system/bzip2: [CVE] bump to 1.0.8

bzip2-1.0.4-POSIX-shell.patch integrated: https://sourceware.org/git/?p=bzip2.git;a=commit;h=33414da1d2bedf2cbe693f0e21fdaef11d221b1d CVE-2016-3189.patch integrated: https://sourceware.org/git/?p=bzip2.git;a=commit;h=c1cdd98db3238cb711c7d9cdc5671452ce2822cb

system/bzip2: [CVE] bump to 1.0.8
b0c732de · Max Rees · 0b09c67b · b0c732de · 0b09c67b · b0c732de
Verified Commit b0c732de authored 5 years ago by Max Rees
--- a/system/bzip2/APKBUILD
+++ b/system/bzip2/APKBUILD
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=bzip2
-pkgver=1.0.6
-pkgrel=7
+pkgver=1.0.8
+pkgrel=0
 pkgdesc="A high-quality data compression program"
-url="http://sources.redhat.com/bzip2"
+url="https://www.sourceware.org/bzip2/"
 arch="all"
 license="BSD-4-Clause"
 depends=""
 subpackages="$pkgname-dev $pkgname-doc libbz2"
-source="https://downloads.sourceforge.net/bzip2/$pkgname-$pkgver.tar.gz
+source="https://sourceware.org/pub/bzip2/$pkgname-$pkgver.tar.gz
 	bzip2-1.0.4-makefile-CFLAGS.patch
-	bzip2-1.0.6-saneso.patch
+	bzip2-1.0.8-saneso.patch
 	bzip2-1.0.4-man-links.patch
 	bzip2-1.0.2-progress.patch
 	bzip2-1.0.3-no-test.patch
-	bzip2-1.0.4-POSIX-shell.patch
-	CVE-2016-3189.patch
 	"
+builddir="$srcdir/$pkgname-$pkgver"

 # secfixes:
 #   1.0.6-r5:
-#   - CVE-2016-3189
+#     - CVE-2016-3189
+#   1.0.8-r0:
+#     - CVE-2019-12900

-builddir="$srcdir"/$pkgname-$pkgver
 prepare() {
 	default_prepare

@@ -64,11 +64,9 @@ libbz2() {
 	mv "$pkgdir"/usr/lib/*.so.* "$subpkgdir"/usr/lib/
 }

