authorJ0WI <J0WI@users.noreply.github.com>2023-10-09 21:47:09 +0200
committerJ0WI <J0WI@users.noreply.github.com>2023-10-09 21:58:20 +0200
commit31d3b15e6062f6bbfd8756574b638922cd8f4824 (patch)
tree31ee0bcd691e5e084cd039e7caee842cb47e42b5
parent3b687e8354576b46936a3d780bb45a3fc9275bec (diff)
community/libcue: patch CVE-2023-43641
-rw-r--r--community/libcue/APKBUILD14
-rw-r--r--community/libcue/CVE-2023-43641.patch15
2 files changed, 26 insertions, 3 deletions
diff --git a/community/libcue/APKBUILD b/community/libcue/APKBUILD
index 514e659adf3..20217f22ae6 100644
--- a/community/libcue/APKBUILD
+++ b/community/libcue/APKBUILD
@@ -2,14 +2,19 @@
# Maintainer:
pkgname=libcue
pkgver=2.2.1
-pkgrel=1
+pkgrel=2
pkgdesc="Library for parsing CUE sheet files"
url="https://github.com/lipnitsk/libcue"
license="GPL-2.0-or-later"
arch="all"
makedepends="cmake bison flex"
subpackages="$pkgname-dev"
-source="$pkgname-$pkgver.tar.gz::https://github.com/lipnitsk/libcue/archive/v$pkgver.tar.gz"
+source="$pkgname-$pkgver.tar.gz::https://github.com/lipnitsk/libcue/archive/v$pkgver.tar.gz
+ CVE-2023-43641.patch"
+
+# secfixes:
+# 2.2.1-r0:
+# - CVE-2023-43641
build() {
cmake -B build . \
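Review bot: The `# secfixes:` entry files CVE-2023-43641 under `2.2.1-r0`, but this hunk bumps `pkgrel` to 2, so the first build that carries the patch is 2.2.1-r2. Anything that reads the secfixes comment to decide which installed versions are still affected would report r0 and r1 as fixed when they are not. The key should read `#   2.2.1-r2:`. A blank line between the secfixes block and `build()` would also keep the metadata apart from the function, whose body continues outside the hunk.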
@@ -29,4 +34,7 @@ package() {
make -C build DESTDIR="$pkgdir" install
}
-sha512sums="32e476cb09ed2cb2d64aaba1342fb91e77e448391b493a3a794a8d2a6723a0e6097a90b11c6ad82998cb7f270f4f18c2578d7b8575f6929c2a35502e09ebc964 libcue-2.2.1.tar.gz"
+sha512sums="
+32e476cb09ed2cb2d64aaba1342fb91e77e448391b493a3a794a8d2a6723a0e6097a90b11c6ad82998cb7f270f4f18c2578d7b8575f6929c2a35502e09ebc964 libcue-2.2.1.tar.gz
+1dc3d55df1142c7c39f493586c5aa3678c980aa5a8f49c50b6985301ff99ecfe9e2d368b74a6b492d51093d9b7fecfc1f08a03f10986aa0fe94824859b0db203 CVE-2023-43641.patch
+"
diff --git a/community/libcue/CVE-2023-43641.patch b/community/libcue/CVE-2023-43641.patch
new file mode 100644
index 00000000000..59f1198160f
--- /dev/null
+++ b/community/libcue/CVE-2023-43641.patch
@@ -0,0 +1,15 @@
+https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/
+
+diff --git a/cd.c b/cd.c
+index cf77a18..4bbea19 100644
+--- a/cd.c
++++ b/cd.c
+@@ -339,7 +339,7 @@ track_get_rem(const Track* track)
+
+ void track_set_index(Track *track, int i, long ind)
+ {
+- if (i > MAXINDEX) {
++ if (i < 0 || i > MAXINDEX) {
+ fprintf(stderr, "too many indexes\n");
+ return;
+ }
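Review bot: The patch file's only provenance is a blog URL, with no upstream commit reference or description, so a later auditor cannot confirm that the vendored hunk is byte-for-byte the upstream fix. A header such as `Patch-Source: <upstream-commit-url>` plus one line saying that a negative `i` was previously accepted as an array index would make that check straightforward. The guard still accepts `i == MAXINDEX`; whether that is in bounds depends on how the index array is declared, which this hunk does not show, so it is worth confirming against `cd.c`. The rejected branch also reports `too many indexes` for a negative value, which misdescribes the input when triaging a malformed CUE sheet from logs. The body of `track_set_index` continues outside the hunk.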