summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRandy Barlow <randy@electronsweatshop.com>2023-04-25 23:45:40 -0400
committerJoonas Niilola <juippis@gentoo.org>2023-05-18 10:26:00 +0300
commitc2e3eb85c45e83591be7faee69d58af55a10f8f4 (patch)
tree8506c37cbbe56eb2a5a25a3f1b57d7e4fbbe9642 /net-libs
parentnet-libs/libsignal-protocol-c: Drop -9999 ebuild (diff)
downloadgentoo-c2e3eb85c45e83591be7faee69d58af55a10f8f4.tar.gz
gentoo-c2e3eb85c45e83591be7faee69d58af55a10f8f4.tar.bz2
gentoo-c2e3eb85c45e83591be7faee69d58af55a10f8f4.zip
net-libs/libsignal-protocol-c: Fix CVE-2022-48468
This commit fixes CVE-2022-48468 for this package's bundled protobuf-c. Here are some reference links about the issue: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48468 https://bugzilla.redhat.com/show_bug.cgi?id=2186673 For reference, here is the commit I made in Fedora to address the issue, which includes this patch: https://src.fedoraproject.org/rpms/libsignal-protocol-c/c/152eb06d164e7973fda49139bc5a51f3b23c0cf6?branch=rawhide Closes: https://bugs.gentoo.org/905098 Signed-off-by: Randy Barlow <randy@electronsweatshop.com> Closes: https://github.com/gentoo/gentoo/pull/30764 Signed-off-by: Joonas Niilola <juippis@gentoo.org>
Diffstat (limited to 'net-libs')
-rw-r--r--net-libs/libsignal-protocol-c/files/libsignal-protocol-c-2.3.3-CVE-2022-48468.patch53
-rw-r--r--net-libs/libsignal-protocol-c/libsignal-protocol-c-2.3.3-r1.ebuild18
2 files changed, 71 insertions, 0 deletions
diff --git a/net-libs/libsignal-protocol-c/files/libsignal-protocol-c-2.3.3-CVE-2022-48468.patch b/net-libs/libsignal-protocol-c/files/libsignal-protocol-c-2.3.3-CVE-2022-48468.patch
new file mode 100644
index 000000000000..8b3706dd8829
--- /dev/null
+++ b/net-libs/libsignal-protocol-c/files/libsignal-protocol-c-2.3.3-CVE-2022-48468.patch
@@ -0,0 +1,53 @@
+From 478dfe51552243b367cf2e9c5d047cbbd3c21635 Mon Sep 17 00:00:00 2001
+From: Randy Barlow <randy@electronsweatshop.com>
+Date: Fri, 18 Mar 2022 12:42:57 -0400
+Subject: [PATCH] CVE-2022-48468: unsigned integer overflow
+
+This commit combines two upstream commits from protobuf-c[0][1].
+The first fixes an unsigned integer overflow, and the second fixes a
+regression introduced by the first. I originally decided to amend the
+commit message of the first to mention that it fixes a CVE, but then I
+realized it would be better to bring the fix for the regression together
+with it.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48468
+https://bugzilla.redhat.com/show_bug.cgi?id=2186673
+
+[0]
+https://github.com/protobuf-c/protobuf-c/pull/513/commits/289f5c18b195aa43d46a619d1188709abbfa9c82
+[1]
+https://github.com/protobuf-c/protobuf-c/pull/513/commits/0d1fd124a4e0a07b524989f6e64410ff648fba61
+
+Co-authored-by: 10054172 <hui.zhang@thalesgroup.com>
+Co-authored-by: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Signed-off-by: 10054172 <hui.zhang@thalesgroup.com>
+Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
+---
+ src/protobuf-c/protobuf-c.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/protobuf-c/protobuf-c.c b/src/protobuf-c/protobuf-c.c
+index 4f2f5bc..6ae5287 100644
+--- a/src/protobuf-c/protobuf-c.c
++++ b/src/protobuf-c/protobuf-c.c
+@@ -2456,10 +2456,13 @@ parse_required_member(ScannedMember *scanned_member,
+ return FALSE;
+
+ def_mess = scanned_member->field->default_value;
+- subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
+- allocator,
+- len - pref_len,
+- data + pref_len);
++ if (len >= pref_len)
++ subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
++ allocator,
++ len - pref_len,
++ data + pref_len);
++ else
++ subm = NULL;
+
+ if (maybe_clear &&
+ *pmessage != NULL &&
+--
+2.39.2
+
diff --git a/net-libs/libsignal-protocol-c/libsignal-protocol-c-2.3.3-r1.ebuild b/net-libs/libsignal-protocol-c/libsignal-protocol-c-2.3.3-r1.ebuild
new file mode 100644
index 000000000000..27fe1d46128e
--- /dev/null
+++ b/net-libs/libsignal-protocol-c/libsignal-protocol-c-2.3.3-r1.ebuild
@@ -0,0 +1,18 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit cmake
+
+DESCRIPTION="Signal Protocol C Library"
+HOMEPAGE="https://www.whispersystems.org/"
+SRC_URI="https://github.com/signalapp/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+KEYWORDS="~amd64 ~arm64 ~x86"
+
+LICENSE="GPL-3"
+SLOT="0"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-2.3.3-CVE-2022-48468.patch
+)