
[alpine-aports] [PATCH v3.4] main/libgit2: security upgrade to 0.24.6 - fixes #6741

From: Sergei Lukin <sergej.lukin_at_gmail.com>
Date: Thu, 26 Jan 2017 09:48:25 +0000

CVE-2016-10128: smart_pkt: verify packet length exceeds PKT_LEN_SIZE
CVE-2016-10129: smart_pkt: treat empty packet lines as error
CVE-2016-10130: http: check certificate validity before clobbering the error variable
---
 main/libgit2/APKBUILD       | 14 ++++++++++++--
 main/libgit2/libressl.patch | 12 ++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 main/libgit2/libressl.patch
diff --git a/main/libgit2/APKBUILD b/main/libgit2/APKBUILD
index 8082165..c1e8098 100644
--- a/main/libgit2/APKBUILD
+++ b/main/libgit2/APKBUILD
_at_@ -1,8 +1,9 @@
+# Contributor: Sergei Lukin <sergej.lukin_at_gmail.com>
 # Contributor: Sören Tempel <soeren+alpine_at_soeren-tempel.net>
 # Contributor: Pierre-Gilas MILLON <pgmillon_at_gmail.com>
 # Maintainer: Natanael Copa <ncopa_at_alpinelinux.org>
 pkgname=libgit2
-pkgver=0.24.3
+pkgver=0.24.6
  # Maintenance Release. It contains fixes for CVE-2016-8568 and CVE-2016-8569
 pkgrel=0
 pkgdesc="A linkable library for Git"
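Review bot: The comment directly under the bumped `pkgver=0.24.6` still reads "Maintenance Release. It contains fixes for CVE-2016-8568 and CVE-2016-8569", which described 0.24.3 and is now misleading to anyone auditing what this version fixes. I would drop that line (it is also oddly indented by one space) and, if those two CVEs were indeed closed by 0.24.3-r0 as the comment implies, record them in the `# secfixes:` block under a `#   0.24.3-r0:` entry so the secdb has the full history rather than a free-form note. The rest of the APKBUILD continues outside this hunk.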
_at_@ -14,7 +15,16 @@ depends_dev="curl-dev libssh2-dev"
 makedepends="$depends_dev python cmake zlib-dev openssl-dev"
 install=""
 subpackages="$pkgname-dev $pkgname-libs"
-source="$pkgname-$pkgver.tar.gz::https://github.com/${pkgname}/${pkgname}/archive/v${pkgver}.tar.gz"
+source="$pkgname-$pkgver.tar.gz::https://github.com/${pkgname}/${pkgname}/archive/v${pkgver}.tar.gz
+	libressl.patch
+	"
+
+# secfixes:
+#   0.24.6-r0:
+#   - CVE-2016-10128
+#   - CVE-2016-10129
+#   - CVE-2016-10130
+
 builddir="$srcdir/$pkgname-$pkgver"
 
 build() {
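Review bot: The new `libressl.patch` source entry and the new 0.24.6 tarball have no corresponding checksum change in this patch: the diffstat reports APKBUILD at +12/−2, which is fully accounted for by the two hunks shown, so the `sha512sums` line (outside this hunk, presumably near the end of the file) was not regenerated. Without it `abuild` will fail source verification, and for a security upgrade the tarball hash is what pins the build to the exact upstream artifact, so please run `abuild checksum` and include that hunk. Separately, the secfixes block only lists the three new CVEs; if 0.24.3-r0 already carried CVE-2016-8568/8569 that release should get its own entry so the security database is complete.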
diff --git a/main/libgit2/libressl.patch b/main/libgit2/libressl.patch
new file mode 100644
index 0000000..967cdc4
--- /dev/null
+++ b/main/libgit2/libressl.patch
_at_@ -0,0 +1,12 @@
+diff -ru src.orig/libgit2-0.25.1/src/openssl_stream.h src/libgit2-0.25.1/src/openssl_stream.h
+--- libgit2-0.25.1/src/copenssl_stream.h.orig
++++ libgit2-0.25.1/src/openssl_stream.h
+_at_@ -27,7 +27,7 @@
+ 
+ 
+ 
+-# if OPENSSL_VERSION_NUMBER < 0x10100000L
++# if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ 
+ GIT_INLINE(BIO_METHOD*) BIO_meth_new(int type, const char *name)
+ {
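Review bot: The patch's own headers are inconsistent: the `---` line names `libgit2-0.25.1/src/copenssl_stream.h.orig` (note the stray `c`) while `+++` names `.../openssl_stream.h`, and both reference a 0.25.1 tree although this APKBUILD builds 0.24.6. GNU `patch -p1` will most likely still apply it because it prefers the shorter basename, but that is luck rather than intent, and the hunk offsets/context may not match the 0.24.6 source. Please regenerate the patch against the 0.24.6 tarball with matching headers, e.g. `--- a/src/openssl_stream.h` and `+++ b/src/openssl_stream.h`, and add a one-line comment at the top noting why it exists (presumably LibreSSL reports an `OPENSSL_VERSION_NUMBER` that skips the 1.1 compatibility shims while not providing `BIO_meth_new` — confirm). The enclosing `#if` block continues outside the hunk.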
-- 
2.8.3