diff --git a/.bzip2.metadata b/.bzip2.metadata
deleted file mode 100644
index 1a6fb9e..0000000
--- a/.bzip2.metadata
+++ /dev/null
@@ -1 +0,0 @@
-3f89f861209ce81a6bab1fd1998c0ef311712002 SOURCES/bzip2-1.0.6.tar.gz
diff --git a/.gitignore b/.gitignore
index 0423b4f..4893193 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
-SOURCES/bzip2-1.0.6.tar.gz
+bzip2-1.0.8.tar.gz
+bzip2-1.0.8.tar.gz.sig
+gpgkey-5C1D1AA44BE649DE760A.gpg
diff --git a/SOURCES/bzip2-1.0.4-bzip2recover.patch b/SOURCES/bzip2-1.0.4-bzip2recover.patch
deleted file mode 100644
index e2bfe1c..0000000
--- a/SOURCES/bzip2-1.0.4-bzip2recover.patch
+++ /dev/null
@@ -1,12 +0,0 @@
---- bzip2-1.0.4/bzip2recover.c.pom 2007-01-03 03:00:55.000000000 +0100
-+++ bzip2-1.0.4/bzip2recover.c 2007-02-05 11:55:17.000000000 +0100
-@@ -309,7 +309,8 @@
- UInt32 buffHi, buffLo, blockCRC;
- Char* p;
-
-- strcpy ( progName, argv[0] );
-+ strncpy ( progName, argv[0], BZ_MAX_FILENAME-1);
-+ progName[BZ_MAX_FILENAME-1]='\0';
- inFileName[0] = outFileName[0] = 0;
-
- fprintf ( stderr,
diff --git a/SOURCES/decompress-out-of-bounds.patch b/SOURCES/decompress-out-of-bounds.patch
deleted file mode 100644
index 0780957..0000000
--- a/SOURCES/decompress-out-of-bounds.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From b07b105d1b66e32760095e3602261738443b9e13 Mon Sep 17 00:00:00 2001
-From: Mark Wielaard
-Date: Wed, 3 Jul 2019 01:28:11 +0200
-Subject: Accept as many selectors as the file format allows.
-
-But ignore any larger than the theoretical maximum, BZ_MAX_SELECTORS.
-
-The theoretical maximum number of selectors depends on the maximum
-blocksize (900000 bytes) and the number of symbols (50) that can be
-encoded with a different Huffman tree. BZ_MAX_SELECTORS is 18002.
-
-But the bzip2 file format allows the number of selectors to be encoded
-with 15 bits (because 18002 isn't a factor of 2 and doesn't fit in
-14 bits). So the file format maximum is 32767 selectors.
-
-Some bzip2 encoders might actually have written out more selectors
-than the theoretical maximum because they rounded up the number of
-selectors to some convenient factor of 8.
-
-The extra 14766 selectors can never be validly used by the decompression
-algorithm. So we can read them, but then discard them.
-
-This is effectively what was done (by accident) before we added a
-check for nSelectors to be at most BZ_MAX_SELECTORS to mitigate
-CVE-2019-12900.
-
-The extra selectors were written out after the array inside the
-EState struct. But the struct has extra space allocated after the
-selector arrays of 18060 bytes (which is larger than 14766).
-All of which will be initialized later (so the overwrite of that
-space with extra selector values would have been harmless).
-
-Note by jamartis:
-The original patch Described above also reverts some changes that were made after 1.0.6.
-Since these changes are not yet present in 1.0.6, they don't need to be reverted and are thus
-removed from the original patch
-
-
----
-diff --git a/decompress.c b/decompress.c
-index 20ce493..3303499 100644
---- a/decompress.c
-+++ b/decompress.c
-@@ -296,8 +296,14 @@ Int32 BZ2_decompress ( DState* s )
- j++;
- if (j >= nGroups) RETURN(BZ_DATA_ERROR);
- }
-- s->selectorMtf[i] = j;
-+ /* Having more than BZ_MAX_SELECTORS doesn't make much sense
-+ since they will never be used, but some implementations might
-+ "round up" the number of selectors, so just ignore those. */
-+ if (i < BZ_MAX_SELECTORS)
-+ s->selectorMtf[i] = j;
- }
-+ if (nSelectors > BZ_MAX_SELECTORS)
-+ nSelectors = BZ_MAX_SELECTORS;
-
- /*--- Undo the MTF values for the selectors. ---*/
- {
---
-cgit
diff --git a/SOURCES/set-out-file-to-null.patch b/SOURCES/set-out-file-to-null.patch
deleted file mode 100644
index 18d193b..0000000
--- a/SOURCES/set-out-file-to-null.patch
+++ /dev/null
@@ -1,11 +0,0 @@
-diff -up ./bzip2recover.c.old ./bzip2recover.c
---- ./bzip2recover.c.old 2016-03-22 08:49:38.855620000 +0100
-+++ ./bzip2recover.c 2016-03-30 10:22:27.341430099 +0200
-@@ -458,6 +458,7 @@ Int32 main ( Int32 argc, Char** argv )
- bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 );
- bsPutUInt32 ( bsWr, blockCRC );
- bsClose ( bsWr );
-+ outFile = NULL;
- }
- if (wrBlock >= rbCtr) break;
- wrBlock++;
diff --git a/bzip2-6.0-sast.patch b/bzip2-6.0-sast.patch
new file mode 100644
index 0000000..5ffbdc7
--- /dev/null
+++ b/bzip2-6.0-sast.patch
@@ -0,0 +1,11 @@
+--- ./bzip2recover.c.old 2024-12-03 11:00:07.024976697 +0100
++++ ./bzip2recover.c 2024-12-03 11:02:28.832219809 +0100
+@@ -402,7 +402,7 @@
+ rbEnd[rbCtr] = bEnd[currBlock];
+ rbCtr++;
+ }
+- if (currBlock >= BZ_MAX_HANDLED_BLOCKS)
++ if (currBlock >= (BZ_MAX_HANDLED_BLOCKS-1))
+ tooManyBlocks(BZ_MAX_HANDLED_BLOCKS);
+ currBlock++;
+
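Review bot: The new bzip2-6.0-sast.patch has no description above its `---` header, so the only record of what it fixes is the changelog line `Fix an off by one error in bzip2recover.c` with `Resolves: RHEL-36503`. The hunk itself shows why the bound moved: `currBlock` is used as an index into the block arrays (`bEnd[currBlock]` in the hunk; the stores presumably precede it, outside the hunk) before the old `>= BZ_MAX_HANDLED_BLOCKS` test runs, and `currBlock++` follows the test, so the old check only fired after the index had already been used at BZ_MAX_HANDLED_BLOCKS, one past the last slot, whereas the new `>= (BZ_MAX_HANDLED_BLOCKS-1)` test stops before that can happen. A header stating this, e.g. `bzip2recover: bail out one block earlier so currBlock can never index the block arrays at BZ_MAX_HANDLED_BLOCKS (RHEL-36503)`, would also let the next maintainer see the trade-off that an input with exactly BZ_MAX_HANDLED_BLOCKS blocks is now rejected as well. The guard still relies on tooManyBlocks() not returning, which is outside the hunk and worth noting in that header too.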
diff --git a/SOURCES/bzip2-1.0.4-cflags.patch b/bzip2-cflags.patch
similarity index 68%
rename from SOURCES/bzip2-1.0.4-cflags.patch
rename to bzip2-cflags.patch
index 209d738..992abbf 100644
--- a/SOURCES/bzip2-1.0.4-cflags.patch
+++ b/bzip2-cflags.patch
@@ -5,8 +5,8 @@ diff -up bzip2-1.0.6/Makefile-libbz2_so.pom bzip2-1.0.6/Makefile-libbz2_so
bzlib.o
all: $(OBJS)
-- $(CC) -shared -Wl,-soname -Wl,libbz2.so.1 -o libbz2.so.1.0.6 $(OBJS)
-+ $(CC) $(CFLAGS) -shared -Wl,-soname -Wl,libbz2.so.1 -o libbz2.so.1.0.6 $(OBJS)
- $(CC) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.6
+- $(CC) -shared -Wl,-soname -Wl,libbz2.so.1 -o libbz2.so.1.0.8 $(OBJS)
++ $(CC) $(CFLAGS) -shared -Wl,-soname -Wl,libbz2.so.1 -o libbz2.so.1.0.8 $(OBJS)
+ $(CC) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.8
rm -f libbz2.so.1.0
- ln -s libbz2.so.1.0.6 libbz2.so.1.0
+ ln -s libbz2.so.1.0.8 libbz2.so.1.0
diff --git a/SOURCES/bzip2-ldflags.patch b/bzip2-ldflags.patch
similarity index 88%
rename from SOURCES/bzip2-ldflags.patch
rename to bzip2-ldflags.patch
index 2281262..53c6ecc 100644
--- a/SOURCES/bzip2-ldflags.patch
+++ b/bzip2-ldflags.patch
@@ -27,10 +27,10 @@ diff -up bzip2-1.0.6/Makefile-libbz2_so.jx bzip2-1.0.6/Makefile-libbz2_so
bzlib.o
all: $(OBJS)
-- $(CC) $(CFLAGS) -shared -Wl,-soname -Wl,libbz2.so.1 -o libbz2.so.1.0.6 $(OBJS)
-- $(CC) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.6
-+ $(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,-soname -Wl,libbz2.so.1 -o libbz2.so.1.0.6 $(OBJS)
-+ $(CC) $(CFLAGS) $(LDFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.6
+- $(CC) $(CFLAGS) -shared -Wl,-soname -Wl,libbz2.so.1 -o libbz2.so.1.0.8 $(OBJS)
+- $(CC) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.8
++ $(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,-soname -Wl,libbz2.so.1 -o libbz2.so.1.0.8 $(OBJS)
++ $(CC) $(CFLAGS) $(LDFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.8
rm -f libbz2.so.1.0
- ln -s libbz2.so.1.0.6 libbz2.so.1.0
+ ln -s libbz2.so.1.0.8 libbz2.so.1.0
diff --git a/SOURCES/bzip2-1.0.4-saneso.patch b/bzip2-saneso.patch
similarity index 59%
rename from SOURCES/bzip2-1.0.4-saneso.patch
rename to bzip2-saneso.patch
index 6b3430c..ec76a4c 100644
--- a/SOURCES/bzip2-1.0.4-saneso.patch
+++ b/bzip2-saneso.patch
@@ -5,8 +5,8 @@ diff -up bzip2-1.0.6/Makefile-libbz2_so.pom bzip2-1.0.6/Makefile-libbz2_so
bzlib.o
all: $(OBJS)
-- $(CC) -shared -Wl,-soname -Wl,libbz2.so.1.0 -o libbz2.so.1.0.6 $(OBJS)
-+ $(CC) -shared -Wl,-soname -Wl,libbz2.so.1 -o libbz2.so.1.0.6 $(OBJS)
- $(CC) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.6
+- $(CC) -shared -Wl,-soname -Wl,libbz2.so.1.0 -o libbz2.so.1.0.8 $(OBJS)
++ $(CC) -shared -Wl,-soname -Wl,libbz2.so.1 -o libbz2.so.1.0.8 $(OBJS)
+ $(CC) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.8
rm -f libbz2.so.1.0
- ln -s libbz2.so.1.0.6 libbz2.so.1.0
+ ln -s libbz2.so.1.0.8 libbz2.so.1.0
diff --git a/SOURCES/bzip2.pc b/bzip2.pc
similarity index 100%
rename from SOURCES/bzip2.pc
rename to bzip2.pc
diff --git a/SPECS/bzip2.spec b/bzip2.spec
similarity index 72%
rename from SPECS/bzip2.spec
rename to bzip2.spec
index 261043b..e459924 100644
--- a/SPECS/bzip2.spec
+++ b/bzip2.spec
@@ -1,23 +1,30 @@
-%global library_version 1.0.6
+%global library_version 1.0.8
-Summary: A file compression utility
+Summary: File compression utility
Name: bzip2
-Version: 1.0.6
-Release: 28%{?dist}
-License: BSD
-Group: Applications/File
-URL: http://www.bzip.org/
-Source0: http://www.bzip.org/%{version}/%{name}-%{version}.tar.gz
+Version: 1.0.8
+Release: 25%{?dist}
+License: BSD-4-Clause
+URL: https://sourceware.org/bzip2
+#Source0: http://www.bzip.org/%{version}/%{name}-%{version}.tar.gz
+Source0: https://sourceware.org/pub/bzip2/%{name}-%{version}.tar.gz
Source1: bzip2.pc
+Source2: https://sourceware.org/pub/bzip2/%{name}-%{version}.tar.gz.sig
+# https://sourceware.org/bzip2/downloads.html links to the gpg key
+# https://sourceware.org/pub/bzip2/gpgkey-5C1D1AA44BE649DE760A.gpg
+# with which the tarballs are signed
+Source3: gpgkey-5C1D1AA44BE649DE760A.gpg
-Patch0: bzip2-1.0.4-saneso.patch
-Patch1: bzip2-1.0.4-cflags.patch
-# resolves: #226979
-Patch2: bzip2-1.0.4-bzip2recover.patch
-Patch3: bzip2-ldflags.patch
-# resolves: #1348179
-Patch4: set-out-file-to-null.patch
-Patch5: decompress-out-of-bounds.patch
+Patch0: bzip2-saneso.patch
+Patch1: bzip2-cflags.patch
+Patch2: bzip2-ldflags.patch
+Patch3: man_gzipdiff.patch
+Patch4: bzip2-6.0-sast.patch
+
+BuildRequires: gcc
+BuildRequires: make
+BuildRequires: gnupg2
+Requires: bzip2-libs%{?_isa} = %{version}-%{release}
%description
Bzip2 is a freely available, patent-free, high quality data compressor.
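Review bot: None of the five Patch lines in the new spec carries a comment saying what the patch fixes, whereas the removed lines annotated patches with `# resolves: #226979` and `# resolves: #1348179`. The two patches that are new to this spec are explained only in the changelog: `Patch3: man_gzipdiff.patch` corresponds to `resolves: #1897104` and `Patch4: bzip2-6.0-sast.patch` to `Fix an off by one error in bzip2recover.c` / `Resolves: RHEL-36503`. Suggest restoring the convention, e.g. `# man page: gzip/bzip2 differences, resolves: #1897104` above Patch3 and `# off by one in bzip2recover.c, resolves: RHEL-36503` above Patch4. The commented-out `#Source0: http://www.bzip.org/...` line is dead now that Source0 points at sourceware.org and could be dropped at the same time.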
@@ -32,63 +39,48 @@ Install bzip2 if you need a compression utility.
%package devel
Summary: Libraries and header files for apps which will use bzip2
-Group: Development/Libraries
-Requires: bzip2-libs = %{version}-%{release}
+Requires: bzip2-libs%{?_isa} = %{version}-%{release}
%description devel
-
Header files and a library of bzip2 functions, for developing apps which will use the library.
%package libs
Summary: Libraries for applications using bzip2
-Group: System Environment/Libraries
%description libs
-
Libraries for applications using the bzip2 compression format.
%package static
Summary: Libraries for applications using bzip2
-Group: System Environment/Libraries
%description static
-
Static libraries for applications using the bzip2 compression format.
%prep
+%{gpgverify} --keyring='%{SOURCE3}' --signature='%{SOURCE2}' --data='%{SOURCE0}'
%setup -q
-%patch0 -p1 -b .saneso
-%patch1 -p1 -b .cflags
-%patch2 -p1 -b .bz2recover
-%patch3 -p1 -b .ldflags
-%patch4 -p1 -b .bzip2recover
-%patch5 -p1
+%patch 0 -p1
+%patch 1 -p1
+%patch 2 -p1
+%patch 3 -p2
+%patch 4 -p1
cp -a %{SOURCE1} .
sed -i "s|^libdir=|libdir=%{_libdir}|" bzip2.pc
%build
-%if 0%{?rhel} >= 7
- %ifarch ppc64
- export O3="-O3"
- %else
- export O3=""
- %endif
-%else
- export O3=""
-%endif
-make -f Makefile-libbz2_so CC="%{__cc}" AR="%{__ar}" RANLIB="%{__ranlib}" \
- CFLAGS="$RPM_OPT_FLAGS -D_FILE_OFFSET_BITS=64 -fpic -fPIC $O3" \
+%make_build -f Makefile-libbz2_so CC="%{__cc}" AR="%{__ar}" RANLIB="ranlib" \
+ CFLAGS="$RPM_OPT_FLAGS -D_FILE_OFFSET_BITS=64 -fpic -fPIC" \
LDFLAGS="%{__global_ldflags}" \
- %{?_smp_mflags} all
+ all
rm -f *.o
-make CC="%{__cc}" AR="%{__ar}" RANLIB="%{__ranlib}" \
- CFLAGS="$RPM_OPT_FLAGS -D_FILE_OFFSET_BITS=64 $O3" \
+%make_build CC="%{__cc}" AR="%{__ar}" RANLIB="ranlib" \
+ CFLAGS="$RPM_OPT_FLAGS -D_FILE_OFFSET_BITS=64" \
LDFLAGS="%{__global_ldflags}" \
- %{?_smp_mflags} all
+ all
%install
chmod 644 bzlib.h
@@ -119,19 +111,16 @@ ln -s bzgrep.1 $RPM_BUILD_ROOT%{_mandir}/man1/bzfgrep.1
%ldconfig_scriptlets libs
%files
-%doc LICENSE CHANGES README
-%{!?_licensedir:%global license %%doc}
+%doc CHANGES README
%license LICENSE
%{_bindir}/*
%{_mandir}/*/*
%files libs
-%{!?_licensedir:%global license %%doc}
%license LICENSE
%{_libdir}/libbz2.so.1*
%files static
-%{!?_licensedir:%global license %%doc}
%license LICENSE
%{_libdir}/libbz2.a
@@ -142,13 +131,102 @@ ln -s bzgrep.1 $RPM_BUILD_ROOT%{_mandir}/man1/bzfgrep.1
%{_libdir}/pkgconfig/bzip2.pc
%changelog
-* Thu Dec 19 2024 Jakub Martisko - 1.0.6-28
-- The previous fix caused some regressions
-- Use an updated patch that deals with the original issue+the regressions
-Resolves: RHEL-71140
+* Thu Dec 19 2024 Jakub Martisko - 1.0.8-25
+- Revert the changes from 1.0.8-23
+Resolves: RHEL-71750
-* Tue Oct 29 2024 Jacek Migacz - 1.0.6-27
-- Fixes out of bounds access in BZ2_decompress (RHEL-64929)
+* Tue Dec 03 2024 Jakub Martisko - 1.0.8-24
+- Fix an off by one error in bzip2recover.c
+Resolves: RHEL-36503
+
+* Tue Dec 03 2024 Jakub Martisko - 1.0.8-23
+- Fix out of bounds write in bz_decompress
+Resolves: CVE-2019-12900
+
+* Tue Dec 03 2024 Jakub Martisko - 1.0.8-22
+- Minor spec cleanup
+- Add explicit requires for the bzip2 package
+ Resolves: RHEL-69797
+
+* Tue Oct 29 2024 Troy Dawson - 1.0.8-21
+- Bump release for October 2024 mass rebuild:
+ Resolves: RHEL-64018
+
+* Mon Aug 19 2024 Jakub Martisko - 1.0.8-20
+- Rebuild with enabled gating
+Resolves: RHEL-52100
+
+* Mon Jun 24 2024 Troy Dawson - 1.0.8-19
+- Bump release for June 2024 mass rebuild
+
+* Tue Jan 23 2024 Fedora Release Engineering - 1.0.8-18
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering - 1.0.8-17
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Jul 20 2023 Stewart Smith - 1.0.8-16
+- gpgverify source tarball
+
+* Wed Jul 19 2023 Fedora Release Engineering - 1.0.8-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Thu Apr 13 2023 Lukáš Zaoral - 1.0.8-14
+- migrate to SPDX license format
+
+* Wed Jan 18 2023 Fedora Release Engineering - 1.0.8-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Jul 20 2022 Fedora Release Engineering - 1.0.8-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Wed Jan 19 2022 Fedora Release Engineering - 1.0.8-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Tue Nov 02 2021 Jakub Martisko - 1.0.8-10
+- Fix a typo in the man page
+
+* Wed Jul 21 2021 Fedora Release Engineering - 1.0.8-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Wed Jul 21 2021 Jakub Martisko - 1.0.8-8
+- Fix FTBFS due to _ranlib macro being removed
+
+* Fri Feb 12 2021 Michal Schorm - 1.0.8-7
+- Remove the ancient ppc64 hack
+
+* Fri Jan 29 2021 Jakub Martisko - 1.0.8-6
+- Minor man pgae update (gzip/bzip2 differnces)
+ resolves: #1897104
+
+* Tue Jan 26 2021 Fedora Release Engineering - 1.0.8-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jul 28 2020 Jakub Martisko - 1.0.8-4
+- Use make macros
+
+* Mon Jul 27 2020 Fedora Release Engineering - 1.0.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jan 28 2020 Fedora Release Engineering - 1.0.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Aug 06 2019 Jakub Martisko - 1.0.8-1
+- Update to version 1.0.8
+ resolves: #1724797
+ resolves: #1717478
+
+* Wed Jul 24 2019 Fedora Release Engineering - 1.0.6-30
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jan 31 2019 Fedora Release Engineering - 1.0.6-29
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Jul 12 2018 Fedora Release Engineering - 1.0.6-28
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Mar 01 2018 Jakub Martisko - 1.0.6-27
+- Add gcc to buildrequires
* Wed Feb 07 2018 Fedora Release Engineering - 1.0.6-26
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
diff --git a/man_gzipdiff.patch b/man_gzipdiff.patch
new file mode 100644
index 0000000..cfc1b18
--- /dev/null
+++ b/man_gzipdiff.patch
@@ -0,0 +1,20 @@
+--- ./bzip2-1.0.8/bzip2.1 2019-07-13 19:50:05.000000000 +0200
++++ ./bzip2-1.0.8/bzip2.1.new 2021-01-29 11:51:04.091430407 +0100
+@@ -170,6 +170,17 @@
+ to try to recover data from
+ damaged files.
+
++Unlike
++.I GNU gzip,
++.I bzip2
++will not create a cascade of
++.I .bz2
++suffixes even when using the
++.I --force
++option:
++
++ filename.bz2 does not become filename.bz2.bz2
++
+ Return values: 0 for a normal exit, 1 for environmental problems (file
+ not found, invalid flags, I/O errors, &c), 2 to indicate a corrupt
+ compressed file, 3 for an internal consistency error (eg, bug) which
diff --git a/sources b/sources
new file mode 100644
index 0000000..c8f1b9e
--- /dev/null
+++ b/sources
@@ -0,0 +1,3 @@
+SHA512 (bzip2-1.0.8.tar.gz) = 083f5e675d73f3233c7930ebe20425a533feedeaaa9d8cc86831312a6581cefbe6ed0d08d2fa89be81082f2a5abdabca8b3c080bf97218a1bd59dc118a30b9f3
+SHA512 (bzip2-1.0.8.tar.gz.sig) = 4a4a3fa0ec1c10a704b9870e8e629fd007cca55184423c6bfc3049a702fb41e4aeb73bfe9ca7442c27d32d278f1f34f27523a6be67d35b37896acdded12bf40d
+SHA512 (gpgkey-5C1D1AA44BE649DE760A.gpg) = dc44ed3e38f54c3e57a4d83fa8b48ce2a8694802dd6bbf057cf432958f88ace9b585ee36a59ba98444e76c9aef0e998b9108a3807f97ebd6ba62303b41ab4690