From owner-svn-ports-all@freebsd.org  Sun Sep 20 09:22:47 2015
Return-Path: <owner-svn-ports-all@freebsd.org>
Delivered-To: svn-ports-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id A9E20A05A48;
 Sun, 20 Sep 2015 09:22:47 +0000 (UTC)
 (envelope-from jbeich@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 9242D1FE4;
 Sun, 20 Sep 2015 09:22:47 +0000 (UTC)
 (envelope-from jbeich@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.70])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id t8K9Mler004478;
 Sun, 20 Sep 2015 09:22:47 GMT (envelope-from jbeich@FreeBSD.org)
Received: (from jbeich@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id t8K9Mjje004466;
 Sun, 20 Sep 2015 09:22:45 GMT (envelope-from jbeich@FreeBSD.org)
Message-Id: <201509200922.t8K9Mjje004466@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: jbeich set sender to
 jbeich@FreeBSD.org using -f
From: Jan Beich <jbeich@FreeBSD.org>
Date: Sun, 20 Sep 2015 09:22:45 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
 svn-ports-head@freebsd.org
Subject: svn commit: r397361 - in head: devel/radare2 devel/radare2/files
 emulators/ppsspp emulators/ppsspp-devel emulators/ppsspp-devel/files
 emulators/ppsspp/files games/openlierox games/openlierox/files
X-SVN-Group: ports-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-all@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: SVN commit messages for the ports tree <svn-ports-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-all/>
List-Post: <mailto:svn-ports-all@freebsd.org>
List-Help: <mailto:svn-ports-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-ports-all>,
 <mailto:svn-ports-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Sep 2015 09:22:47 -0000

Author: jbeich
Date: Sun Sep 20 09:22:44 2015
New Revision: 397361
URL: https://svnweb.freebsd.org/changeset/ports/397361

Log:
  Backport CVE-2015-2331 fix to bundled libzip
  
  MFH:		2015Q3
  Security:	264749ae-d565-11e4-b545-00269ee29e57

Added:
  head/devel/radare2/files/
  head/devel/radare2/files/patch-CVE-2015-2331   (contents, props changed)
  head/emulators/ppsspp-devel/files/patch-CVE-2015-2331   (contents, props changed)
  head/emulators/ppsspp/files/patch-CVE-2015-2331   (contents, props changed)
  head/games/openlierox/files/
  head/games/openlierox/files/patch-CVE-2015-2331   (contents, props changed)
Modified:
  head/devel/radare2/Makefile   (contents, props changed)
  head/emulators/ppsspp-devel/Makefile   (contents, props changed)
  head/emulators/ppsspp/Makefile   (contents, props changed)
  head/games/openlierox/Makefile   (contents, props changed)

Modified: head/devel/radare2/Makefile
==============================================================================
--- head/devel/radare2/Makefile	Sun Sep 20 07:33:37 2015	(r397360)
+++ head/devel/radare2/Makefile	Sun Sep 20 09:22:44 2015	(r397361)
@@ -3,6 +3,7 @@
 
 PORTNAME=	radare2
 PORTVERSION=	0.9.8
+PORTREVISION=	1
 CATEGORIES=	devel
 MASTER_SITES=	http://rada.re/get/
 

Added: head/devel/radare2/files/patch-CVE-2015-2331
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/devel/radare2/files/patch-CVE-2015-2331	Sun Sep 20 09:22:44 2015	(r397361)
@@ -0,0 +1,17 @@
+changeset:   1718:9f11d54f692e
+user:        Thomas Klausner <tk@giga.or.at>
+date:        Sat Mar 21 12:28:42 2015 +0100
+summary:     Avoid integer overflow. Addresses CVE-2015-2331.
+
+diff --git a/lib/zip_dirent.c b/lib/zip_dirent.c
+--- shlr/zip/zip/zip_dirent.c
++++ shlr/zip/zip/zip_dirent.c
+@@ -110,7 +110,7 @@ _zip_cdir_new(zip_uint64_t nentry, struc
+ 
+     if (nentry == 0)
+ 	cd->entry = NULL;
+-    else if ((cd->entry=(struct zip_entry *)malloc(sizeof(*(cd->entry))*nentry)) == NULL) {
++    else if ((nentry > SIZE_MAX/sizeof(*(cd->entry))) || (cd->entry=(struct zip_entry *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) == NULL) {
+ 	_zip_error_set(error, ZIP_ER_MEMORY, 0);
+ 	free(cd);
+ 	return NULL;

