author | 2003-10-29 21:03:20 +0000 | |
---|---|---|
committer | 2003-10-29 21:03:20 +0000 | |
commit | 9eede8a20f631ae2805b856cf9621aa25edc8a32 (patch) | |
tree | 29e19e8bc0eb095800a5670b30fb2a330c1a91d2 /sys-libs/zlib/files | |
parent | Add patches from Mandrake to add -fPIC rather than append-flags, hopefully (diff) | |
Add patches from Mandrake to add -fPIC rather than append-flags, hopefully
this will solve bug #32140. Also add updated security patch.
Diffstat (limited to 'sys-libs/zlib/files')
-rw-r--r-- | sys-libs/zlib/files/digest-zlib-1.1.4-r3 | 1 | ||||
-rw-r--r-- | sys-libs/zlib/files/zlib-1.1.4-build-fPIC.patch | 61 | ||||
-rw-r--r-- | sys-libs/zlib/files/zlib-1.1.4-glibc.patch | 11 | ||||
-rw-r--r-- | sys-libs/zlib/files/zlib-1.1.4-gzprintf.patch | 294 |
4 files changed, 367 insertions, 0 deletions
diff --git a/sys-libs/zlib/files/digest-zlib-1.1.4-r3 b/sys-libs/zlib/files/digest-zlib-1.1.4-r3
new file mode 100644
index 000000000000..ac97e5a21b50
--- /dev/null
+++ b/sys-libs/zlib/files/digest-zlib-1.1.4-r3
@@ -0,0 +1 @@
+MD5 ea16358be41384870acbdc372f9db152 zlib-1.1.4.tar.bz2 147014
diff --git a/sys-libs/zlib/files/zlib-1.1.4-build-fPIC.patch b/sys-libs/zlib/files/zlib-1.1.4-build-fPIC.patch
new file mode 100644
index 000000000000..a29bee225acc
--- /dev/null
+++ b/sys-libs/zlib/files/zlib-1.1.4-build-fPIC.patch
@@ -0,0 +1,61 @@
+--- zlib-1.1.4/Makefile.in.build-fPIC 2003-01-30 01:35:18.000000000 -0500
++++ zlib-1.1.4/Makefile.in 2003-01-30 01:40:49.000000000 -0500
+@@ -41,6 +41,8 @@ includedir = ${prefix}/include
+ OBJS = adler32.o compress.o crc32.o gzio.o uncompr.o deflate.o trees.o \
+ zutil.o inflate.o infblock.o inftrees.o infcodes.o infutil.o inffast.o
+
++PIC_OBJS = $(OBJS:%.o=%.lo)
++
+ OBJA =
+ # to use the asm code: make OBJA=match.o
+
+@@ -80,8 +82,11 @@ match.o: match.S
+ mv _match.o match.o
+ rm -f _match.s
+
+-$(SHAREDLIB).$(VER): $(OBJS)
+- $(LDSHARED) -o $@ $(OBJS) -lc
++%.lo: %.c
++ $(CC) $(CFLAGS) -DPIC -fPIC -c $< -o $@
++
++$(SHAREDLIB).$(VER): $(PIC_OBJS)
++ $(LDSHARED) -o $@ $(PIC_OBJS) -lc
+ rm -f $(SHAREDLIB) $(SHAREDLIB).1
+ ln -s $@ $(SHAREDLIB)
+ ln -s $@ $(SHAREDLIB).1
+@@ -92,11 +97,8 @@ example: example.o $(LIBS)
+ minigzip: minigzip.o $(LIBS)
+ $(CC) $(CFLAGS) -o $@ minigzip.o $(LDFLAGS)
+
+-install: $(LIBS)
+- -@if [ ! -d $(includedir) ]; then mkdir $(includedir); fi
++install-libs: $(LIBS)
+ -@if [ ! -d $(libdir) ]; then mkdir $(libdir); fi
+- cp zlib.h zconf.h $(includedir)
+- chmod 644 $(includedir)/zlib.h $(includedir)/zconf.h
+ cp $(LIBS) $(libdir)
+ cd $(libdir); chmod 755 $(LIBS)
+ -@(cd $(libdir); $(RANLIB) libz.a || true) >/dev/null 2>&1
+@@ -109,6 +111,11 @@ install: $(LIBS)
+ # The ranlib in install is needed on NeXTSTEP which checks file times
+ # ldconfig is for Linux
+
++install: install-libs
++ -@if [ ! -d $(includedir) ]; then mkdir $(includedir); fi
++ cp zlib.h zconf.h $(includedir)
++ chmod 644 $(includedir)/zlib.h $(includedir)/zconf.h
++
+ uninstall:
+ cd $(includedir); \
+ v=$(VER); \
+--- zlib-1.1.4/configure.build-fPIC 2003-01-30 01:35:18.000000000 -0500
++++ zlib-1.1.4/configure 2003-01-30 01:39:59.000000000 -0500
+@@ -130,7 +130,7 @@ if test $shared -eq 1; then
+ if test "`($CC -c $SFLAGS $test.c) 2>&1`" = "" &&
+ test "`($LDSHARED -o $test$shared_ext $test.o) 2>&1`" = ""; then
+ CFLAGS="$SFLAGS"
+- LIBS="$SHAREDLIB.$VER"
++ LIBS="$LIBS $SHAREDLIB.$VER"
+ echo Building shared library $SHAREDLIB.$VER with $CC.
+ elif test -z "$old_cc" -a -z "$old_cflags"; then
+ echo No shared library suppport.
diff --git a/sys-libs/zlib/files/zlib-1.1.4-glibc.patch b/sys-libs/zlib/files/zlib-1.1.4-glibc.patch
new file mode 100644
index 000000000000..49ded8639f8e
--- /dev/null
+++ b/sys-libs/zlib/files/zlib-1.1.4-glibc.patch
@@ -0,0 +1,11 @@
+--- zlib-1.1.3/Makefile.in.glibc Wed Sep 9 11:48:46 1998
++++ zlib-1.1.3/Makefile.in Wed Sep 9 11:49:04 1998
+@@ -80,7 +80,7 @@
+ rm -f _match.s
+
+ $(SHAREDLIB).$(VER): $(OBJS)
+- $(LDSHARED) -o $@ $(OBJS)
++ $(LDSHARED) -o $@ $(OBJS) -lc
+ rm -f $(SHAREDLIB) $(SHAREDLIB).1
+ ln -s $@ $(SHAREDLIB)
+ ln -s $@ $(SHAREDLIB).1
diff --git a/sys-libs/zlib/files/zlib-1.1.4-gzprintf.patch b/sys-libs/zlib/files/zlib-1.1.4-gzprintf.patch
new file mode 100644
index 000000000000..28b610f57a79
--- /dev/null
+++ b/sys-libs/zlib/files/zlib-1.1.4-gzprintf.patch
@@ -0,0 +1,294 @@
+This patch fixes security holes caused by potential buffer overflows
+in the implementation of the gzprintf() function in zlib 1.1.4. The
+security holes are fixed for platforms providing vsnprintf(3) and
+snprintf(3) only. This patch is derived from a prepared security patch,
+originally created by Kelledin <kelledin@users.sourceforge.net>. The
+OpenPKG project reduced the patch in size and fixed the configuration
+checks.
+
+diff -ru3 zlib-1.1.4.orig/configure zlib-1.1.4/configure
+--- zlib-1.1.4.orig/configure Wed Jul 8 20:19:35 1998
++++ zlib-1.1.4/configure Thu Feb 27 15:14:54 2003
+@@ -155,7 +155,212 @@
+ echo "Checking for unistd.h... No."
+ fi
+
+-cat > $test.c <<EOF
++cat >$test.c <<EOF
++#include <stdio.h>
++#include <stdlib.h>
++
++#if (defined(__MSDOS__) || defined(_WINDOWS) || defined(_WIN32) || defined(__WIN32__) || defined(WIN32) || defined(__STDC__) || defined(__cplusplus) || defined(__OS2__)) && !defined(STDC)
++# define STDC
++#endif
++
++int main()
++{
++#ifndef STDC
++ choke me
++#endif
++
++ return 0;
++}
++EOF
++
++if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then
++ echo "Checking whether to use vsnprintf() or snprintf()... using vsnprintf()"
++
++ cat >$test.c <<EOF
++#include <stdio.h>
++#include <stdarg.h>
++
++int mytest(char *fmt, ...)
++{
++ char buf[20];
++ va_list ap;
++
++ va_start(ap, fmt);
++ vsnprintf(buf, sizeof(buf), fmt, ap);
++ va_end(ap);
++ return 0;
++}
++
++int main()
++{
++ return (mytest("Hello%d\n", 1));
++}
++EOF
++
++ if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then
++ CFLAGS="$CFLAGS -DHAS_vsnprintf"
++ echo "Checking for vsnprintf() in stdio.h... Yes."
++
++ cat >$test.c <<EOF
++#include <stdio.h>
++#include <stdarg.h>
++
++int mytest(char *fmt, ...)
++{
++ int i;
++ char buf[20];
++ va_list ap;
++
++ va_start(ap, fmt);
++ i = vsnprintf(buf, sizeof(buf), fmt, ap);
++ va_end(ap);
++ return 0;
++}
++
++int main()
++{
++ return (mytest("Hello%d\n", 1));
++}
++EOF
++
++ if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then
++ CFLAGS="$CFLAGS -DHAS_vsnprintf_return"
++ echo "Checking for return value of vsnprintf()... Yes."
++ else
++ echo "Checking for return value of vsnprintf()... No."
++ echo " WARNING: apparently vsnprintf() does not return a value. zlib"
++ echo " can build but will be open to possible string-format security"
++ echo " vulnerabilities."
++ fi
++ else
++ echo "Checking for vsnprintf() in stdio.h... No."
++ echo " WARNING: vsnprintf() not found, falling back to vsprintf(). zlib"
++ echo " can build but will be open to possible buffer-overflow security"
++ echo " vulnerabilities."
++
++ cat >$test.c <<EOF
++#include <stdio.h>
++#include <stdarg.h>
++
++int mytest(char *fmt, ...)
++{
++ int i;
++ char buf[20];
++ va_list ap;
++
++ va_start(ap, fmt);
++ i = vsprintf(buf, fmt, ap);
++ va_end(ap);
++ return 0;
++}
++
++int main()
++{
++ return (mytest("Hello%d\n", 1));
++}
++EOF
++
++ if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then
++ CFLAGS="$CFLAGS -DHAS_vsprintf_return"
++ echo "Checking for return value of vsprintf()... Yes."
++ else
++ echo "Checking for return value of vsprintf()... No."
++ echo " WARNING: apparently vsprintf() does not return a value. zlib"
++ echo " can build but will be open to possible string-format security"
++ echo " vulnerabilities."
++ fi
++ fi
++else
++ echo "Checking whether to use vsnprintf() or snprintf()... using snprintf()"
++
++ cat >$test.c <<EOF
++#include <stdio.h>
++#include <stdarg.h>
++
++int mytest()
++{
++ char buf[20];
++
++ snprintf(buf, sizeof(buf), "%s", "foo");
++ return 0;
++}
++
++int main()
++{
++ return (mytest());
++}
++EOF
++
++ if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then
++ CFLAGS="$CFLAGS -DHAS_snprintf"
++ echo "Checking for snprintf() in stdio.h... Yes."
++
++ cat >$test.c <<EOF
++#include <stdio.h>
++#include <stdarg.h>
++
++int mytest(char *fmt, ...)
++{
++ int i;
++ char buf[20];
++
++ i = snprintf(buf, sizeof(buf), "%s", "foo");
++ return 0;
++}
++
++int main()
++{
++ return (mytest());
++}
++EOF
++
++ if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then
++ CFLAGS="$CFLAGS -DHAS_snprintf_return"
++ echo "Checking for return value of snprintf()... Yes."
++ else
++ echo "Checking for return value of snprintf()... No."
++ echo " WARNING: apparently snprintf() does not return a value. zlib"
++ echo " can build but will be open to possible string-format security"
++ echo " vulnerabilities."
++ fi
++ else
++ echo "Checking for snprintf() in stdio.h... No."
++ echo " WARNING: snprintf() not found, falling back to sprintf(). zlib"
++ echo " can build but will be open to possible buffer-overflow security"
++ echo " vulnerabilities."
++
++ cat >$test.c <<EOF
++#include <stdio.h>
++#include <stdarg.h>
++
++int mytest(char *fmt, ...)
++{
++ int i;
++ char buf[20];
++
++ i = sprintf(buf, "%s", "foo");
++ return 0;
++}
++
++int main()
++{
++ return (mytest());
++}
++EOF
++
++ if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then
++ CFLAGS="$CFLAGS -DHAS_sprintf_return"
++ echo "Checking for return value of sprintf()... Yes."
++ else
++ echo "Checking for return value of sprintf()... No."
++ echo " WARNING: apparently sprintf() does not return a value. zlib"
++ echo " can build but will be open to possible string-format security"
++ echo " vulnerabilities."
++ fi
++ fi
++fi
++
++cat >$test.c <<EOF
+ #include <errno.h>
+ int main() { return 0; }
+ EOF
+diff -ru3 zlib-1.1.4.orig/gzio.c zlib-1.1.4/gzio.c
+--- zlib-1.1.4.orig/gzio.c Mon Mar 11 14:16:01 2002
++++ zlib-1.1.4/gzio.c Thu Feb 27 14:29:26 2003
+@@ -530,13 +530,31 @@
+
+ va_start(va, format);
+ #ifdef HAS_vsnprintf
++# ifdef HAS_vsnprintf_return
++ len = vsnprintf(buf, sizeof(buf), format, va);
++ va_end(va);
++ if (len <= 0 || len >= sizeof(buf))
++ return 0;
++# else
+ (void)vsnprintf(buf, sizeof(buf), format, va);
++ va_end(va);
++ len = strlen(buf);
++ if (len <= 0)
++ return 0;
++# endif
+ #else
++# ifdef HAS_vsprintf_return
++ len = vsprintf(buf, format, va);
++ va_end(va);
++ if (len <= 0 || len >= sizeof(buf))
++ return 0;
++# else
+ (void)vsprintf(buf, format, va);
+-#endif
+ va_end(va);
+ len = strlen(buf); /* some *sprintf don't return the nb of bytes written */
+ if (len <= 0) return 0;
++# endif
++#endif
+
+ return gzwrite(file, buf, (unsigned)len);
+ }
+@@ -553,14 +571,31 @@
+ int len;
+
+ #ifdef HAS_snprintf
++# ifdef HAS_snprintf_return
++ len = snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8,
++ a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
++ if (len <= 0 || len >= sizeof(buf))
++ return 0;
++# else
+ snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8,
+ a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
++ len = strlen(buf);
++ if (len <= 0)
++ return 0;
++# endif
+ #else
++# ifdef HAS_sprintf_return
++ len = sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8,
++ a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
++ if (len <= 0 || len >= sizeof(buf))
++ return 0;
++# else
+ sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8,
+ a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
+-#endif
+ len = strlen(buf); /* old sprintf doesn't return the nb of bytes written */
+ if (len <= 0) return 0;
++# endif
++#endif
+
+ return gzwrite(file, buf, len);
+ }
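Review bot: The `$(SHAREDLIB).$(VER)` rule this patch replaces is quoted with `-lc` already present (`+- $(LDSHARED) -o $@ $(OBJS) -lc`), and that `-lc` is exactly what zlib-1.1.4-glibc.patch in the same commit adds, so zlib-1.1.4-build-fPIC.patch only applies after the glibc patch has been applied. The ebuild that sequences the two is outside this diff, so the ordering is an unstated assumption between two files that look independent. A one-line header at the top of the fPIC patch would make it explicit, e.g. `Requires zlib-1.1.4-glibc.patch to be applied first (this hunk expects -lc on the $(LDSHARED) line).` Note also that the new `%.lo` rule keeps `$(CFLAGS)`, which configure has just overwritten with `$SFLAGS` in the shared-library branch, so the `-fPIC` passed here presumably duplicates what `$SFLAGS` already carries on glibc targets; harmless, but worth a comment if that is intended.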
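Review bot: In the `# else` branches of both gzprintf variants in gzio.c (the ones taken when `HAS_vsnprintf_return`/`HAS_snprintf_return` is not defined), truncation is now silent: vsnprintf/snprintf stop at `sizeof(buf) - 1`, `len = strlen(buf)` passes the `len <= 0` test, and the shortened text goes to `gzwrite`, so the caller receives a short byte count with no error indication. The `HAS_*_return` branches do catch this with `len >= sizeof(buf)`, and that mixed `int`/`size_t` comparison is only safe because `len <= 0` is evaluated first. A comment next to the `len = strlen(buf);` line in those branches would record the limitation, e.g. `/* no usable return value: truncation at sizeof(buf)-1 cannot be detected here */`. The configure probes for `HAS_*_return` differ from the base probes only by assigning the result to `i`, so they pass on any libc that declares (or implicitly declares) the function as returning `int`, and cannot tell a C99 would-be length from a pre-C99 -1 on truncation; the `len <= 0 ||` guard in gzio.c appears to be what covers that gap. Both gzprintf functions begin outside the hunk, so the declaration and size of `buf` are not visible here.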