Re: libarchive-2.8.4nb3 has a multiple-vulnerabilities vulnerability

To: pkgsrc-users%netbsd.org@localhost
Subject: Re: libarchive-2.8.4nb3 has a multiple-vulnerabilities vulnerability
From: "J. Lewis Muir" <jlmuir%imca-cat.org@localhost>
Date: Thu, 1 May 2014 14:35:40 -0500

On Thu, Apr 24, 2014 at 04:35:34PM -0500, J. Lewis Muir wrote:
> On 4/24/14, 8:51 AM, Havard Eidnes wrote:
> >>> he, could you file a pullup ticket for your commit?
> >>
> >> Already done, wiz@ pinged me about it a little earlier.
> > 
> > ...and I see now also already pulled up.
> > 
> > Regards,
> > 
> > - Håvard
> 
> Thanks everyone for getting this fixed!
> 
> Unfortunately, after updating the tree from CVS it won't compile
> with clang for me because the return type of the heap_add_entry
> function has changed from void to int, and there is an empty return in
> heap_add_entry.  Here's the clang error:
> 
> ===
> libarchive/archive_read_support_format_iso9660.c:2680:4: error: non-void
>       function 'heap_add_entry' should return a value [-Wreturn-type]
>                         return;
>                         ^
> ===
> 
> This is on Mac OS X Mavericks (10.9.2) with a clang that reports the
> following:
> 
> ===
> $ clang -v
> Apple LLVM version 5.1 (clang-503.0.40) (based on LLVM 3.4svn)
> Target: x86_64-apple-darwin13.1.0
> Thread model: posix
> ===
> 
> Below is a patch for archivers/libarchive against the stable branch
> (pkgsrc-2014Q1) to fix this.

Hello.

The patch has not been committed to CVS.  Would a developer be willing
to commit this?  The "archivers/libarchive" package won't compile for me
without it.

On a related note, is there a better way to send such a patch so that
it doesn't get missed?  I included the patch directly in the email; is
that preferred, or should I have made it an attachment?  Should I have
prepended something like "[patch]" to the subject?

Thanks!

Lewis

> 
> Index: files/libarchive/archive_read_support_format_iso9660.c
> ===================================================================
> RCS file: 
> /cvsroot/pkgsrc/archivers/libarchive/files/libarchive/archive_read_support_format_iso9660.c,v
> retrieving revision 1.3.34.1
> diff -b -u -r1.3.34.1 archive_read_support_format_iso9660.c
> --- files/libarchive/archive_read_support_format_iso9660.c    24 Apr 2014 
> 09:34:06 -0000      1.3.34.1
> +++ files/libarchive/archive_read_support_format_iso9660.c    24 Apr 2014 
> 21:05:49 -0000
> @@ -2677,7 +2677,7 @@
>               parent_key = heap->files[parent]->key;
>               if (file_key >= parent_key) {
>                       heap->files[hole] = file;
> -                     return;
> +                     return (ARCHIVE_OK);
>               }
>               // Move parent into hole <==> move hole up tree.
>               heap->files[hole] = heap->files[parent];

Follow-Ups:
- Re: libarchive-2.8.4nb3 has a multiple-vulnerabilities vulnerability
  - From: Greg Troxel

References:
- Re: libarchive-2.8.4nb3 has a multiple-vulnerabilities vulnerability
  - From: J. Lewis Muir
- Re: libarchive-2.8.4nb3 has a multiple-vulnerabilities vulnerability
  - From: Benny Siegert
- Re: libarchive-2.8.4nb3 has a multiple-vulnerabilities vulnerability
  - From: Havard Eidnes
- Re: libarchive-2.8.4nb3 has a multiple-vulnerabilities vulnerability
  - From: Havard Eidnes
- Re: libarchive-2.8.4nb3 has a multiple-vulnerabilities vulnerability
  - From: J. Lewis Muir

Prev by Date: Re: CVS commit: pkgsrc/www/firefox
Next by Date: Re: libarchive-2.8.4nb3 has a multiple-vulnerabilities vulnerability
Previous by Thread: Re: libarchive-2.8.4nb3 has a multiple-vulnerabilities vulnerability
Next by Thread: Re: libarchive-2.8.4nb3 has a multiple-vulnerabilities vulnerability
Indexes:

Home | Main Index | Thread Index | Old Index