main/iniparser: fix CVE-2023-33461

34508015 · alice · 399fabe8 · 34508015 · 34508015
Commit 34508015 authored 1 year ago by alice
--- a/main/iniparser/APKBUILD
+++ b/main/iniparser/APKBUILD
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=iniparser
 pkgver=4.1
-pkgrel=1
-pkgdesc="C library for parsing "INI-style" files"
+pkgrel=2
+pkgdesc="C library for parsing INI-style files"
 url="http://ndevilla.free.fr/iniparser/"
 arch="all"
 license="MIT"
 makedepends="bash"
 subpackages="$pkgname-dev"
 source="$pkgname-$pkgver.tar.gz::https://github.com/ndevilla/iniparser/archive/v$pkgver.tar.gz
-	rpath.patch"
+	CVE-2023-33461.patch
+	rpath.patch
+	"
+
+# secfixes:
+#   4.1-r2:
+#     - CVE-2023-33461

 build() {
 	make
@@ -27,5 +33,8 @@ package() {
 	ln -s libiniparser.so.1 "$pkgdir"/usr/lib/libiniparser.so
 }

-sha512sums="a8125aaaead1f9dfde380fa1e45bae31ca2312be029f2c53b4072cb3b127d16578a95c7c0aee1e3dda5e7b8db7a865ba6dfe8a1d80eb673061b3babef744e968  iniparser-4.1.tar.gz
-db7bdab6f8faafd47c8b50104e1a461fbd9324b75482b1455a8fc059c07278e7e60f088a3f712b0ade05a9bb989168d17684455b9863018f22a61e0190a888c6  rpath.patch"
+sha512sums="
+a8125aaaead1f9dfde380fa1e45bae31ca2312be029f2c53b4072cb3b127d16578a95c7c0aee1e3dda5e7b8db7a865ba6dfe8a1d80eb673061b3babef744e968  iniparser-4.1.tar.gz
+d2becc2fdbe5a57c7bdd05c61ba4f5a199c43fac55cd98c9b54e11ca06d74d5c592e7fea86c634c91db92c74fa3ec95abad379ff4caa4c79449198528d5b6e48  CVE-2023-33461.patch
+db7bdab6f8faafd47c8b50104e1a461fbd9324b75482b1455a8fc059c07278e7e60f088a3f712b0ade05a9bb989168d17684455b9863018f22a61e0190a888c6  rpath.patch
+"
--- a/main/iniparser/CVE-2023-33461.patch
+++ b/main/iniparser/CVE-2023-33461.patch
+Patch-Source: https://github.com/ndevilla/iniparser/pull/146
+--
+From ace9871f65d11b5d73f0b9ee8cf5d2807439442d Mon Sep 17 00:00:00 2001
+From: Antonio <antoniolrt@gmail.com>
+Date: Fri, 2 Jun 2023 15:03:10 -0300
+Subject: [PATCH] Handle null return from iniparser_getstring
+
+Fix handling of NULL returns from iniparser_getstring in
+iniparser_getboolean, iniparser_getlongint and iniparser_getdouble,
+avoiding a crash.
+---
+ src/iniparser.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/iniparser.c b/src/iniparser.c
+index f1d1658..dbceb20 100644
+--- a/src/iniparser.c
+++ b/src/iniparser.c
+@@ -456,7 +456,7 @@ long int iniparser_getlongint(const dictionary * d, const char * key, long int n
+     const char * str ;
+ 
+     str = iniparser_getstring(d, key, INI_INVALID_KEY);
+-    if (str==INI_INVALID_KEY) return notfound ;
+    if (str==NULL || str==INI_INVALID_KEY) return notfound ;
+     return strtol(str, NULL, 0);
+ }
+ 
+@@ -511,7 +511,7 @@ double iniparser_getdouble(const dictionary * d, const char * key, double notfou
+     const char * str ;
+ 
+     str = iniparser_getstring(d, key, INI_INVALID_KEY);
+-    if (str==INI_INVALID_KEY) return notfound ;
+    if (str==NULL || str==INI_INVALID_KEY) return notfound ;
+     return atof(str);
+ }
+ 
+@@ -553,7 +553,7 @@ int iniparser_getboolean(const dictionary * d, const char * key, int notfound)
+     const char * c ;
+ 
+     c = iniparser_getstring(d, key, INI_INVALID_KEY);
+-    if (c==INI_INVALID_KEY) return notfound ;
+    if (c==NULL || c==INI_INVALID_KEY) return notfound ;
+     if (c[0]=='y' || c[0]=='Y' || c[0]=='1' || c[0]=='t' || c[0]=='T') {
+         ret = 1 ;
+     } else if (c[0]=='n' || c[0]=='N' || c[0]=='0' || c[0]=='f' || c[0]=='F') {