-sha512sums="00ace5438cfa0c577e5f578d8a808613187eff5217c35164ffe044fbafdfec9e98f4192c02a7d67e01e5a5ccced630583ad1003c37697219b0f147343a3fdd12  bzip2-1.0.6.tar.gz
+sha512sums="083f5e675d73f3233c7930ebe20425a533feedeaaa9d8cc86831312a6581cefbe6ed0d08d2fa89be81082f2a5abdabca8b3c080bf97218a1bd59dc118a30b9f3  bzip2-1.0.8.tar.gz
 58cc37430555520b6e35db2740e699cf37eacdd82989c21a222a593e36288710a0defb003662d4238235c12b3764bfc89cd646e6be9d0a08d54bd2c9baa6ad15  bzip2-1.0.4-makefile-CFLAGS.patch
-8a7528b5b931bb72f637c6940bc811d54fb816fd5bb453af56d9b4a87091004eb5e191ba799d972794b24c56cf8134344a618b58946d3f1d985c508f88190845  bzip2-1.0.6-saneso.patch
+bc52f6efc63ac8d06fcbbb0446cc9c8025964ba0651ef493b5a124e838bf03bebb0ef56247fdd007265c8ea091f3458e832a53856228e7fefa4d20a55065bba3  bzip2-1.0.8-saneso.patch
 2d9a306bc0f552a58916ebc702d32350a225103c487e070d2082121a54e07f1813d3228f43293cc80a4bee62053fd597294c99a1751b1685cd678f4e5c6a2fe7  bzip2-1.0.4-man-links.patch
 b6810c73428f17245e0d7c2decd00c88986cd8ad1cfe4982defe34bdab808d53870ed92cb513b2d00c15301747ceb6ca958fb0e0458d0663b7d8f7c524f7ba4e  bzip2-1.0.2-progress.patch
-aefcafaaadc7f19b20fe023e0bd161127b9f32e0cd364621f6e5c03e95fb976e7e69e354ec46673a554392519532a3bfe56d982a5cde608c10e0b18c3847a030  bzip2-1.0.3-no-test.patch
-64ab461bf739c29615383750e7f260abb2d49df7eb23916940d512bd61fd9a37aaade4d8f6f94280c95fc781b8f92587ad4f3dda51e87dec7a92a7a6f8d8ae86  bzip2-1.0.4-POSIX-shell.patch
-cef6f448b661a775cc433f9636730e89c1285d07075536217657056be56e0a11e96f41f7c14f6ec59e235464b9ddd649a71fb8de1c60eda2fd5c2cdfbb6a8fdc  CVE-2016-3189.patch"
+aefcafaaadc7f19b20fe023e0bd161127b9f32e0cd364621f6e5c03e95fb976e7e69e354ec46673a554392519532a3bfe56d982a5cde608c10e0b18c3847a030  bzip2-1.0.3-no-test.patch"
--- a/system/bzip2/bzip2-1.0.4-POSIX-shell.patch
+++ b/system/bzip2/bzip2-1.0.4-POSIX-shell.patch
-bzgrep uses !/bin/sh but then uses the bashism ${var//} so replace those
-with calls to sed so POSIX shells work
-
-http://bugs.gentoo.org/193365
-
--- ./bzgrep
-+++ ./bzgrep
-@@ -63,10 +63,9 @@
-     bzip2 -cdfq "$i" | $grep $opt "$pat"
-     r=$?
-   else
-    j=${i//\\/\\\\}
-    j=${j//|/\\|}
-    j=${j//&/\\&}
-    j=`printf "%s" "$j" | tr '\n' ' '`
-+    # the backslashes here are doubled up as we have to escape each one for the
-+    # shell and then escape each one for the sed expression
-+    j=`printf "%s" "${i}" | sed -e 's:\\\\:\\\\\\\\:g' -e 's:[|]:\\\\|:g' -e 's:[&]:\\\\&:g' | tr '\n' ' '`
-     bzip2 -cdfq "$i" | $grep $opt "$pat" | sed "s|^|${j}:|"
-     r=$?
-   fi
--- a/system/bzip2/bzip2-1.0.6-saneso.patch
+++ b/system/bzip2/bzip2-1.0.6-saneso.patch
--- ./Makefile-libbz2_so
-+++ ./Makefile-libbz2_so
-@@ -35,8 +35,8 @@
+--- bzip2-1.0.8/Makefile-libbz2_so	2019-07-13 17:50:05.000000000 +0000
+++ bzip2-1.0.8/Makefile-libbz2_so	2019-07-23 22:36:08.050034514 +0000
+@@ -35,8 +35,8 @@ OBJS= blocksort.o  \
       bzlib.o
 
 all: $(OBJS)
-	$(CC) -shared -Wl,-soname -Wl,libbz2.so.1.0 -o libbz2.so.1.0.6 $(OBJS)
-	$(CC) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.6
-+	$(CC) $(LDFLAGS) -shared -Wl,-soname -Wl,libbz2.so.1 -o libbz2.so.1.0.6 $(OBJS)
-+	$(CC) $(LDFLAGS) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.6
+-	$(CC) -shared -Wl,-soname -Wl,libbz2.so.1.0 -o libbz2.so.1.0.8 $(OBJS)
+-	$(CC) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.8
+	$(CC) $(LDFLAGS) -shared -Wl,-soname -Wl,libbz2.so.1 -o libbz2.so.1.0.8 $(OBJS)
+	$(CC) $(LDFLAGS) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.8
 	rm -f libbz2.so.1.0
- 	ln -s libbz2.so.1.0.6 libbz2.so.1.0
+ 	ln -s libbz2.so.1.0.8 libbz2.so.1.0