bsdiff: Add patches for CVEs

Add two patches from Debian fixing CVEs in the bsdiff application.
CVE-2014-9862: Heap vulnerability in bspatch
CVE-2020-14315: Memory Corruption Vulnerability in bspatch

Copied the patches from this location:
https://salsa.debian.org/debian/bsdiff/-/blob/debian/latest/debian/patches/20-CVE-2014-9862.patch
https://salsa.debian.org/debian/bsdiff/-/blob/debian/latest/debian/patches/33-CVE-2020-14315.patch

Signed-off-by: Hauke Mehrtens <[email protected]>
(cherry picked from commit cac723e)

package/utils/bsdiff/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bsdiff
 PKG_VERSION:=4.3
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://www.daemonology.net/bsdiff/

package/utils/bsdiff/patches/001-musl.patch

@@ -1,6 +1,6 @@
---- a/bsdiff.c	2005-08-17 00:13:52.000000000 +0200
-+++ b/bsdiff.c	2016-02-21 01:39:31.157915765 +0100
-@@ -101,7 +101,7 @@
+--- a/bsdiff.c
++++ b/bsdiff.c
+@@ -101,7 +101,7 @@ static void split(off_t *I,off_t *V,off_
  	if(start+len>kk) split(I,V,kk,start+len-kk,h);
  }
 
@@ -9,7 +9,7 @@
  {
  	off_t buckets[256];
  	off_t i,h,len;
-@@ -139,7 +139,7 @@
+@@ -139,7 +139,7 @@ static void qsufsort(off_t *I,off_t *V,u
  	for(i=0;i<oldsize+1;i++) I[V[i]]=i;
  }
 
@@ -18,7 +18,7 @@
  {
  	off_t i;
 
-@@ -149,8 +149,8 @@
+@@ -149,8 +149,8 @@ static off_t matchlen(u_char *old,off_t
  	return i;
  }
 
@@ -29,7 +29,7 @@
  {
  	off_t x,y;
 
-@@ -175,7 +175,7 @@
+@@ -175,7 +175,7 @@ static off_t search(off_t *I,u_char *old
  	};
  }
 
@@ -38,7 +38,7 @@
  {
  	off_t y;
 
-@@ -196,7 +196,7 @@
+@@ -196,7 +196,7 @@ static void offtout(off_t x,u_char *buf)
  int main(int argc,char *argv[])
  {
  	int fd;
@@ -47,7 +47,7 @@
  	off_t oldsize,newsize;
  	off_t *I,*V;
  	off_t scan,pos,len;
-@@ -206,9 +206,9 @@
+@@ -206,9 +206,9 @@ int main(int argc,char *argv[])
  	off_t overlap,Ss,lens;
  	off_t i;
  	off_t dblen,eblen;
@@ -60,9 +60,9 @@
  	FILE * pf;
  	BZFILE * pfbz2;
  	int bz2err;
---- a/bspatch.c	2005-08-17 00:14:00.000000000 +0200
-+++ b/bspatch.c	2016-02-21 01:39:29.753859970 +0100
-@@ -36,7 +36,7 @@
+--- a/bspatch.c
++++ b/bspatch.c
+@@ -36,7 +36,7 @@ __FBSDID("$FreeBSD: src/usr.bin/bsdiff/b
  #include <unistd.h>
  #include <fcntl.h>
 
@@ -71,7 +71,7 @@
  {
  	off_t y;
 
-@@ -62,8 +62,8 @@
+@@ -62,8 +62,8 @@ int main(int argc,char * argv[])
  	int fd;
  	ssize_t oldsize,newsize;
  	ssize_t bzctrllen,bzdatalen;

package/utils/bsdiff/patches/020-CVE-2014-9862.patch

@@ -0,0 +1,37 @@
+From: The FreeBSD Project
+Bug: https://security-tracker.debian.org/tracker/CVE-2014-9862
+Subject: CVE-2014-9862 - check for a negative value on numbers of bytes
+  The implementation of bspatch does not check for a negative value on numbers
+  of bytes read from the diff and extra streams, allowing an attacker who
+  can control the patch file to write at arbitrary locations in the heap.
+  .
+  bspatch's main loop reads three numbers from the "control" stream in
+  the patch: X, Y and Z. The first two are the number of bytes to read
+  from "diff" and "extra" (and thus only non-negative), while the
+  third one could be positive or negative and moves the oldpos pointer
+  on the source image. These 3 values are 64bits signed ints (encoded
+  somehow on the file) that are later passed the function that reads
+  from the streams, but those values are not verified to be
+  non-negative.
+  .
+  Official report https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9862
+  The patch was downloaded from a link pointed by
+  https://security.freebsd.org/advisories/FreeBSD-SA-16:25.bsp
+
+---
+ bspatch.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/bspatch.c
++++ b/bspatch.c
+@@ -152,6 +152,10 @@ int main(int argc,char * argv[])
+ 		};
+
+ 		/* Sanity-check */
++		if ((ctrl[0] < 0) || (ctrl[1] < 0))
++			errx(1,"Corrupt patch\n");
++
++		/* Sanity-check */
+ 		if(newpos+ctrl[0]>newsize)
+ 			errx(1,"Corrupt patch\n");
+