pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2009Q4]: pkgsrc/archivers/gzip Pullup ticket #2895 - requested...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/8ca84a9fc8a5
branches:  pkgsrc-2009Q4
changeset: 569236:8ca84a9fc8a5
user:      tron <tron%pkgsrc.org@localhost>
date:      Tue Feb 02 17:15:32 2010 +0000

description:
Pullup ticket #2895 - requested by taca
gzip: security patch

Revisions pulled up:
- archivers/gzip/Makefile                       1.23
- archivers/gzip/distinfo                       1.4
- archivers/gzip/patches/patch-ag               1.1
- archivers/gzip/patches/patch-ah               1.1
---
Module Name:    pkgsrc
Committed By:   taca
Date:           Tue Feb  2 14:42:43 UTC 2010

Modified Files:
        pkgsrc/archivers/gzip: Makefile distinfo
Added Files:
        pkgsrc/archivers/gzip/patches: patch-ag patch-ah

Log Message:
Add patches for CVE-2009-2624 and CVE-2010-0001.

Bump PKGREVISION.

diffstat:

 archivers/gzip/Makefile         |   5 +++--
 archivers/gzip/distinfo         |   4 +++-
 archivers/gzip/patches/patch-ag |  24 ++++++++++++++++++++++++
 archivers/gzip/patches/patch-ah |  16 ++++++++++++++++
 4 files changed, 46 insertions(+), 3 deletions(-)

diffs (85 lines):

diff -r 12dff75acca6 -r 8ca84a9fc8a5 archivers/gzip/Makefile
--- a/archivers/gzip/Makefile   Mon Feb 01 15:01:34 2010 +0000
+++ b/archivers/gzip/Makefile   Tue Feb 02 17:15:32 2010 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.22 2008/09/07 08:02:27 dholland Exp $
+# $NetBSD: Makefile,v 1.22.14.1 2010/02/02 17:15:32 tron Exp $
 #
 
 DISTNAME=      gzip-1.3.12
-PKGREVISION=   2
+PKGREVISION=   3
 SVR4_PKGNAME=  gzip
 CATEGORIES=    archivers
 MASTER_SITES=  ${MASTER_SITE_GNU:=gzip/}
@@ -11,6 +11,7 @@
 MAINTAINER=    pkgsrc-users%NetBSD.org@localhost
 HOMEPAGE=      http://www.gnu.org/software/gzip/gzip.html
 COMMENT=       Compress or expand files
+LICENSE=       gnu-gpl-v2
 
 PKG_INSTALLATION_TYPES=        overwrite pkgviews
 PKG_DESTDIR_SUPPORT=   user-destdir
diff -r 12dff75acca6 -r 8ca84a9fc8a5 archivers/gzip/distinfo
--- a/archivers/gzip/distinfo   Mon Feb 01 15:01:34 2010 +0000
+++ b/archivers/gzip/distinfo   Tue Feb 02 17:15:32 2010 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.3 2008/09/07 08:02:27 dholland Exp $
+$NetBSD: distinfo,v 1.3.14.1 2010/02/02 17:15:32 tron Exp $
 
 SHA1 (gzip-1.3.12.tar) = 330eb5f1b3dfab13a491352cb00b6573e5b55a5f
 RMD160 (gzip-1.3.12.tar) = 6845dfba2a275f4de488c3fb97e64405838a5005
@@ -9,3 +9,5 @@
 SHA1 (patch-ad) = 082ced7d4a89a49b750525cc71bbf9a9abfc5b9e
 SHA1 (patch-ae) = a1d245c5cf055e9bd35fb7e810d5183a71cbfc74
 SHA1 (patch-af) = 28639dbe11ed8ce81bd1c29248b53af6cea55b88
+SHA1 (patch-ag) = 6b499fe28525643bfd5e5ece73fcd221eb9f964f
+SHA1 (patch-ah) = 0f92048912c2e682ba28d93bf5f309774d337790
diff -r 12dff75acca6 -r 8ca84a9fc8a5 archivers/gzip/patches/patch-ag
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/archivers/gzip/patches/patch-ag   Tue Feb 02 17:15:32 2010 +0000
@@ -0,0 +1,24 @@
+$NetBSD: patch-ag,v 1.1.2.2 2010/02/02 17:15:32 tron Exp $
+
+Fix for CVE-2009-2624.
+
+--- inflate.c.orig     2006-12-20 23:30:17.000000000 +0000
++++ inflate.c
+@@ -335,13 +335,15 @@ int *m;                 /* maximum looku
+   } while (--i);
+   if (c[0] == n)                /* null input--all zero length codes */
+   {
+-    q = (struct huft *) malloc (2 * sizeof *q);
++    q = (struct huft *) malloc (3 * sizeof *q);
+     if (!q)
+       return 3;
+-    hufts += 2;
++    hufts += 3;
+     q[0].v.t = (struct huft *) NULL;
+     q[1].e = 99;    /* invalid code marker */
+     q[1].b = 1;
++    q[2].e = 99;    /* invalid code marker */
++    q[2].b = 1;
+     *t = q + 1;
+     *m = 1;
+     return 0;
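Review bot: The added `q[2]` entry is explained only by the header line `Fix for CVE-2009-2624.`, so a later reader cannot tell why the all-zero-lengths table needs three slots. From the visible lines, `*t = q + 1` and `*m = 1` return a table with a one-bit lookup width, so presumably both `(*t)[0]` and `(*t)[1]` (that is, `q[1]` and `q[2]`) can be read, and the old two-element allocation left the second one outside the buffer. I would add a comment above the malloc such as `/* *m == 1: table is indexed by one bit, so q[1] and q[2] must both be valid "invalid code" entries */`. The enclosing function begins and ends outside the hunk, so the lookup itself cannot be confirmed from here.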
diff -r 12dff75acca6 -r 8ca84a9fc8a5 archivers/gzip/patches/patch-ah
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/archivers/gzip/patches/patch-ah   Tue Feb 02 17:15:32 2010 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-ah,v 1.1.2.2 2010/02/02 17:15:32 tron Exp $
+
+Fix for CVE-2010-0001.
+
+--- unlzw.c.orig       2006-12-11 18:54:39.000000000 +0000
++++ unlzw.c
+@@ -248,7 +248,8 @@ int unlzw(in, out)
+       int  o;
+ 
+     resetbuf:
+-      e = insize-(o = (posbits>>3));
++      o = posbits >> 3;
++      e = o <= insize ? insize - o : 0;
+ 
+       for (i = 0 ; i < e ; ++i) {
+           inbuf[i] = inbuf[i+o];
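Review bot: The clamp in `e = o <= insize ? insize - o : 0;` is uncommented, and it compares `o`, declared `int` two lines above, against `insize`, whose declaration is outside the hunk. If `insize` is unsigned, the comparison is done in unsigned arithmetic; a negative `o` would then compare as a large value and also give `e = 0`, which looks intended but should be stated rather than left implicit. I would add a comment on the new lines, e.g. `/* posbits may point past the buffered input (presumably on corrupt data); clamp so e never wraps or goes negative */`. `unlzw` starts before and continues after the hunk, so how `e` is used after the copy loop cannot be checked from here.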


