On 2019/06/27 17:08, T.J. Townsend wrote: > Here's an update to 1.0.7, released today.
I had a quick look at a source code diff, despite 9 years gap there's not a lot of change. It looks pretty safe to me but given the risk of breakage I'd prefer to have more eyes on it.
> 1.0.7 (27 Jun 19)
> ~~~~~~~~~~~~~~~~
>
> * Fix undefined behavior in the macros SET_BH, CLEAR_BH, & ISSET_BH
> * bzip2: Fix return value when combining --test,-t and -q.
> * bzip2recover: Fix buffer overflow for large argv[0]
> * bzip2recover: Fix use after free issue with outFile (CVE-2016-3189)
> * Make sure nSelectors is not out of range (CVE-2019-12900)
>
> https://www.sourceware.org/bzip2/CHANGES
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/archivers/bzip2/Makefile,v
> retrieving revision 1.75
> diff -u -p -r1.75 Makefile
> --- Makefile 24 Jun 2019 14:46:36 -0000 1.75
> +++ Makefile 27 Jun 2019 20:17:38 -0000
> @@ -2,8 +2,7 @@
>
> COMMENT= block-sorting file compressor, unencumbered
>
> -DISTNAME= bzip2-1.0.6
> -REVISION= 10
> +DISTNAME= bzip2-1.0.7
>
> CATEGORIES= archivers
>
> @@ -17,8 +16,7 @@ PERMIT_PACKAGE_CDROM= Yes
> # uses pledge()
> WANTLIB += c
>
> -# originally at bzip.org, domain expired
> -MASTER_SITES= https://spacehopper.org/mirrors/
> +MASTER_SITES= https://sourceware.org/pub/bzip2/
>
> BZ2_CFLAGS= -Wall -Winline -fomit-frame-pointer -fno-strength-reduce
> MAKE_FLAGS= CC="${CC}" CFLAGS="${CFLAGS} ${BZ2_CFLAGS}" \
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/archivers/bzip2/distinfo,v
> retrieving revision 1.8
> diff -u -p -r1.8 distinfo
> --- distinfo 4 Apr 2013 16:03:55 -0000 1.8
> +++ distinfo 27 Jun 2019 20:17:38 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (bzip2-1.0.6.tar.gz) = ooSPNPzV1s9H3vAEYfy1KKBITY7e+CCNbS4pCdxh2c0=
> -SIZE (bzip2-1.0.6.tar.gz) = 782025
> +SHA256 (bzip2-1.0.7.tar.gz) = 52iofFsaeVEUmb60FQC8xMryA3Jv/0am9fmtJ/4Iqys=
> +SIZE (bzip2-1.0.7.tar.gz) = 809680
> Index: patches/patch-bzip2recover_c
> ===================================================================
> RCS file: patches/patch-bzip2recover_c
> diff -N patches/patch-bzip2recover_c
> --- patches/patch-bzip2recover_c 28 Jun 2016 09:56:23 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,15 +0,0 @@
> -$OpenBSD: patch-bzip2recover_c,v 1.1 2016/06/28 09:56:23 jasper Exp $
> -
> -CVE-2016-3189 bzip2: heap use after free in bzip2recover
> -Patch from: https://bugzilla.redhat.com/show_bug.cgi?id=1319648
> -
> ---- bzip2recover.c.orig Tue Jun 28 11:54:25 2016
> -+++ bzip2recover.c Tue Jun 28 11:54:43 2016
> -@@ -457,6 +457,7 @@ Int32 main ( Int32 argc, Char** argv )
> - bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 );
> - bsPutUInt32 ( bsWr, blockCRC );
> - bsClose ( bsWr );
> -+ outFile = NULL;
> - }
> - if (wrBlock >= rbCtr) break;
> - wrBlock++;
> Index: patches/patch-decompress_c
> ===================================================================
> RCS file: patches/patch-decompress_c
> diff -N patches/patch-decompress_c
> --- patches/patch-decompress_c 24 Jun 2019 14:46:36 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,27 +0,0 @@
> -$OpenBSD: patch-decompress_c,v 1.1 2019/06/24 14:46:36 sthen Exp $
> -
> -From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
> -From: Albert Astals Cid <aa...@kde.org>
> -Date: Tue, 28 May 2019 19:35:18 +0200
> -Subject: [PATCH] Make sure nSelectors is not out of range
> -
> -nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
> -which is
> - UChar selectorMtf[BZ_MAX_SELECTORS];
> -so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
> -access
> -
> -Fixes out of bounds access discovered while fuzzying karchive
> -
> -Index: decompress.c
> ---- decompress.c.orig
> -+++ decompress.c
> -@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
> - GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
> - if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
> - GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
> -- if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
> -+ if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) > RETURN(BZ_DATA_ERROR);
> - for (i = 0; i < nSelectors; i++) {
> - j = 0;
> - while (True) {
>