diff options
author | Randy Barlow <randy@electronsweatshop.com> | 2023-04-25 23:45:40 -0400 |
---|---|---|
committer | Joonas Niilola <juippis@gentoo.org> | 2023-05-18 10:26:00 +0300 |
commit | c2e3eb85c45e83591be7faee69d58af55a10f8f4 (patch) | |
tree | 8506c37cbbe56eb2a5a25a3f1b57d7e4fbbe9642 /net-libs | |
parent | net-libs/libsignal-protocol-c: Drop -9999 ebuild (diff) | |
download | gentoo-c2e3eb85c45e83591be7faee69d58af55a10f8f4.tar.gz gentoo-c2e3eb85c45e83591be7faee69d58af55a10f8f4.tar.bz2 gentoo-c2e3eb85c45e83591be7faee69d58af55a10f8f4.zip |
net-libs/libsignal-protocol-c: Fix CVE-2022-48468
This commit fixes CVE-2022-48468 for this package's bundled
protobuf-c.
Here are some reference links about the issue:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48468
https://bugzilla.redhat.com/show_bug.cgi?id=2186673
For reference, here is the commit I made in Fedora to address the issue,
which includes this patch:
https://src.fedoraproject.org/rpms/libsignal-protocol-c/c/152eb06d164e7973fda49139bc5a51f3b23c0cf6?branch=rawhide
Closes: https://bugs.gentoo.org/905098
Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
Closes: https://github.com/gentoo/gentoo/pull/30764
Signed-off-by: Joonas Niilola <juippis@gentoo.org>
Diffstat (limited to 'net-libs')
-rw-r--r-- | net-libs/libsignal-protocol-c/files/libsignal-protocol-c-2.3.3-CVE-2022-48468.patch | 53 | ||||
-rw-r--r-- | net-libs/libsignal-protocol-c/libsignal-protocol-c-2.3.3-r1.ebuild | 18 |
2 files changed, 71 insertions, 0 deletions
diff --git a/net-libs/libsignal-protocol-c/files/libsignal-protocol-c-2.3.3-CVE-2022-48468.patch b/net-libs/libsignal-protocol-c/files/libsignal-protocol-c-2.3.3-CVE-2022-48468.patch new file mode 100644 index 000000000000..8b3706dd8829 --- /dev/null +++ b/net-libs/libsignal-protocol-c/files/libsignal-protocol-c-2.3.3-CVE-2022-48468.patch @@ -0,0 +1,53 @@ +From 478dfe51552243b367cf2e9c5d047cbbd3c21635 Mon Sep 17 00:00:00 2001 +From: Randy Barlow <randy@electronsweatshop.com> +Date: Fri, 18 Mar 2022 12:42:57 -0400 +Subject: [PATCH] CVE-2022-48468: unsigned integer overflow + +This commit combines two upstream commits from protobuf-c[0][1]. +The first fixes an unsigned integer overflow, and the second fixes a +regression introduced by the first. I originally decided to amend the +commit message of the first to mention that it fixes a CVE, but then I +realized it would be better to bring the fix for the regression together +with it. + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48468 +https://bugzilla.redhat.com/show_bug.cgi?id=2186673 + +[0] +https://github.com/protobuf-c/protobuf-c/pull/513/commits/289f5c18b195aa43d46a619d1188709abbfa9c82 +[1] +https://github.com/protobuf-c/protobuf-c/pull/513/commits/0d1fd124a4e0a07b524989f6e64410ff648fba61 + +Co-authored-by: 10054172 <hui.zhang@thalesgroup.com> +Co-authored-by: "Todd C. Miller" <Todd.Miller@sudo.ws> +Signed-off-by: 10054172 <hui.zhang@thalesgroup.com> +Signed-off-by: Randy Barlow <randy@electronsweatshop.com> +--- + src/protobuf-c/protobuf-c.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/src/protobuf-c/protobuf-c.c b/src/protobuf-c/protobuf-c.c +index 4f2f5bc..6ae5287 100644 +--- a/src/protobuf-c/protobuf-c.c ++++ b/src/protobuf-c/protobuf-c.c +@@ -2456,10 +2456,13 @@ parse_required_member(ScannedMember *scanned_member, + return FALSE; + + def_mess = scanned_member->field->default_value; +- subm = protobuf_c_message_unpack(scanned_member->field->descriptor, +- allocator, +- len - pref_len, +- data + pref_len); ++ if (len >= pref_len) ++ subm = protobuf_c_message_unpack(scanned_member->field->descriptor, ++ allocator, ++ len - pref_len, ++ data + pref_len); ++ else ++ subm = NULL; + + if (maybe_clear && + *pmessage != NULL && +-- +2.39.2 + diff --git a/net-libs/libsignal-protocol-c/libsignal-protocol-c-2.3.3-r1.ebuild b/net-libs/libsignal-protocol-c/libsignal-protocol-c-2.3.3-r1.ebuild new file mode 100644 index 000000000000..27fe1d46128e --- /dev/null +++ b/net-libs/libsignal-protocol-c/libsignal-protocol-c-2.3.3-r1.ebuild @@ -0,0 +1,18 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit cmake + +DESCRIPTION="Signal Protocol C Library" +HOMEPAGE="https://www.whispersystems.org/" +SRC_URI="https://github.com/signalapp/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz" +KEYWORDS="~amd64 ~arm64 ~x86" + +LICENSE="GPL-3" +SLOT="0" + +PATCHES=( + "${FILESDIR}"/${PN}-2.3.3-CVE-2022-48468.patch +) |