~alpine/aports

main/libgit2: security upgrade to 0.24.3 v1 PROPOSED

Daniel Sabogal: 2
 main/libgit2: security upgrade to 0.24.3
 main/p7zip: security fix for CVE-2016-9296

 3 files changed, 42 insertions(+), 17 deletions(-)

[alpine-aports] [PATCH] main/libgit2: security upgrade to 0.24.3 Export this patch

CVE-2016-8568
CVE-2016-8569
---
 main/libgit2/APKBUILD | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/main/libgit2/APKBUILD b/main/libgit2/APKBUILD
index e768971..9af3a89 100644
--- a/main/libgit2/APKBUILD
+++ b/main/libgit2/APKBUILD
@@ -2,8 +2,8 @@
# Contributor: Pierre-Gilas MILLON <pgmillon@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libgit2
pkgver=0.24.2
pkgrel=1
pkgver=0.24.3
pkgrel=0
pkgdesc="A linkable library for Git"
url="https://libgit2.github.com/"
arch="all"
@@ -11,11 +11,15 @@ license="GPLv2"
depends=""
depends_dev="curl-dev libssh2-dev"
makedepends="$depends_dev python2 cmake zlib-dev libressl-dev"
install=""
subpackages="$pkgname-dev $pkgname-libs"
source="$pkgname-$pkgver.tar.gz::https://github.com/${pkgname}/${pkgname}/archive/v${pkgver}.tar.gz"
source="$pkgname-$pkgver.tar.gz::https://github.com/$pkgname/$pkgname/archive/v$pkgver.tar.gz"
builddir="$srcdir/$pkgname-$pkgver"

# secfixes:
#   0.24.3-r0:
#   - CVE-2016-8568
#   - CVE-2016-8569

build() {
	cd "$builddir"
	cmake \
@@ -34,6 +38,6 @@ package() {
		-C "$builddir" install || return 1
}

md5sums="735661b5b73e3c120d13e2bae21e49b3  libgit2-0.24.2.tar.gz"
sha256sums="00f0a7403143fba69601accc80cacf49becc568b890ba232f300c1b2a37475e6  libgit2-0.24.2.tar.gz"
sha512sums="aaba85ef65e00b5916642121dbf0e785c20332f29312e772186eef0eebba5c997a60f94dfb651cbab25c3070c7b4cc37e8619d9cb9fed590e1fb0460bcb7af02  libgit2-0.24.2.tar.gz"
md5sums="df626711b16bd5e7021123cbf1655399  libgit2-0.24.3.tar.gz"
sha256sums="0a24e6a51dbf3beecb0ebcd2cafb1e09b1212e910be6477b5de03c84a5586754  libgit2-0.24.3.tar.gz"
sha512sums="cb7b482664a5527e2d7c8f7c98755fd578f5331bc39fa2a5c8b841508e075b06b936f2c4a55cb4d10fe5d1677b596387bb16d68c220f1f23fce0a894b092f8c4  libgit2-0.24.3.tar.gz"
-- 
2.10.2




[alpine-aports] [PATCH] main/p7zip: security fix for CVE-2016-9296 Export this patch

---
 main/p7zip/APKBUILD            | 29 +++++++++++++++++++----------
 main/p7zip/CVE-2016-9296.patch | 12 ++++++++++++
 2 files changed, 31 insertions(+), 10 deletions(-)
 create mode 100644 main/p7zip/CVE-2016-9296.patch

diff --git a/main/p7zip/APKBUILD b/main/p7zip/APKBUILD
index 24f1bce..0d5ea43 100644
--- a/main/p7zip/APKBUILD
+++ b/main/p7zip/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=p7zip
pkgver=16.02
pkgrel=0
pkgrel=1
pkgdesc="A command-line port of the 7zip compression utility"
url="http://p7zip.sourceforge.net"
arch="all"
@@ -11,18 +11,24 @@ license="LGPL2+"
subpackages="$pkgname-doc"
depends=""
makedepends="bash yasm nasm"
install=""
source="http://downloads.sourceforge.net/sourceforge/$pkgname/${pkgname}_${pkgver}_src_all.tar.bz2"
source="http://downloads.sourceforge.net/sourceforge/$pkgname/${pkgname}_${pkgver}_src_all.tar.bz2
	CVE-2016-9296.patch"
builddir="$srcdir/${pkgname}_$pkgver"

# secfixes:
#   16.02-r1:
#   - CVE-2016-9296

_builddir="$srcdir"/${pkgname}_${pkgver}
prepare() {
	default_prepare || return 1

	local makefile="makefile.linux_any_cpu_gcc_4.X"
	case "$CARCH" in
		x86)    makefile="makefile.linux_x86_asm_gcc_4.X" ;;
		x86_64) makefile="makefile.linux_amd64_asm" ;;
	esac

	cd "$_builddir"
	cd "$builddir"
	ln -sf $makefile makefile.machine || return 1

	sed -e "s,g++,${CXX:-g++}," -i makefile.machine
@@ -30,12 +36,12 @@ prepare() {
}

build() {
	cd "$_builddir"
	cd "$builddir"
	make all3 OPTFLAGS="${CXXFLAGS}" || return 1
}

package() {
	cd "$_builddir"
	cd "$builddir"
	make install DEST_DIR="$pkgdir" DEST_HOME="/usr" \
		DEST_MAN="/usr/share/man" \
		DEST_SHARE_DOC="/usr/share/doc/$pkgname" || return 1
@@ -46,6 +52,9 @@ package() {
		"$pkgdir"/usr/share/man/man1/$pkgname.1 || return 1
}

md5sums="a0128d661cfe7cc8c121e73519c54fbf  p7zip_16.02_src_all.tar.bz2"
sha256sums="5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6e2341f  p7zip_16.02_src_all.tar.bz2"
sha512sums="d2c4d53817f96bb4c7683f42045198d4cd509cfc9c3e2cb85c8d9dc4ab6dfa7496449edeac4e300ecf986a9cbbc90bd8f8feef8156895d94617c04e507add55f  p7zip_16.02_src_all.tar.bz2"
md5sums="a0128d661cfe7cc8c121e73519c54fbf  p7zip_16.02_src_all.tar.bz2
0f0535ca888273f3779ca14e8f186813  CVE-2016-9296.patch"
sha256sums="5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6e2341f  p7zip_16.02_src_all.tar.bz2
f9bcbf21d4aa8938861a6cba992df13dec19538286e9ed747ccec6d9a4e8f983  CVE-2016-9296.patch"
sha512sums="d2c4d53817f96bb4c7683f42045198d4cd509cfc9c3e2cb85c8d9dc4ab6dfa7496449edeac4e300ecf986a9cbbc90bd8f8feef8156895d94617c04e507add55f  p7zip_16.02_src_all.tar.bz2
7a7fddf4122c3f5d4632640149a94c285a18515f38510388709c2fb9ecd450f9f34ae2e5fe4926c1c68507567b0affa2c8e9194c732673171dd5ee625192b194  CVE-2016-9296.patch"
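Review bot: The rewritten `source=` still fetches the tarball over plain `http://downloads.sourceforge.net/...`, so the checksum block at the end of the file is the only thing protecting that build input. If the host serves the same path over HTTPS, switching the scheme in this edit would be cheap. Of the three checksum lists, `sha512sums` (or `sha256sums`) should be treated as authoritative for both the tarball and `CVE-2016-9296.patch`, since MD5 is not collision-resistant. The `default_prepare` call in `prepare()` appears to be what applies the new patch, so it is worth confirming with a test build that the patched `7zIn.cpp` is what gets compiled.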
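diff --git a/main/p7zip/CVE-2016-9296.patch b/main/p7zip/CVE-2016-9296.patch
new file mode 100644
index 0000000..773f92a
--- /dev/null
+++ b/main/p7zip/CVE-2016-9296.patch
@@ -0,0 +1,12 @@
+--- ./CPP/7zip/Archive/7z/7zIn.cpp.orig	2016-11-21 01:42:29.460901230 +0000
++++ ./CPP/7zip/Archive/7z/7zIn.cpp	2016-11-21 01:42:57.481197725 +0000
+@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedS
+       if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i])
+         ThrowIncorrect();
+   }
+-  HeadersSize += folders.PackPositions[folders.NumPackStreams];
++  if (folders.PackPositions)
++      HeadersSize += folders.PackPositions[folders.NumPackStreams];
+   return S_OK;
+ }
+ 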
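Review bot: The new `CVE-2016-9296.patch` has no header saying where the fix came from, so a later maintainer cannot tell whether the `if (folders.PackPositions)` guard matches what upstream shipped or when the patch can be dropped. A short description above the inner `---` line, naming the CVE, the origin of the change and the affected function, would cover that. The guard skips the `HeadersSize` update when `PackPositions` is null and the function still returns `S_OK`; presumably that is the case of a header with no pack streams, but it is worth confirming against upstream. The function body starts outside the inner hunk, so nothing before the CRC check is visible here.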
-- 
2.10.2


