dev-util/bsdiff: Fix CVE-2014-9862 #14970

Closed

thesamesam
Member

Includes a patch from ChromiumOS.

Bug: https://bugs.gentoo.org/701848
Signed-off-by: Sam James (sam_c) <sam@cmpct.info>

@gentoo-bot

Pull Request assignment

Submitter: @thesamesam
Areas affected: ebuilds
Packages affected: dev-util/bsdiff

dev-util/bsdiff: @gentoo/proxy-maint (maintainer needed)

Linked bugs

Bugs linked: 701848


In order to force reassignment and/or bug reference scan, please append [please reassign] to the pull request title.


@gentoo-bot added the maintainer-needed, assigned and bug linked labels Mar 15, 2020
@gentoo-repo-qa-bot
Collaborator

Pull request CI report

Report generated at: 2020-03-15 19:58 UTC
Newest commit scanned: 40b0532
Status: ✅ good

Issues already there before the PR (double-check them):

Contributor

@Whissi left a comment


Just a few comments, I'll fix on merge.


SLOT="0"
LICENSE="BSD-2"
KEYWORDS="~alpha amd64 ~arm hppa ia64 ~mips ppc sparc x86 ~amd64-linux ~x86-linux ~ppc-macos"

On rev bump, we have to drop keywords to ~arch.

KEYWORDS="~alpha amd64 ~arm hppa ia64 ~mips ppc sparc x86 ~amd64-linux ~x86-linux ~ppc-macos"

DEPEND="app-arch/bzip2"
RDEPEND="${DEPEND}"

bzip2 is just a RDEPEND.


EAPI=7

inherit eutils flag-o-matic toolchain-funcs

eutils isn't needed.

@@ -0,0 +1,15 @@
diff --git a/bspatch.c b/bspatch.c

Please try to add a link to the source in future.

@Whissi self-assigned this Mar 15, 2020
@Whissi added the fix on merge label Mar 15, 2020
@thesamesam deleted the bsdiff-sec-patch branch March 28, 2020 01:00