diff options
| author | Leo <thinkabit.ukim@gmail.com> | 2019-07-21 02:35:49 -0300 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2019-07-22 11:45:39 +0200 |
| commit | ac4f22e825980b99d4fd80cb49d11ff7be0e3e3a (patch) | |
| tree | 295c04b19828ea18eec22dfb52d2d5a77aa04125 | |
| parent | 177d553d273545ef959c076901ab92d9cdecbbff (diff) | |
main/libcroco: fix a few CVEs
| -rw-r--r-- | main/libcroco/APKBUILD | 16 | ||||
| -rw-r--r-- | main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch | 29 |
2 files changed, 42 insertions, 3 deletions
diff --git a/main/libcroco/APKBUILD b/main/libcroco/APKBUILD index 09491444159..7e9e34d4f23 100644 --- a/main/libcroco/APKBUILD +++ b/main/libcroco/APKBUILD @@ -1,14 +1,23 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libcroco pkgver=0.6.13 -pkgrel=0 +pkgrel=1 pkgdesc="GNOME CSS2 parsing and manipulation toolkit" url="http://www.gnome.org" arch="all" license="LGPL-2.1-only" subpackages="$pkgname-dev $pkgname-doc" makedepends="glib-dev libxml2-dev" -source="https://download.gnome.org/sources/$pkgname/0.6/$pkgname-$pkgver.tar.xz" +source="https://download.gnome.org/sources/$pkgname/0.6/$pkgname-$pkgver.tar.xz + CVE-2017-8871-and-CVE-2017-8834.patch + " + +# secfixes: +# 0.6.13-r1: +# - CVE-2017-7960 +# - CVE-2017-7961 +# - CVE-2017-8871 +# - CVE-2017-8834 build() { cd "$builddir" @@ -29,4 +38,5 @@ package() { cd "$builddir" make DESTDIR="$pkgdir" install } -sha512sums="038a3ac9d160a8cf86a8a88c34367e154ef26ede289c93349332b7bc449a5199b51ea3611cebf3a2416ae23b9e45ecf8f9c6b24ea6d16a5519b796d3c7e272d4 libcroco-0.6.13.tar.xz" +sha512sums="038a3ac9d160a8cf86a8a88c34367e154ef26ede289c93349332b7bc449a5199b51ea3611cebf3a2416ae23b9e45ecf8f9c6b24ea6d16a5519b796d3c7e272d4 libcroco-0.6.13.tar.xz +568ad8205f5c2ab1eb949ef664671069fad5991e43992e35092738c1a741289303dba343c8002caec817d1c27fe5645dc2a861573fb4d91074aef59ff41f3d27 CVE-2017-8871-and-CVE-2017-8834.patch" diff --git a/main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch b/main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch new file mode 100644 index 00000000000..f65c6a97481 --- /dev/null +++ b/main/libcroco/CVE-2017-8871-and-CVE-2017-8834.patch @@ -0,0 +1,29 @@ +From deda38539f5b25616aa294d8b19d33ebf8e175ff Mon Sep 17 00:00:00 2001 +From: Mike Gorse <mgorse@alum.wpi.edu> +Date: Thu, 2 May 2019 10:54:43 -0500 +Subject: [PATCH] cr_utils_read_char_from_utf8_buf: move past invalid UTF-8 + +Otherwise, the offending character is never consumed, possibly leading +to an infinite loop. + +https://bugzilla.gnome.org/show_bug.cgi?id=782647 +--- + src/cr-utils.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/cr-utils.c b/src/cr-utils.c +index 2420cec..6cf4849 100644 +--- a/src/cr-utils.c ++++ b/src/cr-utils.c +@@ -505,6 +505,7 @@ cr_utils_read_char_from_utf8_buf (const guchar * a_in, + + } else { + /*BAD ENCODING */ ++ nb_bytes_2_decode = 1; + goto end; + } + +-- +2.20.1 + + |