upgrade version to 1.9.5

2023-07-24 10:40:26 +08:00 · 2023-07-24 10:40:26 +08:00 · 93b732e012
commit 93b732e012
parent 759335e09c
4 changed files with 16 additions and 75 deletions
--- a/backport-CVE-2023-24056.patch
+++ b/backport-CVE-2023-24056.patch
@ -1,71 +0,0 @@
-From 628b2b2bafa5d3a2017193ddf375093e70666059 Mon Sep 17 00:00:00 2001
-From: Ariadne Conill <ariadne@dereferenced.org>
-Date: Fri, 20 Jan 2023 22:07:03 +0000
-Subject: [PATCH] tuple: test for, and stop string processing, on truncation
-
-otherwise a buffer overflow occurs.
-this has been a bug in pkgconf since the beginning, it seems.
-instead of disclosing the bug correctly, a "hotshot" developer
-decided to blog about it instead.  sigh.
-
-https://nullprogram.com/blog/2023/01/18/
---
- libpkgconf/tuple.c | 28 +++++++++++++++++++++++-----
- 1 file changed, 23 insertions(+), 5 deletions(-)
-
-diff --git a/libpkgconf/tuple.c b/libpkgconf/tuple.c
-index 2d550d8..b831070 100644
--- a/libpkgconf/tuple.c
-+++ b/libpkgconf/tuple.c
-@@ -293,12 +293,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
- 				}
- 			}
- 
-+			size_t remain = PKGCONF_BUFSIZE - (bptr - buf);
- 			ptr += (pptr - ptr);
- 			kv = pkgconf_tuple_find_global(client, varname);
- 			if (kv != NULL)
- 			{
-				strncpy(bptr, kv, PKGCONF_BUFSIZE - (bptr - buf));
-				bptr += strlen(kv);
-+				size_t nlen = pkgconf_strlcpy(bptr, kv, remain);
-+				if (nlen > remain)
-+				{
-+					pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
-+
-+					bptr = buf + (PKGCONF_BUFSIZE - 1);
-+					break;
-+				}
-+
-+				bptr += nlen;
- 			}
- 			else
- 			{
-@@ -306,12 +315,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
- 
- 				if (kv != NULL)
- 				{
-+					size_t nlen;
-+
- 					parsekv = pkgconf_tuple_parse(client, vars, kv);
-+					nlen = pkgconf_strlcpy(bptr, parsekv, remain);
-+					free(parsekv);
- 
-					strncpy(bptr, parsekv, PKGCONF_BUFSIZE - (bptr - buf));
-					bptr += strlen(parsekv);
-+					if (nlen > remain)
-+					{
-+						pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
- 
-					free(parsekv);
-+						bptr = buf + (PKGCONF_BUFSIZE - 1);
-+						break;
-+					}
-+
-+					bptr += nlen;
- 				}
- 			}
- 		}
-- 
-2.33.0
-
--- a/pkgconf-1.8.0.tar.xz
+++ b/pkgconf-1.8.0.tar.xz
--- a/pkgconf-1.9.5.tar.xz
+++ b/pkgconf-1.9.5.tar.xz
--- a/pkgconf.spec
+++ b/pkgconf.spec
@ -1,16 +1,14 @@
 %global pkgconf_libdirs %{_libdir}/pkgconfig:%{_datadir}/pkgconfig

 Name:           pkgconf
-Version:        1.8.0
-Release:        3
+Version:        1.9.5
+Release:        1
 Summary:        Package compiler and linker metadata toolkit

 License:        ISC
 URL:            http://pkgconf.org/
 Source0:        https://distfiles.dereferenced.org/%{name}/%{name}-%{version}.tar.xz

-Patch6000:      backport-CVE-2023-24056.patch
-
 BuildRequires:  gcc, make, autoconf, automake, libtool
 #tests
 BuildRequires:  kyua, atf-tests
@ -45,6 +43,14 @@ Development headers and auxiliary files for developing apps for %{name}.

 %package_help

+%package        bomtool
+Summary:        Simple SBOM generator using pc(5) files
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+
+%description    bomtool
+bomtool is a program which helps generate a Software Bill of Materials
+manifest using data from installed .pc files.
+
 %prep
 %autosetup -p1

@ -105,7 +111,13 @@ mkdir -p %{buildroot}%{_datadir}/pkgconfig
 %files help
 %{_mandir}/*/*

+%files bomtool
+%{_bindir}/bomtool
+
 %changelog
+* Mon Jul 24 2023 dongyuzhen <dongyuzhen@h-partners.com> - 1.9.5-1
+- upgrade version to 1.9.5
+
 * Sun Jan 29 2023 dongyuzhen <dongyuzhen@h-partners.com> - 1.8.0-3
 - fix CVE-2023-24056