

[alpine-aports] [PATCH edge] main/libgit2: security upgrade to 0.25.1 - fixes #6739

Details
Message ID
<20170126075615.12006-1-sergej.lukin@gmail.com>
Sender timestamp
1485417375
DKIM signature
missing
Patch: +29 -6
CVE-2016-10128: smart_pkt: verify packet length exceeds PKT_LEN_SIZE
CVE-2016-10129: smart_pkt: treat empty packet lines as error
CVE-2016-10130: http: check certificate validity before clobbering the error variable
---
 main/libgit2/APKBUILD       | 23 +++++++++++++++++------
 main/libgit2/libressl.patch | 12 ++++++++++++
 2 files changed, 29 insertions(+), 6 deletions(-)
 create mode 100644 main/libgit2/libressl.patch

diff --git a/main/libgit2/APKBUILD b/main/libgit2/APKBUILD
index a164327de6..c5783d0ce6 100644
--- a/main/libgit2/APKBUILD
+++ b/main/libgit2/APKBUILD
@@ -1,9 +1,10 @@
# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Contributor: Pierre-Gilas MILLON <pgmillon@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libgit2
pkgver=0.24.3
pkgrel=1
pkgver=0.25.1
pkgrel=0
pkgdesc="A linkable library for Git"
url="https://libgit2.github.com/"
arch="all"
@@ -14,10 +15,17 @@ makedepends="$depends_dev python2 cmake zlib-dev libressl-dev"
subpackages="$pkgname-dev"
provides="$pkgname-libs"  # for backward compatibility with v3.4
replaces="$pkgname-libs"  # for backward compatibility with v3.4
source="$pkgname-$pkgver.tar.gz::https://github.com/$pkgname/$pkgname/archive/v$pkgver.tar.gz"
source="$pkgname-$pkgver.tar.gz::https://github.com/$pkgname/$pkgname/archive/v$pkgver.tar.gz
	libressl.patch
	"

builddir="$srcdir/$pkgname-$pkgver"

# secfixes:
#   0.25.1-r0:
#   - CVE-2016-10128
#   - CVE-2016-10129
#   - CVE-2016-10130
#   0.24.3-r0:
#   - CVE-2016-8568
#   - CVE-2016-8569
@@ -40,6 +48,9 @@ package() {
		-C "$builddir" install || return 1
}

md5sums="df626711b16bd5e7021123cbf1655399  libgit2-0.24.3.tar.gz"
sha256sums="0a24e6a51dbf3beecb0ebcd2cafb1e09b1212e910be6477b5de03c84a5586754  libgit2-0.24.3.tar.gz"
sha512sums="cb7b482664a5527e2d7c8f7c98755fd578f5331bc39fa2a5c8b841508e075b06b936f2c4a55cb4d10fe5d1677b596387bb16d68c220f1f23fce0a894b092f8c4  libgit2-0.24.3.tar.gz"
md5sums="3b285ce94200f00c34962711f001b192  libgit2-0.25.1.tar.gz
cbe35a6ce1ae8e87426af0c172fdaafd  libressl.patch"
sha256sums="7ae8e699ff7ff9a1fa702249140ee31ea6fd556bf7968e84e38165870667bcb1  libgit2-0.25.1.tar.gz
4f9f801c6b50a731d96a2f0f75497b2ae5762ee0be0ef626964c63a50d1c40dc  libressl.patch"
sha512sums="bbd0d27c95406b548185ce02e2a9288a9dcb8c3b28476ba20f4f4917f6bd67f1ddee80de3054d30b79cdb9d973c3061a15ea7847c79bfa4e0c62e41d5195cb99  libgit2-0.25.1.tar.gz
3674957d09207b11d268ba9fcb442a081b8efe318d0e8501b7afa0ae2397efc9aff8572b1ffd9f2286c46a06a647fbe943c2cc7e8f97d1a0288e74010846d439  libressl.patch"
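Review bot: The jump at `pkgver=0.25.1` crosses a minor series rather than a patch level, and the diffstat shows no change outside main/libgit2. As far as I know, libgit2 0.x ties its soname to the minor version, so packages in aports that link against it would likely need a `pkgrel` bump in the same push. Otherwise they either break on edge or stay installed against the old library that still carries CVE-2016-10128, CVE-2016-10129 and CVE-2016-10130. The commit message should state which dependents were rebuilt and that the build was tested against libressl-dev. The `package()` body in the third hunk begins outside the visible lines.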
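diff --git a/main/libgit2/libressl.patch b/main/libgit2/libressl.patch
new file mode 100644
index 0000000000..967cdc4982
--- /dev/null
+++ b/main/libgit2/libressl.patch
@@ -0,0 +1,12 @@
+diff -ru src.orig/libgit2-0.25.1/src/openssl_stream.h src/libgit2-0.25.1/src/openssl_stream.h
+--- libgit2-0.25.1/src/copenssl_stream.h.orig
++++ libgit2-0.25.1/src/openssl_stream.h
+@@ -27,7 +27,7 @@
+ 
+ 
+ 
+-# if OPENSSL_VERSION_NUMBER < 0x10100000L
++# if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ GIT_INLINE(BIO_METHOD*) BIO_meth_new(int type, const char *name)
+ {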
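Review bot: The added `|| defined(LIBRESSL_VERSION_NUMBER)` turns on the pre-1.1 BIO shims for every LibreSSL release with no upper bound, so the inline `BIO_meth_new` and its siblings would presumably clash with the library's own definitions once LibreSSL provides that API. Because this sits in the TLS stream header, the patch file should open with a short comment saying why it exists and when to drop it. The reason, as far as I know, is that LibreSSL reports an `OPENSSL_VERSION_NUMBER` above 0x10100000L without offering the 1.1 opaque-BIO accessors; a bound on `LIBRESSL_VERSION_NUMBER` would be better still once a release with those accessors exists. The old-side header `--- libgit2-0.25.1/src/copenssl_stream.h.orig` looks like a typo for `openssl_stream.h.orig`; patch(1) will most likely fall back to the `+++` name, but it is worth correcting. The body of `BIO_meth_new` continues outside the hunk.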
-- 
2.11.0


