
[alpine-aports] [PATCH v3.4] main/libgit2: security upgrade to 0.24.6 - fixes #6741

Details
Message ID
<20170126095340.322-1-sergej.lukin@gmail.com>
Sender timestamp
1485424420
DKIM signature
missing
Patch: +24 -2
CVE-2016-10128: smart_pkt: verify packet length exceeds PKT_LEN_SIZE
CVE-2016-10129: smart_pkt: treat empty packet lines as error
CVE-2016-10130: http: check certificate validity before clobbering the error variable
---
Upgrading from 0.24.3 to 0.24.6 (no major changes)
0.24.5 is a maintenance release (replaces the mis-tagged v0.24.4)
https://github.com/libgit2/libgit2/releases/tag/v0.24.5
0.24.6 is a security release
https://github.com/libgit2/libgit2/releases/tag/v0.24.6

 main/libgit2/APKBUILD       | 14 ++++++++++++--
 main/libgit2/libressl.patch | 12 ++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 main/libgit2/libressl.patch

diff --git a/main/libgit2/APKBUILD b/main/libgit2/APKBUILD
index 8082165..c1e8098 100644
--- a/main/libgit2/APKBUILD
+++ b/main/libgit2/APKBUILD
@@ -1,8 +1,9 @@
# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Contributor: Pierre-Gilas MILLON <pgmillon@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libgit2
pkgver=0.24.3
pkgver=0.24.6
 # Maintenance Release. It contains fixes for CVE-2016-8568 and CVE-2016-8569
pkgrel=0
pkgdesc="A linkable library for Git"
@@ -14,7 +15,16 @@ depends_dev="curl-dev libssh2-dev"
makedepends="$depends_dev python cmake zlib-dev openssl-dev"
install=""
subpackages="$pkgname-dev $pkgname-libs"
source="$pkgname-$pkgver.tar.gz::https://github.com/${pkgname}/${pkgname}/archive/v${pkgver}.tar.gz"
source="$pkgname-$pkgver.tar.gz::https://github.com/${pkgname}/${pkgname}/archive/v${pkgver}.tar.gz
	libressl.patch
	"

# secfixes:
#   0.24.6-r0:
#   - CVE-2016-10128
#   - CVE-2016-10129
#   - CVE-2016-10130

builddir="$srcdir/$pkgname-$pkgver"

build() {
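Review bot: No checksum line is updated in this section: the diffstat gives 14 changed lines for APKBUILD and the two hunks shown account for all of them, yet `pkgver` moves to 0.24.6 and `libressl.patch` joins `source`. The recorded sums would then still describe the 0.24.3 tarball and know nothing of the new patch file, so source verification cannot vouch for what is actually built; regenerate them with `abuild checksum` and include the result in this patch. The comment under `pkgver` still credits the release with CVE-2016-8568 and CVE-2016-8569; I would replace it with `# Security release, see secfixes below` so it is not read as the scope of 0.24.6. `build()` opens on the last line of the hunk and its body is outside it, so whether the new patch is actually applied is not visible here.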
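--- /dev/null
+++ b/main/libgit2/libressl.patch
@@ -0,0 +1,12 @@
+diff -ru src.orig/libgit2-0.25.1/src/openssl_stream.h src/libgit2-0.25.1/src/openssl_stream.h
+--- libgit2-0.25.1/src/copenssl_stream.h.orig
++++ libgit2-0.25.1/src/openssl_stream.h
+@@ -27,7 +27,7 @@
+ 
+ 
+ 
+-# if OPENSSL_VERSION_NUMBER < 0x10100000L
++# if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ GIT_INLINE(BIO_METHOD*) BIO_meth_new(int type, const char *name)
+ {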
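Review bot: The paths inside this patch name `libgit2-0.25.1` while the APKBUILD in the same series builds 0.24.6, and the `---` line reads `copenssl_stream.h.orig`, which looks like a typo for `openssl_stream.h.orig`. That suggests the file was copied from a 0.25.1 package, so the hunk at line 27 of `src/openssl_stream.h` may not apply to the 0.24.6 tree; test-apply it against the unpacked 0.24.6 tarball and regenerate it from that tree. `makedepends` in the APKBUILD still lists `openssl-dev`, so it is also worth confirming that the `defined(LIBRESSL_VERSION_NUMBER)` guard is needed on this branch at all, since a security upgrade is easier to audit when it carries only the CVE fixes.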
-- 
2.8.3