Modified: head/emulators/ppsspp-devel/Makefile
==============================================================================
--- head/emulators/ppsspp-devel/Makefile	Sun Sep 20 07:33:37 2015	(r397360)
+++ head/emulators/ppsspp-devel/Makefile	Sun Sep 20 09:22:44 2015	(r397361)
@@ -2,7 +2,7 @@
 
 DISTVERSION=	1.0.1-2668
 DISTVERSIONSUFFIX=	-g253ed9f
-PORTREVISION=	0
+PORTREVISION=	1
 PKGNAMESUFFIX=	-devel
 
 GH_TAGNAME=	e22d7a5:lang a0b878f:ext_armips

Added: head/emulators/ppsspp-devel/files/patch-CVE-2015-2331
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/emulators/ppsspp-devel/files/patch-CVE-2015-2331	Sun Sep 20 09:22:44 2015	(r397361)
@@ -0,0 +1,18 @@
+From ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 17 Mar 2015 21:59:56 -0700
+Subject: Fix bug #69253 - ZIP Integer Overflow leads to writing past heap boundary
+
+diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c
+index b9dac5c..0090801 100644
+--- ext/native/ext/libzip/zip_dirent.c
++++ ext/native/ext/libzip/zip_dirent.c
+@@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error)
+ 	return NULL;
+     }
+ 
+-    if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))
++    if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry))
+ 	== NULL) {
+ 	_zip_error_set(error, ZIP_ER_MEMORY, 0);
+ 	free(cd);

Modified: head/emulators/ppsspp/Makefile
==============================================================================
--- head/emulators/ppsspp/Makefile	Sun Sep 20 07:33:37 2015	(r397360)
+++ head/emulators/ppsspp/Makefile	Sun Sep 20 09:22:44 2015	(r397361)
@@ -3,7 +3,7 @@
 PORTNAME=	ppsspp
 DISTVERSIONPREFIX=	v
 DISTVERSION?=	1.0.1
-PORTREVISION?=	4
+PORTREVISION?=	5
 CATEGORIES=	emulators
 
 .ifndef PKGNAMESUFFIX

Added: head/emulators/ppsspp/files/patch-CVE-2015-2331
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/emulators/ppsspp/files/patch-CVE-2015-2331	Sun Sep 20 09:22:44 2015	(r397361)
@@ -0,0 +1,18 @@
+From ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 17 Mar 2015 21:59:56 -0700
+Subject: Fix bug #69253 - ZIP Integer Overflow leads to writing past heap boundary
+
+diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c
+index b9dac5c..0090801 100644
+--- native/ext/libzip/zip_dirent.c
++++ native/ext/libzip/zip_dirent.c
+@@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error)
+ 	return NULL;
+     }
+ 
+-    if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))
++    if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry))
+ 	== NULL) {
+ 	_zip_error_set(error, ZIP_ER_MEMORY, 0);
+ 	free(cd);

Modified: head/games/openlierox/Makefile
==============================================================================
--- head/games/openlierox/Makefile	Sun Sep 20 07:33:37 2015	(r397360)
+++ head/games/openlierox/Makefile	Sun Sep 20 09:22:44 2015	(r397361)
@@ -3,7 +3,7 @@
 
 PORTNAME=	openlierox
 DISTVERSION=	0.58_rc3
-PORTREVISION=	4
+PORTREVISION=	5
 PORTEPOCH=	1
 CATEGORIES=	games
 MASTER_SITES=	SF/${PORTNAME}/${PORTNAME}/OpenLieroX%20${DISTVERSION:C/_/%20/}

Added: head/games/openlierox/files/patch-CVE-2015-2331
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/games/openlierox/files/patch-CVE-2015-2331	Sun Sep 20 09:22:44 2015	(r397361)
@@ -0,0 +1,18 @@
+From ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 17 Mar 2015 21:59:56 -0700
+Subject: Fix bug #69253 - ZIP Integer Overflow leads to writing past heap boundary
+
+diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c
+index b9dac5c..0090801 100644
+--- libs/libzip/zip_dirent.c
++++ libs/libzip/zip_dirent.c
+@@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error)
+ 	return NULL;
+     }
+ 
+-    if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))
++    if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry))
+ 	== NULL) {
+ 	_zip_error_set(error, ZIP_ER_MEMORY, 0);
+ 	free(cd);