net-libs/libsignal-protocol-c: Fix CVE-2022-48468

This commit fixes CVE-2022-48468 for this package's bundled protobuf-c. Here are some reference links about the issue: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48468 https://bugzilla.redhat.com/show_bug.cgi?id=2186673 For reference, here is the commit I made in Fedora to address the issue, which includes this patch: 152eb06d16 Closes: https://bugs.gentoo.org/905098 Signed-off-by: Randy Barlow <randy@electronsweatshop.com> Closes: https://github.com/gentoo/gentoo/pull/30764 Signed-off-by: Joonas Niilola <juippis@gentoo.org>
2026-01-05 14:07:27 -08:00 · 2023-04-25 23:45:40 -04:00 · 2023-04-25 23:45:40 -04:00 · c2e3eb85c4
commit c2e3eb85c4
parent 5c5ff92902
2 changed files with 71 additions and 0 deletions
--- a/net-libs/libsignal-protocol-c/files/libsignal-protocol-c-2.3.3-CVE-2022-48468.patch
+++ b/net-libs/libsignal-protocol-c/files/libsignal-protocol-c-2.3.3-CVE-2022-48468.patch
@ -0,0 +1,53 @@
+From 478dfe51552243b367cf2e9c5d047cbbd3c21635 Mon Sep 17 00:00:00 2001
+From: Randy Barlow <randy@electronsweatshop.com>
+Date: Fri, 18 Mar 2022 12:42:57 -0400
+Subject: [PATCH] CVE-2022-48468: unsigned integer overflow
+
+This commit combines two upstream commits from protobuf-c[0][1].
+The first fixes an unsigned integer overflow, and the second fixes a
+regression introduced by the first. I originally decided to amend the
+commit message of the first to mention that it fixes a CVE, but then I
+realized it would be better to bring the fix for the regression together
+with it.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48468
+https://bugzilla.redhat.com/show_bug.cgi?id=2186673
+
+[0]
+https://github.com/protobuf-c/protobuf-c/pull/513/commits/289f5c18b195aa43d46a619d1188709abbfa9c82
+[1]
+https://github.com/protobuf-c/protobuf-c/pull/513/commits/0d1fd124a4e0a07b524989f6e64410ff648fba61
+
+Co-authored-by: 10054172 <hui.zhang@thalesgroup.com>
+Co-authored-by: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Signed-off-by: 10054172 <hui.zhang@thalesgroup.com>
+Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
+---
+ src/protobuf-c/protobuf-c.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/protobuf-c/protobuf-c.c b/src/protobuf-c/protobuf-c.c
+index 4f2f5bc..6ae5287 100644
+--- a/src/protobuf-c/protobuf-c.c
+++ b/src/protobuf-c/protobuf-c.c
+@@ -2456,10 +2456,13 @@ parse_required_member(ScannedMember *scanned_member,
+ 			return FALSE;
+ 
+ 		def_mess = scanned_member->field->default_value;
+-		subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
+-						 allocator,
+-						 len - pref_len,
+-						 data + pref_len);
+		if (len >= pref_len)
+			subm = protobuf_c_message_unpack(scanned_member->field->descriptor,
+							 allocator,
+							 len - pref_len,
+							 data + pref_len);
+		else
+			subm = NULL;
+ 
+ 		if (maybe_clear &&
+ 		    *pmessage != NULL &&
+-- 
+2.39.2
+
--- a/net-libs/libsignal-protocol-c/libsignal-protocol-c-2.3.3-r1.ebuild
+++ b/net-libs/libsignal-protocol-c/libsignal-protocol-c-2.3.3-r1.ebuild
@ -0,0 +1,18 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit cmake
+
+DESCRIPTION="Signal Protocol C Library"
+HOMEPAGE="https://www.whispersystems.org/"
+SRC_URI="https://github.com/signalapp/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+KEYWORDS="~amd64 ~arm64 ~x86"
+
+LICENSE="GPL-3"
+SLOT="0"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-2.3.3-CVE-2022-48468.patch
+)