[packages/libconfuse] Up to 3.3
arekm
arekm at pld-linux.org
Sat Mar 14 11:58:08 CET 2026
commit 993db5af2635a80ffa728b78681d6c511c1279c6
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Sat Mar 14 11:58:01 2026 +0100
Up to 3.3
CVE-2022-40320.patch | 30 ++++++++++++++++++++++++++++++
libconfuse.spec | 18 +++++++++++-------
2 files changed, 41 insertions(+), 7 deletions(-)
---
diff --git a/libconfuse.spec b/libconfuse.spec
index 9d93ade..8a55df6 100644
--- a/libconfuse.spec
+++ b/libconfuse.spec
@@ -6,14 +6,15 @@
Summary: libConfuse - a library for parsing configuration files
Summary(pl.UTF-8): libConfuse - biblioteka do analizy plików konfiguracyjnych
Name: libconfuse
-Version: 2.8
+Version: 3.3
Release: 1
License: ISC
Group: Libraries
-#Source0Download: https://github.com/martinh/libconfuse/releases
-Source0: https://github.com/martinh/libconfuse/releases/download/v%{version}/%{pname}-%{version}.tar.xz
-# Source0-md5: cb552c5737a72ef164733f0118971eb0
-URL: https://github.com/martinh/libconfuse
+#Source0Download: https://github.com/libconfuse/libconfuse/releases
+Source0: https://github.com/libconfuse/libconfuse/releases/download/v%{version}/%{pname}-%{version}.tar.xz
+# Source0-md5: a183cef2cecdd3783436ff8de500d274
+Patch0: CVE-2022-40320.patch
+URL: https://github.com/libconfuse/libconfuse
BuildRequires: autoconf >= 2.50
BuildRequires: automake >= 1:1.11
BuildRequires: gettext-tools >= 0.16.1
@@ -70,6 +71,7 @@ Statyczna biblioteka libConfuse.
%prep
%setup -q -n %{pname}-%{version}
+%patch -P0 -p1
%build
%{__gettextize}
@@ -90,12 +92,14 @@ install -d $RPM_BUILD_ROOT{%{_examplesdir}/%{name}-%{version},%{_mandir}/man3,%{
%{__make} install \
DESTDIR=$RPM_BUILD_ROOT
+# remove docs installed by make install (we handle them via %doc)
+%{__rm} -r $RPM_BUILD_ROOT%{_docdir}/confuse
# obsoleted by pkg-config
%{__rm} $RPM_BUILD_ROOT%{_libdir}/libconfuse.la
install doc/man/man3/* $RPM_BUILD_ROOT%{_mandir}/man3
-rm -rf examples/{ftpconf,reread,simple,*.o}
+rm -rf examples/{ftpconf,reread,simple,cfgtest,cli,nested,deprecated,addsec,parsebuf,env,wincfgtest,*.o}
install examples/* $RPM_BUILD_ROOT%{_examplesdir}/%{name}-%{version}
%find_lang %{pname}
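Review bot: The extended `rm -rf examples/{ftpconf,reread,simple,cfgtest,cli,nested,deprecated,addsec,parsebuf,env,wincfgtest,*.o}` line lists the compiled example programs by hand, so a binary added by a later upstream release would be copied into `%{_examplesdir}` by the following `install examples/*` without anyone noticing. A comment above it would make the intent explicit for the next version bump, for example `# drop built example binaries and objects; re-check this list against examples/ on every update`. If the examples Makefile has a usable `clean` target (not visible here), calling it would avoid the list. The line also uses bare `rm` where the neighbouring lines use `%{__rm}`. The `%install` section continues outside this hunk.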
@@ -110,7 +114,7 @@ rm -rf $RPM_BUILD_ROOT
%defattr(644,root,root,755)
%doc AUTHORS ChangeLog.md LICENSE README.md
%attr(755,root,root) %{_libdir}/libconfuse.so.*.*.*
-%attr(755,root,root) %ghost %{_libdir}/libconfuse.so.0
+%attr(755,root,root) %ghost %{_libdir}/libconfuse.so.2
%files devel
%defattr(644,root,root,755)
diff --git a/CVE-2022-40320.patch b/CVE-2022-40320.patch
new file mode 100644
index 0000000..7e53f74
--- /dev/null
+++ b/CVE-2022-40320.patch
@@ -0,0 +1,30 @@
+# Fix CVE-2022-40320: heap-based buffer over-read in cfg_tilde_expand()
+# due to unterminated username passed to getpwnam().
+# https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b
+--- a/src/confuse.c 2026-03-14 11:48:51.537716579 +0100
++++ b/src/confuse.c 2026-03-14 11:49:19.723663639 +0100
+@@ -1863,18 +1863,20 @@
+ passwd = getpwuid(geteuid());
+ file = filename + 1;
+ } else {
+- /* ~user or ~user/path */
+- char *user;
++ char *user; /* ~user or ~user/path */
++ size_t len;
+
+ file = strchr(filename, '/');
+ if (file == 0)
+ file = filename + strlen(filename);
+
+- user = malloc(file - filename);
++ len = file - filename - 1;
++ user = malloc(len + 1);
+ if (!user)
+ return NULL;
+
+- strncpy(user, filename + 1, file - filename - 1);
++ strncpy(user, &filename[1], len);
++ user[len] = 0;
+ passwd = getpwnam(user);
+ free(user);
+ }
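Review bot: The added `len = file - filename - 1;` stores a pointer difference in a `size_t`, so it is only safe while `file` is at least `filename + 1`. That presumably holds because this branch is reached only when `filename[0]` is `~`, a check that lies outside the hunk. If it did not hold, `len` would wrap and `malloc(len + 1)` would be undersized for the copy that follows. A one-line comment would record the invariant: `/* filename[0] == '~' here, so file > filename and len cannot wrap */`. With the length known, `memcpy(user, &filename[1], len);` would express the copy more directly than `strncpy`, and `user[len] = '\0';` reads more clearly than `= 0`. Keeping the backport byte-identical to the upstream commit cited in the header is a fair reason to leave the code as it is and add only the comment.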
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/libconfuse.git/commitdiff/993db5af2635a80ffa728b78681d6c511c1279c6