commit:     c2e3eb85c45e83591be7faee69d58af55a10f8f4
Author:     Randy Barlow <randy <AT> electronsweatshop <DOT> com>
AuthorDate: Wed Apr 26 03:45:40 2023 +0000
Commit:     Joonas Niilola <juippis <AT> gentoo <DOT> org>
CommitDate: Thu May 18 07:26:00 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2e3eb85

net-libs/libsignal-protocol-c: Fix CVE-2022-48468

This commit fixes CVE-2022-48468 for this package's bundled
protobuf-c.

Here are some reference links about the issue:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48468
https://bugzilla.redhat.com/show_bug.cgi?id=2186673

For reference, here is the commit I made in Fedora to address the issue,
which includes this patch:

https://src.fedoraproject.org/rpms/libsignal-protocol-c/c/152eb06d164e7973fda49139bc5a51f3b23c0cf6?branch=rawhide

Closes: https://bugs.gentoo.org/905098
Signed-off-by: Randy Barlow <randy <AT> electronsweatshop.com>
Closes: https://github.com/gentoo/gentoo/pull/30764
Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org>

 ...libsignal-protocol-c-2.3.3-CVE-2022-48468.patch | 53 ++++++++++++++++++++++
 .../libsignal-protocol-c-2.3.3-r1.ebuild           | 18 ++++++++
 2 files changed, 71 insertions(+)

diff --git 
a/net-libs/libsignal-protocol-c/files/libsignal-protocol-c-2.3.3-CVE-2022-48468.patch
 
b/net-libs/libsignal-protocol-c/files/libsignal-protocol-c-2.3.3-CVE-2022-48468.patch
new file mode 100644
index 000000000000..8b3706dd8829
--- /dev/null
+++ 
b/net-libs/libsignal-protocol-c/files/libsignal-protocol-c-2.3.3-CVE-2022-48468.patch
@@ -0,0 +1,53 @@
+From 478dfe51552243b367cf2e9c5d047cbbd3c21635 Mon Sep 17 00:00:00 2001
+From: Randy Barlow <[email protected]>
+Date: Fri, 18 Mar 2022 12:42:57 -0400
+Subject: [PATCH] CVE-2022-48468: unsigned integer overflow
+
+This commit combines two upstream commits from protobuf-c[0][1].
+The first fixes an unsigned integer overflow, and the second fixes a
+regression introduced by the first. I originally decided to amend the
+commit message of the first to mention that it fixes a CVE, but then I
+realized it would be better to bring the fix for the regression together
+with it.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48468
+https://bugzilla.redhat.com/show_bug.cgi?id=2186673
+
+[0]
+https://github.com/protobuf-c/protobuf-c/pull/513/commits/289f5c18b195aa43d46a619d1188709abbfa9c82
+[1]
+https://github.com/protobuf-c/protobuf-c/pull/513/commits/0d1fd124a4e0a07b524989f6e64410ff648fba61
+
+Co-authored-by: 10054172 <[email protected]>
+Co-authored-by: "Todd C. Miller" <[email protected]>
+Signed-off-by: 10054172 <[email protected]>
+Signed-off-by: Randy Barlow <[email protected]>
+---
+ src/protobuf-c/protobuf-c.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/protobuf-c/protobuf-c.c b/src/protobuf-c/protobuf-c.c
+index 4f2f5bc..6ae5287 100644
+--- a/src/protobuf-c/protobuf-c.c
++++ b/src/protobuf-c/protobuf-c.c
+@@ -2456,10 +2456,13 @@ parse_required_member(ScannedMember *scanned_member,
+                       return FALSE;
+ 
+               def_mess = scanned_member->field->default_value;
+-              subm = 
protobuf_c_message_unpack(scanned_member->field->descriptor,
+-                                               allocator,
+-                                               len - pref_len,
+-                                               data + pref_len);
++              if (len >= pref_len)
++                      subm = 
protobuf_c_message_unpack(scanned_member->field->descriptor,
++                                                       allocator,
++                                                       len - pref_len,
++                                                       data + pref_len);
++              else
++                      subm = NULL;
+ 
+               if (maybe_clear &&
+                   *pmessage != NULL &&
+-- 
+2.39.2
+
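Review bot: The new guard `if (len >= pref_len)` carries no comment saying why it exists, so a later cleanup could fold it back into the unconditional call and silently reintroduce the wrap; add above it `/* A malformed field may claim fewer bytes than its length prefix occupies; len - pref_len would otherwise wrap (CVE-2022-48468). */`. In the short-input case subm is set to NULL, which is presumably the same value protobuf_c_message_unpack() yields on failure, so the truncated member should take the existing failed-unpack path; that path, including the assignment to `*pmessage` and the return, lies after the end of the hunk, so confirm there that NULL is treated as a parse failure rather than a valid empty submessage. The enclosing parse_required_member() starts and ends outside the hunk, and since this hunk is itself a patch file added under files/, any such comment belongs in the nested diff.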

diff --git a/net-libs/libsignal-protocol-c/libsignal-protocol-c-2.3.3-r1.ebuild 
b/net-libs/libsignal-protocol-c/libsignal-protocol-c-2.3.3-r1.ebuild
new file mode 100644
index 000000000000..27fe1d46128e
--- /dev/null
+++ b/net-libs/libsignal-protocol-c/libsignal-protocol-c-2.3.3-r1.ebuild
@@ -0,0 +1,18 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit cmake
+
+DESCRIPTION="Signal Protocol C Library"
+HOMEPAGE="https://www.whispersystems.org/";
+SRC_URI="https://github.com/signalapp/${PN}/archive/v${PV}.tar.gz -> 
${P}.tar.gz"
+KEYWORDS="~amd64 ~arm64 ~x86"
+
+LICENSE="GPL-3"
+SLOT="0"
+
+PATCHES=(
+       "${FILESDIR}"/${PN}-2.3.3-CVE-2022-48468.patch
+)
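Review bot: The PATCHES entry gives no hint that the patch targets the bundled protobuf-c copy under src/protobuf-c rather than libsignal-protocol-c itself, which is what the next maintainer needs when deciding whether the patch is still required on a bump; add `# bundled protobuf-c, CVE-2022-48468, bug #905098` on the line above the entry. The upstream references already live in the patch header, so a one-line pointer here is enough.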
