libosip2: add that fixes multiple CVEs

This commit adds a patch copied from Debian that addresses the following
bugs:

CVE-2016-10324
CVE-2016-10325
CVE-2016-10326
CVE-2017-7853

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>

diff --git a/libs/libosip2/Makefile b/libs/libosip2/Makefile
index fe4066b26eea2e773f54f2e5c1659b7e1c6b8b18..d5d6a84dd09c26947b675c917e4b93f5b779d93d 100644 (file)
--- a/libs/libosip2/Makefile
+++ b/libs/libosip2/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libosip2
 PKG_VERSION:=4.1.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=@GNU/osip

diff --git a/libs/libosip2/patches/002-CVE-2016-10324_CVE-2016-10325_CVE-2016-10326_CVE-2017-7853.patch b/libs/libosip2/patches/002-CVE-2016-10324_CVE-2016-10325_CVE-2016-10326_CVE-2017-7853.patch
new file mode 100644 (file)
index 0000000..b217d0d
--- /dev/null
+++ b/libs/libosip2/patches/002-CVE-2016-10324_CVE-2016-10325_CVE-2016-10326_CVE-2017-7853.patch
@@ -0,0 +1,69 @@
+Upstream patches by Aymeric Moizard <amoizard@gmail.com>:
+
+7e0793e15e21f68337e130c67b031ca38edf055f
+1d9fb1d3a71cc85ef95352e549b140c706cf8696
+b9dd097b5b24f5ee54b0a8739e59641cd51b6ead
+1ae06daf3b2375c34af23083394a6f010be24a45
+
+--- libosip2-4.1.0.orig/src/osipparser2/osip_body.c
++++ libosip2-4.1.0/src/osipparser2/osip_body.c
+@@ -417,6 +417,14 @@ osip_body_to_str (const osip_body_t * bo
+   }
+ 
+   if ((osip_list_size (body->headers) > 0) || (body->content_type != NULL)) {
++    if (length < tmp_body - ptr + 3) {
++      size_t len;
++
++      len = tmp_body - ptr;
++      length = length + 3 + body->length; /* add body->length, to avoid calling realloc often */
++      ptr = osip_realloc (ptr, length);
++      tmp_body = ptr + len;
++    }
+     tmp_body = osip_strn_append (tmp_body, CRLF, 2);
+   }
+   if (length < tmp_body - ptr + body->length + 4) {
+--- libosip2-4.1.0.orig/src/osipparser2/osip_message_parse.c
++++ libosip2-4.1.0/src/osipparser2/osip_message_parse.c
+@@ -812,6 +812,12 @@ msg_osip_body_parse (osip_message_t * si
+     if ('\n' == start_of_body[0] || '\r' == start_of_body[0])
+       start_of_body++;
+ 
++    /* if message body is empty or contains a single CR/LF */
++    if (end_of_body <= start_of_body) {
++      osip_free (sep_boundary);
++      return OSIP_SYNTAXERROR;
++    }
++
+     body_len = end_of_body - start_of_body;
+ 
+     /* Skip CR before end boundary. */
+--- libosip2-4.1.0.orig/src/osipparser2/osip_message_to_str.c
++++ libosip2-4.1.0/src/osipparser2/osip_message_to_str.c
+@@ -378,6 +378,13 @@ _osip_message_to_str (osip_message_t * s
+     /* A start-line isn't required for message/sipfrag parts. */
+   }
+   else {
++    size_t message_len = strlen(tmp);
++    if (_osip_message_realloc (&message, dest, message_len + 3, &malloc_size) < 0) {
++      osip_free (tmp);
++      *dest = NULL;
++      return OSIP_NOMEM;
++    }
++
+     message = osip_str_append (message, tmp);
+     osip_free (tmp);
+     message = osip_strn_append (message, CRLF, 2);
+--- libosip2-4.1.0.orig/src/osipparser2/osip_port.c
++++ libosip2-4.1.0/src/osipparser2/osip_port.c
+@@ -1462,8 +1462,10 @@ osip_clrncpy (char *dst, const char *src
+   char *p;
+   size_t spaceless_length;
+ 
+-  if (src == NULL)
++  if (src == NULL || len == 0) {
++    *dst = '\0';
+     return NULL;
++  }
+ 
+   /* find the start of relevant text */
+   pbeg = src;