[gentoo-commits] repo/gentoo:master commit in: app-arch/sharutils/, app-arch/sharutils/files/

Wed, 13 Mar 2019 05:03:36 -0700 

commit:     648bdf9134d87d5d6ca086b742964b77c3da87d8
Author:     Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
AuthorDate: Wed Mar 13 12:02:46 2019 +0000
Commit:     Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
CommitDate: Wed Mar 13 12:02:46 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=648bdf91

app-arch/sharutils: Add patch for CVE-2018-1000097

Bug: https://bugs.gentoo.org/652686
Package-Manager: Portage-2.3.62, Repoman-2.3.12
Signed-off-by: Andreas K. Hüttel <dilfridge <AT> gentoo.org>

 .../files/sharutils-4.15.2-CVE-2018-1000097.patch        | 16 ++++++++++++++++
 ...harutils-4.15.2.ebuild => sharutils-4.15.2-r1.ebuild} |  1 +
 2 files changed, 17 insertions(+)

diff --git a/app-arch/sharutils/files/sharutils-4.15.2-CVE-2018-1000097.patch 
b/app-arch/sharutils/files/sharutils-4.15.2-CVE-2018-1000097.patch
new file mode 100644
index 00000000000..f61662040b6
--- /dev/null
+++ b/app-arch/sharutils/files/sharutils-4.15.2-CVE-2018-1000097.patch
@@ -0,0 +1,16 @@
+From: Petr Pisar
+Subject: Fix CVE-2018-1000097, heap buffer overflow in unshar
+Bug-Debian: https://bugs.debian.org/893525
+X-Debian-version: 1:4.15.2-3
+
+--- a/src/unshar.c
++++ b/src/unshar.c
+@@ -240,7 +240,7 @@
+       off_t position = ftello (file);
+ 
+       /* Read next line, fail if no more and no previous process.  */
+-      if (!fgets (rw_buffer, BUFSIZ, file))
++      if (!fgets (rw_buffer, rw_base_size, file))
+       {
+         if (!start)
+           error (0, 0, _("Found no shell commands in %s"), name);

diff --git a/app-arch/sharutils/sharutils-4.15.2.ebuild 
b/app-arch/sharutils/sharutils-4.15.2-r1.ebuild
similarity index 94%
rename from app-arch/sharutils/sharutils-4.15.2.ebuild
rename to app-arch/sharutils/sharutils-4.15.2-r1.ebuild
index ab637e3cd24..2a7873196c5 100644
--- a/app-arch/sharutils/sharutils-4.15.2.ebuild
+++ b/app-arch/sharutils/sharutils-4.15.2-r1.ebuild
@@ -25,6 +25,7 @@ src_prepare() {
        default
 
        epatch "${FILESDIR}/sharutils-4.15.2-glibc228.patch"
+       epatch "${FILESDIR}/sharutils-4.15.2-CVE-2018-1000097.patch"
 
        # Upstream is aware but thinks this isn't a bug/problem in sharutils 
itself
        # See 
http://lists.gnu.org/archive/html/bug-gnu-utils/2013-10/msg00011.html

Reply via email to