Fri Nov 26 12:23:09 2021 UTC ()
gmp: fix CVE-2021-43618 using upstream patch

Bump PKGREVISION.


(wiz)
diff -r1.88 -r1.89 pkgsrc/devel/gmp/Makefile
diff -r1.58 -r1.59 pkgsrc/devel/gmp/distinfo
diff -r0 -r1.1 pkgsrc/devel/gmp/patches/patch-mpz_inp__raw.c
cvs diff -r1.88 -r1.89 pkgsrc/devel/gmp/Makefile (expand / switch to unified diff)

--- pkgsrc/devel/gmp/Makefile 2020/11/16 13:12:41 1.88
+++ pkgsrc/devel/gmp/Makefile 2021/11/26 12:23:08 1.89
@@ -1,16 +1,17 @@ @@ -1,16 +1,17 @@
1# $NetBSD: Makefile,v 1.88 2020/11/16 13:12:41 wiz Exp $ 1# $NetBSD: Makefile,v 1.89 2021/11/26 12:23:08 wiz Exp $
2 2
3DISTNAME= gmp-6.2.1 3DISTNAME= gmp-6.2.1
 4PKGREVISION= 1
4CATEGORIES= devel math 5CATEGORIES= devel math
5MASTER_SITES= https://gmplib.org/download/gmp/ 6MASTER_SITES= https://gmplib.org/download/gmp/
6MASTER_SITES+= ${MASTER_SITE_GNU:=gmp/} 7MASTER_SITES+= ${MASTER_SITE_GNU:=gmp/}
7# Use .tar.bz2 distfile so that no extra dependency on archivers/xz 8# Use .tar.bz2 distfile so that no extra dependency on archivers/xz
8# is needed when building lang/gcc* with option gcc-inplace-math. 9# is needed when building lang/gcc* with option gcc-inplace-math.
9EXTRACT_SUFX= .tar.bz2 10EXTRACT_SUFX= .tar.bz2
10 11
11MAINTAINER= pkgsrc-users@NetBSD.org 12MAINTAINER= pkgsrc-users@NetBSD.org
12HOMEPAGE= https://gmplib.org/ 13HOMEPAGE= https://gmplib.org/
13COMMENT= Library for arbitrary precision arithmetic 14COMMENT= Library for arbitrary precision arithmetic
14LICENSE= gnu-lgpl-v3 OR gnu-gpl-v2 15LICENSE= gnu-lgpl-v3 OR gnu-gpl-v2
15 16
16USE_LANGUAGES= c c++ c99 17USE_LANGUAGES= c c++ c99
cvs diff -r1.58 -r1.59 pkgsrc/devel/gmp/distinfo (expand / switch to unified diff)

--- pkgsrc/devel/gmp/distinfo 2021/10/26 10:14:43 1.58
+++ pkgsrc/devel/gmp/distinfo 2021/11/26 12:23:08 1.59
@@ -1,6 +1,7 @@ @@ -1,6 +1,7 @@
1$NetBSD: distinfo,v 1.58 2021/10/26 10:14:43 nia Exp $ 1$NetBSD: distinfo,v 1.59 2021/11/26 12:23:08 wiz Exp $
2 2
3BLAKE2s (gmp-6.2.1.tar.bz2) = 4125e2992b9aa28eea69ada6030b34a0e293ca80140c3c069f4fcbd38055d6ee 3BLAKE2s (gmp-6.2.1.tar.bz2) = 4125e2992b9aa28eea69ada6030b34a0e293ca80140c3c069f4fcbd38055d6ee
4SHA512 (gmp-6.2.1.tar.bz2) = 8904334a3bcc5c896ececabc75cda9dec642e401fb5397c4992c4fabea5e962c9ce8bd44e8e4233c34e55c8010cc28db0545f5f750cbdbb5f00af538dc763be9 4SHA512 (gmp-6.2.1.tar.bz2) = 8904334a3bcc5c896ececabc75cda9dec642e401fb5397c4992c4fabea5e962c9ce8bd44e8e4233c34e55c8010cc28db0545f5f750cbdbb5f00af538dc763be9
5Size (gmp-6.2.1.tar.bz2) = 2493916 bytes 5Size (gmp-6.2.1.tar.bz2) = 2493916 bytes
6SHA1 (patch-acinclude.m4) = 3f76c0aa8d29ec815a93448f9c4bc976ebdf7a2a 6SHA1 (patch-acinclude.m4) = 3f76c0aa8d29ec815a93448f9c4bc976ebdf7a2a
 7SHA1 (patch-mpz_inp__raw.c) = d25995039d4c7226b5209cb932c13fe59a4578ca
File Added: pkgsrc/devel/gmp/patches/patch-mpz_inp__raw.c
$NetBSD: patch-mpz_inp__raw.c,v 1.1 2021/11/26 12:23:08 wiz Exp $

Fix for CVE-2021-43618
https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e

--- mpz/inp_raw.c.orig	2020-11-14 18:45:09.000000000 +0000
+++ mpz/inp_raw.c
@@ -88,8 +88,11 @@ mpz_inp_raw (mpz_ptr x, FILE *fp)
 
   abs_csize = ABS (csize);
 
+  if (UNLIKELY (abs_csize > ~(mp_bitcnt_t) 0 / 8))
+    return 0; /* Bit size overflows */
+
   /* round up to a multiple of limbs */
-  abs_xsize = BITS_TO_LIMBS (abs_csize*8);
+  abs_xsize = BITS_TO_LIMBS ((mp_bitcnt_t) abs_csize * 8);
 
   if (abs_xsize != 0)
     {