main/coreutils: patch CVE-2024-0684

2026-05-05 20:36:40 +02:00 · 2024-01-25 23:43:46 +01:00 · 2024-01-25 23:43:46 +01:00 · 4bc611f0ff
commit 4bc611f0ff
parent c947bf9b0f
2 changed files with 42 additions and 4 deletions
--- a/main/coreutils/APKBUILD
+++ b/main/coreutils/APKBUILD
@ -3,7 +3,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=coreutils
 pkgver=9.4
-pkgrel=1
+pkgrel=2
 pkgdesc="The basic file, shell and text manipulation utilities"
 url="https://www.gnu.org/software/coreutils/"
 arch="all"
@ -11,10 +11,14 @@ license="GPL-3.0-or-later"
 makedepends="acl-dev attr-dev utmps-dev perl openssl-dev"
 subpackages="$pkgname-doc $pkgname-env $pkgname-fmt $pkgname-sha512sum:_sha512sum"
 install="$pkgname.post-deinstall"
-source="https://ftp.gnu.org/gnu/coreutils/coreutils-$pkgver.tar.xz"
-options="!check"
+source="https://ftp.gnu.org/gnu/coreutils/coreutils-$pkgver.tar.xz
+	CVE-2024-0684.patch
+	"
+options="!check" # FAIL: tests/cp/reflink-auto

 # secfixes:
+#   9.4-r2:
+#     - CVE-2024-0684
 #   8.30-r0:
 #     - CVE-2017-18018

@ -36,7 +40,6 @@ build() {
 	make
 }

-# XXX - some gnulib tests broken, find a way to patch out gnulib tests
 check() {
 	make check
 }
@ -88,4 +91,5 @@ _sha512sum() {

 sha512sums="
 7c55ee23b685a0462bbbd118b04d25278c902604a0dcf3bf4f8bf81faa0500dee5a7813cba6f586d676c98e520cafd420f16479619305e94ea6798d8437561f5  coreutils-9.4.tar.xz
+ce65374aae922452a2e4b90534aee8b81db6c9c1e16f403aa2dd3f1cc2329005b6e1b5f8eaf10731be315f4ff6408ea17b41be8a99e6be729cd102e92748e4be  CVE-2024-0684.patch
 "
--- a/main/coreutils/CVE-2024-0684.patch
+++ b/main/coreutils/CVE-2024-0684.patch
@ -0,0 +1,34 @@
+From c4c5ed8f4e9cd55a12966d4f520e3a13101637d9 Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Tue, 16 Jan 2024 13:48:32 -0800
+Subject: [PATCH 1/1] split: do not shrink hold buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+* src/split.c (line_bytes_split): Do not shrink hold buffer.
+If itâs large for this batch itâs likely to be large for the next
+batch, and for âsplitâ itâs not worth the complexity/CPU hassle to
+shrink it.  Do not assume hold_size can be bufsize.
+---
+ src/split.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/src/split.c b/src/split.c
+index 64020c859..037960a59 100644
+--- a/src/split.c
+++ b/src/split.c
+@@ -809,10 +809,7 @@ line_bytes_split (intmax_t n_bytes, char *buf, idx_t bufsize)
+             {
+               cwrite (n_out == 0, hold, n_hold);
+               n_out += n_hold;
+-              if (n_hold > bufsize)
+-                hold = xirealloc (hold, bufsize);
+               n_hold = 0;
+-              hold_size = bufsize;
+             }
+ 
+           /* Output to eol if present.  */
+-- 
+2.17.1
+