From 1694337de79e237201d89acee86366764e38b1cd Mon Sep 17 00:00:00 2001
From: CRTS <crts [at] gmx [dot] net>
Date: Mon, 26 Feb 2024 07:59:12 +0700
Subject: system/libsignal-protocol-c: Update script.

Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
---
 system/libsignal-protocol-c/README                 |  9 ++++
 ...libsignal-protocol-c-2.3.3-CVE-2022-48468.patch | 53 ++++++++++++++++++++++
 .../libsignal-protocol-c.SlackBuild                | 17 ++++---
 3 files changed, 73 insertions(+), 6 deletions(-)
 create mode 100644 system/libsignal-protocol-c/libsignal-protocol-c-2.3.3-CVE-2022-48468.patch

(limited to 'system')

diff --git a/system/libsignal-protocol-c/README b/system/libsignal-protocol-c/README
index d80dcb6efe..7923ac2069 100644
--- a/system/libsignal-protocol-c/README
+++ b/system/libsignal-protocol-c/README
@@ -1,2 +1,11 @@
 This is a ratcheting forward secrecy protocol that works
 in synchronous and asynchronous messaging environments.
+The code upstream has been marked as "archived" since February 2022.
+
+The default is to provide a shared library. However, one can build it
+statically by passing STATIC=yes:
+
+# STATIC=yes sh libsignal-protocol-c.SlackBuild
+
+This way you can statically link it into your final program and 
+remove the library.
diff --git a/system/libsignal-protocol-c/libsignal-protocol-c-2.3.3-CVE-2022-48468.patch b/system/libsignal-protocol-c/libsignal-protocol-c-2.3.3-CVE-2022-48468.patch
new file mode 100644
index 0000000000..8b3706dd88
--- /dev/null
+++ b/system/libsignal-protocol-c/libsignal-protocol-c-2.3.3-CVE-2022-48468.patch
@@ -0,0 +1,53 @@
+From 478dfe51552243b367cf2e9c5d047cbbd3c21635 Mon Sep 17 00:00:00 2001
+From: Randy Barlow <randy@electronsweatshop.com>
+Date: Fri, 18 Mar 2022 12:42:57 -0400
+Subject: [PATCH] CVE-2022-48468: unsigned integer overflow
+
+This commit combines two upstream commits from protobuf-c[0][1].
+The first fixes an unsigned integer overflow, and the second fixes a
+regression introduced by the first. I originally decided to amend the
+commit message of the first to mention that it fixes a CVE, but then I
+realized it would be better to bring the fix for the regression together
+with it.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48468
+https://bugzilla.redhat.com/show_bug.cgi?id=2186673
+
+[0]
+https://github.com/protobuf-c/protobuf-c/pull/513/commits/289f5c18b195aa43d46a619d1188709abbfa9c82
+[1]
+https://github.com/protobuf-c/protobuf-c/pull/513/commits/0d1fd124a4e0a07b524989f6e64410ff648fba61
+
+Co-authored-by: 10054172 <hui.zhang@thalesgroup.com>
+Co-authored-by: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Signed-off-by: 10054172 <hui.zhang@thalesgroup.com>
+Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
+---
+ src/protobuf-c/protobuf-c.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/protobuf-c/protobuf-c.c b/src/protobuf-c/protobuf-c.c
+index 4f2f5bc..6ae5287 100644
+--- a/src/protobuf-c/protobuf-c.c
++++ b/src/protobuf-c/protobuf-c.c
+@@ -2456,10 +2456,13 @@ parse_required_member(ScannedMember *scanned_member,
+ 			return FALSE;
+ 
+ 		def_mess = scanned_member->field->default_value;
+-		subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
+-						 allocator,
+-						 len - pref_len,
+-						 data + pref_len);
++		if (len >= pref_len)
++			subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
++							 allocator,
++							 len - pref_len,
++							 data + pref_len);
++		else
++			subm = NULL;
+ 
+ 		if (maybe_clear &&
+ 		    *pmessage != NULL &&
+-- 
+2.39.2
+
diff --git a/system/libsignal-protocol-c/libsignal-protocol-c.SlackBuild b/system/libsignal-protocol-c/libsignal-protocol-c.SlackBuild
index 53167e23dc..742b7f532d 100644
--- a/system/libsignal-protocol-c/libsignal-protocol-c.SlackBuild
+++ b/system/libsignal-protocol-c/libsignal-protocol-c.SlackBuild
@@ -27,7 +27,7 @@ cd $(dirname $0) ; CWD=$(pwd)
 
 PRGNAM=libsignal-protocol-c
 VERSION=${VERSION:-2.3.3}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 TAG=${TAG:-_SBo}
 PKGTYPE=${PKGTYPE:-tgz}
 
@@ -51,6 +51,8 @@ TMP=${TMP:-/tmp/SBo}
 PKG=$TMP/package-$PRGNAM
 OUTPUT=${OUTPUT:-/tmp}
 
+[ "${STATIC:-no}" = "yes" ] && SHARED_LIBS_STATUS=OFF || SHARED_LIBS_STATUS=ON
+
 if [ "$ARCH" = "i586" ]; then
   SLKCFLAGS="-O2 -march=i586 -mtune=i686"
   LIBDIRSUFFIX=""
@@ -60,6 +62,9 @@ elif [ "$ARCH" = "i686" ]; then
 elif [ "$ARCH" = "x86_64" ]; then
   SLKCFLAGS="-O2 -fPIC"
   LIBDIRSUFFIX="64"
+elif [ "$ARCH" = "aarch64" ]; then
+  SLKCFLAGS="-O2 -fPIC"
+  LIBDIRSUFFIX="64"
 else
   SLKCFLAGS="-O2"
   LIBDIRSUFFIX=""
@@ -80,6 +85,9 @@ find -L . \
  \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
   -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
 
+# Patch for CVE-2022-48468 (obtained from the Gentoo package)
+patch -p1 < $CWD/libsignal-protocol-c-2.3.3-CVE-2022-48468.patch
+
 mkdir -p build
 cd build
   cmake \
@@ -87,15 +95,12 @@ cd build
     -DCMAKE_CXX_FLAGS:STRING="$SLKCFLAGS" \
     -DCMAKE_INSTALL_PREFIX=/usr \
     -DLIB_SUFFIX=${LIBDIRSUFFIX} \
-    -DMAN_INSTALL_DIR=/usr/man \
+    -DBUILD_SHARED_LIBS=$SHARED_LIBS_STATUS \
     -DCMAKE_BUILD_TYPE=Release ..
   make
-  make install DESTDIR=$PKG
+  make install/strip DESTDIR=$PKG
 cd ..
 
-find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \
-  | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
-
 mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
 cp -a \
   ISSUE_TEMPLATE.md LICENSE README.md \
-- 
cgit v1.2.3-65-gdbad