
[alpine-aports] [PATCH v3.5] main/libgit2: security upgrade to 0.24.6 - fixes #6740

From: Sergei Lukin <sergej.lukin_at_gmail.com>
Date: Thu, 26 Jan 2017 09:21:51 +0000

CVE-2016-10128: smart_pkt: verify packet length exceeds PKT_LEN_SIZE
CVE-2016-10129: smart_pkt: treat empty packet lines as error
CVE-2016-10130: http: check certificate validity before clobbering the error variable
---
Upgrading from 0.24.3 to 0.24.6 (no major changes)
0.24.5 is a maintenance release (it replaces the mis-tagged v0.24.4)
https://github.com/libgit2/libgit2/releases/tag/v0.24.5
0.24.6 is a security release
https://github.com/libgit2/libgit2/releases/tag/v0.24.6
 main/libgit2/APKBUILD       | 23 +++++++++++++++++------
 main/libgit2/libressl.patch | 12 ++++++++++++
 2 files changed, 29 insertions(+), 6 deletions(-)
 create mode 100644 main/libgit2/libressl.patch
diff --git a/main/libgit2/APKBUILD b/main/libgit2/APKBUILD
index a164327de6..1eadcad14d 100644
--- a/main/libgit2/APKBUILD
+++ b/main/libgit2/APKBUILD
_at_@ -1,9 +1,10 @@
+# Contributor: Sergei Lukin <sergej.lukin_at_gmail.com>
 # Contributor: Sören Tempel <soeren+alpine_at_soeren-tempel.net>
 # Contributor: Pierre-Gilas MILLON <pgmillon_at_gmail.com>
 # Maintainer: Natanael Copa <ncopa_at_alpinelinux.org>
 pkgname=libgit2
-pkgver=0.24.3
-pkgrel=1
+pkgver=0.24.6
+pkgrel=0
 pkgdesc="A linkable library for Git"
 url="https://libgit2.github.com/"
 arch="all"
_at_@ -14,10 +15,17 @@ makedepends="$depends_dev python2 cmake zlib-dev libressl-dev"
 subpackages="$pkgname-dev"
 provides="$pkgname-libs"  # for backward compatibility with v3.4
 replaces="$pkgname-libs"  # for backward compatibility with v3.4
-source="$pkgname-$pkgver.tar.gz::https://github.com/$pkgname/$pkgname/archive/v$pkgver.tar.gz"
+source="$pkgname-$pkgver.tar.gz::https://github.com/$pkgname/$pkgname/archive/v$pkgver.tar.gz
+	libressl.patch
+	"
+
 builddir="$srcdir/$pkgname-$pkgver"
 
 # secfixes:
+#   0.24.6-r0:
+#   - CVE-2016-10128
+#   - CVE-2016-10129
+#   - CVE-2016-10130
 #   0.24.3-r0:
 #   - CVE-2016-8568
 #   - CVE-2016-8569
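Review bot: The new `libressl.patch` entry in `source=` carries no explanation of why a local patch is needed for a security upgrade, so the next maintainer cannot tell whether it is still required after the next bump. A one-line comment above `source=` would fix that, e.g. `# libressl.patch: build against LibreSSL, which reports an OpenSSL-2.x version number but (at this release) lacks the 1.1 BIO_meth_* API the upstream header switches on`; the LibreSSL API gap is inferred from the patch body, so confirm it against the LibreSSL version in main before adopting the wording. The secfixes block correctly lists the three CVEs named in the commit message under `0.24.6-r0`. The rest of the APKBUILD body continues outside this hunk.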
_at_@ -40,6 +48,9 @@ package() {
 		-C "$builddir" install || return 1
 }
 
-md5sums="df626711b16bd5e7021123cbf1655399  libgit2-0.24.3.tar.gz"
-sha256sums="0a24e6a51dbf3beecb0ebcd2cafb1e09b1212e910be6477b5de03c84a5586754  libgit2-0.24.3.tar.gz"
-sha512sums="cb7b482664a5527e2d7c8f7c98755fd578f5331bc39fa2a5c8b841508e075b06b936f2c4a55cb4d10fe5d1677b596387bb16d68c220f1f23fce0a894b092f8c4  libgit2-0.24.3.tar.gz"
+md5sums="cbdf07ec58f63fd01a48d1a6f7b9c37d  libgit2-0.24.6.tar.gz
+cbe35a6ce1ae8e87426af0c172fdaafd  libressl.patch"
+sha256sums="7b441a96967ff525e790f8b66859faba5c6be4c347124011f536ae9075ebc30c  libgit2-0.24.6.tar.gz
+4f9f801c6b50a731d96a2f0f75497b2ae5762ee0be0ef626964c63a50d1c40dc  libressl.patch"
+sha512sums="ea928629450f6619c17e76cf32e5d76ddd9e00d914b8a0fc2efdcc32ae271637c124a27a8d4c595b8dcf2048551b22f1bc3c5b6394b3022a2f852a06f7ab3396  libgit2-0.24.6.tar.gz
+3674957d09207b11d268ba9fcb442a081b8efe318d0e8501b7afa0ae2397efc9aff8572b1ffd9f2286c46a06a647fbe943c2cc7e8f97d1a0288e74010846d439  libressl.patch"
diff --git a/main/libgit2/libressl.patch b/main/libgit2/libressl.patch
new file mode 100644
index 0000000000..967cdc4982
--- /dev/null
+++ b/main/libgit2/libressl.patch
_at_@ -0,0 +1,12 @@
+diff -ru src.orig/libgit2-0.25.1/src/openssl_stream.h src/libgit2-0.25.1/src/openssl_stream.h
+--- libgit2-0.25.1/src/copenssl_stream.h.orig
++++ libgit2-0.25.1/src/openssl_stream.h
+_at_@ -27,7 +27,7 @@
+ 
+ 
+ 
+-# if OPENSSL_VERSION_NUMBER < 0x10100000L
++# if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ GIT_INLINE(BIO_METHOD*) BIO_meth_new(int type, const char *name)
+ {
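Review bot: The file headers of the new patch name `libgit2-0.25.1/src/...` even though this APKBUILD builds 0.24.6, and the old-side name is misspelled (`copenssl_stream.h.orig`), so the patch only applies because `patch -p1` strips the version directory and falls back to the one path that exists on disk; that is fragile and misleading for anyone auditing what the patch touches. Replace the three header lines with `--- a/src/openssl_stream.h`, `+++ b/src/openssl_stream.h` and drop the stray `diff -ru` line so the paths match the tarball actually being patched. The change itself, extending `# if OPENSSL_VERSION_NUMBER < 0x10100000L` with `|| defined(LIBRESSL_VERSION_NUMBER)`, only selects libgit2's own `BIO_meth_new` shim for LibreSSL and does not alter the certificate checks that CVE-2016-10130 fixes, as far as the visible lines show. The `#if` block and the `BIO_meth_new` definition it guards continue outside the hunk.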
-- 
2.11.0