Date:      Sun, 20 Sep 2015 09:22:45 +0000 (UTC)
From:      Jan Beich <jbeich@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r397361 - in head: devel/radare2 devel/radare2/files emulators/ppsspp emulators/ppsspp-devel emulators/ppsspp-devel/files emulators/ppsspp/files games/openlierox games/openlierox/files
Message-ID:  <201509200922.t8K9Mjje004466@repo.freebsd.org>

Author: jbeich
Date: Sun Sep 20 09:22:44 2015
New Revision: 397361
URL: https://svnweb.freebsd.org/changeset/ports/397361

Log:
  Backport CVE-2015-2331 fix to bundled libzip
  
  MFH:		2015Q3
  Security:	264749ae-d565-11e4-b545-00269ee29e57

Added:
  head/devel/radare2/files/
  head/devel/radare2/files/patch-CVE-2015-2331   (contents, props changed)
  head/emulators/ppsspp-devel/files/patch-CVE-2015-2331   (contents, props changed)
  head/emulators/ppsspp/files/patch-CVE-2015-2331   (contents, props changed)
  head/games/openlierox/files/
  head/games/openlierox/files/patch-CVE-2015-2331   (contents, props changed)
Modified:
  head/devel/radare2/Makefile   (contents, props changed)
  head/emulators/ppsspp-devel/Makefile   (contents, props changed)
  head/emulators/ppsspp/Makefile   (contents, props changed)
  head/games/openlierox/Makefile   (contents, props changed)

Modified: head/devel/radare2/Makefile
==============================================================================
--- head/devel/radare2/Makefile	Sun Sep 20 07:33:37 2015	(r397360)
+++ head/devel/radare2/Makefile	Sun Sep 20 09:22:44 2015	(r397361)
@@ -3,6 +3,7 @@
 
 PORTNAME=	radare2
 PORTVERSION=	0.9.8
+PORTREVISION=	1
 CATEGORIES=	devel
 MASTER_SITES=	http://rada.re/get/
 

Added: head/devel/radare2/files/patch-CVE-2015-2331
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/devel/radare2/files/patch-CVE-2015-2331	Sun Sep 20 09:22:44 2015	(r397361)
@@ -0,0 +1,17 @@
+changeset:   1718:9f11d54f692e
+user:        Thomas Klausner <tk@giga.or.at>
+date:        Sat Mar 21 12:28:42 2015 +0100
+summary:     Avoid integer overflow. Addresses CVE-2015-2331.
+
+diff --git a/lib/zip_dirent.c b/lib/zip_dirent.c
+--- shlr/zip/zip/zip_dirent.c
++++ shlr/zip/zip/zip_dirent.c
+@@ -110,7 +110,7 @@ _zip_cdir_new(zip_uint64_t nentry, struc
+ 
+     if (nentry == 0)
+ 	cd->entry = NULL;
+-    else if ((cd->entry=(struct zip_entry *)malloc(sizeof(*(cd->entry))*nentry)) == NULL) {
++    else if ((nentry > SIZE_MAX/sizeof(*(cd->entry))) || (cd->entry=(struct zip_entry *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) == NULL) {
+ 	_zip_error_set(error, ZIP_ER_MEMORY, 0);
+ 	free(cd);
+ 	return NULL;
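
Review bot: The added guard on the `else if` line uses `SIZE_MAX`, but the hunk adds no `#include <stdint.h>`, so the build depends on that macro already being visible in the bundled shlr/zip/zip/zip_dirent.c through its existing headers. Worth confirming on the bundled copy, or writing the bound as `((size_t)-1)/sizeof(*(cd->entry))` as the other three patches in this commit do. The comparison itself is sound for the `zip_uint64_t nentry` shown in the hunk header: it rejects any count whose product with `sizeof(*(cd->entry))` would wrap, and it runs before the `(size_t)nentry` cast can narrow the value.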

Modified: head/emulators/ppsspp-devel/Makefile
==============================================================================
--- head/emulators/ppsspp-devel/Makefile	Sun Sep 20 07:33:37 2015	(r397360)
+++ head/emulators/ppsspp-devel/Makefile	Sun Sep 20 09:22:44 2015	(r397361)
@@ -2,7 +2,7 @@
 
 DISTVERSION=	1.0.1-2668
 DISTVERSIONSUFFIX=	-g253ed9f
-PORTREVISION=	0
+PORTREVISION=	1
 PKGNAMESUFFIX=	-devel
 
 GH_TAGNAME=	e22d7a5:lang a0b878f:ext_armips

Added: head/emulators/ppsspp-devel/files/patch-CVE-2015-2331
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/emulators/ppsspp-devel/files/patch-CVE-2015-2331	Sun Sep 20 09:22:44 2015	(r397361)
@@ -0,0 +1,18 @@
+From ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 17 Mar 2015 21:59:56 -0700
+Subject: Fix bug #69253 - ZIP Integer Overflow leads to writing past heap boundary
+
+diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c
+index b9dac5c..0090801 100644
+--- ext/native/ext/libzip/zip_dirent.c
++++ ext/native/ext/libzip/zip_dirent.c
+@@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error)
+ 	return NULL;
+     }
+ 
+-    if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))
++    if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry))
+ 	== NULL) {
+ 	_zip_error_set(error, ZIP_ER_MEMORY, 0);
+ 	free(cd);
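
Review bot: In the added `if` condition, `nentry` is a signed `int` according to the hunk header, so `nentry > ((size_t)-1)/sizeof(*(cd->entry))` is evaluated after an implicit conversion to `size_t`. A negative count is rejected only because it converts to a very large unsigned value. That works, but it is implicit and can draw -Wsign-compare warnings; an explicit `nentry < 0 ||` ahead of the bound would state the intent and guarantee that the `(size_t)nentry` cast in the malloc argument never sees a negative value.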

Modified: head/emulators/ppsspp/Makefile
==============================================================================
--- head/emulators/ppsspp/Makefile	Sun Sep 20 07:33:37 2015	(r397360)
+++ head/emulators/ppsspp/Makefile	Sun Sep 20 09:22:44 2015	(r397361)
@@ -3,7 +3,7 @@
 PORTNAME=	ppsspp
 DISTVERSIONPREFIX=	v
 DISTVERSION?=	1.0.1
-PORTREVISION?=	4
+PORTREVISION?=	5
 CATEGORIES=	emulators
 
 .ifndef PKGNAMESUFFIX

Added: head/emulators/ppsspp/files/patch-CVE-2015-2331
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/emulators/ppsspp/files/patch-CVE-2015-2331	Sun Sep 20 09:22:44 2015	(r397361)
@@ -0,0 +1,18 @@
+From ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 17 Mar 2015 21:59:56 -0700
+Subject: Fix bug #69253 - ZIP Integer Overflow leads to writing past heap boundary
+
+diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c
+index b9dac5c..0090801 100644
+--- native/ext/libzip/zip_dirent.c
++++ native/ext/libzip/zip_dirent.c
+@@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error)
+ 	return NULL;
+     }
+ 
+-    if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))
++    if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry))
+ 	== NULL) {
+ 	_zip_error_set(error, ZIP_ER_MEMORY, 0);
+ 	free(cd);
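
Review bot: On the failure path that follows the added bound check, an out-of-range `nentry` is reported through the same `_zip_error_set(error, ZIP_ER_MEMORY, 0)` as a genuine allocation failure, so callers cannot tell a rejected entry count from memory exhaustion. Keeping the upstream behaviour is reasonable for a backport, but a one-line comment at the check saying that the first operand rejects counts whose byte size would overflow `size_t` would help whoever next updates this bundled copy.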

Modified: head/games/openlierox/Makefile
==============================================================================
--- head/games/openlierox/Makefile	Sun Sep 20 07:33:37 2015	(r397360)
+++ head/games/openlierox/Makefile	Sun Sep 20 09:22:44 2015	(r397361)
@@ -3,7 +3,7 @@
 
 PORTNAME=	openlierox
 DISTVERSION=	0.58_rc3
-PORTREVISION=	4
+PORTREVISION=	5
 PORTEPOCH=	1
 CATEGORIES=	games
 MASTER_SITES=	SF/${PORTNAME}/${PORTNAME}/OpenLieroX%20${DISTVERSION:C/_/%20/}

Added: head/games/openlierox/files/patch-CVE-2015-2331
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/games/openlierox/files/patch-CVE-2015-2331	Sun Sep 20 09:22:44 2015	(r397361)
@@ -0,0 +1,18 @@
+From ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 17 Mar 2015 21:59:56 -0700
+Subject: Fix bug #69253 - ZIP Integer Overflow leads to writing past heap boundary
+
+diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c
+index b9dac5c..0090801 100644
+--- libs/libzip/zip_dirent.c
++++ libs/libzip/zip_dirent.c
+@@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error)
+ 	return NULL;
+     }
+ 
+-    if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))
++    if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry))
+ 	== NULL) {
+ 	_zip_error_set(error, ZIP_ER_MEMORY, 0);
+ 	free(cd);
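
Review bot: The patch header keeps `diff --git a/ext/zip/lib/zip_dirent.c` and the `index b9dac5c..0090801` line from the PHP commit, while the `---`/`+++` paths were rewritten to libs/libzip/zip_dirent.c, so the `@@ -101,7 +101,7 @@` offsets are those of the PHP tree rather than of this bundled copy. Worth confirming that it applies to the bundled file without offset or fuzz, and adding a line to the patch header saying the paths were rewritten for the port so the mismatch is not mistaken for a stale patch.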


