author | 2013-03-30 15:19:22 +0000 | |
---|---|---|
committer | 2013-03-30 15:19:22 +0000 | |
commit | e3a196af3f473780a0fd78af538a7ffdfb630d67 (patch) | |
tree | cab0bb36d2fca9de6c346ae8792c0a288cacb2a5 | |
parent | Stable for alpha, wrt bug #462852 (diff) | |
Backport upstream patch for CVE-2013-0211 wrt security #463632 by Agostino Sarubbo
Package-Manager: portage-2.2.0_alpha169/cvs/Linux x86_64
Manifest-Sign-Key: 0x4868F14D
-rw-r--r-- | app-arch/libarchive/ChangeLog | 9 | ||||
-rw-r--r-- | app-arch/libarchive/Manifest | 18 | ||||
-rw-r--r-- | app-arch/libarchive/files/libarchive-3.1.2-CVE-2013-0211.patch | 32 | ||||
-rw-r--r-- | app-arch/libarchive/libarchive-3.1.2-r1.ebuild | 91 |
4 files changed, 141 insertions, 9 deletions
diff --git a/app-arch/libarchive/ChangeLog b/app-arch/libarchive/ChangeLog index fa2b3bc82105..4e67926ebb2d 100644 --- a/app-arch/libarchive/ChangeLog +++ b/app-arch/libarchive/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for app-arch/libarchive # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-arch/libarchive/ChangeLog,v 1.141 2013/03/30 15:13:07 ssuominen Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-arch/libarchive/ChangeLog,v 1.142 2013/03/30 15:19:17 ssuominen Exp $ + +*libarchive-3.1.2-r1 (30 Mar 2013) + + 30 Mar 2013; Samuli Suominen <ssuominen@gentoo.org> + +libarchive-3.1.2-r1.ebuild, +files/libarchive-3.1.2-CVE-2013-0211.patch: + Backport upstream patch for CVE-2013-0211 wrt security #463632 by Agostino + Sarubbo *libarchive-3.1.2 (30 Mar 2013) diff --git a/app-arch/libarchive/Manifest b/app-arch/libarchive/Manifest index 6fe30ad883fb..773c5192410c 100644 --- a/app-arch/libarchive/Manifest +++ b/app-arch/libarchive/Manifest 
@@ -2,22 +2,24 @@ Hash: SHA256 AUX libarchive-3.0.4-handle-unsupported-acl-types.patch 788 SHA256 c555174c835d29bf8c6e99a3bce1603d127108dc4de0727f203ef17a3766e463 SHA512 6c6a47aaf6c7863c1b449b06547322d1265c8f2849f281c3c4d8a5a9cd6447905de1aac9b0d1dead12ae7ae864319091b23606bd7e3ea6d16bdd646109b0eba3 WHIRLPOOL c3312100cd52e7081de88a2889a2b80f18324cf1e069994885a33285dfa1bc9b36d172873ade92c0c5ceb98416e0d9be55eb34d35890e99b95dbe0ba162397c1 +AUX libarchive-3.1.2-CVE-2013-0211.patch 1087 SHA256 6e9940a1b148f3ceb43bb172416b332ba922bb951e7832193ff997c2d9026bb4 SHA512 38ef32b30b3eb5a7c68e31086da64b871bae70002600080541ea6d0ea3680f68f9e65760f803a0e96d233e1a21858a83946c1fd63fd67d5eb030120940896c7a WHIRLPOOL 6c9a8586e011a7f392a925261adb9a5b5f8b5a9725b322bd6f8dd56fb3f2bee15b7651c0e6dd3c0a23ddc76c22b84fb6ab041215116076f015ba68aa12ededbe DIST libarchive-3.0.4.tar.gz 3632806 SHA256 76e8d7c7b100ec4071e48c1b7d3f3ea1d22b39db3e45b7189f75b5ff4df90fac SHA512 7287881977cc08430baa2b755f579849f2419e0446df124bd31eb1ffa3920938235808a8fc5162f140d9c2231a8ab83974ce10bdb5b1a71540687d0be24c75fc WHIRLPOOL 2ebf2ba83ce69084769bc764b44f2a4d0b3f9df0f8acebd615de90109efb73ff6114ad83b659235eb93d03e900e0db67ea25c4abbf12a73ce4cd2b453ebc9947 DIST libarchive-3.1.1.tar.gz 3287387 SHA256 bd37f66cb0789bc147d5aa2913365b7f0f13398aa8728e31f201ecb79e87ee02 SHA512 3a2a4469e798c8ac2533fa0fb3300c7e0f0f83f45476177ecdc94d799b9bc9671173e7191abe286a6e9bd07608d72c22887757ce54bfa447ebab2d450bb6d712 WHIRLPOOL 9f30eb019427d52707c6185603b8107fba35cf62e230e2df90a77c5441ea8a9a17c1b886c45e3541d77bb70088615c2a1dfdd8e9d45ab02396709276253ed6c2 DIST libarchive-3.1.2.tar.gz 4527540 SHA256 eb87eacd8fe49e8d90c8fdc189813023ccc319c5e752b01fb6ad0cc7b2c53d5e SHA512 1f3c2a675031f93c7d42ae2ed06742b0b1e2236ff57d9117791d62fb8ae77d6cafffbcb5d45b5bd98daa908bd18c576cf82e01a9b1eba699705e23eff3688114 WHIRLPOOL b90f336afb5264be91fb17d7dae3d5697e3f84e24d276af1d5ac076fe15ef6f5756488f09506fabe470473becb5449cd1f34865309dcf8a914e6e83506e8695f EBUILD 
libarchive-3.0.4-r1.ebuild 2470 SHA256 49291fa09df9a0bc12e54f8b6107f8d9bd9f8c09e5633b49ed3023629e3f6f0c SHA512 3a4511ca6dd596667ec65141470b813c370bac013aa047eb52541aff1fbf306c07f1a4d9ad97df5f66ed927bcd38f6159db71c6db2557c42677ced7f2b16da3b WHIRLPOOL 326aaf8ed5d67675b67fd422afc207e289053a852347374f8b4dbcf1eb8461d37640fb92ff2614b09f95977f5042d3ae01526cab81bcd5523f4e4a9e27be4c1b EBUILD libarchive-3.1.1.ebuild 2535 SHA256 cf63965a37636d082510f1a536494d846ea0fe0455211570132131132acdaeee SHA512 b5d03093ea0fd6034c9f5d62441ef505dd59a9be76fbc25085aedff9699a6fd01a0c6e73627f71c7382a1365222d2131359d4bda8392f46f610a0559657d9b8f WHIRLPOOL f4ccbb9e436ecd8173b32f3090f8df639214ea713af80c675ee4bffb7aa4835d6761d9a0080d33c4f6dfe4b5cdf412de2deb6ead30119986e447856bb699caf0 +EBUILD libarchive-3.1.2-r1.ebuild 2506 SHA256 aca1563f877977f47f54eb67e9980a4a56b9300183bb166c170889d8232e318b SHA512 f95bf779c4c84a85df1e7fd495724ded889792b3d7bd77757be498f049d7d5d4c3605a98ddc5039e4f85bf2a5f8f6f608f16247633475e1313179e3ade9fe080 WHIRLPOOL 0e2c8f469823df5936b8b34ddee1d34a27ce9a1062610a44f7b5070ee1c6db5e020a43431e3313f23a71e1ba1d987a7ac3f7b6ef9910b0906c5fa980a2759c67 EBUILD libarchive-3.1.2.ebuild 2456 SHA256 b42919f5e40d93446f031966e5586cc3f648c02722a6e201afed891199e6d88c SHA512 d016bee938bdc0fbcffb22b0cba015b93a9d8fafb7106986d90728957776026f89d689abfa54ecbe933b647f6cc65741a262dc60da62fabb9b1dcc694186d0d6 WHIRLPOOL f320dd2ddcf84b336162d548668de5f54d0cbb072858e3b6dfc96ec6d9aa054f92f69d45f1902c86be0bb58512b887ab7cd0f45610729e3ba097440c1b63fa74 -MISC ChangeLog 33547 SHA256 87968fa5eef0f0783b6fae84710b45aed82b81dbb92e989686daacc644d8472a SHA512 5e55ba65057a55136b1b1f06872705a1ec9fae1ff11cf20876ecb02ab4afb1490756e6b72f9cd7d14b41b4e8179b46fc3eb20838b19431e7dafeb2d1eb09bec8 WHIRLPOOL f295da3cd3af5a37f23861f087ae9209f8e59393c2273253fd129fd037fe2345611767896da33aacb677a483d30b75006f85c9b1070bff0d13265829f9a8e50f +MISC ChangeLog 33801 SHA256 ba71195f3218972e07d94e1f671e86a5caa5b3570e3d130d8a8a5acf7f111c64 
SHA512 504cf6aaad952bd8fa80e137e509c6f46f0b182bad75fa156202e979a85d4ec8a74eaf9dfeeb7c9dd8d503d9b081df75c153e269dd9fa3e7fefeea8e5bde09c0 WHIRLPOOL 155f3b572e32ed0f90ff858694bd6bc9f37e8c895070dbc1cae8fe06ddac5c6005bd26775167a85c607d9de21a35584ef6037820716a3a0380c834228a5cac68 MISC metadata.xml 1402 SHA256 4a65c32b25d2a97de2b24e2f40298cef694814d1ff05d7191da5e54c66db5933 SHA512 af66ac92b8b88b183db12b330932771d303b93ff629ae5cdc8f5e00bc9730c4df794d7618a1039cb6c2312dee49dcbbb58dc8a7e61bb3dcde704d8a951e32c87 WHIRLPOOL 5cb7fde05acf8b48311aa4f4bdd12c86555318033055fd43721c5ef1c44ef5e6e564ddb4a384224aff8abe31218216fe423739dbd75427b5ff0c3b052ac0f059 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) -iQEcBAEBCAAGBQJRVwCtAAoJEEdUh39IaPFNg8wH/0kTEb2eydq8ehIjlRmS00We -GNclWENDFZxfc5Kbb3fWcxJvlOAa9+abg6GquMJuKlpcpKu8yFy3HPkI9wWkK33S -52TdpjlzqioKB0NILWmVbL2CahQU/b0eA3+6ZEty4YPLbdjuzabduxkd4CCsx6iu -PUx4fLovEBCrp+sUS/VOvcjhgdO17bUPtZ2ej60ZAfA/23oOTO3bhY3bT7teVcwH -BCX1VVxhPhB/v6y3V7dMtDtjWiJuoLXmYxKssjdftf7DQU9y77nz5vTHUqEFt720 -tvjzpOl7c+gOo0psEjYASGaUacntVbwbtLJdC5LSiQCUNe+aYFco1CoFp6D2hnY= -=md+C +iQEcBAEBCAAGBQJRVwIeAAoJEEdUh39IaPFNAsgH/imnZKfpkyQIpqF09+wYBzdp +zKjM9hZGNWXLC6LSO9sJ0DApjBq1QYqyqneSnEiXTJPcQcQMt+YrEDytSH0VEvwu +iwE21pFYV9Kd8CZtwoe81Jro9M3rOwR06FHOCOYBaFKxQdtFp45DTCzxfuORBBfA +7qgPt9G0+DusrDJ4LHvrU14LlWMBgZQRmcMYbUqA9HGTn59O0hddcO6vgqGTOooX +ecZLAcFtQZ/84Du8MLYl7IbBraIfJPUoAYfE8POy1di9hxzc120b+/1LnTAp68e+ +IcAm3Yv01QbeiqUqzLM7Xc0M1m3sWMEPSz5q5dVCWx+490Ea1ypfh+kNnB2QxlM= +=fqD5 -----END PGP SIGNATURE----- diff --git a/app-arch/libarchive/files/libarchive-3.1.2-CVE-2013-0211.patch b/app-arch/libarchive/files/libarchive-3.1.2-CVE-2013-0211.patch new file mode 100644 index 000000000000..78427ce47740 --- /dev/null +++ b/app-arch/libarchive/files/libarchive-3.1.2-CVE-2013-0211.patch 
@@ -0,0 +1,32 @@
+From 22531545514043e04633e1c015c7540b9de9dbe4 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle <kientzle@acm.org>
+Date: Fri, 22 Mar 2013 23:48:41 -0700
+Subject: [PATCH] Limit write requests to at most INT_MAX. This prevents a
+ certain common programming error (passing -1 to write) from leading to other
+ problems deeper in the library.
+
+---
+ libarchive/archive_write.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libarchive/archive_write.c b/libarchive/archive_write.c
+index eede5e0..be85621 100644
+--- a/libarchive/archive_write.c
++++ b/libarchive/archive_write.c
+@@ -673,8 +673,13 @@ static ssize_t
+ _archive_write_data(struct archive *_a, const void *buff, size_t s)
+ {
+ struct archive_write *a = (struct archive_write *)_a;
++ const size_t max_write = INT_MAX;
++
+ archive_check_magic(&a->archive, ARCHIVE_WRITE_MAGIC,
+ ARCHIVE_STATE_DATA, "archive_write_data");
++ /* In particular, this catches attempts to pass negative values. */
++ if (s > max_write)
++ s = max_write;
+ archive_clear_error(&a->archive);
+ return ((a->format_write_data)(a, buff, s));
+ }
+--
+1.8.1
+
diff --git a/app-arch/libarchive/libarchive-3.1.2-r1.ebuild b/app-arch/libarchive/libarchive-3.1.2-r1.ebuild
new file mode 100644
index 000000000000..1d91051324cc
--- /dev/null
+++ b/app-arch/libarchive/libarchive-3.1.2-r1.ebuild
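Review bot: In files/libarchive-3.1.2-CVE-2013-0211.patch, the comment above the clamp in `_archive_write_data` says it "catches" negative values, but the added code does not reject them: a length such as -1 converted to `size_t` is reduced to `INT_MAX`, and `format_write_data` is still called with that count on the caller's `buff`. What the clamp does guarantee is that the format writers never receive a count above `INT_MAX`, and the caller sees a short write. I would word the comment to say that, e.g. `/* A negative length converted to size_t shows up here as a huge value; cap it at INT_MAX so the format writers get a bounded count, and let the caller see a short write. */`. `INT_MAX` also needs `<limits.h>`, and this hunk adds no include, so it presumably relies on one already in archive_write.c; worth confirming against the 3.1.2 tree that the ebuild patches.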
@@ -0,0 +1,91 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-arch/libarchive/libarchive-3.1.2-r1.ebuild,v 1.1 2013/03/30 15:19:17 ssuominen Exp $
+
+EAPI=5
+inherit eutils libtool multilib
+
+DESCRIPTION="BSD tar command"
+HOMEPAGE="http://www.libarchive.org/"
+SRC_URI="http://www.libarchive.org/downloads/${P}.tar.gz"
+
+LICENSE="BSD BSD-2 BSD-4 public-domain"
+SLOT="0/13"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="acl +bzip2 +e2fsprogs expat +iconv kernel_linux +lzma lzo nettle static-libs xattr +zlib"
+
+RDEPEND="dev-libs/openssl:0
+ acl? ( virtual/acl )
+ bzip2? ( app-arch/bzip2 )
+ expat? ( dev-libs/expat )
+ !expat? ( dev-libs/libxml2 )
+ iconv? ( virtual/libiconv )
+ kernel_linux? (
+ xattr? ( sys-apps/attr )
+ )
+ lzma? ( app-arch/xz-utils )
+ lzo? ( >=dev-libs/lzo-2 )
+ nettle? ( dev-libs/nettle )
+ zlib? ( sys-libs/zlib )"
+DEPEND="${RDEPEND}
+ kernel_linux? (
+ virtual/os-headers
+ e2fsprogs? ( sys-fs/e2fsprogs )
+ )"
+
+DOCS="NEWS README"
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}-CVE-2013-0211.patch
+ elibtoolize
+}
+
+src_configure() {
+ export ac_cv_header_ext2fs_ext2_fs_h=$(usex e2fsprogs) #354923
+
+ # We disable lzmadec because we support the newer liblzma from xz-utils
+ # and not liblzmadec with this version.
+ econf \
+ $(use_enable static-libs static) \
+ --enable-bsdtar=shared \
+ --enable-bsdcpio=shared \
+ $(use_enable xattr) \
+ $(use_enable acl) \
+ $(use_with zlib) \
+ $(use_with bzip2 bz2lib) \
+ --without-lzmadec \
+ $(use_with iconv) \
+ $(use_with lzma) \
+ $(use_with lzo lzo2) \
+ $(use_with nettle) \
+ $(use_with !expat xml2) \
+ $(use_with expat)
+}
+
+src_test() {
+ # Replace the default src_test so that it builds tests in parallel
+ emake check
+}
+
+src_install() {
+ default
+
+ # Libs.private: should be used from libarchive.pc instead
+ prune_libtool_files
+
+ # Create tar symlink for FreeBSD
+ if ! use prefix && [[ ${CHOST} == *-freebsd* ]]; then
+ dosym bsdtar /usr/bin/tar
+ echo '.so bsdtar.1' > "${T}"/tar.1
+ doman "${T}"/tar.1
+ # We may wish to switch to symlink bsdcpio to cpio too one day
+ fi
+}
+
+pkg_preinst() {
+ preserve_old_lib /usr/$(get_libdir)/${PN}$(get_libname 12)
+}
+
+pkg_postinst() {
+ preserve_old_lib_notify /usr/$(get_libdir)/${PN}$(get_libname 12)
+} |
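Review bot: `pkg_preinst` in the new ebuild keeps the old library via `preserve_old_lib /usr/$(get_libdir)/${PN}$(get_libname 12)`, and nothing in the file says that a preserved copy does not contain the CVE-2013-0211 fix applied in `src_prepare`. On systems upgrading from a soname-12 libarchive, programs still linked against the preserved library presumably keep running the unpatched write path until they are rebuilt. A comment above the call, such as `# The preserved soname-12 copy is unpatched; consumers must be rebuilt to pick up the CVE-2013-0211 fix`, would make that explicit for the next maintainer.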