Date: Monday, July 4, 2016 @ 19:46:22 Author: bpiotrowski Revision: 270944
archrelease: copy trunk to testing-i686, testing-x86_64
Added:
expat/repos/testing-i686/
expat/repos/testing-i686/PKGBUILD (from rev 270943, expat/trunk/PKGBUILD)
expat/repos/testing-i686/expat-2.2.0-Avoid-relying-on-undefined-behavior-in-CVE-2015-1283 (from rev 270943, expat/trunk/expat-2.2.0-Avoid-relying-on-undefined-behavior-in-CVE-2015-1283)
expat/repos/testing-x86_64/
expat/repos/testing-x86_64/PKGBUILD (from rev 270943, expat/trunk/PKGBUILD)
expat/repos/testing-x86_64/expat-2.2.0-Avoid-relying-on-undefined-behavior-in-CVE-2015-1283 (from rev 270943, expat/trunk/expat-2.2.0-Avoid-relying-on-undefined-behavior-in-CVE-2015-1283)
---------------------------------------------------------------------------------+
testing-i686/PKGBUILD | 33 ++++++++
testing-i686/expat-2.2.0-Avoid-relying-on-undefined-behavior-in-CVE-2015-1283 | 37 ++++++++++
testing-x86_64/PKGBUILD | 33 ++++++++
testing-x86_64/expat-2.2.0-Avoid-relying-on-undefined-behavior-in-CVE-2015-1283 | 37 ++++++++++
4 files changed, 140 insertions(+)
Copied: expat/repos/testing-i686/PKGBUILD (from rev 270943, expat/trunk/PKGBUILD)
===================================================================
--- testing-i686/PKGBUILD (rev 0)
+++ testing-i686/PKGBUILD 2016-07-04 19:46:22 UTC (rev 270944)
@@ -0,0 +1,33 @@
+# $Id$
+# Maintainer: Bartłomiej Piotrowski <bpiotrow...@archlinux.org>
+# Contributor: Allan McRae <al...@archlinux.org>
+# Contributor: Judd Vinet <jvi...@zeroflux.org>
+
+pkgname=expat
+pkgver=2.2.0
+pkgrel=1
+pkgdesc='An XML parser library'
+arch=('i686' 'x86_64')
+url='http://expat.sourceforge.net/'
+license=('custom')
+depends=('glibc')
+source=(http://downloads.sourceforge.net/sourceforge/expat/$pkgname-$pkgver.tar.bz2
+ expat-2.2.0-Avoid-relying-on-undefined-behavior-in-CVE-2015-1283)
+md5sums=('2f47841c829facb346eb6e3fab5212e2'
+ '216b1b11e155b11a84f11149bc476d30')
+
+build() {
+ cd $pkgname-$pkgver
+ ./configure --prefix=/usr
+ make
+}
+
+check() {
+ make -C $pkgname-$pkgver check
+}
+
+package() {
+ cd $pkgname-$pkgver
+ make DESTDIR="$pkgdir" install
+ install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
+}
Copied: expat/repos/testing-i686/expat-2.2.0-Avoid-relying-on-undefined-behavior-in-CVE-2015-1283 (from rev 270943, expat/trunk/expat-2.2.0-Avoid-relying-on-undefined-behavior-in-CVE-2015-1283)
===================================================================
--- testing-i686/expat-2.2.0-Avoid-relying-on-undefined-behavior-in-CVE-2015-1283 (rev 0)
+++ testing-i686/expat-2.2.0-Avoid-relying-on-undefined-behavior-in-CVE-2015-1283 2016-07-04 19:46:22 UTC (rev 270944)
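Review bot: The patch file expat-2.2.0-Avoid-relying-on-undefined-behavior-in-CVE-2015-1283 is listed in source= and checksummed in md5sums, but nothing in this PKGBUILD applies it: build() goes straight from `cd $pkgname-$pkgver` to `./configure`, and there is no prepare(), so the built library still contains the overflowing arithmetic the patch is meant to replace. The patch's paths are `a/expat/lib/xmlparse.c`, so from inside the unpacked tarball it has to be applied with `-p2`. The x86_64 copy of this PKGBUILD (the third hunk) has the same omission. Separately, md5sums is a weak integrity check for a tarball fetched over plain http; sha256sums, or validpgpkeys with the upstream signature, would be the stronger choice.
```shell
prepare() {
  cd $pkgname-$pkgver
  patch -p2 -i ../expat-2.2.0-Avoid-relying-on-undefined-behavior-in-CVE-2015-1283
}
```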
@@ -0,0 +1,37 @@
+From f0bec73b018caa07d3e75ec8dd967f3785d71bde Mon Sep 17 00:00:00 2001
+From: Pascal Cuoq <c...@trust-in-soft.com>
+Date: Sun, 15 May 2016 09:05:46 +0200
+Subject: [PATCH] Avoid relying on undefined behavior in CVE-2015-1283 fix. It
+ does not really work: https://godbolt.org/g/Zl8gdF
+
+---
+ expat/lib/xmlparse.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 7586b24..620a820 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -1730,7 +1730,8 @@ XML_GetBuffer(XML_Parser parser, int len)
+ #ifdef XML_CONTEXT_BYTES
+ int keep;
+ #endif /* defined XML_CONTEXT_BYTES */
+- int neededSize = len + (int)(bufferEnd - bufferPtr);
++ /* Do not invoke signed arithmetic overflow: */
++ int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr));
+ if (neededSize < 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+@@ -1761,7 +1762,8 @@ XML_GetBuffer(XML_Parser parser, int len)
+ if (bufferSize == 0)
+ bufferSize = INIT_BUFFER_SIZE;
+ do {
+- bufferSize *= 2;
++ /* Do not invoke signed arithmetic overflow: */
++ bufferSize = (int) (2U * (unsigned) bufferSize);
+ } while (bufferSize < neededSize && bufferSize > 0);
+ if (bufferSize <= 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+--
+2.9.0
+
Copied: expat/repos/testing-x86_64/PKGBUILD (from rev 270943, expat/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD (rev 0)
+++ testing-x86_64/PKGBUILD 2016-07-04 19:46:22 UTC (rev 270944)
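Review bot: In the first hunk of the embedded patch, `int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr));` removes the signed overflow, but the `if (neededSize < 0)` check that follows now relies on converting an unsigned value above INT_MAX back to int, which C11 leaves implementation-defined (6.3.1.3) rather than guaranteeing a negative result; mainstream compilers do wrap, but the comment `Do not invoke signed arithmetic overflow` reads as if the check were now fully defined. Keeping the range test in the unsigned domain removes that dependency: `unsigned needed = (unsigned)len + (unsigned)(bufferEnd - bufferPtr); if (needed > (unsigned)INT_MAX) { errorCode = XML_ERROR_NO_MEMORY; return NULL; } int neededSize = (int)needed;` (INT_MAX needs <limits.h> if xmlparse.c does not already include it). The same applies to `bufferSize = (int) (2U * (unsigned) bufferSize);` in the second hunk, whose `bufferSize > 0` loop exit and `bufferSize <= 0` check likewise depend on the wrapped value becoming non-positive. Neither hunk shows a rejection of a negative len, and the unsigned sum would fold a negative len into a small positive neededSize; XML_GetBuffer's start lies outside the hunk, so if no such guard exists earlier in the function one should be added. The x86_64 copy of this patch file (the last hunk) is identical.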
@@ -0,0 +1,33 @@
+# $Id$
+# Maintainer: Bartłomiej Piotrowski <bpiotrow...@archlinux.org>
+# Contributor: Allan McRae <al...@archlinux.org>
+# Contributor: Judd Vinet <jvi...@zeroflux.org>
+
+pkgname=expat
+pkgver=2.2.0
+pkgrel=1
+pkgdesc='An XML parser library'
+arch=('i686' 'x86_64')
+url='http://expat.sourceforge.net/'
+license=('custom')
+depends=('glibc')
+source=(http://downloads.sourceforge.net/sourceforge/expat/$pkgname-$pkgver.tar.bz2
+ expat-2.2.0-Avoid-relying-on-undefined-behavior-in-CVE-2015-1283)
+md5sums=('2f47841c829facb346eb6e3fab5212e2'
+ '216b1b11e155b11a84f11149bc476d30')
+
+build() {
+ cd $pkgname-$pkgver
+ ./configure --prefix=/usr
+ make
+}
+
+check() {
+ make -C $pkgname-$pkgver check
+}
+
+package() {
+ cd $pkgname-$pkgver
+ make DESTDIR="$pkgdir" install
+ install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
+}
Copied: expat/repos/testing-x86_64/expat-2.2.0-Avoid-relying-on-undefined-behavior-in-CVE-2015-1283 (from rev 270943, expat/trunk/expat-2.2.0-Avoid-relying-on-undefined-behavior-in-CVE-2015-1283)
===================================================================
--- testing-x86_64/expat-2.2.0-Avoid-relying-on-undefined-behavior-in-CVE-2015-1283 (rev 0)
+++ testing-x86_64/expat-2.2.0-Avoid-relying-on-undefined-behavior-in-CVE-2015-1283 2016-07-04 19:46:22 UTC (rev 270944)
@@ -0,0 +1,37 @@
+From f0bec73b018caa07d3e75ec8dd967f3785d71bde Mon Sep 17 00:00:00 2001
+From: Pascal Cuoq <c...@trust-in-soft.com>
+Date: Sun, 15 May 2016 09:05:46 +0200
+Subject: [PATCH] Avoid relying on undefined behavior in CVE-2015-1283 fix. It
+ does not really work: https://godbolt.org/g/Zl8gdF
+
+---
+ expat/lib/xmlparse.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 7586b24..620a820 100644
+--- a/expat/lib/xmlparse.c
++++ b/expat/lib/xmlparse.c
+@@ -1730,7 +1730,8 @@ XML_GetBuffer(XML_Parser parser, int len)
+ #ifdef XML_CONTEXT_BYTES
+ int keep;
+ #endif /* defined XML_CONTEXT_BYTES */
+- int neededSize = len + (int)(bufferEnd - bufferPtr);
++ /* Do not invoke signed arithmetic overflow: */
++ int neededSize = (int) ((unsigned)len + (unsigned)(bufferEnd - bufferPtr));
+ if (neededSize < 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+ return NULL;
+@@ -1761,7 +1762,8 @@ XML_GetBuffer(XML_Parser parser, int len)
+ if (bufferSize == 0)
+ bufferSize = INIT_BUFFER_SIZE;
+ do {
+- bufferSize *= 2;
++ /* Do not invoke signed arithmetic overflow: */
++ bufferSize = (int) (2U * (unsigned) bufferSize);
+ } while (bufferSize < neededSize && bufferSize > 0);
+ if (bufferSize <= 0) {
+ errorCode = XML_ERROR_NO_MEMORY;
+--
+2.9.0
+