开源软件构建与测试

Changes of Revision 4

_service:tar_scm:c-ares.spec Changed

@@ -1,6 +1,6 @@
 Name:           c-ares
 Version:        1.19.1
-Release:        1
+Release:        3
 Summary:        A C library for asynchronous DNS requests
 
 License:        MIT
@@ -11,6 +11,7 @@
 # Patch0 from Redhat is applied for stopping overriding AC_CONFIG_MACRO_DIR
 Patch0:         0000-Use-RPM-compiler-options.patch
 Patch1:         backport-disable-live-tests.patch
+Patch2:         backport-CVE-2024-25629.patch
 
 %description
 This is c-ares, an asynchronous resolver library. It is intended for applications
@@ -31,7 +32,10 @@
 
 %build
 autoreconf -if
-%configure --enable-shared --disable-static --disable-dependency-tracking
+%if "%{?toolchain}" == "clang"
+  %global conf_opts --enable-debug
+%endif
+%configure --enable-shared --disable-static --disable-dependency-tracking  %{?conf_opts}
 make %{?_smp_mflags}
 
 %install
@@ -60,6 +64,18 @@
 %{_mandir}/man3/*
 
 %changelog
+* Mon Apr 1 2024 liyunfei<liyunfei33@huawei.com> - 1.19.1-3
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix missing -g for clang build
+
+* Tue Feb 27 2024 liweigang <izmirvii@gmail.com> - 1.19.1-2
+- Type: CVE
+- CVE: CVE-2024-25629
+- SUG: NA
+- DESC: fix CVE-2024-25629
+
 * Tue Jul 25 2023 xinghe <xinghe2@h-partners.com> - 1.19.1-1
 - Type:requirements
 - ID:NA

_service:tar_scm:backport-CVE-2024-25629.patch Added

@@ -0,0 +1,30 @@
+From a804c04ddc8245fc8adf0e92368709639125e183 Mon Sep 17 00:00:00 2001
+From: Brad House <brad@brad-house.com>
+Date: Thu, 22 Feb 2024 16:23:33 -0500
+Subject: PATCH Merge pull request from GHSA-mg26-v6qh-x48q
+
+---
+ src/lib/ares__read_line.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/lib/ares__read_line.c b/src/lib/ares__read_line.c
+index d65ac1fcf..018f55e8b 100644
+--- a/src/lib/ares__read_line.c
++++ b/src/lib/ares__read_line.c
+@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize)
+       if (!fgets(*buf + offset, bytestoread, fp))
+         return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
+       len = offset + strlen(*buf + offset);
++
++      /* Probably means there was an embedded NULL as the first character in
++       * the line, throw away line */
++      if (len == 0) {
++        offset = 0;
++        continue;
++      }
++
+       if ((*buf)len - 1 == '\n')
+         {
+           (*buf)len - 1 = 0;
+-- 
+2.20.1