a5005
@@ -9,3 +9,5 @@ SHA1 (patch-ac) = 8ef4b7105ca9b201079f5cf8799642e12184fda4
 SHA1 (patch-ad) = 082ced7d4a89a49b750525cc71bbf9a9abfc5b9e
 SHA1 (patch-ae) = a1d245c5cf055e9bd35fb7e810d5183a71cbfc74
 SHA1 (patch-af) = 28639dbe11ed8ce81bd1c29248b53af6cea55b88
+SHA1 (patch-ag) = 6b499fe28525643bfd5e5ece73fcd221eb9f964f
+SHA1 (patch-ah) = 0f92048912c2e682ba28d93bf5f309774d337790
diff --git a/archivers/gzip/patches/patch-ag b/archivers/gzip/patches/patch-ag
new file mode 100644
index 00000000000..03f98715bba
--- /dev/null
+++ b/archivers/gzip/patches/patch-ag
@@ -0,0 +1,24 @@
+$NetBSD: patch-ag,v 1.1 2010/02/02 14:42:43 taca Exp $
+
+Fix for CVE-2009-2624.
+
+--- inflate.c.orig 2006-12-20 23:30:17.000000000 +0000
++++ inflate.c
+@@ -335,13 +335,15 @@ int *m; /* maximum looku
+ } while (--i);
+ if (c[0] == n) /* null input--all zero length codes */
+ {
+- q = (struct huft *) malloc (2 * sizeof *q);
++ q = (struct huft *) malloc (3 * sizeof *q);
+ if (!q)
+ return 3;
+- hufts += 2;
++ hufts += 3;
+ q[0].v.t = (struct huft *) NULL;
+ q[1].e = 99; /* invalid code marker */
+ q[1].b = 1;
++ q[2].e = 99; /* invalid code marker */
++ q[2].b = 1;
+ *t = q + 1;
+ *m = 1;
+ return 0;
diff --git a/archivers/gzip/patches/patch-ah b/archivers/gzip/patches/patch-ah
new file mode 100644
index 00000000000..4673d11e765
--- /dev/null
+++ b/archivers/gzip/patches/patch-ah
@@ -0,0 +1,16 @@
+$NetBSD: patch-ah,v 1.1 2010/02/02 14:42:43 taca Exp $
+
+Fix for CVE-2010-0001.
+
+--- unlzw.c.orig 2006-12-11 18:54:39.000000000 +0000
++++ unlzw.c
+@@ -248,7 +248,8 @@ int unlzw(in, out)
+ int o;
+
+ resetbuf:
+- e = insize-(o = (posbits>>3));
++ o = posbits >> 3;
++ e = o <= insize ? insize - o : 0;
+
+ for (i = 0 ; i < e ; ++i) {
+ inbuf[i] = inbuf[i+o];
-- cgit v1.2.3
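Review bot: The new table size in the `c[0] == n` branch of patch-ag is a bare `3` with nothing saying why, which leaves the same under-allocation easy to reintroduce. From the visible lines the branch publishes `*t = q + 1` with `*m = 1`, so a one-bit lookup can presumably reach both `t[0]` and `t[1]`, meaning the table needs the link entry `q[0]` plus two code entries. I would record that above the `malloc`, e.g. `/* q[0] is the link header; with *m = 1 both t[0] and t[1] are reachable, so two invalid-code entries are needed */`, and extend the patch header beyond "Fix for CVE-2009-2624." to name the undersized table. The enclosing function starts and ends outside the nested hunk, so whether `q[1].v` and `q[2].v` are ever read before the `e = 99` check cannot be confirmed from here.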
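Review bot: In the `resetbuf:` block of patch-ah the new clamp `e = o <= insize ? insize - o : 0;` stops the subtraction from wrapping, but it also lets a stream whose bit position lies beyond the buffered input carry on silently instead of being rejected. `o` is declared `int` in the hunk while the types of `posbits` and `insize` are not visible; if `insize` is unsigned the comparison is made in unsigned arithmetic, and `posbits >> 3` may be narrowed on assignment, so both deserve a check against the full file. At minimum I would add `/* corrupt input can put posbits past insize; clamp so e cannot wrap and the copy loop reads only buffered bytes */` above the two new lines. `unlzw` starts and ends outside the nested hunk, so how the rest of the loop behaves once `e` is forced to 0 cannot be judged from here.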