main/c-ares: patch CVE-2024-25629

main/c-ares/APKBUILD

@@ -2,16 +2,20 @@
 # Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
 pkgname=c-ares
 pkgver=1.19.1
-pkgrel=0
+pkgrel=1
 pkgdesc="An asynchronously DNS/names resolver library"
-url="https://c-ares.haxx.se/"
+url="https://c-ares.org/"
 arch="all"
 options="!check"
 license="MIT"
 subpackages="$pkgname-doc $pkgname-static $pkgname-dev"
-source="https://c-ares.haxx.se/download/c-ares-$pkgver.tar.gz"
+source="https://c-ares.haxx.se/download/c-ares-$pkgver.tar.gz
+	CVE-2024-25629.patch
+	"
 
 # secfixes:
+#   1.19.1-r1:
+#     - CVE-2024-25629
 #   1.17.2-r0:
 #     - CVE-2021-3672
 
@@ -42,4 +46,5 @@ package() {
 
 sha512sums="
 466a94efda626e815a6ef7a890637056339f883d549ea6055e289fd8cd2391130e5682c905c0fb3bd7e955af7f6deb793562c170eb0ee066a4a62085a82ba470  c-ares-1.19.1.tar.gz
+353223ab92581d652ef9f282207f8a9a9af6dc83737df3dacd163f3de64dc1c8f3d32db7536e8815704cca8e0e2291720057e98a426eb8590261a43c82ce60fe  CVE-2024-25629.patch
 "

main/c-ares/CVE-2024-25629.patch

+Based on upstream commit a804c04ddc8245fc8adf0e92368709639125e183
+
+  "Merge pull request from GHSA-mg26-v6qh-x48q"
+
+--- a/src/lib/ares__read_line.c
++++ b/src/lib/ares__read_line.c
+@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf
+       if (!fgets(*buf + offset, bytestoread, fp))
+         return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
+       len = offset + strlen(*buf + offset);
++
++      /* Probably means there was an embedded NULL as the first character in
++       * the line, throw away line */
++      if (len == 0) {
++        offset = 0;
++        continue;
++      }
++
+       if ((*buf)[len - 1] == '\n')
+         {
+           (*buf)[len - 1] = 0;