Mail archive
alpine-aports

[alpine-aports] [PATCH edge] main/libgit2: security upgrade to 0.25.1 - fixes #6739

From: Sergei Lukin <sergej.lukin_at_gmail.com>
Date: Thu, 26 Jan 2017 07:56:15 +0000

CVE-2016-10128: smart_pkt: verify packet length exceeds PKT_LEN_SIZE
CVE-2016-10129: smart_pkt: treat empty packet lines as error
CVE-2016-10130: http: check certificate validity before clobbering the error variable
---
 main/libgit2/APKBUILD       | 23 +++++++++++++++++------
 main/libgit2/libressl.patch | 12 ++++++++++++
 2 files changed, 29 insertions(+), 6 deletions(-)
 create mode 100644 main/libgit2/libressl.patch
diff --git a/main/libgit2/APKBUILD b/main/libgit2/APKBUILD
index a164327de6..c5783d0ce6 100644
--- a/main/libgit2/APKBUILD
+++ b/main/libgit2/APKBUILD
_at_@ -1,9 +1,10 @@
+# Contributor: Sergei Lukin <sergej.lukin_at_gmail.com>
 # Contributor: Sören Tempel <soeren+alpine_at_soeren-tempel.net>
 # Contributor: Pierre-Gilas MILLON <pgmillon_at_gmail.com>
 # Maintainer: Natanael Copa <ncopa_at_alpinelinux.org>
 pkgname=libgit2
-pkgver=0.24.3
-pkgrel=1
+pkgver=0.25.1
+pkgrel=0
 pkgdesc="A linkable library for Git"
 url="https://libgit2.github.com/"
 arch="all"
_at_@ -14,10 +15,17 @@ makedepends="$depends_dev python2 cmake zlib-dev libressl-dev"
 subpackages="$pkgname-dev"
 provides="$pkgname-libs"  # for backward compatibility with v3.4
 replaces="$pkgname-libs"  # for backward compatibility with v3.4
-source="$pkgname-$pkgver.tar.gz::https://github.com/$pkgname/$pkgname/archive/v$pkgver.tar.gz"
+source="$pkgname-$pkgver.tar.gz::https://github.com/$pkgname/$pkgname/archive/v$pkgver.tar.gz
+	libressl.patch
+	"
+
 builddir="$srcdir/$pkgname-$pkgver"
 
 # secfixes:
+#   0.25.1-r0:
+#   - CVE-2016-10128
+#   - CVE-2016-10129
+#   - CVE-2016-10130
 #   0.24.3-r0:
 #   - CVE-2016-8568
 #   - CVE-2016-8569
_at_@ -40,6 +48,9 @@ package() {
 		-C "$builddir" install || return 1
 }
 
-md5sums="df626711b16bd5e7021123cbf1655399  libgit2-0.24.3.tar.gz"
-sha256sums="0a24e6a51dbf3beecb0ebcd2cafb1e09b1212e910be6477b5de03c84a5586754  libgit2-0.24.3.tar.gz"
-sha512sums="cb7b482664a5527e2d7c8f7c98755fd578f5331bc39fa2a5c8b841508e075b06b936f2c4a55cb4d10fe5d1677b596387bb16d68c220f1f23fce0a894b092f8c4  libgit2-0.24.3.tar.gz"
+md5sums="3b285ce94200f00c34962711f001b192  libgit2-0.25.1.tar.gz
+cbe35a6ce1ae8e87426af0c172fdaafd  libressl.patch"
+sha256sums="7ae8e699ff7ff9a1fa702249140ee31ea6fd556bf7968e84e38165870667bcb1  libgit2-0.25.1.tar.gz
+4f9f801c6b50a731d96a2f0f75497b2ae5762ee0be0ef626964c63a50d1c40dc  libressl.patch"
+sha512sums="bbd0d27c95406b548185ce02e2a9288a9dcb8c3b28476ba20f4f4917f6bd67f1ddee80de3054d30b79cdb9d973c3061a15ea7847c79bfa4e0c62e41d5195cb99  libgit2-0.25.1.tar.gz
+3674957d09207b11d268ba9fcb442a081b8efe318d0e8501b7afa0ae2397efc9aff8572b1ffd9f2286c46a06a647fbe943c2cc7e8f97d1a0288e74010846d439  libressl.patch"
diff --git a/main/libgit2/libressl.patch b/main/libgit2/libressl.patch
new file mode 100644
index 0000000000..967cdc4982
--- /dev/null
+++ b/main/libgit2/libressl.patch
_at_@ -0,0 +1,12 @@
+diff -ru src.orig/libgit2-0.25.1/src/openssl_stream.h src/libgit2-0.25.1/src/openssl_stream.h
+--- libgit2-0.25.1/src/copenssl_stream.h.orig
++++ libgit2-0.25.1/src/openssl_stream.h
+_at_@ -27,7 +27,7 @@
+ 
+ 
+ 
+-# if OPENSSL_VERSION_NUMBER < 0x10100000L
++# if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ GIT_INLINE(BIO_METHOD*) BIO_meth_new(int type, const char *name)
+ {
-- 
2.11.0
---
Unsubscribe:  alpine-aports+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-aports+help_at_lists.alpinelinux.org
---
Received on Thu Jan 26 2017 - 07:56:15 GMT