backport-CVE-2023-24056.patch

@@ -1,71 +0,0 @@
-From 628b2b2bafa5d3a2017193ddf375093e70666059 Mon Sep 17 00:00:00 2001
-From: Ariadne Conill <ariadne@dereferenced.org>
-Date: Fri, 20 Jan 2023 22:07:03 +0000
-Subject: [PATCH] tuple: test for, and stop string processing, on truncation
-
-otherwise a buffer overflow occurs.
-this has been a bug in pkgconf since the beginning, it seems.
-instead of disclosing the bug correctly, a "hotshot" developer
-decided to blog about it instead.  sigh.
-
-https://nullprogram.com/blog/2023/01/18/
----
- libpkgconf/tuple.c | 28 +++++++++++++++++++++++-----
- 1 file changed, 23 insertions(+), 5 deletions(-)
-
-diff --git a/libpkgconf/tuple.c b/libpkgconf/tuple.c
-index 2d550d8..b831070 100644
---- a/libpkgconf/tuple.c
-+++ b/libpkgconf/tuple.c
-@@ -293,12 +293,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
- 				}
- 			}
- 
-+			size_t remain = PKGCONF_BUFSIZE - (bptr - buf);
- 			ptr += (pptr - ptr);
- 			kv = pkgconf_tuple_find_global(client, varname);
- 			if (kv != NULL)
- 			{
--				strncpy(bptr, kv, PKGCONF_BUFSIZE - (bptr - buf));
--				bptr += strlen(kv);
-+				size_t nlen = pkgconf_strlcpy(bptr, kv, remain);
-+				if (nlen > remain)
-+				{
-+					pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
-+
-+					bptr = buf + (PKGCONF_BUFSIZE - 1);
-+					break;
-+				}
-+
-+				bptr += nlen;
- 			}
- 			else
- 			{
-@@ -306,12 +315,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
- 
- 				if (kv != NULL)
- 				{
-+					size_t nlen;
-+
- 					parsekv = pkgconf_tuple_parse(client, vars, kv);
-+					nlen = pkgconf_strlcpy(bptr, parsekv, remain);
-+					free(parsekv);
- 
--					strncpy(bptr, parsekv, PKGCONF_BUFSIZE - (bptr - buf));
--					bptr += strlen(parsekv);
-+					if (nlen > remain)
-+					{
-+						pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
- 
--					free(parsekv);
-+						bptr = buf + (PKGCONF_BUFSIZE - 1);
-+						break;
-+					}
-+
-+					bptr += nlen;
- 				}
- 			}
- 		}
--- 
-2.33.0
-

pkgconf.spec

@@ -1,16 +1,14 @@
 %global pkgconf_libdirs %{_libdir}/pkgconfig:%{_datadir}/pkgconfig
 
 Name:           pkgconf
-Version:        1.8.0
+Version:        1.6.3
-Release:        3
+Release:        6
 Summary:        Package compiler and linker metadata toolkit
 
 License:        ISC
 URL:            http://pkgconf.org/
 Source0:        https://distfiles.dereferenced.org/%{name}/%{name}-%{version}.tar.xz
 
-Patch6000:      backport-CVE-2023-24056.patch
-
 BuildRequires:  gcc, make, autoconf, automake, libtool
 #tests
 BuildRequires:  kyua, atf-tests
@@ -106,27 +104,6 @@ mkdir -p %{buildroot}%{_datadir}/pkgconfig
 %{_mandir}/*/*
 
 %changelog
-* Sun Jan 29 2023 dongyuzhen <dongyuzhen@h-partners.com> - 1.8.0-3
-- fix CVE-2023-24056
-
-* Thu May 05 2022 shixuantong <shixuantong@h-partners.com> - 1.8.0-2
-- Type: NA
-- ID: NA
-- SUG: NA
-- DESC:fix changelog error
-
-* Sat Dec 25 2021 tianwei <tianwei12@huawei.com> - 1.8.0-1
-- Type: NA
-- ID: NA
-- SUG: NA
-- DESC:upgrade version to 1.8.0
-
-* Thu Jul 16 2020 shixuantong <shixuantong@huawei.com> - 1.7.3-1
-- Type: NA
-- ID: NA
-- SUG: NA
-- DESC:update to 1.7.3-1 
-
 * Sun Jan 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.6.3-6
 - Type: enhancement
 - ID: NA

pkgconf.yaml

@@ -1,4 +0,0 @@
-version_control: git
-src_repo: https://git.sr.ht/~kaniini/pkgconf
-tag_prefix: ^pkgconf-
-seperator: .