main/bzip2: security fix for CVE-2016-3189

2 files changed, 36 insertions, 3 deletions

diff --git a/main/bzip2/APKBUILD b/main/bzip2/APKBUILD
index 48e5571ef08..4b05b80cf21 100644
--- a/main/bzip2/APKBUILD
+++ b/main/bzip2/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=bzip2
 pkgver=1.0.6
-pkgrel=4
+pkgrel=5
 pkgdesc="A high-quality data compression program"
 url="http://sources.redhat.com/bzip2"
 arch="all"
@@ -16,8 +16,12 @@ source="http://www.bzip.org/$pkgver/$pkgname-$pkgver.tar.gz
 	bzip2-1.0.2-progress.patch
 	bzip2-1.0.3-no-test.patch
 	bzip2-1.0.4-POSIX-shell.patch
+	CVE-2016-3189.patch
 	"
 
+# secfixes:
+#   1.0.6-r5: CVE-2016-3189
+
 _builddir="$srcdir"/$pkgname-$pkgver
 prepare() {
 	local i
@@ -44,7 +48,7 @@ prepare() {
 		bzip2.1 bzip2.txt Makefile-libbz2_so manual.* || return 1
 }
 
-build () { 
+build () {
 	cd "$_builddir"
 	make -f Makefile-libbz2_so all || return 1
 	make all || return 1
@@ -70,4 +74,21 @@ d47a4aa8f08d101aa5aa0dd2030338d1  bzip2-1.0.6-saneso.patch
 fd13ef6bc55276c7e3adc346bde56cd1  bzip2-1.0.4-man-links.patch
 5f7a98f0aaaed6554126d30e28383ee0  bzip2-1.0.2-progress.patch
 804bd17c96297968a89fc4eddc9a6713  bzip2-1.0.3-no-test.patch
-55ac0e9be7821190b99376e0205707be  bzip2-1.0.4-POSIX-shell.patch"
+55ac0e9be7821190b99376e0205707be  bzip2-1.0.4-POSIX-shell.patch
+bb267d21004b2e756a18c3b5f31a8257  CVE-2016-3189.patch"
+sha256sums="a2848f34fcd5d6cf47def00461fcb528a0484d8edef8208d6d2e2909dc61d9cd  bzip2-1.0.6.tar.gz
+8b625c4a37395ef94b19854b6a43f7e756edc3e238924669bc01d858853a1703  bzip2-1.0.4-makefile-CFLAGS.patch
+5591ef4d3ccc1ea08750ce5650efadb0e8e2255b50e506cc8d66b131f8d891f2  bzip2-1.0.6-saneso.patch
+1fc9d91f3f7bd3eecd86149b9c95b3162d9d7956f7de543aa8bc41cbcd04f88b  bzip2-1.0.4-man-links.patch
+a76f6d082a1a1fef2eff111177d7c7568e1d457fb2b98cde71bbbe6ea1c7c787  bzip2-1.0.2-progress.patch
+3478e797662d85996c03d3b7612d548d2d377fe7efc3dc190332741a11082ef6  bzip2-1.0.3-no-test.patch
+a810bda8ff824a3da6c5eb2659e388c6f6d8b7f09d08ca5b3ace18f96d5299fe  bzip2-1.0.4-POSIX-shell.patch
+b47515cf71a5773c5e26aa4faf1486d3a60de127cb99cdc0c6aee229d362ae7c  CVE-2016-3189.patch"
+sha512sums="00ace5438cfa0c577e5f578d8a808613187eff5217c35164ffe044fbafdfec9e98f4192c02a7d67e01e5a5ccced630583ad1003c37697219b0f147343a3fdd12  bzip2-1.0.6.tar.gz
+58cc37430555520b6e35db2740e699cf37eacdd82989c21a222a593e36288710a0defb003662d4238235c12b3764bfc89cd646e6be9d0a08d54bd2c9baa6ad15  bzip2-1.0.4-makefile-CFLAGS.patch
+8a7528b5b931bb72f637c6940bc811d54fb816fd5bb453af56d9b4a87091004eb5e191ba799d972794b24c56cf8134344a618b58946d3f1d985c508f88190845  bzip2-1.0.6-saneso.patch
+2d9a306bc0f552a58916ebc702d32350a225103c487e070d2082121a54e07f1813d3228f43293cc80a4bee62053fd597294c99a1751b1685cd678f4e5c6a2fe7  bzip2-1.0.4-man-links.patch
+b6810c73428f17245e0d7c2decd00c88986cd8ad1cfe4982defe34bdab808d53870ed92cb513b2d00c15301747ceb6ca958fb0e0458d0663b7d8f7c524f7ba4e  bzip2-1.0.2-progress.patch
+aefcafaaadc7f19b20fe023e0bd161127b9f32e0cd364621f6e5c03e95fb976e7e69e354ec46673a554392519532a3bfe56d982a5cde608c10e0b18c3847a030  bzip2-1.0.3-no-test.patch
+64ab461bf739c29615383750e7f260abb2d49df7eb23916940d512bd61fd9a37aaade4d8f6f94280c95fc781b8f92587ad4f3dda51e87dec7a92a7a6f8d8ae86  bzip2-1.0.4-POSIX-shell.patch
+cef6f448b661a775cc433f9636730e89c1285d07075536217657056be56e0a11e96f41f7c14f6ec59e235464b9ddd649a71fb8de1c60eda2fd5c2cdfbb6a8fdc  CVE-2016-3189.patch"
diff --git a/main/bzip2/CVE-2016-3189.patch b/main/bzip2/CVE-2016-3189.patch
new file mode 100644
index 00000000000..6622670c91b
--- /dev/null
+++ b/main/bzip2/CVE-2016-3189.patch
@@ -0,0 +1,12 @@
+diff --git a/bzip2recover.c b/bzip2recover.c
+index f9de049..d159c92 100644
+--- a/bzip2recover.c
++++ b/bzip2recover.c
+@@ -457,6 +457,7 @@ Int32 main ( Int32 argc, Char** argv )
+             bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 );
+             bsPutUInt32 ( bsWr, blockCRC );
+             bsClose ( bsWr );
++	    outFile = NULL;
+          }
+          if (wrBlock >= rbCtr) break;
+          wrBlock++;